1 / 50

CONTINUOUS ASSURANCE

CONTINUOUS ASSURANCE. With ACL Porter Broyles Continuous Controls Analyst II, Harris County Texas President TexasACL User Group. What is ACL? ACL is the tool I use and prefer. It is not the only tool that can be used. What might be wrong?. Mechanical errors Logical errors

talor
Download Presentation

CONTINUOUS ASSURANCE

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CONTINUOUS ASSURANCE With ACL Porter Broyles Continuous Controls Analyst II, Harris County Texas President TexasACL User Group

  2. What is ACL? ACL is the tool I use and prefer. It is not the only tool that can be used.

  3. What might be wrong? • Mechanical errors • Logical errors • Omission errors

  4. Who is responsible? Ultimately rests upon the business owners… not IT and not Audit.

  5. Monitoring vs Auditing Continuous Monitoring Continuous Auditing • The processes management puts in place to ensure that its policies, procedures, and business processes are operating effectively • Manage risks and design, implement, maintain, and monitor controls • Ultimately responsible for ensuring controls/processes work. • Business Units • Any method used by auditors to perform audit related activities on a more continuous or continual basis • Evaluate managements’ effectiveness of risk management and the effectiveness and efficiency of controls • Can help ensure that controls/processes are properly designed • Audit Division

  6. What are Continuous Assurances’ objectives? • Implement a combined strategy that uses Continuous Auditing, traditional auditing, and Continuous Monitoring activities; • Satisfy the demands from internal and external influences for assurance that control procedures are effective and that the information produced for decision-making has integrity; • Identify and reduce error, fraud, abuse, & noncompliance; • Operational efficiencies/cost savings opportunities;

  7. What are its benefits? • Analysis of 100% of the transaction population; • More timely assessment of transaction activity; • More timely assessment of controls and mitigation of weaknesses or violations; • Auditing and monitoring efficiencies and effectiveness; • Increased confidence in financial results and reporting;

  8. What does it take to perform? • The identification of the main business processes. • The identification of related transactions, system activities, and events of the main business processes. • The identification of the corresponding control points, objectives, and activities (Internal Controls). • The identification of the general assertions and their relationship to data integrity and reporting.

  9. Control Points - Control Objectives - Control Activities - Control Points - Control Objectives - Control Activities - Presentation Disclosure Reporting Assertions Data Integrity Available Accurate Reliable Transaction Assertions Account Balance Assertions Transactions System Activities Events Business Process What does it take to perform?

  10. Contemporary Continuous Assurance Contemporary Continuous Assurance is typically implemented on a transactional model. This generally means that the analyst creates a parallel process wherein they compare actual results with expected ones.

  11. Basis for conclusion No exceptions identified = Controls are effective No Exceptions <> Controls Effective

  12. What are you testing? Transactional testing tests the results, not the controls. Is the absence of an exception an indication that the control works or could it stem from the fact that the control has not been tested?

  13. Testing Controls In order to reach conclusions about controls, you have to be able to test the controls themselves. Can you demonstrate that: • The controls successfully stopped transactions they should have stopped? • The controls did not prevent transactions they should have allowed?

  14. Reaching a conclusion: With this approach, you’ve now tested the results and concluded that they were processed correctly. You’ve successfully demonstrated that the controls prevented transactions they should have prevented. You’ve shown that the controls did not prevent transactions they should have allowed. You can now conclude that the controls are effective!?

  15. Transactional Testing Fails us Even when perfectly performed, testing transactions is a detective analysis, not a preventive one. It can never tell us if the controls are currently working, only that they appeared to work in the past. Example: Duplicate Claims Payments

  16. Master Data Transactional testing is also contingent upon the master data being accurate. If the master data is wrong or corrupted, then the results can be erroneous as well. For example, suppose a vendor from the state of Washington (WA) is entered into the system with a state code of "CA"? What happens if the state is listed as WT? or left blank?

  17. Review of Changes If the data on the master data tables is not monitored, how can you affirm that the transactional based results that rely upon that data is correct?

  18. System Configuration Even after confirming that the Master Data is correct, can one really make declarations about the controls if they cannot speak to the System Configuration? We confirmed that each vendor is only entered once, but what happens if the system configuration associated with the vendor is entered multiple times?

  19. Vendor Master Confirmed

  20. What happens when: • There are multiple entries for the same system controls? • Management requests changes to a system control and it is only made on one entry? (or a new entry is created!) • The system controls include entries not know/identified by the programmer? • The system controls are changed by IT intentionally/accidentally?

  21. Harris County’s Model Configuration Tables Segregation of Duties Master Data Transactions/Results

  22. Why don’t more do it this way? • Must know the data/systems better • Bigger initial investment • Not the same emotional bang for the buck

  23. Conceptual Model Automated process generates reports at IT, which are automatically sent moved to a folder on our Audit Server. Analysis Loop Continuous Audit reviews and follows up upon exceptions.

