hhs system internal audit annual report · hhs system internal audit annual report as required by...

HHS System Internal

Audit Annual Report

As Required by

Texas Government Code,

Section 2102.009

Fiscal Year 2019

October 2019

Annual Report Fiscal Year 2019

HHS System Internal Audit Page i

Table of Contents

Introduction .............................................................................................. 1

1. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site.............................................................................. 2

2. Internal Audit Plan for Fiscal Year 2019 .................................................... 3

3. Consulting Services and Nonaudit Services Completed ............................... 8

4. External Quality Assurance Review ........................................................ 11

5. Internal Audit Plan for Fiscal Year 2020 .................................................. 12

6. External Audit Services Procured in Fiscal Year 2019 ................................ 17

7. Reporting Suspected Fraud and Abuse ................................................... 18


HHS System Internal Audit Page 1 of 18

Introduction

The Fiscal Year 2019 Annual Internal Audit Report for the Texas Health and Human Services (HHS) Internal Audit Division is provided in accordance with the Texas Internal Auditing Act requirements for internal auditors to prepare and distribute an annual report of activities and complies with the guidelines set forth by the State Auditor’s Office.

HHS Internal Audit completed audit work and provided management with information and analyses to assist in initiating improvements to operations and to strengthen internal controls. In addition to audit work, Internal Audit provided advice and assistance on governance, risk management, and controls, and management actively engages HHS Internal Audit as they continue to work toward more effective and efficient processes in the agency.

https://statutes.capitol.texas.gov/Docs/GV/pdf/GV.2102.pdf

https://statutes.capitol.texas.gov/Docs/GV/pdf/GV.2102.pdf



1. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site

Texas Health and Human Services sent the approved audit plan (as well as subsequent amendments) and the Annual Audit Report for posting to the Reports and Presentations page of the HHS public home page within 30 days of approval as required by statute.

https://statutes.capitol.texas.gov/Docs/GV/htm/GV.2102.htm#2102.015




2. Internal Audit Plan for Fiscal Year 2019

Report Number Audit Name Report Date 18-01-016 Texas Medicaid and Healthcare

Partnership Contract 1/11/2019

18-01-019 Managed Care Payments to Rural Hospitals

11/9/2018

18-01-020 General and Application Controls for Selected Maximus Applications

2/21/2019

18-01-021 Medical and Social Services Audit Contracts

11/2/2018

18-01-025 Trust Funds 9/14/2018 18-02-022 DSHS Texas Center for Infectious

Disease 10/17/2018

18-02-026 DSHS Oral Health Improvement Program

11/16/2018

19-01-006 State Hospital Revenue 5/15/2019 19-01-007 Office of Inspector General

Internal Affairs 2/28/2019

19-01-011 Child Care Licensing 9/3/2019 19-01-020 Health Record Data Fieldwork – Report

expected January 2020 19-01-016 Background Checks Reporting – Report

expected October 2019 19-01-014 Information Technology – Project

Management Office Project Terminated

19-01-025 Construction Reporting – Report expected November 2019

19-01-013 Health, Developmental and Independence Services Contract Management

5/13/2019

19-01-012 Information Technology Contract Process

5/10/2019

19-01-022 DSHS Maternal and Child Health Grant Management

Fieldwork – Report expected December 2019

DSHS Consumer Protection – Surveillance

Will be included in Fiscal Year 2020 Audit Plan



19-02-017 DSHS Accounts Revenue and Receivables Processes

8/29/2019

19-010-19 Veteran’s Program Grant Management

8/6/2019

19-01-027 Contract Expenditures Planning – Report expected March 2020

19-01-023 Inventory Processes Fieldwork – Report expected January 2020

Audit Verifications 19-03-001 First Quarter 1/3/2019 19-03-008 Second Quarter 3/21/2019 19-03-009 Third Quarter 6/13/2019 19-03-010 Fourth Quarter 9/27/2019

Explanation of Deviations from 2019 Internal Audit Plan As noted below in Section V. Internal Audit Plan for Fiscal Year 2020, the HHS Internal Audit risk assessment process is a perpetual process. As a result, the audit plan may change quarterly due to more frequent identification of, and response to, shifts in risk.

Methods Used to Ensure Compliance with Contract Processes and Controls for Monitoring Agency Contracts HHS Internal Audit considered compliance with contract processes and control for monitoring agency contracts as required by Texas Government Code, Section 2102.005(b). As requested, the report number, name, report date, and follow-up status for each audit report related to agency contracts and contract processes and controls completed in the last five years (fiscal years 2015 to current) are described in the tables that follow.





