Regional Health
CORPORATE
RESPONSIBILITY
Auditing and Monitoring
Standard Operating Procedure
FY11
Contents
Section 1: Introduction ................................................................................................................... 3
Section 2: Objectives and Responsibilities .................................................................................... 3
2.1 Objectives of the CR Department ......................................................................................... 3
2.2 Auditing Standards................................................................................................................ 3
Section 3: Nature of Audits and Audit Selection ........................................................................... 3
3.1 Nature of Audits .................................................................................................................... 3
3.2 Audit Selection...................................................................................................................... 3
3.2.1 High Risk……………………………………………………………………………..4
3.2.2 Medium Risk…………………………………………………………………………4
3.2.1 Low Risk……………………………………………………………………………..4
Section 4: Audit Development & Process ..................................................................................... 4
4.1 Pre-Audit Discussion ............................................................................................................ 5
4.2 Initial Research and Pre-Audit Preparation .......................................................................... 5
Section 5: Audit Methodology and Procedures ............................................................................. 5
5.1 Fieldwork and Work Papers.................................................................................................. 5
5.3 Retention of Records............................................................................................................. 5
5.4 Audit Sampling ..................................................................................................................... 5
5.4.1 OIG Claims Review ....................................................................................................... 6
5.4.2 Statistical Sampling ....................................................................................................... 6
5.4.3 Non-statistical Sampling ................................................................................................ 6
5.4.4 Sampling Definitions & Plans ....................................................................................... 6
Section 6: Reporting ...................................................................................................................... 7
Section 7: Communication ............................................................................................................. 7
7.1 Exit Conference .................................................................................................................... 7
7.2 Monitoring ............................................................................................................................ 7
Addendum A: Financial Audits ..................................................................................................... 8
Addendum B: Medical Services .................................................................................................. 10
Addendum C: Privacy and Security............................................................................................. 12
Addendum D: Research Audits ................................................................................................... 13
Addendum E: Audit Checklist ..................................................................................................... 15
Addendum F: Audit Report Template ......................................................................................... 16
2
Final Version 9-03-10
Corporate Responsibility’s
Auditing and Monitoring
Standard Operation Procedure
Section 1: Introduction
The Standard Operation Procedures Manual is a reference tool for the Corporate Responsibility
(CR) department in the performance of its duties under established standards. The Regional
Health Compliance & Audit Committee of the Board of Trustees shall review and approve the
annual Audit Plan, the results of audits as well as related recommendations for improvement in
accordance with the Corporate Compliance Plan, Code of Conduct and the Articles of
Incorporation for Regional Health.
Section 2: Objectives and Responsibilities
2.1 Objectives of the CR Department
The CR department provides an independent analysis through auditing and monitoring
performed based on the following objectives:
a) To determine activities are in compliance with system policies, procedures and goals,
contractual obligations, state and federal laws, regulations; as well as, ethical business
practices.
b) To recommend improvements in management controls, practices, and procedures to
mitigate risk.
c) To evaluate the accuracy, timeliness, and effectiveness of information supplied to
management and external organizations.
2.2 Auditing Standards
Audits are conducted according to generally accepted standards; as well as, state and federal
regulations using audit programs, techniques, and procedures necessary in the circumstances
specific to each assigned area (e.g., finance, coding, privacy, information security, or research).
Section 3: Nature of Audits and Audit Selection
3.1 Nature of Audits
Audits performed by the CR department are grouped into the following categories:
a) Financial (Addendum A)
b) Medical Services for Documentation and Coding (Addendum B)
c) Privacy and security (Addendum C)
d) Research (Addendum D)
3.2 Audit Selection
The CR department establishes audit activities from several areas: the Office of Inspector
General (OIG) work plan, risk assessments, requests from a facility/department, trends in privacy
issues, etc. The level of risk is established based on the following guidelines:
3
Final Version 9-03-10
3.2.1 High Risk
a) Potential noncompliance to state or federal regulations
b) Government agency communication/correspondence
c) Allegation of abuse and/or neglect to a patient
d) Noncompliance to standards of care and/or quality indicators
e) Breach of protected health information (PHI)
f) Potential severe penalties
g) Cash loss and/or dollar value to include non-routine overpayments
h) Hotline calls and/or trends identified with a potential violation of code of conduct,
policy and/or regulations.
