HHS System Internal Audit Annual Report
As Required by Texas Government Code, Section 2102.009
Fiscal Year 2019
October 2019
Annual Report Fiscal Year 2019
HHS System Internal Audit Page i
Table of Contents
Introduction
1. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site
2. Internal Audit Plan for Fiscal Year 2019
3. Consulting Services and Nonaudit Services Completed
4. External Quality Assurance Review
5. Internal Audit Plan for Fiscal Year 2020
6. External Audit Services Procured in Fiscal Year 2019
7. Reporting Suspected Fraud and Abuse
Introduction
The Fiscal Year 2019 Annual Internal Audit Report for the Texas Health and Human Services (HHS) Internal Audit Division is provided in accordance with the Texas Internal Auditing Act requirements for internal auditors to prepare and distribute an annual report of activities and complies with the guidelines set forth by the State Auditor’s Office.
HHS Internal Audit completed audit work and provided management with information and analyses to assist in initiating improvements to operations and to strengthen internal controls. In addition to audit work, Internal Audit provided advice and assistance on governance, risk management, and controls, and management actively engages HHS Internal Audit as they continue to work toward more effective and efficient processes in the agency.
1. Compliance with Texas Government Code, Section 2102.015: Posting the Internal Audit Plan, Internal Audit Annual Report, and Other Audit Information on Internet Web Site
Texas Health and Human Services sent the approved audit plan (as well as subsequent amendments) and the Annual Audit Report for posting to the Reports and Presentations page of the HHS public home page within 30 days of approval as required by statute.
2. Internal Audit Plan for Fiscal Year 2019

| Report Number | Audit Name | Report Date |
|---|---|---|
| 18-01-016 | Texas Medicaid and Healthcare Partnership Contract | 1/11/2019 |
| 18-01-019 | Managed Care Payments to Rural Hospitals | 11/9/2018 |
| 18-01-020 | General and Application Controls for Selected Maximus Applications | 2/21/2019 |
| 18-01-021 | Medical and Social Services Audit Contracts | 11/2/2018 |
| 18-01-025 | Trust Funds | 9/14/2018 |
| 18-02-022 | DSHS Texas Center for Infectious Disease | 10/17/2018 |
| 18-02-026 | DSHS Oral Health Improvement Program | 11/16/2018 |
| 19-01-006 | State Hospital Revenue | 5/15/2019 |
| 19-01-007 | Office of Inspector General Internal Affairs | 2/28/2019 |
| 19-01-011 | Child Care Licensing | 9/3/2019 |
| 19-01-020 | Health Record Data | Fieldwork – Report expected January 2020 |
| 19-01-016 | Background Checks | Reporting – Report expected October 2019 |
| 19-01-014 | Information Technology – Project Management Office | Project Terminated |
| 19-01-025 | Construction | Reporting – Report expected November 2019 |
| 19-01-013 | Health, Developmental and Independence Services Contract Management | 5/13/2019 |
| 19-01-012 | Information Technology Contract Process | 5/10/2019 |
| 19-01-022 | DSHS Maternal and Child Health Grant Management | Fieldwork – Report expected December 2019 |
| | DSHS Consumer Protection – Surveillance | Will be included in Fiscal Year 2020 Audit Plan |
| 19-02-017 | DSHS Accounts Revenue and Receivables Processes | 8/29/2019 |
| 19-010-19 | Veteran’s Program Grant Management | 8/6/2019 |
| 19-01-027 | Contract Expenditures | Planning – Report expected March 2020 |
| 19-01-023 | Inventory Processes | Fieldwork – Report expected January 2020 |

Audit Verifications

| Report Number | Audit Name | Report Date |
|---|---|---|
| 19-03-001 | First Quarter | 1/3/2019 |
| 19-03-008 | Second Quarter | 3/21/2019 |
| 19-03-009 | Third Quarter | 6/13/2019 |
| 19-03-010 | Fourth Quarter | 9/27/2019 |