Texas Health and Human Services System and Health and Human Services Commission

Report Number Audit Name

Report Date

Status of Recommendations

15-01-007 After-the-Fact Purchases 8/10/2015 Verified: 1, 2 15-02-003 Medicaid/CHIP Division

Managed Care Contracts 12/10/2015 Verified: 2, 3, 4a, 4b

Verification Pending: 5, 6 In Progress: 1

15-02-004 Office of Community Services Subrecipient Monitoring

11/25/2015 Verified: 1a, 1b, 1c, 1d, 2a, 2b, 3a, 3b, 3c, 4, 5a, 5b, Verification Pending: 5c

16-01-005 HHSC Oversight of Outsourced Services

7/19/2016 Verified: 1a, 1b, 2, 3a, 3b, 3c

16-02-002 Pay for Quality Program 6/14/2016 Verified: 1, 2, 3, 4, 5 16-02-004 Access to HHSAS and HCATS 2/3/2016 Verified: 1a (HHSAS)

Verification Pending: 1b (HCATS)

16-02-006 Enrollment Broker Contract Monitoring

8/10/2016 Verified: 1, 2, 4 In Progress: 3

16-02-014 Oversight of Statewide Network of Community Partners

11/21/2016 Verified: 4, 5, 6, 7, 8 In Progress: 1, 2, 3,

16-02-017 Oversight of Selected Administrative Goods and Services Contracts

12/19/2016 Moved to #18-01-023: 2, 3, 4, 5, 6 Verified: 7 Closed: 1

16-02-024 Contract Processing Times for Selected HHSC Contracts

2/7/2017 Follow up with #18-01-023: 8, 11 Verified: 2, 3, 4, 5, 6 In Progress: 1, 7, 9, 10, 12

17-01-029 HHS System Business Continuity and Disaster Recovery

1/3/2018 Verification Pending: 4, 5, 6, 7

17-02-002 Eligibility Operation – Vendor Operations

Verified: 1, 2, 3

17-02-010 Vendor Drug Program 11/7/2017 Verified: 2 Verification Pending: 1 In Progress: 3

17-02-013 Contract Monitoring of Local Mental Health Authorities

10/25/2017 Verified: 7 Verification Pending: 1, 2, 3, 4, 5, 6,

17-02-024 Construction and Maintenance Contract Management

9/1/2017 Verified: 1, 2, 3, Closed: 4




Report Date


17-02-025 Health Informatics Services and Quality

8/16/2017 Verified: 5 Verification Pending: 4 Closed: 1, 2, 3

17-02-026 Claims Administrator Contract Oversight

10/24/2017 Verified: 1, 2, 3, 4, 5, Verification Pending: 6

17-04-009 State Supported Living Center Volunteer Services

5/5/2017 Verified: 3 Verification Pending: 4, 5

18-01-016 Texas Medicaid and Healthcare Partnership Contract

1/11/2019 Verification Pending: 4, 5, 6, 7, 8, 9, 10, 11 In Progress: 1, 2, 3

18-01-018 Early Childhood Intervention Program

6/5/2018 Verification Pending: 1, 2, 3

18-01-019 Managed Care Payments to Rural Hospitals

11/9/2018 Verified: 1 Verification Pending: 3, 4, 5 In Progress: 6 Closed: 2

18-01-020 General and Application Controls for Selected Maximus Applications

2/21/2019 Verification Pending: 1, 2, 3, 4, 5, 6, In Progress: 7

18-01-021 Medical and Social Services Audit Contracts

11/2/2018 Verification Pending: 2, 3 Closed: 1

18-01-023 Procurement and Contracting Services Procurement Processes

7/5/2018 Verified: 1, 2, 3, 7, 8, 12, 13, 14, 20, 22 Verification Pending: 4, 5, 6, 11, 15, 18 In Progress: 16, 17, 19, 21 Closed: 9, 10

19-01-006 State Hospital Revenue 5/15/2019 Verification Pending: 4, 5, 6 In Progress: 1, 2, 3, 7, 8, 9, 10, 11

