Auditing Your Program and Developing Initiatives. Helen Streck President/CEO. Workshop Agenda. Introductions Understanding Audits Lifecycle and Elements of an Audit Planning and Scoping Your Audit Findings and Developing Initiatives.
Auditing Your Program and Developing Initiatives Helen Streck President/CEO
Workshop Agenda • Introductions • Understanding Audits • Lifecycle and Elements of an Audit • Planning and Scoping Your Audit • Findings and Developing Initiatives
Introduction • Importance of Good Recordkeeping • Values for a RIM Program • Knowing Your Requirements • Strategic Review of Risks • Drivers for Continuous Improvement • Auditing’s Input
Value of RIM If information is a key asset to an organization, then RIM: • Establishes the controls for compliance • Improves efficiency • Element of reasonableness • Removes costs when value no longer exists • Facilitates effective/efficient decision making • Improves system performance
Knowing Your Requirements • SEC 17-A, sections 3 & 4 • HIPAA • Government Paperwork Elimination Act • FACTA • USA Patriot Act • NASD 3110 • Check 21 • NASD 3010 • NYSE 342 • Gramm-Leach-Bliley Act • Sarbanes-Oxley Act
Drivers for Continuous Improvement • Industry Competition • Data Storage Costs • Excessive Costs of eDiscovery – Obsolete Data • Rising Costs of Human Labor • “Personalization” of Information • Increased Regulations and Inspections • Over-Regulating
Using Audits for Improvement This session will focus on how to plan and use an audit to help a RIM Program build the improved services that meet the need for continuous improvement.
Defining an Audit A RIM audit is an independent, objective activity designed to “add value and improve” an organization’s operations for creating and managing information.
Understanding Audits • Independent Objective Evaluation • Provide Assurances • Compliance • Efficiencies • Effectiveness • Evaluates • Governance • Controls • Risk Management
Auditing Characteristics • Holistic Approach • Consistent with Org’s Mission and Goals • Prioritized on a Risk-Based Approach • Conducted Routinely • Outside-Looking-In View
Audit’s Value Statement • Proves controls via documentation and evaluation • Checks for controls that reduce or eliminate unabated information growth • Ensures the application of rules that eliminate obsolete information that may be discoverable • Determines the effectiveness of procedures • Identifies isolated instances of duplication
Evaluating Risk Exposure • Audits must evaluate risk exposure • Reliability and Integrity of Information • Effectiveness of Programs and Services • Efficiency of Operations • Safeguards of the Information Assets • Compliance with Laws, Regulations, Policies
Risks with Poor RIM Programs • Loss of Intellectual Property • Delayed Decision-making/Filings • Increased Technology Costs • Increased eDiscovery Costs/Penalties • Poor System/Operational Responsiveness • Decreased Competitiveness • Unmanaged Liability
Using Industry Standards • Use industry standards and best practices to benchmark • GARP • ISO and ANSI standards • Best Practices • Sedona Principles
Elements of Compliant Programs • Accountability • Integrity • Information protection • Compliance • Information is available • Retention • Disposition • Transparency Generally Accepted Recordkeeping Practices www.arma.org
Audit Cycle [Figure: cycle diagram with the stages Planning, Preparation, Performance, Reporting, Follow-up]
Steps in an Audit • Planning • Define purpose, scope, criteria and objectives • Prioritize based on risk
The Purpose • Start with defining the purpose of the audit – sets the tone • Looking for mistakes • Complying with requirements • Seeking opportunities to improve • Define the expected outcomes • What are the actions to follow
The Purpose • Why • To meet regulatory requirements • To verify the controls established to protect PHI • To check the processes that document the use of public funds • Outcomes • Report of evaluation and findings • Findings are prioritized as high, medium or low, with high being the most severe • Actions • Develop corrective plan (initiatives) with timelines
Exercise One Based on the previous discussion of the benefits and purpose of an audit – In Groups of 2-3 Define the purpose of an audit for your RIM Program
Audit Objectives • Relate the elements of your program to the Corporate goal • Examples of objectives include • To determine the level of protection taken and routinely followed to protect paper records • To assess management’s commitment by assignments and participation on the Steering Committee • To measure the rate of the department’s completion of the RIM learning course
Set Criteria Ratings Next determine what you must have: • What program elements are critical • What program elements are important to have • What program elements are preferred but you could live without
Set Criteria Ratings: Important, Critical, Preferred • Program has mission and vision statement • Program mission and vision statement endorsed by executives • Mission and vision statement are published for employees to access and see • Program mission statement is included in business unit’s goals and mission
Decide on Ratings Based on risk factors and known requirements how does the current documentation and practices measure up to the criteria? • Satisfactory • Needs Improvement • Unsatisfactory • N/A
Steps in an Audit • Planning • Define scope, criteria, and objectives • Prioritize based on risk • Preparation • Create a checklist – what do you want them to produce for you to review • What is required by law to have • Submit checklist, questions and document request to the group being audited • Performance • Collect and review physical and electronic recordkeeping documentation • Conduct interview(s) with department(s) personnel as necessary
Steps in Performing an Audit • Ask the Department to identify your contact – Records Coordinator, Management – someone who can answer questions • Send checklist (what is being covered) in advance to contact • Obtain the list of names of employees to interview in advance • Schedule meetings with interviewees • Prepare a list of documents you want the department to provide you for review
Steps in an Audit • Planning • Define scope, criteria, and objectives • Prioritize based on risk • Preparation • Create a checklist – what do you want them to produce for you to review • What is required by law to have • Submit checklist, questions and document request to the group being audited • Performance • Collect and review physical and electronic recordkeeping documentation • Conduct interview(s) with department(s) personnel as necessary • Reporting • Draft Findings Report • Discuss steps for improvement • Recommend Timelines – be realistic • Follow-up
Using Audits for Improvement • Reviewing the risk, compliance requirements • Learning to rank initiatives • Understanding the resource requirements needed • Using a “Triage” approach
Triage Approach: General Description • Develops a plan that prioritizes the most pressing matters so that they receive immediate attention. • Places longer term goals on a drawing board to be reviewed with more analysis without pressure. • Postpones tasks that are of low risk and not urgent to the last phase of the project. Triage approach prioritizes the needs and risks of the project into manageable groups.
Triage Approach: General Description • Provides a means for “building onto” a Program by ensuring the correct components are done first. • Allows the Program owner to measure success and “see” definable improvements and not wait on project completion to be successful. • Separates project components based on risk and need so that items which are most critical get the immediate attention to reduce existing or potential risks.
Prioritize Like Emergency Room • Stop The Bleeding • RIM initiatives that address the immediate findings to achieve compliance
Levels of Process Improvements • Stop the Bleeding • RIM initiatives that address the immediate findings to achieve compliance • Treat The Underlying Cause(s) • Address the root symptoms • Establish Preventive Measures • Long-term initiatives and projects involving multiple stakeholders, resources and automation to prevent future problems • Create Ongoing Efficiencies • As systems are operating smoothly and consistently, opportunities for streamlining arise