| Fiscal Year 2001 Audit Plan | ||||
| Audit/Project | Budgeted Hours | % of Total | Description of Scope | |
| Key Financial and Operating Audits | ||||
| Accounts Receivable - Hospital and Other General | 610 | The objective of this audit is to evaluate the adequacy of the controls within the A/R process that ensure 1) bills are processed accurately and timely; 2) payments, adjustments and write-offs are accurate, complete and timely; 3) collection activities are monitored for effectiveness; 4) practices comply with applicable policies (e.g. BPM 36); and 5) job responsibilities are properly segregated in both manual and automated processes. | ||
| Inpatient Professional Fee Charge Capture | 610 | The objective of this audit is to evaluate the effectiveness and efficiency of the processes in place for capturing and processing inpatient professional charges. Scope considerations include, but are not limited to, the completeness, accuracy, and timeliness of the current processes. | ||
| Pharmacy Inventory Management and Charge Capture | 752 | The objective of this audit is to assess the effectiveness and efficiency of key business processes within the Pharmacy operation. Scope considerations include, but are not limited to, inventory management, drug distribution, controlled substance management, and charge capture. | ||
| MSRDP Expenditures | 511 | The objective of this audit is to assess the overall process for planning, budgeting, reporting and monitoring MSRDP expenditures. Scope considerations include, but are not limited to, the long-range planning process, annual budgeting process, monitoring expenditure performance, reporting reliable expenditure data, and reviewing non-payroll expenditures for compliance with MSRDP By-laws and BPMs. | ||
| Family Practice Residency Program | 215 | The objective of this audit is to ensure that Family Practice Residency Program funds were expended in accordance with program guidelines and that the Annual Financial Report, provided to the Texas Higher Education Coordinating Board, presents fairly the amounts for which program funds were expended. | ||
| Procurement Card Control Review | 205 | The objective of this audit is to assess the adequacy of the controls associated with the ProCard procurement process. Scope considerations include, but are not limited to, controls that ensure expenditures are appropriate and properly supported (including segregation of duties), bills are accurate and reconciled with departmental records, payments are timely, and applicable policies and procedures are followed. | ||
| Electronic Time Capture System | 505 | The objective of this audit is to assess the adequacy of the controls within the ETC process that ensure time and attendance information is accurately captured, processed and passed to the Payroll system. Scope considerations include, but are not limited to, time entry (clockins/outs), the approval and documentation process for time corrections/adjustments, bi-weekly time processing to Payroll, and monitoring for compliance with policies and procedures. | ||
| ARP/ATP Grant Review | 215 | The objective of this required biennial review is to review grant expenditures to provide assurance to the Texas Higher Education Coordinating Board that ARP/ATP grant funds are being used for the purposes intended. | ||
| Key Financial and Operating Information Subtotal | 3623 | 18% | ||
| Institutional Compliance | ||||
| Institutional Compliance Program Effectiveness Review | 400 | In FY 1999, Audit Services conducted a design review of the Institutional Compliance Program (ICP). The objective of the FY 2001 project is to review and assess the effectiveness of the ICP based on guidelines and expectations of UTMB management, UT System, and industry standards. | ||
| Ambulatory Payment Classification (APC) Design Review | 475 | The objective of this project is to review the adequacy of the key business processes that facilitate proper reimbursement based on Ambulatory Payment Classifications under Medicare's Outpatient Prospective Payment System. Scope considerations include, but are not limited to, documentation of services rendered, coding accuracy, modifier assignment, training efforts, and implementation design. | ||
| Professional Fee Billing Design Review | 170 | The objective of this project is to review the monitoring plan and processes currently being established to provide pre-submission coding reviews for professional fees. | ||
| Institutional Compliance Training Design and Effectiveness Review | 170 | The objective of this review is to assess the programs planned and in place to coordinate, plan, create, deliver, and monitor compliance training for all UTMB physicians, faculty and staff. | ||