19-01-012 Information Technology Contract Processes

5/10/2019 In Progress: 1, 2, 3, 4, 5, 6

19-01-013 Health, Developmental and Independence Services Contract Management

5/13/2019 Verification Pending: 1, 2, 3, 5, 6, 7 In Progress: 4, 8

19-01-019 Veteran’s Program Grant Management

8/6/2019 In Progress: 1, 2

19-01-020 Health Record Data Expected January 2020

Not applicable




Report Date


19-01-022 Maternal and Child Health Grant Management

Expected December 2019

Not applicable

19-01-027 Contract Expenditures Expected March 2020

Not applicable

Department of State Health Services


Report Date

Status of Contract Recommendations

2015-10 Vulnerability Management and Remediation

9/22/2015 Verified: 3 Verification Pending: 2, 4 Closed: 1

2015-11 Selected State Hospital Expenditures

10/10/2015 Closed: 1, 2

2017-08 Oversight of Local Registrars 6/30/2017 Closed: 1, 2, 3, 4 18-02-009 Vital Statistics Unit Printing

Plates: 3/9/2018

Closed: 1 Verification Pending: 2

18-02-022 Texas Center for Infectious Disease

10/17/2018 Verification Pending: 2, 3, 4, 5, 6, 7, 8, 9, 10 In Progress: 1

19-02-017 Revenue and Receivables Processes

8/29/2019 In Progress: 1, 2, 3, 4



3. Consulting Services and Nonaudit Services Completed

Internal Audit staff presented on the audit process, risk assessment, and control frameworks at staff meetings and leadership academies as requested by management. In addition, the HHS Internal Audit completed the following consulting services during fiscal year 2019:

Report Number Project Name Completion Date 18-04-024 Utilization Review Oversight of Managed

Care September 2018

18-04-027 HIPAA Security Controls January 2019 19-04-015 HHS System Conflicts of Interest Terminated 19-04-021 Veteran’s Program Grant Monitoring July 2019 19-04-024 Rehabilitative and Independent Services

Contracting Process July 2019

19-00-000 Management Assistance Office of Civil Rights January 2019 Three Lines of Defense February 2019 IDD BH Contract Operations June 2019 Procurement and Contracting Services

(PCS) Internal Control Questionnaire June 2019

PCS Nondisclosure Agreements August 2019 Image API August 2019

Utilization Review Oversight of Managed Care Objective: Perform a functional analysis of the utilization review process and identify potential improvements. The engagement was refined to focus on contract action processes stemming from Long Term Social Services (LTSS) Utilization Reviews.

Scope: Current rules, regulations, policies, procedures, and processes related to the utilization review processes for oversight of Managed Care.

Observations and Results:

● Roles and Responsibilities: LTSS Utilization Review policies, procedures, and templates in place are reportedly updated as needed when process



improvements are identified. Roles and responsibilities for identifying, calculating, and pursuing LDs are clearly defined.

● Monitoring Process Timeliness: The current utilization review monitoring process is comprised of six phases. While some estimated timeframes for key phases of the process were communicated, defined timeframes do not exist. Key items that must be defined for this process to be effective, include: Specific number of days allowed for the managed care organizations to

object to any of the liquidated damages reflected in the draft demand letter.

Defined timeframe for the rebuttal process, which should include time for the managed care organization to provide additional information and LTSS Utilization Review to review the information.

HIPAA Security Controls Objective: Review the risk assessment process developed in response to the OCR CAP requirements.

Scope: Risk assessment process, including any risk analysis tools, estimated budgeting and supporting documentation collected to address the OCR CAP.


● Estimated hours to complete a risk assessment should be reduced. ● Assessments do not include all required HIPAA controls. ● A list of applications in scope of the CAP has not been finalized.

HHS System Conflicts of Interest Project Terminated

Veteran’s Program Grant Monitoring Objective: Perform an analysis of Veteran Grant monitoring to identify potential efficiencies and improvements.

Scope: Current rules, regulations, policies, procedures and processes related to the monitoring of Texas Veterans and Family Alliance grants.


● Current monitoring tools include monitoring of contract requirements ● Monitoring efficiency improvements may include: Enhance performance data tracking to facilitate analysis of trends.



Enhance performance reporting document to identify incomplete fields. Implement a risk assessment process for monitoring. Finalize financial review procedures.

Rehabilitative and Independent Services Contracting Processes Objective: Review processes used for procuring new contracts and renewal amendments and to identify questions on control structures for management consideration. The engagement was refined to focus on the contract process as it relates to open enrollments

Scope: Current rules, regulations, policies, procedures, and processes related to the RIS contracting process.


● A flowchart of the open enrollment process was developed. ● Negotiations are not generally applied to open enrollment contracts as they

are noncompetitive procurements. However, negotiating rates is permissible per 1 TAC Section 355.9040, depending on the services or goods provided.