Explanation of Deviations from 2019 Internal Audit Plan
As noted below in Section V. Internal Audit Plan for Fiscal Year 2020, the HHS Internal Audit risk assessment process is a perpetual process. As a result, the audit plan may change quarterly due to more frequent identification of, and response to, shifts in risk.
Methods Used to Ensure Compliance with Contract Processes and Controls for Monitoring Agency Contracts
HHS Internal Audit considered compliance with contract processes and controls for monitoring agency contracts as required by Texas Government Code, Section 2102.005(b). As requested, the report number, name, report date, and follow-up status for each audit report related to agency contracts and contract processes and controls completed in the last five years (fiscal years 2015 to current) are described in the tables that follow.
Texas Health and Human Services System and Health and Human Services Commission

| Report Number | Audit Name | Report Date | Status of Recommendations |
|---|---|---|---|
| 15-01-007 | After-the-Fact Purchases | 8/10/2015 | Verified: 1, 2 |
| 15-02-003 | Medicaid/CHIP Division Managed Care Contracts | 12/10/2015 | Verified: 2, 3, 4a, 4b; Verification Pending: 5, 6; In Progress: 1 |
| 15-02-004 | Office of Community Services Subrecipient Monitoring | 11/25/2015 | Verified: 1a, 1b, 1c, 1d, 2a, 2b, 3a, 3b, 3c, 4, 5a, 5b; Verification Pending: 5c |
| 16-01-005 | HHSC Oversight of Outsourced Services | 7/19/2016 | Verified: 1a, 1b, 2, 3a, 3b, 3c |
| 16-02-002 | Pay for Quality Program | 6/14/2016 | Verified: 1, 2, 3, 4, 5 |
| 16-02-004 | Access to HHSAS and HCATS | 2/3/2016 | Verified: 1a (HHSAS); Verification Pending: 1b (HCATS) |
| 16-02-006 | Enrollment Broker Contract Monitoring | 8/10/2016 | Verified: 1, 2, 4; In Progress: 3 |
| 16-02-014 | Oversight of Statewide Network of Community Partners | 11/21/2016 | Verified: 4, 5, 6, 7, 8; In Progress: 1, 2, 3 |
| 16-02-017 | Oversight of Selected Administrative Goods and Services Contracts | 12/19/2016 | Moved to #18-01-023: 2, 3, 4, 5, 6; Verified: 7; Closed: 1 |
| 16-02-024 | Contract Processing Times for Selected HHSC Contracts | 2/7/2017 | Follow up with #18-01-023: 8, 11; Verified: 2, 3, 4, 5, 6; In Progress: 1, 7, 9, 10, 12 |
| 17-01-029 | HHS System Business Continuity and Disaster Recovery | 1/3/2018 | Verification Pending: 4, 5, 6, 7 |
| 17-02-002 | Eligibility Operation – Vendor Operations | | Verified: 1, 2, 3 |
| 17-02-010 | Vendor Drug Program | 11/7/2017 | Verified: 2; Verification Pending: 1; In Progress: 3 |
| 17-02-013 | Contract Monitoring of Local Mental Health Authorities | 10/25/2017 | Verified: 7; Verification Pending: 1, 2, 3, 4, 5, 6 |
| 17-02-024 | Construction and Maintenance Contract Management | 9/1/2017 | Verified: 1, 2, 3; Closed: 4 |
| 17-02-025 | Health Informatics Services and Quality | 8/16/2017 | Verified: 5; Verification Pending: 4; Closed: 1, 2, 3 |
| 17-02-026 | Claims Administrator Contract Oversight | 10/24/2017 | Verified: 1, 2, 3, 4, 5; Verification Pending: 6 |
| 17-04-009 | State Supported Living Center Volunteer Services | 5/5/2017 | Verified: 3; Verification Pending: 4, 5 |
| 18-01-016 | Texas Medicaid and Healthcare Partnership Contract | 1/11/2019 | Verification Pending: 4, 5, 6, 7, 8, 9, 10, 11; In Progress: 1, 2, 3 |
| 18-01-018 | Early Childhood Intervention Program | 6/5/2018 | Verification Pending: 1, 2, 3 |
| 18-01-019 | Managed Care Payments to Rural Hospitals | 11/9/2018 | Verified: 1; Verification Pending: 3, 4, 5; In Progress: 6; Closed: 2 |
| 18-01-020 | General and Application Controls for Selected Maximus Applications | 2/21/2019 | Verification Pending: 1, 2, 3, 4, 5, 6; In Progress: 7 |
| 18-01-021 | Medical and Social Services Audit Contracts | 11/2/2018 | Verification Pending: 2, 3; Closed: 1 |
| 18-01-023 | Procurement and Contracting Services Procurement Processes | 7/5/2018 | Verified: 1, 2, 3, 7, 8, 12, 13, 14, 20, 22; Verification Pending: 4, 5, 6, 11, 15, 18; In Progress: 16, 17, 19, 21; Closed: 9, 10 |
| 19-01-006 | State Hospital Revenue | 5/15/2019 | Verification Pending: 4, 5, 6; In Progress: 1, 2, 3, 7, 8, 9, 10, 11 |
| 19-01-012 | Information Technology Contract Processes | 5/10/2019 | In Progress: 1, 2, 3, 4, 5, 6 |
| 19-01-013 | Health, Developmental and Independence Services Contract Management | 5/13/2019 | Verification Pending: 1, 2, 3, 5, 6, 7; In Progress: 4, 8 |
| 19-01-019 | Veteran’s Program Grant Management | 8/6/2019 | In Progress: 1, 2 |
| 19-01-020 | Health Record Data | Expected January 2020 | Not applicable |
| 19-01-022 | Maternal and Child Health Grant Management | Expected December 2019 | Not applicable |
| 19-01-027 | Contract Expenditures | Expected March 2020 | Not applicable |