i) Identified materiality with a conflict of interest
j) Documentation and/or coding error rate less than 80% accurate
k) Overpayments greater than $100,000
l) Reputation capital
3.2.2. Medium Risk
m) Exit interviews alleging noncompliance to items in High Risk category
n) Potential violations of policy
o) Documentation and/or coding error rate less than 90%
p) Known problem areas based on nature of the problem, previous audits and outcomes.
q) Turnover of key personnel, addition of new functions, or significant increases in
activities.
r) Management concerns
s) Significant lapse of time since a high risk area was audited
3.2.3 Low Risk
t) Routine overpayments less than $25,000
u) Monitoring results based on previous audits.
v) Release of one individual record containing protected health information with limited
risk of further disclosure
Section 4: Audit Development & Process
4.1 Pre-Audit Discussion
The Vice President of CR or designee will assign audits appropriately to CR staff within their
area of expertise. Prior to the audit or review, members of the CR team, including management
and the assigned CR Auditor will define the objectives, general scope and background
information for the audit and record this information on the appropriate document. The
objective defines the purpose of the audit, while the scope defines the timeframe, population, and
methodology (statistical or non-statistical) needed for the audit. The background provides any
information involved that identified the issue, including any person(s) and the regulations
pertaining to the issue, if applicable.
The CR Auditor will then initiate the Audit Checklist (Addendum E). It is also their
responsibility to initiate and maintain contact with the individuals from the facility/department(s)
being audited. Effective communication at the beginning of the audit can materially influence
the atmosphere in which the audit is conducted.
4
Final Version 9-03-10
4.2 Initial Research and Pre-Audit Preparation
The CR auditor will collect and consider the following as he/she develops the audit:
a) Previous internal and external audits and/or reports.
b) Questionnaires or surveys
c) Policies and procedures
d) Contracts and/or Business Associate Agreements
e) Regulations, statutes, bylaws
f) Subject matter experts, e.g. coders, auditors, technical experts and/or legal
g) Research seminar materials or handbooks
h) Disclosed conflicts of interest
Section 5: Audit Methodology and Procedures
5.1 Fieldwork and Work Papers
Fieldwork is the process of gathering information for measurement and evaluation.
Work papers document the work the CR auditor has prepared and should be complete, accurate,
clear, legible, logical and support observations, testing, conclusions and recommendations.
Work papers will be maintained in an electronic format and filed in the subdirectory created and
titled for the audit project on the CR Intranet Hub page. The naming file convention for the
work papers is as follows: facility, mmddyyyy, “file description” (e.g., OIG Correspondence).
All created documents should have the electronic file name as a footer at the bottom of the paper.
Information that is protected by privacy laws should not be included in the work papers.
Personnel records and student records are protected by privacy laws. When these types of
records are reviewed in an audit; names, social security numbers, and other identifying
information should be expunged from the work papers.
Avoid including multiple choices of an item in the work papers or any item that is not necessary
to support the work performed and the findings and conclusions in the audit report.
5.2 Attorney-Client Privilege
The attorney-client privilege may be invoked and directed by internal or external legal counsel.
The definition of A/C privilege is to protect the privacy of the information exchanged between
an attorney and a client. Its objective is to encourage open and honest conversations that enable
an attorney to provide the best possible representation to the client.
5.3 Retention of Records
All correspondence, memoranda, and work papers will be maintained in accordance with the
Regional Health Document Retention Policy COC 8217-21. A permanent electronic copy of all
audits will be maintained in the appropriate folder on the CR Hub Page.
