UNIVERSITY OF VIRGINIA
BOARD OF VISITORS
MEETING OF THE
AUDIT AND COMPLIANCE COMMITTEE
June 11, 2010
AUDIT AND COMPLIANCE COMMITTEE
(Open Session)
Friday, June 11, 2010
11:30 a.m. – 12:00 noon
Board Room, The Rotunda
Committee Members:
W. Heywood Fralin, Chair
Helen E. Dragas
Austin Ligon
Vincent J. Mastracco, Jr.
Don R. Pippin
Warren M. Thompson
John O. Wynne, Ex-officio
AGENDA
PAGE
I.
II.
ACTION ITEMS (Ms. Deily)
A. Audit Schedule, 2010 – 2011
B. Corporate Compliance Project Schedule,
2010-2011, (Ms. Deily will introduce
Ms. Strauss, Chief Corporate Compliance
and Privacy Officer, Ms. Strauss to report)
INFORMATION ITEM (Ms. Deily)
Summary of Findings
III.
EXECUTIVE SESSION – LIST OF ITEMS
IV.
APPROVAL OF SUMMARY OF AUDIT FINDINGS
1
7
9
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
BOARD MEETING:
June 11, 2010
COMMITTEE:
Audit and Compliance
AGENDA ITEM:
I.A.
Audit Schedule
BACKGROUND: Ms. Deily will present the proposed Audit Schedule
for the 2010-2011 Fiscal Year. The Schedule has been developed
based on required work from state and external agencies, risk
assessment models, requests from management, and analyses of
work performed in prior years.
ACTION REQUIRED: Approval by the Audit and Compliance Committee
and by the Board of Visitors
APPROVAL OF THE AUDIT SCHEDULE FOR FISCAL YEAR 2010-2011
RESOLVED, the Audit Schedule for Fiscal Year 2010-2011 is
approved as recommended by the Audit and Compliance Committee.
1
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
Determination of Hours Available
for 2010-2011 Audit Projects
Total
Total Hours Available
35,360
Less:
4,160
Vacancies
Sub-Total
31,200
Professional
Development
Holidays
Other Leave
Other Activities
Office and Personnel
Administration
Recruiting
Committee & Council
Meetings
Travel
Hours Available for Audit
Projects
1,274
1,560
3,896
3,674
20,796
Other
Activities
10%
Vacancies
12%
Audits
59%
Holidays
4%
Prof. Dev.
4%
Other Leave
11%
2
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
Allocation of Hours Available for Audit Projects
Fiscal Year 2010-2011
Total
Hours Available for Audit Projects
Less:
Wrap-up of FY 09-10 Audit
Schedule
Unscheduled Audits/Special
Requests/Hotline Projects
General Systems Development
& Consulting
External Assistance
20,796
Board Preparation & Mtgs
330
4,875
1,043
611
134
IT Support of Projects/
Activities
1,028
General Project Support/
Supervision/Strategic Planning
3,895
Hours Available for Scheduled Audit
Projects
8,880
3
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
2010-2011 Audit Schedule
UNIVERSITY
DEPARTMENT/DIVISION
ADMINISTRATIVE & SUPPORT SERVICES
President’s Office
College at Wise
ARMICS
Self Service Time and Leave System
ARRA (Federal Stimulus Funds)
Financial Administration
ATHLETICS
NCAA Compliance – (Non major areas)
PROVOST ACTIVITIES
Art Inventory
OTHER ACTIVITIES
University Bookstore/Cavalier Computers Inventory
Follow-Up Audits - University
Compliance Audits
UNIVERSITY TOTAL
BUDGETED
HOURS
250
600
150
600
400
600
400
150
100
150
1,511
4,911
4
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
2010-2011 Audit Schedule
HEALTH SYSTEM
DEPARTMENT/DIVISION
PATIENT CARE ACTIVITIES
General Clinical Research Center
Outpatient Clinic Charge Captures (Post-Epic)
ADMINISTRATIVE & SUPPORT SERVICES
Financial Reporting
Medical Center Procurement
SCHOOL OF MEDICINE
Department of Pathology
Follow-up Audits
OTHER ACTIVITIES
Epic System Consulting
ARMICS – Medical Center
Follow-up Audits – Medical Center
Inventory – Pharmacy Services
Inventory – Surgical Supply
HEALTH SYSTEM TOTAL
BUDGETED
HOURS
400
400
350
500
350
100
250
100
200
25
25
2,700
5
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
2010-2011 Audit Schedule
INFORMATION TECHNOLOGY
DEPARTMENT/DIVISION
Security Review of External Interfaces (U/HS)
Student Information System Review (U/Wise)
General Controls Review for end of 3 year
cycle (U/HS)
GPS Technology Review (U/HS)
Incident Response Review
BUDGETED
HOURS
255
255
252
255
252
INFORMATION TECHNOLOGY TOTAL
1,269
UNIVERSITY, HEALTH SYSTEM &
INFORMATION TECHNOLOGY TOTALS
8,880
6
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
BOARD MEETING:
June 11, 2010
COMMITTEE:
Audit and Compliance
AGENDA ITEM:
I.B. Corporate Compliance Project
Schedule
BACKGROUND: Ms. Strauss will present the proposed Corporate
Compliance Project Schedule for the 2010-2011 Fiscal Year. The
Schedule has been developed based on required work from state
and external agencies, risk assessment models, requests from
management, and analyses of work performed in prior years.