Department of State Health Services

| Report Number | Audit Name | Report Date | Status of Contract Recommendations |
|---|---|---|---|
| 2015-10 | Vulnerability Management and Remediation | 9/22/2015 | Verified: 3; Verification Pending: 2, 4; Closed: 1 |
| 2015-11 | Selected State Hospital Expenditures | 10/10/2015 | Closed: 1, 2 |
| 2017-08 | Oversight of Local Registrars | 6/30/2017 | Closed: 1, 2, 3, 4 |
| 18-02-009 | Vital Statistics Unit Printing Plates | 3/9/2018 | Closed: 1; Verification Pending: 2 |
| 18-02-022 | Texas Center for Infectious Disease | 10/17/2018 | Verification Pending: 2, 3, 4, 5, 6, 7, 8, 9, 10; In Progress: 1 |
| 19-02-017 | Revenue and Receivables Processes | 8/29/2019 | In Progress: 1, 2, 3, 4 |

3. Consulting Services and Nonaudit Services Completed
Internal Audit staff presented on the audit process, risk assessment, and control frameworks at staff meetings and leadership academies as requested by management. In addition, HHS Internal Audit completed the following consulting services during fiscal year 2019:

| Report Number | Project Name | Completion Date |
|---|---|---|
| 18-04-024 | Utilization Review Oversight of Managed Care | September 2018 |
| 18-04-027 | HIPAA Security Controls | January 2019 |
| 19-04-015 | HHS System Conflicts of Interest | Terminated |
| 19-04-021 | Veteran’s Program Grant Monitoring | July 2019 |
| 19-04-024 | Rehabilitative and Independent Services Contracting Process | July 2019 |
| 19-00-000 | Management Assistance Office of Civil Rights | January 2019 |
| | Three Lines of Defense | February 2019 |
| | IDD BH Contract Operations | June 2019 |
| | Procurement and Contracting Services (PCS) Internal Control Questionnaire | June 2019 |
| | PCS Nondisclosure Agreements | August 2019 |
| | Image API | August 2019 |