5.4 Audit Sampling
The type of sampling used is determined by the audit.
5
Final Version 9-03-10
5.4.1 OIG Claims Review
The OIG Claims Review procedures require a Discovery Sample of 50 sampling units to
be randomly selected for review. If the net financial error rate of those 50 sampling units
equals or exceeds 5%, then a Full Sample must be reviewed and a Systems Review
must be conducted. The Full Sample must include a sufficient number of sampling units
to yield results that estimate the overpayment in the population within a 90% confidence
and 25% precision level.
5.4.2 Statistical Sampling
The objective of statistical sampling is to employ random selection procedures to
eliminate the risk of bias and to permit quantification of sampling confidence. Statistical
sampling methods should be used when any of the following criteria apply:
Cost/benefit analyses support the additional costs and time required.
The use of the government approved RAT-STATS statistical software designed to assist
in the selection of random samples and evaluating the audit results.
Risk of a sampling error must be quantified.
5.4.3 Non-statistical Sampling
The objective of non-statistical sampling, also referred to as, a snapshot audit, is to
review a focused area that is non-statistical or judgment sampling.
a) If a system has weak controls that cannot be relied upon, it would also be wasteful to
spend a great deal of time performing extensive substantive tests.
b) The audit objectives are met by a non-statistical sample.
c) The population has no variability.
5.4.4 Sampling Definitions & Plans
Attributes: To estimate the attributes or characteristics of a population--obtaining "yes or
no" answers--with a measurable degree of reliability.
Variables: To estimate the value of a population--dollars, weights, time spans, or other
variables--with a measurable degree of reliability.
Discovery: To identify, through sampling, at least one suspected item and discontinue
sampling when the item is identified.
Judgment: To use samples for the purpose of obtaining information that need not be
attributed to the entire population with measured reliability.
In deciding which selection technique or sampling plan to use, the auditor should
consider these applications:
a) Random Numbers: Each of the items in the population is, or can readily be,
numbered.
b) Interval: Items are not or cannot be numbered or where random sampling would be
excessively expensive.
6
Final Version 9-03-10
c) Stratification: The population is composed of items that vary considerably in value or
in other characteristics of interest.
Section 6: Reporting
The Audit Report (Addendum F) will be completed after the audit examination fieldwork is
finished. The audit report includes:
a) A cover page with the title, fiscal year, date of report, and distribution list (template
located on the CR Intranet Hub.
b) Subsequent pages that contain the objectives, scope, background and
findings/recommendation summary.
c) Individual findings that address all recommendations to the finding.
d) Conclusion.
The Audit Report will be reviewed with the Vice President of CR or designee before distribution
to pertinent individuals and/or review at the exit conference. The Audit Report should have the
following characteristics:
a) Accuracy: the Audit Report should be completely factual with supportive references
whenever possible. Statements of fact must carry the assurance the CR auditor
personally observed or validated each fact in the report.
b) Clarity: the Audit Report should accurately express ideas that result in a thorough
understanding of that idea by the reader.
c) Conciseness: the Audit Report should eliminate anything that is superfluous, irrelevant,
or immaterial.
d) Tone: the Audit Report should have a positive tone and written courteously. Negative
situations presented in a positive manner usually produce positive results.
e) Tense: the Audit Report should be written in the past tense.
Section 7: Communication
7.1 Exit Conference
The Exit Conference is intended to formally present all of the audit findings and
recommendations to the Management of the audited department/facility. Management should
carefully review each finding to determine the accuracy of the facts presented. An agreement
should be reached to the facts presented and a clear understanding of the recommendations as
well as follow-up responsibility.
Audit findings will be presented formally in the audit report.
7.2 Monitoring
The CR department will conduct follow-up monitoring on the recommendations and/or
corrective action plans made for each finding. The nature of the follow-up is dictated by the
seriousness and complexity of the deficiencies noted and as appropriate, will be report to
executive management.