| Research -- A-21 Issues Design and Effectiveness Review | 600 | The objective of this review is to assess the design of the ICP Program to ensure the program will address all significant compliance risks in the areas of research costs and time and effort reporting on federal projects. | ||
| Health Insurance Portability and Accountability Act (HIPAA) | 175 | At management's request, Audit Services (particularly the Health Information Auditor) will participate in various aspects of HIPAA readiness preparation. This may include design and implementation reviews of specific elements of the HIPAA requirements. IT Audit work is also included and discussed in the Information Technology Audits section below. | ||
| Compliance Progress Reviews | Audit Services has agreed to perform Compliance Progress Reviews (CPR) for the Institutional Compliance Program (ICP), focusing on the high-risk areas in the Compliance Plan. Objectives in each CPR will generally include a review of progress reports submitted by the respective areas to the ICP and appropriate validation of actions reported. An objective of each CPR will be to determine readiness of the high-risk area for future monitoring or audit review. | |||
| Hospital Billing Charge Master Description | 230 | |||
| EMTALA | 220 | |||
| Health Information | 180 | |||
| Background Checks | 77 | |||
| Environmental Health and Safety | 85 | |||
| Compliance Progress Reviews To Be Determined | 205 | |||
| Institutional Compliance Subtotal | 2987 | 14% | ||
| Information Technology Audits | ||||
| General Controls Review | ||||
| HIPAA | 500 | To review and provide assurance that UTMB's plans to address the issues related to the Health Insurance Portability and Accountability Act of 1996 are responsive to the approaching deadlines approved by legislation. | ||
| Information Technology Infrastructure Initiative (ITII) | 300 | The objective of this audit is to ensure that roles and responsibilities of third parties are clearly defined, service levels are defined, measurable and monitored, and that the third-party services are in compliance with UTMB policies and regulations. | ||
| Master Domain Name Server | 500 | This project will include a review of access controls, backup and recovery procedures, audit trails, system parameters, policies and other system administration monitoring capabilities. Also, it will review controls that ensure the reliability and integrity of information and safeguarding of assets. | ||
| Change Control Review for the SMS Mainframe Products | 300 | This audit will cover system software implementation controls which include controls over the design of new software, testing of the software, placing the approved software into production and ensuring all impacted system and application software and data are properly converted and verified prior to implementation. | ||
| IT Standards, Training and Accountability | 300 | We will assist management in ensuring that all personnel in the organization have and know their roles and responsibilities in relation to information systems. All personnel should have sufficient authority to exercise the role and responsibility assigned to them. Everyone should be made aware that they have some degree of responsibility for internal control and security. Consequently, regular campaigns will be organized and undertaken to increase awareness and discipline. Assessments will be performed after expectations have been communicated. | ||
| Viruses Prevention and Response | 200 | To review management's established framework of adequate preventative, detective and corrective control measures to address the response to viruses and malicious software code. | ||
| Intrusion Detection and Monitoring | 350 | This audit will review management's approach to proactively monitoring the network for intrusions, handling and responding to the incidents, and training security administrators to deal with intrusions, policies, and reporting. | ||
| Clin Web | 450 | This review will include a review of access controls, backup and recovery procedures, audit trails, system parameters, and the transmission of secured transactions on the Web. Also, it will review the controls that ensure the reliability and integrity of information and safeguarding of assets. | ||
| Institutional eMail Systems | 350 | This review will include a review of usage policies, access controls, backup and recovery procedures, audit trails, system parameters, monitoring, and system administration practices. It will also review the controls that ensure the reliability and integrity of information and safeguarding of assets. | ||
| Application Reviews | ||||
| IS Support for General Audits | 200 | IS auditors will assist general and medical auditors on their reviews of application systems. | ||
| System Development and Life Cycle Reviews | ||||
| eCommerce | 200 | Our objective is to facilitate efforts to ensure that proper controls are designed and implemented to achieve a successful completion and implementation of an eCommerce solution. | ||