Utilization Review Oversight of Managed Care
Objective: Perform a functional analysis of the utilization review process and identify potential improvements. The engagement was refined to focus on contract action processes stemming from Long Term Social Services (LTSS) Utilization Reviews.
Scope: Current rules, regulations, policies, procedures, and processes related to the utilization review processes for oversight of Managed Care.
Observations and Results:
● Roles and Responsibilities: LTSS Utilization Review policies, procedures, and templates in place are reportedly updated as needed when process improvements are identified. Roles and responsibilities for identifying, calculating, and pursuing liquidated damages (LDs) are clearly defined.
● Monitoring Process Timeliness: The current utilization review monitoring process is comprised of six phases. While some estimated timeframes for key phases of the process were communicated, defined timeframes do not exist. Key items that must be defined for this process to be effective include:
  ○ Specific number of days allowed for the managed care organizations to object to any of the liquidated damages reflected in the draft demand letter.
  ○ Defined timeframe for the rebuttal process, which should include time for the managed care organization to provide additional information and LTSS Utilization Review to review the information.
HIPAA Security Controls
Objective: Review the risk assessment process developed in response to the OCR CAP requirements.
Scope: Risk assessment process, including any risk analysis tools, estimated budgeting and supporting documentation collected to address the OCR CAP.
Observations and Results:
● Estimated hours to complete a risk assessment should be reduced.
● Assessments do not include all required HIPAA controls.
● A list of applications in scope of the CAP has not been finalized.
HHS System Conflicts of Interest
Project Terminated
Veteran’s Program Grant Monitoring
Objective: Perform an analysis of Veteran Grant monitoring to identify potential efficiencies and improvements.
Scope: Current rules, regulations, policies, procedures and processes related to the monitoring of Texas Veterans and Family Alliance grants.
Observations and Results:
● Current monitoring tools include monitoring of contract requirements.
● Monitoring efficiency improvements may include:
  ○ Enhance performance data tracking to facilitate analysis of trends.
  ○ Enhance performance reporting document to identify incomplete fields.
  ○ Implement a risk assessment process for monitoring.
  ○ Finalize financial review procedures.
Rehabilitative and Independent Services Contracting Processes
Objective: Review processes used for procuring new contracts and renewal amendments and to identify questions on control structures for management consideration. The engagement was refined to focus on the contract process as it relates to open enrollments.
Scope: Current rules, regulations, policies, procedures, and processes related to the RIS contracting process.
Observations and Results:
● A flowchart of the open enrollment process was developed.
● Negotiations are not generally applied to open enrollment contracts as they are noncompetitive procurements. However, negotiating rates is permissible per 1 TAC Section 355.9040, depending on the services or goods provided.
● Five procurements were tested on nineteen attributes reflecting internal and state procurement policies and procedures. All five had at least one non-compliant attribute and at least five attributes that could not be assessed using available documentation.
● Timelines for the development of the five contracts were created to demonstrate the time contract development, renewals, and amendments can take using the current open enrollment processes and required attributes.
4. External Quality Assurance Review
The HHS Internal Audit External Quality Assurance Review was completed in August 2019 by Postlethwaite & Netterville, a state-contracted vendor. Excerpts from the Executive Summary of the resulting report include the following opinions:
Postlethwaite & Netterville, APAC (P&N) is pleased to have provided the Texas Health and Human Services system (HHS) with a full external Quality Assurance Review (QAR) of its Internal Audit Division (Internal Audit) for the period of September 1, 2016 through August 31, 2019.
The QAR assessed Internal Audit’s compliance with the following:
1. International Standards for the Professional Practice of Internal Auditing (Standards);
2. Generally Accepted Government Auditing Standards (GAGAS); and
3. Texas Internal Auditing Act (TIAA)
OPINION AS TO CONFORMANCE WITH THE STANDARDS, CODE OF ETHICS AND TEXAS INTERNAL AUDITING ACT
It is our overall opinion that the Internal Audit Division at HHS Generally Conforms with the following for the period of September 1, 2016 through August 31, 2019:
1. The Standards and the Code of Ethics promulgated by the Institute of Internal Auditors (IIA); and
2. The Texas Internal Auditing Act codified by Texas Government Code 2102.
There were no opportunities for improvement identified that would be considered reportable items.
OPINION AS TO CONFORMANCE WITH THE GENERALLY ACCEPTED GOVERNMENT AUDITING STANDARDS
It is our overall opinion that the Internal Audit Division at HHS receives a Peer Review Rating of Pass for the period of September 1, 2016 through August 31, 2019 with the Generally Accepted Government Auditing Standards (GAGAS) distributed by the Government Accountability Office (GAO) (2011 Revision). There were no opportunities for improvement identified that would be considered reportable items.
5. Internal Audit Plan for Fiscal Year 2020
The audit plan below includes 19 total audits (7 carried over from fiscal year 2019) and will be added to throughout the year based on risk and agency needs. In addition, Internal Audit staff will conduct verification work on recommendations reported by management as implemented and address management requests as possible. The Fiscal Year 2020 Internal Audit Plan was approved by the Executive Commissioner on September 23, 2019.
Projects