7
Final Version 9-03-10
Corporate Responsibility Audit Manual
Addendum A
Financial Audits
Items for potential review: The efficiency and effectiveness of all operations associated with
the audit issue may include a review of the following:
1) Departmental fiscal and operational procedures,
2) Controls and responsible recording of activities in such areas as, but not limited to:
a. the receipt, recording, deposit, and security over all cash receipts,
b. the write-off allowance of patient charges,
c. the procurement, receipt and payment of inventory and supplies,
d. interfaces between systems, and
e. the accuracy of internal and external reports.
3) Contracts with external entities and organizations
4) Security and control of equipment and facilities,
5) Recommendations and implementation from prior audits,
6) Compliance with system policies and procedures.
Approach to test and evaluate controls and procedures: CR will review all pertinent
information provided, including policies and procedures; interview necessary personnel; and
verify procedures.
Testing procedures are designed to verify the control’s existence and operational effectiveness.
The following table provides a summary of the types of tests that may be employed to verify the
control environment:
Audit stage
Type of procedure
Manual methods of gathering evidence include:
Control
testing
Tests of control
Observation, inspection, inquiry, re-performance and application as
prescribed by policies, procedures, rules, regulations and sound business
practice. (SAS 1, Section 320.55)
Tests of detail
Substantive
testing
Transaction testing, physical examination, inquiry of employees,
recalculation, confirmation, vouching, cut-off test.
Analytical procedure Reasonableness test, ratio analysis, scanning, roll-forward procedure,
comparison, benchmarking.
Flowcharts:
A flowchart is a method for documenting and understanding the flow of a system and for
identifying its control points. It is a pictorial description of how transactions flow through a
system. It visually communicates procedures and controls and the sequence in which they occur.
Processes can be easily analyzed for appropriate internal controls by documenting activities
chronically. The following guidelines should be followed in preparing flowcharts.
1) Prepare or update a flowchart for each audit, as applicable.
8
Final Version 9-03-10
2) Use appropriate design and flowchart symbols for the activity being analyzed.
3) Identify and document control points and respective sub-routines.
4) Prepare a narrative on control activities based on interviews with the auditee.
Space Requirements: Communicate the on-site office space needed, access to computers and
departmental staff with the auditee.
Time Required: Advise the auditee of a tentative start and finish dates which should include the
turn-around-time from the draft report to the exit conference.
Documentation Requests: Consider the need for access to financial, medical records, research
records, job descriptions, etc. and request the items well in advance.
Open communication: CR will work closely with designated personnel from the department to
ensure awareness of any concerns that might arise during the audit process.
9
Final Version 9-03-10
Corporate Responsibility Audit Manual
Addendum B
Medical Services
Corporate Responsibility’s Medical Services staff are responsible for the Professional Services
Monitoring audits, Claim Review audits and Probe audits.
A. Professional Services Monitoring Audits
1. The standard audit process will ensure audits are completed in an efficient and timely
manner in accordance with the schedule established by CR. Audit services will include,
but are not limited to, the following:
 Assess the coding accuracy as reflected in the medical record.
 Assess whether medical records are being completed correctly and in a timely manner.
 Evaluate services or items provided for reasonableness and medical necessity.
 Determine if medical records contain the required documentation to support the charges
billed.
 Identify areas of documentation that require education or improvement.
 Assess whether education provided resulted in improved documentation standards.
 Identify risks based upon regulatory and/or industry standards and develop
recommendations to mitigate the risks.