| Business Systems Replacement | 200 | Our objective is to facilitate efforts to ensure that proper controls are designed and implemented to achieve a successful completion and implementation of new business systems at UTMB to support the needs of the business units. | ||
| Smart Cards | 100 | Our objective is to facilitate efforts to ensure that proper controls are designed and implemented to achieve a successful completion and implementation of a new security infrastructure and digital signatures. | ||
| Courion | 100 | Our objective is to facilitate efforts to ensure that proper controls are designed and implemented to achieve a successful completion and implementation of a secure method for end users to reset their passwords through an automated process. | ||
| Information Resource Access | 100 | Our objective is to facilitate efforts to ensure that proper controls are designed and implemented to achieve a successful completion and implementation of a secure automated method of granting access to employees to the resources they need to do their job. | ||
| Other IT Non-Administrative Projects | ||||
| Technical Assistance/Unplanned Projects | 200 | |||
| Long Term Planning and Risk Assessment | 100 | |||
| Task Force Committees | 100 | |||
| AS Network Management and Support | 300 | |||
| Information Technology Subtotal | 4850 | 23% | ||
| Risk Based Audits | ||||
| Institutional Review Board | 619 | The objective of this audit is to evaluate the effectiveness of the Institutional Review Board's infrastructure. Scope considerations include, but are not limited to, the board's composition, authority & sanction power, research protocol review process, reporting structure, and monitoring process. | ||
| Patient Registration | 855 | The objective of this audit is to assess the effectiveness and efficiency of the patient registration process. Scope considerations include, but are not limited to, insurance verification, co-payment and deposit determination and collection, pre-certification obtainment, and financial class assignment. | ||
| Facilitated Self Assessments | 1260 | Eleven facilitated assessments are planned. During each session Audit Services will facilitate management’s self-assessment of how well they are managing their risks in comparison to industry standards, best practices, and specific governing requirements. In cases where there is a significant performance gap, management will be asked to develop action plans to adequately reduce its level of exposure. Audit Services will perform ongoing monitoring of the status of these action plans. In cases where the results of the assessment sessions indicate that risk management practices are adequately controlling risks, Audit Services will consider these operational areas as potential candidates for the current or subsequent year’s work plan. | ||
| Health Information Audits | ||||
| Health Information Management Department | 470 | The objective of this audit is to evaluate the effectiveness and efficiency of the key operational processes within the Health Information Management Department. Scope considerations include, but are not limited to, loose report processing, record retrieval and management, release of information, quality assurance, coding, and cancer registry management. | ||
| Health Information in Mission Critical Systems | 500 | The objective of this audit is to assess the reliability of the flow of health information between various "Mission Critical" information systems, patient medical records, and other key health information repositories. This audit will also assess the processes in place for managing access, use, and control of health information contained in these automated systems. Scope considerations include, but are not limited to, the following systems: ClinWeb, IDXRad, Cerner, Enterprise Express, Practice Partner, and 3M Code 3. | ||
| Risk Based Audits Subtotal | 3704 | 18% | ||
| Projects | ||||
| UT System Requests | ||||
| Cost Savings Report | 175 | |||
| Information Requests | 190 | |||
| Follow-up Activities | 380 | |||
| Quality Assurance Review - Internal | 180 | |||
| Special Requests | ||||
| Training on Internal Ctrls/Departmental Financial Ctrl Accountability | 620 | |||
| Participation in Planning/Design of Control Systems | ||||
| Financial Reporting/Business Systems Replacement | 222 | |||
| E-Commerce/E-Procurement | 222 | |||
| Data Extraction for Audits | 125 | |||
| Management Advisory Services and Consulting | 338 | |||
| Investigations | 480 | |||
| Service Delivery Support | 1324 | |||
| FY 2000 Carry Forwards | 179 | |||
| Reserve for Unanticipated Projects | 715 | |||
| Projects Subtotal | 5150 | 25% | ||
| Change in Mgmt. Departmental Audits | ||||
| Areas To Be Determined | 350 | |||
| Departmental Audits Subtotal | 350 | 2% | ||
| Total Audit and Project Hours | 20664 | 100% | ||