| Health and Human Services System (HHSC and DSHS) | Budget (Hours) |
|---|---|
| Protected Health Information for Select Systems (formerly Health Record Data)* | 1,200 |
| Criminal Background Checks (formerly Background Checks) | 100 |
| Contract Expenditures* | 1,200 |
| Inventory Processes | 1,700 |
| Information Security Office Exceptions | 2,000 |
| Network Access for Terminated Employees | 1,500 |
| Data Use Agreements* | 2,500 |
| Regional Human Resources Policies and Procedures | 1,800 |
| Decommissioned Systems | 3,500 |
| IT Preparedness for Malware Threats and Malicious Software | 3,000 |
| PCS Approvals* | 2,000 |
| Substance Use Contracts* | 2,000 |

| Health and Human Services Commission (HHSC) | Budget (Hours) |
|---|---|
| Construction | 700 |
| Office of Inspector General’s Benefits Integrity Program | 1,200 |
| Rate Analysis | 2,000 |
| Access and Eligibility Services’ Community Access | 1,500 |
| C-059 External Data Sharing Compliance | 1,500 |

| Department of State Health Services (DSHS) | Budget (Hours) |
|---|---|
| Maternal and Child Health Grant Management* | 750 |
| Consumer Protection | 1,200 |
| Tuberculosis Program Services and Coordination | 2,000 |
| DSHS Pharmacy | 2,500 |

Projects with a “*” indicate projects that will address contract management and other requirements. None of the projects included in the Fiscal Year 2020 Internal Audit Plan specifically address benefits proportionality, expenditure transfers, capital budget controls, or any other limitation or restriction in the General Appropriations Act.
High Risks Unaddressed by Plan
The following business processes were ranked as "high risk" but not included in the Fiscal Year 2020 Internal Audit Plan either due to recent audit activity, management priorities, or resource limitations:

Health and Human Services System

| Business Area | Auditable Unit |
|---|---|
| Chief Policy Officer | Regulatory Services: Health Care Quality |
| Chief Policy Officer | Regulatory Services: Adult Protective Services Investigations |
| Chief Policy Officer | Regulatory Services: Long-Term Care Regulatory |
| Chief Counsel | Appeals |
| Program & Services | MSS: Medicaid & CHIP Services Department – Quality & Program Improvement |
| Program & Services | MSS: Medicaid & CHIP Services Department – Medical Transportation Program |

Department of State Health Services

| Business Area | Auditable Unit |
|---|---|
| Public Health | Laboratory and Infectious Disease Services – Infectious Disease Prevention |
| Public Health | Consumer Protection: Meat Safety Assurance |
| Public Health | Community Health Improvement: Public Health Screening and Services Coordination |
| Public Health | Laboratory and Infectious Disease Services: Laboratory Services |
| Public Health | Consumer Protection: EMS/Trauma Systems |
| Public Health | Community Health Improvement: Environmental Epidemiology and Disease Registries |
| Public Health | Laboratory & Infectious Disease Services – HIV/STD |

