Compliance Effectiveness Assessments. Georgia Hospital Association Compliance Officers Retreat September 3, 2014. Shannon Sumner, CPA Principal. Presentation Objectives. Leading Practices in Compliance Programs Self Assessment Process Highlight Leading Practices in the Seven Elements
Compliance Effectiveness Assessments Georgia Hospital Association Compliance Officers Retreat September 3, 2014 Shannon Sumner, CPA Principal
Presentation Objectives
• Leading Practices in Compliance Programs
• Self Assessment Process
• Highlight Leading Practices in the Seven Elements
• Self Assessment Resources

Audience Questions – Experience
• New to Compliance Role (less than 1 year)
• In Honeymoon Phase (1-3 years)
• In Formative Years (4-5 years)
• Hitting Your Stride (6-10 years)
• Been There, Done That (>10 years)

Audience Questions – Size of Compliance Team
• Me, Myself, and I (1 person)
• Just the Two of Us (2 people)
• See No Evil, Hear No Evil, Speak No Evil (3 people)
• We are Family (4-5 people)
• Seriously? (>5 people)

Audience Questions – Duties
• Vanilla - Compliance Only
• Swirl - Internal Audit and Compliance
• Rocky Road - Everything!!
Headlines Hospitals must address employee fraud reports with procedural fairness
Self Assessment Process
• There is not one single best Compliance Assessment Tool!
• Collaborate with Internal Audit where possible.
• Partner with another Compliance Officer – peer review.
• Recommend Scoring Tool:
  • Facilitates Education and Training.
  • Facilitates Trending by Area.

Key Questions to Ask
• How would you rate your own Compliance Program (Scale 1 – 5, 5 Highest)?
• When was the last time your Compliance Program was audited?
• Have you called your organization’s Compliance Hot Line?
• If someone in your organization is asked “Who is the Compliance Officer?” would they know what to say?
• Does your Audit/Compliance Committee ask tough questions? Are they engaged?
• Are you aware of (maintain a listing) all outsourced services and vendors?

Key Questions to Ask
• Are you aware of all of the joint ventures within your organization?
• Are you copied on all internal audit reports?
• Does your organization have a Fraud Policy and investigation protocol?
• Are you involved in exit interviews for all senior executives and other high risk areas?
• Do you receive a copy of the external audit Management Letter Comments?
• How comfortable are you that all Conflicts of Interest have been disclosed by Management, Governance, and Physicians?

Effectiveness Red Flags
• The Compliance Work Plan has a lot of “Plan to…” line items
• Little to no Hotline Activity
• No history of Compliance Effectiveness Assessments by outside parties
• No questions are asked by Compliance/Audit Committee members
• Auditing error percentages consistently high (>5%)
• Compliance Risk Assessment is conducted in a vacuum
• The Compliance Officer is not aware of the organization’s risk appetite/tolerance
• The Compliance Team has not received compliance specific education
• Action plans are consistently past due
• Risks identified through risk assessment are not addressed (internally or externally)
• Compliance is not advised of what may appear to be “routine” thefts or other human resource issues
High Level Oversight
Boards May Use Compliance as a Defense Strategy; Feds Expect More Oversight
“Board members are increasingly entering the compliance fray, and five years from now compliance will have the same level of board oversight as the organization’s finances, a former federal prosecutor says. As regulators, prosecutors, stockholders and other stakeholders demand more from boards, they are asking management, including compliance officers, for more evidence that the compliance program is accomplishing its goals instead of merely rubber-stamping reports.”
– Report on Medicare Compliance, August 4, 2014
I - High Level Oversight Risk Expected Control
I - High Level Oversight (Cont’d) Risk Expected Control
I - High Level Oversight (Cont’d) Risk Expected Control
II - Policies and Procedures Risk Expected Control
II - Policies and Procedures (Cont’d) Risk Expected Control
III - Open Lines of Communication Risk Expected Control
IV - Training and Education Risk Expected Control
IV - Training and Education (Cont’d) Risk Expected Control
V - Monitoring and Auditing Risk Expected Control
VI - Response to Deficiencies Risk Expected Control
VII - Consistent Enforcement Risk Expected Control
Self-Assessment Resources https://www.cms.gov/Medicare/Compliance-and-Audits/Part-C-and-Part-D-Compliance-and-Audits/Downloads/Compliance-Program-Effectiveness-Self-Assessment-Questionnaire.pdf
Self Assessment Resources http://oig.hhs.gov/compliance/compliance-guidance/docs/Health_Care_Directors_Compliance_Duties.pdf
Self Assessment Resources Health Care Compliance Association http://www.hcca-info.org
Thank You! Shannon Sumner, CPA Principal ssumner@pyapc.com (865) 673-0844