  24. About our project Legacy Project CABase Project • Reviewed 29 Key Tables • Analyst had to extract the tables directly from the system. • Analyst had to manually prepare all 29 tables. • Analyst had to individually load all tables into ACL. • Reviews 55 key tables • IT performs an automated nightly extract. • Files no longer have to be “prepared” to be loaded. • ACL systematically loads all tables without user input.

  25. About our project Legacy Project CABase • All fields are included in the analysis. • Roughly 3,900,000 comparisons performed daily. • Results identify specific change at the data element. • System identifies changes for each item. • Non-key fields were excluded from analysis. • Roughly 80,000 comparisons performed daily. • Results identify changes on a record level. • Analyst had to visually identify specific changes or use another program to do so.

  26. What that means: In other words, if there were 15 changes made to a single record: The legacy method identified the record and it was up to the analyst to identify the changes. With the new process, each change is independently identified ensuring that all changes are noted and explicitly capturing them for comparison: Note: This will make further analysis down the road easier as we have a record of specific changes for each date.

  27. About our project Legacy Project CABase • Analysis performed M-F, holidays excluded. • Analyst had to manually identify Critical and Important changes. This included reviewing several documents: • Critical Common Codes • Critical functions table • IFAS ConMon Follow-up Criteria • Analysis performed seven days a week, 365 days a year. • Most changes are automatically compared to the documents to determine Critical and Important changes. (Analyst review is still required, but significantly reduced.)

  28. About our project Legacy Project CABase • Analyst manually compares a number of records between two dates looking for anomalies. • 58 reports generated (2 for each table), and then the analysts creates several more manually tallying the results. • ACL automatically compares the number of records between two dates looking for anomalies. • 3 reports generated: • Change Exceptions • Processing Report • Summary report

  29. Report 1: Exceptions Report The first report provides a detailed explanation as to the changes made on the different tables from date to date.

  30. Exception Report: Basic Information Basic information about the change type, table, and key identifying material.

  31. Exceptions Report:Key Data

  32. Processing Report The Processing Report is a report that provides status updates of key tests and analysis performed during the project execution. These tests provide a solid level of comfort that the results are reliable and that the script performed as desired.

  33. CABase adds the following: • Maintains automated report documenting if data existed. • Compared the number of fields in the table between two dates. • Looks for duplicate values in “key fields” that should produce unique records. • Identified structure changes in the raw data. • Identifies data anomalies in the raw data. • Easily expandable to include other tables.

  34. Processing Report

  35. Supervisory Report The Supervisory Report is designed to enable a supervisor to obtain a quick high level overview of the days results as well as any possible issues that might impact the execution or accuracy of the project.

  36. Supervisor Report: Table Review

  37. Supervisory report: Summary of changes

  38. Supervisor Report:Key processing summary

  39. Supervisor Report:Non-Table Specific Results Some tests are not performed on individual tables, but are preserved on a run-by-run basis.

  40. Contract Maintenance How this approach could have saved us---an error with the largest hospital chain the state!

  41. Why Medical Profession is Ripe for Data Analytics In every transaction there are five key elements: • Who provided the service • Who received the service • What service was rendered • When was the service provided • How much did it cost

  42. Duplicate Payments You have five key pieces of information to design a multitude of tests with. • Look for cases where all five criteria are the same • Look for cases where 4 of the 5 criteria are met

  43. Children of Dependent Children • Use ACL to identify babies born to children of the primary insured. Are they being covered by the parents insurance? • Some insurance companies will cover children of dependent children. • Most states require coverage if the primary insured becomes the legal guardian of the baby.

  44. Gender Specific/Age Issues • Do searches for gender specific issues: • Women receiving prostrate care? • Men delivering babies? • Do searches for age specific issues: • Maternity for girls under the age of 10. • Issues involving the elderly.

  45. Compliance with State/Fed Mandates • If policy covers maternity, could not deny maternity claims as pre-existing condition. • If policy covers prosthetics, could not have benefits that were worse for than those provided by Medicare for prosthetic arms/legs.

  46. Insurance Fraud • Look for people who obtain insurance coverage and are immediately seen for medical conditions that usually result in automatic denials or various riders. • Large families where multiple children have birthdays too close to one another. (Beware of adoption/step children.) • Abuse of medical modifiers (MOD 51) • Upcoding/Unbundling • DME --- Rent v Purchase

  47. Upcoding: compare to others

  48. Upcoding: compare to self

  49. QuestionsPorter BroylesTexasACL@yahoo.comwww.texasacl.com

  50. www.TexasACL.com The number 1 independent website for ACL information.

More Related