2. Audit Process
CR will audit 10 encounters per provider on a retrospective basis and include Clinic and
Hospital Evaluation and Management (E/M), and consultation services. Audits will be
coordinated with the Clinic Administrators and facility Coders to be conducted within
their respective facility where possible, and keep inconveniences to a minimum. Followup audits will be based upon the provider’s accuracy rates in accordance with the
following table:
Audit Score
100 - 90%
89 - 70%
69% below
Follow-up Audit
One year
6 months
Within three months
3. Audit Report and Communications
CR will provide audit reports and supplemental data to Regional Health Physicians
(RHP) in accordance with the following guidelines:
3.1 Audit Score of 90% or Greater
Audit review meetings will not be scheduled with Physicians whose Audit Score
is 90% or greater. Audit reports will be emailed to RHP for their review and use.
3.2 Audit Score Less than 90%
CR Auditors will provide a draft copy of the audit report to RHP for review and
allow two business days to respond with questions. Immediately following the
review period, a meeting will be scheduled with the Clinic Administrator,
10
Final Version 9-03-10
Provider, Coder and RHP representative to review the audit report and provide
education as appropriate. In the event the audit results cannot be reviewed in a
timely manner with the provider due to unavailability within three weeks after the
audit has been completed, the Audit Report will be given to Dr. Reyno.
B. Claims Review Audits
The OIG Claims Review procedures require a Discovery Sample of 50 sampling units to be
randomly selected for review. If the net financial error rate of those 50 sampling units equals
or exceeds 5%, then a Full Sample must be reviewed and a Systems Review must be
conducted. The Full Sample must include a sufficient number of sampling units to yield
results that estimate the overpayment in the population within a 90% confidence and 25%
precision level.
The purpose of conducting a Discovery Sample as part of the Claims Review is to determine
the net financial error rate of the sample that is selected. If the net financial error rate equals
or exceeds 5%, the results of the Discovery Sample are used to determine the Full Sample
size. The Full Sample size is based on an estimate of the variability of the overpayment
amount in the population from which the sample was drawn. The results of the Discovery
Sample allow the reviewer to estimate how many sample units need to be reviewed in order
to estimate the overpayment in the population within certain confidence and precision levels
(e.g., generally, a 90% confidence and 25% precision level).
C. Probe Audits
Probe audits are performed to identify potential issues reported by Regional Health staff,
audit contractors or any other agency. In the event an issue is identified through the probe
review, the audit process will be followed according to the Audit Manual.
D. Reviews with Multiple CPT Codes
It is important when performing audits where multiple CPT/ICD codes are used to help
identify any potential issues or risks to compile a report that will separate per year and
per CPT/ICD code. Utilizing RatStats, the sample would be selected utilizing the 90%
confidence and 25% precision level or a statistical valid sampling.
11
Final Version 9-03-10
Corporate Responsibility Audit Manual
Addendum C
Privacy and Security Audit
Privacy and Security Audits are conducted to oversee Regional Health’s (RH) compliance with
the HIPAA Privacy and Security Rules.
Audit Types:
A.
Electronic Audits: Monitor access to RH patient’s protected health information(PHI) or
confidential business information.
1. Access Audits
a.
Random access audits may be conducted on electronic applications. Areas of
interest may include but are not limited to:
1. VIP patients as identified in Meditech by Admissions
2. Confidential patients
b. Focused access audit will be conducted on an “as needed” basis. Audit areas
include, but are not limited to:
1.
2.
3.
4.
5.
Patient/Employee complaints
Hotline/Reports
High profile/media patients
Information Security audits
Breach Notification Complaints
c. Procedure: See Addendum C.1 - Security and Privacy Access Audit
Flowsheet
B. Physical Audits: Monitor RH’s physical and technical safeguards for protecting patient’s
PHI and business data by conducting walk-thru audits.
Reporting:


As appropriate, audit results will be reported to Human Resources and/or Legal Services.
Breach logs must be reported annually to the Office of Civil Rights.