Risk Assessment Methodology
To facilitate more timely response to shifting risks, the Internal Audit Division has implemented a continuous risk assessment process and plans to update the audit plan as needed throughout the fiscal year. The process description for audit plan approval follows:
1. Define the audit universe. Develop a comprehensive list of "auditable units" (i.e., program areas/units, activities, processes, etc.) to be considered. This includes an ongoing review of organizational charts, agency reports, and the Health and Human Services Commission and Department of State Health Services Strategic Plans. Criteria for selecting "auditable units" include: level of contribution to HHS Goals and Strategies, the magnitude of impact on the organization, the level of importance to justify the cost of control, and the efficiency in minimizing auditable units when possible.
2. Select and weight risk factors. Risk factors are specific and identifiable sources of uncertainty or potential negative consequences. Risk is inherent to every auditable unit; what varies among units is the degree or level of risk. Level of risk is determined by the extent of impact to the agency as a whole, should the specific risk occur. Risk factors are selected by consideration of current issues by the Director of Internal Audit.
3. In addition, HHS Internal Audit staff assesses risk on five additional risk factors based on the COSO Internal Control Framework:
● Control Environment
● Assessing Risk
● Control Activities
● Information and Communication
● Monitoring Activities
Texas Administrative Code, Section 202 (TAC 202) risks are assessed (when applicable) within the Information and Communication risk factors and taken into account within individual project risk assessments.
4. Prioritize auditable units to assess overall risk level.
● Score: HHS Internal Audit scored each auditable unit using the Internal Audit Risk Factors and Scoring Guide.
● Additional Points: Areas identified as of interest or concern by executive management team members or the Director of Internal Audit received additional points at the discretion of the scoring team.
● Rank: Calculate based on the sum of all scores and rank all units relative to one another. Identify high, medium and low risk areas.
5. Monitoring and Updating Risk Assessment. Information is gained and added to the risk assessment tool through routine meetings with agency management, information learned during audit work, external reports and notifications, and other sources that identify risks. Risks are perpetually monitored, and the risk assessment is updated as often as needed, to address the most current risks at HHS. The audit plan is monitored and assessed routinely, and amendments are proposed as appropriate.
6. Identify Areas of Audit for the Proposed Fiscal Year 2020 Internal Audit Plan. Based on available staff hours, review of audit history, input from executive management, and other factors, develop a proposal for the Executive Commissioner's review and input.
6. External Audit Services Procured in Fiscal Year 2019
Description Document Processing Services (DPS) Financial Audit Disproportionate Share Hospital and Uncompensated Care Audit Services Managed Care Organization (MCO) - Financial Audits Medical Transportation Program - Financial Statistical Reports (FSR) Texas Medicaid and Healthcare Partnership (TMHP) SOC-1 EHR (Electronic Health Record) Incentives Vendor Drug SOC-1 Audit SFY 2015 AUP Related Party Admin Testing NorthgateArinso Retrospective Cost Settlement Audit DSRIP (Delivery System Reform Incentive Payments) Eligibility Support Services program (ESS), Children’s Health Insurance Program (CHIP), and Enrollment Broker Retrospective Cost Settlement Audits MCO Performance Audits Medicaid & CHIP Services (MCS) - Vendor Drug Program HIPAA Audit TMHP - Retrospective Cost Settlement Audit Recovery Audits (RAC audits) Audits of Medicaid Providers Medicaid Managed Care Capitation Rates
7. Reporting Suspected Fraud and Abuse
The HHS Internet and Intranet, HHS Circular C-027, and HHS System ethics training provide information on how to report suspected fraud, waste, and abuse. Employees must report suspected fraud, waste, or abuse in health and human services programs to the HHS Inspector General and the Texas State Auditor’s Office (SAO).
To our knowledge, these reports are being made in accordance with Section 7.09, Fraud Reporting, in the General Appropriations Act and Texas Government Code, Section 321.022.