● Five procurements were tested on nineteen attributes reflecting internal and state procurement policies and procedures. All five had at least one non-compliant attribute and at least five attributes that could not be assessed using available documentation.

● Timelines for the development of the five contracts were created to demonstrate the time contract development, renewals, and amendments can take using the current open enrollment processes and required attributes.



4. External Quality Assurance Review

The HHS Internal Audit External Quality Assurance Review was completed in August 2019, by Postlethwaite & Netterville, a state contracted vendor. Excerpts from the Executive Summary of the resulting report include the following opinions:

Postlethwaite & Netterville, APAC (P&N) is pleased to have provided the Texas Health and Human Services system (HHS) with a full external Quality Assurance Review (QAR) of its Internal Audit Division (Internal Audit) for the period of September 1, 2016 through August 31, 2019.

The QAR assessed Internal Audit’s compliance with the following:

1. International Standards for the Professional Practice of Internal Auditing (Standards);

2. Generally Accepted Government Auditing Standards (GAGAS); and 3. Texas Internal Auditing Act (TIAA)

OPINION AS TO CONFORMANCE WITH THE STANDARDS, CODE OF ETHICS AND TEXAS INTERNAL AUDITING ACT

It is our overall opinion that the Internal Audit Division at HHS Generally Conforms with the following for the period of September 1, 2016 through August 31, 2019:

1. The Standards and the Code of Ethics promulgated by the Institute of Internal Auditors (IIA); and

2. The Texas Internal Auditing Act codified by Texas Government Code 2102.

There were no opportunities for improvement identified that would be considered reportable items.

OPINION AS TO CONFORMANCE WITH THE GENERALLY ACCEPTED GOVERNMENT AUDITING STANDARDS

It is our overall opinion that the Internal Audit Division at HHS receives a Peer Review Rating of Pass for the period of September 1, 2016 through August 31, 2019 with the Generally Accepted Government Auditing Standards (GAGAS) distributed by the Government Accountability Office (GAO) (2011 Revision). There were no opportunities for improvement identified that would be considered reportable items.



5. Internal Audit Plan for Fiscal Year 2020

The audit plan below includes 19 total audits (7 carried over from fiscal year 2019) and will be added to throughout the year based on risk and agency needs. In addition, Internal Audit staff will conduct verification work on recommendations reported by management as implemented and address management requests as possible. The Fiscal Year 2020 Internal Audit Plan was approved by the Executive Commissioner on September 23, 2019.

Projects

Health and Human Services System (HHSC and DSHS) Budget (Hours)

Protected Health Information for Select Systems (formerly Health Record Data)*

1,200

Criminal Background Checks (formerly Background Checks) 100

Contract Expenditures* 1,200

Inventory Processes 1,700

Information Security Office Exceptions 2,000

Network Access for Terminated Employees 1,500

Data Use Agreements* 2,500

Regional Human Resources Policies and Procedures 1,800

Decommissioned Systems 3,500

IT Preparedness for Malware Threats and Malicious Software 3,000

PCS Approvals* 2,000

Substance Use Contracts* 2,000



Health and Human Services Commission (HHSC) Budget (Hours)

Construction 700

Office of Inspector General’s Benefits Integrity Program 1,200

Rate Analysis 2,000

Access and Eligibility Services’ Community Access 1,500

C-059 External Data Sharing Compliance 1,500

Department of State Health Services (DSHS) Budget (Hours)

Maternal and Child Health Grant Management* 750

Consumer Protection 1,200

Tuberculosis Program Services and Coordination 2,000

DSHS Pharmacy 2,500

Projects with a “*” indicate projects that will address contract management and other requirements. None of the projects included in the Fiscal Year 2020 Internal Audit Plan specifically address benefits proportionality, expenditure transfers, capital budget controls, or any other limitation or restriction in the General Appropriations Act.



High Risks Unaddressed by Plan The following business processes were ranked as "high risk" but not included in the Fiscal Year 2020 Internal Audit Plan either due to recent audit activity, management priorities, or resource limitations:

Health and Human Services System Business Area Auditable Unit Chief Policy Officer Regulatory Services: Health Care Quality Chief Policy Officer Regulatory Services: Adult Protective Services

Investigations

Chief Policy Officer Regulatory Services: Long-Term Care Regulatory Chief Counsel Appeals Program & Services MSS: Medicaid & CHIP Services Department – Quality &

Program Improvement Program & Services MSS: Medicaid & CHIP Services Department – Medical