12
Final Version 9-03-10
Corporate Responsibility Audit Manual
Addendum D
Research Audits
As a means of evaluating responsible conduct of research compliance, the Research Compliance
Analyst will conduct internal audits, which are designed to identify standards of excellence and
potential areas for improvement in order to promote a solid foundation for the conduct of human
subjects’ research. Internal audits may be conducted on a routine basis or as requested by
Principle Investigators (PIs), Research Staff or the Institutional Review Board (IRB). PI/Staff or
IRB requests for audit are to be submitted directly to the Research Compliance Analyst via
phone, e-mail or written correspondence.
All human research approved by the IRB and conducted at Regional Health (RH) may undergo
internal audit in order to assure the protection of human research participants and compliance
with Federal regulations, state and local law, IRB policies and procedures, and RH’s FWA with
OHRP. The purpose of an internal audit is to:
 Assess adherence to Federal regulations as defined by OHRP and FDA.
 Assess adherence to RH IRB policies and procedures.
 Assess adherence to local and state laws and regulations.
 Determine that the rights and safety of human research participants have been properly
protected.
 Provide education to investigators.
The focus of the audit may be range from a complete review of the study (full) or specific
elements of the research process (partial). Requested audits may be full or partial dependent
upon the specificity of the request. Routine audits will be conducted monthly and will be subject
to a full study audit. The study(ies) chosen for routine audit will be randomly selected from the
IRB Agenda. Studies eligible for routine audit selection shall include non-sponsored studies,
studies subject to full IRB review, and studies having had at least one continuing review. At
least one study will be selected for routine audit each month. Time allowed, additional studies
may be chosen.
As sponsored research studies are already heavily monitored, they will be eliminated from
routine audit selections. The Corporate Responsibility Department requests that all external
monitoring activity be reported to the Research Compliance Analyst. The Research Compliance
Analyst will compile the findings from the external audit(s) and review for potential trends.
Specific trends identified will result in partial audits being conducted; however, if warranted by
external audit findings, full study review may be required.
Topics to be reviewed during a full study audit, are included in (but may not be limited to) the
Research Integrity Audit Checklist. IRB files will be retrieved from the Integrated Research
Informational System (iRIS) program. Additional study documentation and participant files will
be obtained at the research sites. Based upon the study’s enrollment count, the sample size of
participant file to be reviewed will be chosen using the RAT-STATS statistical software.
13
Final Version 9-03-10
The IRB office and member activities will be audited annually. A retrospective audit will be
conducted on the activities included within the convened meeting minutes of a randomly selected
month. The audit will include, but may not be limited to, the topics included with the Research
Integrity Audit Checklist.
14
Final Version 9-03-10
Corporate Responsibility Audit Manual
Addendum E
Corporate Responsibility Audit Checklist
Date
Completed
Initials
Planning (Plan)
 Pre-audit discussion
 Initial research and pre-audit preparation
 Develop audit methodology
 Opening Conference (as applicable)
 Distribute “You’re Having an Audit” Q&A sheet to the
department (as applicable)
Fieldwork (Do)
 Complete audit procedures
 Complete working papers
Tie-out (Check)
 Walk through audit concerns with V.P. or designee
 Update Permanent File With Current Working papers and
Correspondence
Reporting (Act)
 Draft audit report
 Review with V.P. or designee
 Exit Conference (as applicable)
 Revisions, if Necessary
 Final Report
 Need for monitoring
15
Final Version 9-03-10
Addendum F
Title
FY10
INITIALS OF PREPARER
DATE
CONFIDENTIAL
Distribution
List:
Names of persons
Shawn DeGroot, Vice President of Corporate Responsibility
Carla Texel, Director of Corporate Responsibility
16
Final Version 9-03-10
AUDIT REPORT
OBJECTIVE:
SCOPE:
BACKGROUND:
Findings and recommendations
A.1:
Finding A.1:
Recommendation A.1:
Monitoring A.1:
A.2:
Finding A.2:
Recommendation A.2:
Monitoring A.2:
A.3:
Finding A.3:
Recommendation A.3:
Monitoring A.3:
CONCLUSION:
17
Final Version 9-03-10