Continuous Auditing & the Search for Fraud Presented to: The Association of Governmental Accountants by: Charles W. Lawver, Virginia DMAS October 20 , 2009. Introduction.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Continuous Auditing & the Search for FraudPresented to:The Association of Governmental Accountantsby:Charles W. Lawver, Virginia DMASOctober 20, 2009
The Virginia Department of Medical Assistance Services (DMAS) administers the Federal & State sponsored health care programs for eligible persons with limited income and resources. These programs include Medicaid, Family Access to Medical Insurance Security (FAMIS), Medical Assistance for Low Income Children (FMIS Plus) and a number of other programs benefiting children, the aged, blind and disabled:
The number of Virginians 65 and older will increase 5 times faster than the general population over the next 10 years.
Access to health care for uninsured children is a DMAS priority.
Opportunity: Fraud Auditing Timely Enough to Make a Difference
--The Internal Control Evaluation System (ICE), an Access data base application listing internal controls and related management objectives for all 144 DMAS business processes. ICE contains a full risk assessment and scoring module, work paper templates and audit control reports.
--It also tracks and reports on the status of all audit findings of Internal Audit, the Auditor of Public Accounts (APA) and the Centers for Medicaid and Medicare Services (CMS)….
Risk Assessment Module
Audit AdministrationAudit PlanningStaff AssignmentsTime Keeping
Internal Control Description
Work Paper Formats
Business Process TablesReporting
Policies & Procedures
Business Process Name
--The Business Process Performance Review System (BPPRS, contains in excess of 200 concurrent tests of all aspects of the internal control of Virginia Medicaid.
--Each audit year, Internal Audit includes tests from the BPPRS in its Annual Audit Plan based on the outcome of its Annual Risk Assessment which calculates a test frequency score for each test and related business process
--Most BPPRS tests, are conducted using SAS and ACL routines complemented by use of the Microsoft Office components Excel and Access.
--Staff members specialize in areas of the Program and are assigned a series of tests each audit year which they are expected to independently conduct supported by our full time Systems Analyst whose job it is to support them and maintain the data base.
--DMAS Internal Audit has been using ACL for approximately eight years.
--We initially purchased two desktop copies to help perform the complex stratified sampling of claims involved in a Federally mandated recipient eligibility project.
--The software performed so well, was so easy to use and the telephone support was so good, we decided to use it to address an opportunity which we had been trying to address for a number of years.
The Problem:--DMAS Operating Divisions were requesting the ability to run copies of IA concurrent tests to improve their own operations, specifically to identify aberrant medical providers and other problem Program suppliers. This was especially true of the DMAS Fiscal and Program Integrity (fraud investigation) Divisions.
-- Although very powerful, SAS routines can be difficult to bundle into testing suites.
--To effectively run SAS, a certain degree of expertise is required which is not typically available within DMAS operating divisions.--DMAS IA employees only a single systems analyst so we lack the staff to support our operating divisions in their use of SAS and concurrent tests.--The Solution was to purchase and install server based ACL.
--Let’s consider current detection of several apparent frauds…
Step 1 – Determine the Automated Procedures & Objectives
Step 2 – Make Arrangements with the Auditee(s) to Obtain Data
Step 3 – Transfer Auditee Data
Step 4 – Verify Auditee Data
Step 5 – Run Test & Report Results
--In this example the provider overstates the amount of co-insurance.
--Instead of the correct amount of $18.73, the amount of $18,373.00 was entered.
--Medicaid paid the overstated amount which the provider certified as correct on the crossover claim.
--Our investigation revealed that, upon receipt of the payment, the provider failed to notify DMAS and never sent a subsequent refund.
--This matter was referred to our Program Integrity Unit.
--Both of these charges were submitted by the same provider at the same time.
--One as a hospital bill and one as a special facility bill.
--One claim is for 9/28/07 only and the other is for 9/28-30/07.
--A provider cannot bill Codes 111 and 857 for the same day.
--This matter was referred to our Program Integrity Unit.
Audits Go Deeper & Broader
DMAS can perform deeper and broader audits since we can look at both preventive and detective
controls on a universal basis with automated alerting for exception based reporting.This significantly improves audit coverage while reducing the costs of compliance over time.
Audits Take Less Time
In the past, it could take weeks just to assemble the proper documentation & data to start an audit.With continuous auditing, DMAS can assemble multiple individual tests of a single business process or a group of processes and perform them as a single testing suite. The suite can be performed at any time, at the drop of a hat.
Internal Auditors Provide a Value Added Service The rapidity and range of the tests we can perform allowed us to identify over $7 million dollars in recoverable Medicaid and Medicare claims in 2008. Our total budget for the Internal Audit function is less than $400,000; a value added return of 17.5 times cost.We have experienced a like level of return for the past 15 years.
Increased Transparency with Auditees The auditees become accustomed to receiving frequent, short form reports on the high risk controls associated with their business processes. This increases IA visibility and relevance while removing much of the mystery surrounding the traditional audit process. Findings follow up is streamlined and enhanced.
Enhanced Communication with External Auditors We have shared our approach and data with the staff of the Auditor of Public Accounts. The APA can review our test library and test results and gauge their level of reliance assuring less duplication of effort.DMAS IA can perform rapid, customized data extractions for the APA in support of the annual audit.
Improved Utilization of Specialized Audit Skills Our test library includes ACL and SAS code which can be executed by any auditor. This frees up staff with special expertise to design new tests and consult with management and auditees on more complicated control situations and emerging issues.This saves time and money and ultimately results in a higher quality work life for the audit staff.
Key Controls are Rationalized With the frequent testing of key controls, it has been possible to identify those which are truly vital to our critical business processes and de-emphasize those which are not.This has allowed for the identification of controls which are no longer relevant or which over.