Transportation Program

Department of State Health Services Business Area Auditable Unit Public Health Laboratory and Infectious Disease Services – Infectious

Disease Prevention Public Health Consumer Protection: Meat Safety Assurance

Public Health Community Health Improvement: Public Health Screening and Services Coordination

Public Health Laboratory and Infectious Disease Services: Laboratory Services

Public Health Consumer Protection: EMS/Trauma Systems

Public Health Community Health Improvement: Environmental Epidemiology and Disease Registries

Public Health Laboratory & Infectious Disease Services – HIV/STD



Risk Assessment Methodology To facilitate more timely response to shifting risks, the Internal Audit Division has implemented a continuous risk assessment process and plans to update the audit plan as needed throughout the fiscal year. The process description for audit plan approval follows:

1. Define the audit universe. Develop a comprehensive list of "auditable units" (i.e., program areas/units, activities, processes, etc.) to be considered. This includes an ongoing review of organizational charts, agency reports, and the Health and Human Services Commission and Department of State Health Services Strategic Plans. Criteria for selecting "auditable units" includes: level of contribution to HHS Goals and Strategies, the magnitude of impact on the organization, the level of importance to justify the cost of control, and the efficiency in minimizing auditable units when possible.

2. Select and weight risk factors. Risk factors are specific and identifiable sources of uncertainty or potential negative consequences. Risk is inherent to every auditable unit -what varies among units is the degree or level of risk. Level of risk is determined by the extent of impact to the agency as a whole, should the specific risk occur. Risk factors are selected by consideration of current issues by the Director of Internal Audit.

3. In addition, HHS Internal Audit staff assesses risk on five additional risk factors based on the COSO Internal Control Framework:

● Control Environment ● Assessing Risk ● Control Activities ● Information and Communication ● Monitoring Activities

Texas Administrative Code, Section 202 (TAC 202) risks are assessed (when applicable) within the Information and Communication risk factors and taken into account within individual project risk assessments.

4. Prioritize auditable units to assess overall risk level.

● Score: HHS Internal Audit scored each auditable unit using the Internal Audit Risk Factors and Scoring Guide.



● Additional Points: Areas identified as of interest or concern by executive management team members or the Director of Internal Audit received additional points at the discretion of the scoring team.

● Rank: Calculate based on the sum of all scores and rank all units relative to one another. Identify high, medium and low risk areas.

5. Monitoring and Updating Risk Assessment. Information is gained and added to the risk assessment tool through routine meetings with agency management, information learned during audit work, external reports and notifications, and other sources that identify risks. Risks are perpetually monitored, and the risk assessment is updated as often as needed, to address the most current risks at HHS. The audit plan is monitored and assessed routinely, and amendments are proposed as appropriate.

6. Identify Areas of Audit for the Proposed Fiscal Year 2020 Internal Audit Plan. Based on available staff hours, review of audit history, input from executive management, and other factors develop a proposal for the Executive Commissioner's review and input.



6. External Audit Services Procured in Fiscal Year 2019

Description Document Processing Services (DPS) Financial Audit Disproportionate Share Hospital and Uncompensated Care Audit Services Managed Care Organization (MCO) - Financial Audits Medical Transportation Program - Financial Statistical Reports (FSR) Texas Medicaid and Healthcare Partnership (TMHP) SOC-1 EHR (Electronic Health Record) Incentives Vendor Drug SOC-1 Audit SFY 2015 AUP Related Party Admin Testing NorthgateArinso Retrospective Cost Settlement Audit DSRIP (Delivery System Reform Incentive Payments) Eligibility Support Services program (ESS), Children’s Health Insurance Program (CHIP), and Enrollment Broker Retrospective Cost Settlement Audits MCO Performance Audits Medicaid & CHIP Services (MCS) - Vendor Drug Program HIPAA Audit TMHP - Retrospective Cost Settlement Audit Recovery Audits (RAC audits) Audits of Medicaid Providers Medicaid Managed Care Capitation Rates



7. Reporting Suspected Fraud and Abuse

The HHS Internet and Intranet, HHS Circular C-027, and HHS System ethics training, provide information on how to report suspected fraud, waste, and abuse. Employees must report suspected fraud, waste, or abuse in health and human services programs to the HHS Inspector General and the Texas State Auditor’s Office (SAO).

To our knowledge, these reports are being made in accordance with Section 7.09, Fraud Reporting, in the General Appropriations Act and Texas Government Code, Section 321.022.

http://www.lbb.state.tx.us/Documents/GAA/General_Appropriations_Act_2018-2019.pdf

