How to Effectively Understand, Integrate and Cover IT Risk Functions for Audit Analytics within the Healthcare Industry Dieu Tran, CISA, CISSP, GNSA, CRISC Director, Business Risk. Mercy Health Nigel Matthews, CA, ACDA Professional Services Group, ACL Services Ltd Speaker Biography Dieu Tran, CISA, CISSP, GSNA, CRISC is Director at Business Risk Services Mercy Health where he provides the insight and consulting guidance to comply with regulatory and operational standards for IT Security. His experience transcends both the internal and public auditing communities. Prior to joining Mercy Health, Tran was the Supervisor of IT Audit & Network Security for Brown Smith Wallace, where he oversaw IT audit function and the network security practice. Tran’s Senior IT Auditor experience includes ventures with Rubin Brown, LLP; SBC and Deloitte and Touche. Dieu is a Certified Information Systems Security Professional (CISSP) and is an active member of both the Information Systems Audit and Control Association (ISACA) and the Institute of Internal Auditors (IIA). Dieu studied Business with an emphasis in Marketing/Management and received his B.S.B.A. from the University of Missouri St. Louis. Dieu has spoken at numerous industry events, most recently at The IIA’s GAM conference. Speaker Biography Nigel Matthews is Business Manager, Channel and Internal Delivery at ACL Services Ltd. He has been a change agent for audit and business assurance for over twenty years. He is responsible for developing and maintaining the technical competency of ACL’s consulting, training and support solutions teams around the world. Nigel has led audit process transformation, audit technology and continuous controls monitoring implementations at organizations in North America, Europe, the Middle East, Africa and Asia. He has worked with ACL customers in financial services and banking, insurance, healthcare, telecommunications, utilities, education, natural resources, and all levels of government. Prior to joining ACL, Nigel was a manager and senior consultant at Ernst & Young, where he provided audit services focusing on the financial services and utilities sectors, and advised clients on forensic accounting and information technology matters. Nigel is a member of the Canadian Institute of Chartered Accountants and holds a degree in Civil Engineering from the University of British Columbia. He is a frequent speaker on audit process and technology topics at industry gatherings and ACL customer events. Agenda            Introductions Mercy (Who we are) Challenges of Risk Management Big Picture – Developing a Business Case The Healthcare Top 5 Implementation Approach Establish Finance & Revenue Mgmt with IT HIPAA Successes Going Forward Questions Introductions  Nigel Matthews   Designations – CA, ACDA Experience  ACL Services Ltd. (analytics software provider)     Consulting and training programs Project management & client delivery Product management Big 4 Experience (E&Y)    IT audit Forensic investigations Analytics for audit and beyond Introductions  Dieu Tran – Director, Business Risk   Designations – CISA, CISSP, GNSA, CRISC Experience     IT Director Big 4 Experience (Deloitte & Touche) Internal Audit (SBC/AT&T) Regional Public Accounting Firms  IT Audit  Network Security (focused on network vulnerability and network penetration testing) Mercy Health • • • • 8th largest catholic healthcare system in the US Aprox. $4 billion in revenues 28 acute care hospitals Operates in seven-state area encompassing Arkansas, Kansas, Louisiana, Mississippi, Missouri, Oklahoma and Texas • Aprox 36,900 staff and 4,650 physicians Challenges of Risk Management • • • • • Leadership Security Concerns Fraud Prevention Compliance Challenging Technical Environment Challenges of Risk Management • IT burdened with ad hoc request data • Incomplete data, duplicate requests • Difficult to review results and ensure consistency • Changing Issues – Medicare/Medicaid, meaningful use, value based purchasing, and HIPAA How can we make others see the big picture? Develop the Business Case Pick Your Argument: • The “efficiency” play: – Expanded coverage using the same resources – Reduced FTE’s, additional $$ recognized from continuous monitoring strategies • The “effectiveness” play: – – – – Improved/better targeted control testing Savings initiatives Fraud management efforts Compliance imperatives - HIPAA Develop the Business Case Identify your stakeholders: • Business and finance teams • Medical teams • Risk assurance & audit teams • IT & systems management What’s in it for them? How would they measure success? The Healthcare Top 5: 1. Who’s really accessing patient records systems? – both holistically and for “high profile” patient records 2. Are we billing and collecting the revenue we’re entitled to? e.g. unbilled, rejected, data quality issues synching gaps between systems. 3. The OIG List – Are we unwittingly transacting with sanctioned providers? 4. Billing compliance – do billings comply with government and insurer rules? DRG coding, readmissions, for example! 5. Vendor management – duplicate vendors  duplicate payments! Implementation Approach Technology People Process Implementation Approach • Complete all technical setup and test functionality • Prioritize projects • Engage process owners • Training Establish Finance & Revenue Management with IT • Automate Manual Practices – Joining data cross systems • Maintain Data Integrity – Data comparisons/validation between multiple systems • Increase Efficiency – Automate exception reporting Health Insurance Portability and Accountability Act “The purpose of HIPAA is to prevent inappropriate use an disclosure of individuals‘ health information and to require organizations which use health information to protect that information and the systems which store, transmit, and process it.” Department of Medical Assistant Services, Government of Virginia HIPPA Compliance • Leverage Analytics – Continuous Auditing • OIG/EPLS – Continuous Monitoring • Patient records (inappropriate access) Measuring Success • Timely access to data • Reduced FTE hours performing manual processes • Revenue leakage identified • Process improvements Going Forward • Continued education to the organization on the power of analytics technology • Continue to measure and success & document ROI • Integrate audit analytics into all projects for smarter auditing • Think of analytics as a process, not a cottage industry – Results management is critical! – Hire & develop people with analytic skills Contact Information Dieu Tran dieu.tran@mercy.net Nigel Matthews nigel_matthews@acl.com www.acl.com http://twitter.com/ACLServices http://www.facebook.com/ACLServices Collaborate – Contribute – Connect http://www.isaca.org/Knowledge-Center The Knowledge Center is a collection of resources and online communities that connect ISACA members – globally, across industries and by professional focus - under one umbrella. Add or reply to a discussion, post a document or link, connect with other ISACA members, or create a wiki by participating in a community today!