ACTION REQUIRED: Approval by the Audit and Compliance Committee
and by the Board of Visitors
APPROVAL OF THE CORPORATE COMPLIANCE PROJECT SCHEDULE FOR FISCAL
YEAR 2010-2011
RESOLVED, the Corporate Compliance Project Schedule for
Fiscal Year 2010-2011 is approved as recommended by the Audit
and Compliance Committee.
7
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
UVA Health System
Corporate Compliance and Privacy Office
Determination of Hours Available for 2010-2011
Compliance and Privacy Activities
Fiscal Year 2010-2011
TOTAL
Total Hours Available
6,240
Less: Vacancies
0
Sub-Total
6,240
Professional Development
240
Leave and Holidays
880
Other Activities: Office and Personnel Administration
320
Hours Available for Compliance & Privacy Activities
4,800
Allocation of Hours Available for
Compliance & Privacy Activities
Fiscal Year 2010-2011
Hours Available for Compliance & Privacy Activities
Consulting
Education
Special Projects
Hours Available for Compliance & Privacy Projects
Total
4,800
600
800
800
2,600
Corporate Compliance & Privacy Projects
Fiscal Year 2010-2011
Projects
Outpatient Department Coding, Billing, &
Documentation
Privacy Monitoring and Auditing
End Stage Renal Disease Dialysis
Governmental Payors (RAC, MIC, ZPIC)
Inpatient Medicare Severity Diagnosis Related Groups
Total
8
HOURS
400
800
400
400
600
2,600
UNIVERSITY OF VIRGINIA
BOARD OF VISITORS AGENDA ITEM
BOARD MEETING:
June 11, 2010
COMMITTEE:
Audit and Compliance
AGENDA ITEM:
II. Summary of Findings
ACTION REQUIRED:
None
BACKGROUND: Ms. Deily will present a summary of findings on the
following audit reports: the Medical Center Financial Screening
Process and the Phantom Systems Review. The summary does not
require formal action, but is information of which the Board
should be made aware.
9
AUDIT DEPARTMENT
EXECUTIVE SUMMARY
Financial Screening Process
January 21, 2010
BACKGROUND
The Verifications Unit of Patient Financial Services (PFS) is
responsible for processing financial screenings for patients who
have no health insurance and do not qualify for local, state, or
federal healthcare programs; or for patients who anticipate
having difficulty paying their portion of the bill. The
qualifications for financial assistance or charity care are
based upon income and asset guidelines set by the Virginia
Department of Medical Assistance Services (DMAS) each fiscal
year in accordance with Federal Poverty Income Limits
established by the Department of Health and Human Services.
AUDIT OBJECTIVES
The objectives of the audit were to determine whether the
Medical Center (MC) was: (1) accurately evaluating and applying
financial assistance criteria to patients’ applications; and (2)
complying with new State legislation, Posting of Charity Care
Policies, which became effective on July 1, 2009.
OPINION ON AUDIT OBJECTIVES
In our opinion, financial assistance criteria were being
accurately evaluated and applied to patients’ applications in a
timely manner. The average response time for the applications
tested during the audit was three business days from receipt of
all required documentation to disposition of the application.
AREAS NOTED FOR IMPROVEMENT
1)
2)
The Medical Center was not fully in compliance with
recently enacted State legislation concerning the posting
of charity care policies by all hospitals.
Financial Verification Working Guidelines did not provide
guidance about expectations on scanning or document review
of financial screening related documents; as a result,
documentation inconsistencies were noted in patients'
verification files.
10
AUDIT DEPARTMENT
EXECUTIVE SUMMARY
Financial Screening Process
January 21, 2010
MANAGEMENT’S RESPONSE
Management concurs and has agreed to correct the identified
condition.
FINANCIAL IMPACT
Implementation of suggested actions will position the MC to be
in full compliance with enacted charity care legislation and
improve efficiencies in the Verifications Unit.
11
AUDIT DEPARTMENT
EXECUTIVE SUMMARY
Phantom Systems Review
January 21, 2010
BACKGROUND
There are a large number of information technology (IT) systems
in use at the departmental and school level at the University of
Virginia and the UVA Health System. These IT systems are
comprised of software and hardware, as well as ongoing support
and maintenance. Paying for all of these various systems and
services is very complex due to the large number of computers and
software applications in use, as well as the variant lengths of
service and support contracts in place. Some organizations around
the country have determined through audits that they have been
paying for IT resources that were either retired or little used.
IT resources such as these are often referred to as phantom
systems.
AUDIT OBJECTIVES
The Audit Department has completed an audit of phantom systems at
the University and Health System for the fiscal year 2010 audit
schedule. Our original audit objective was to determine whether
or not UVA was paying for systems that were either sparingly
used, or unused altogether. As the audit progressed, a second
audit objective was added as the complexity of IT purchasing
became apparent. This audit objective was to evaluate the
policies and procedures for purchasing of system components,
including hardware, software and services at UVA and the Health
System.
OPINION ON AUDIT OBJECTIVES
Overall, the University and Health System appeared to do a
sufficient job of removing systems from the books as the systems
themselves are retired or removed. The only identified payments
issued for unused systems in the audit were for telephone lines
and this situation will be addressed in the next IT audit.
However, there were several areas for improvement in the way that
hardware, software, and related support services are procured at
the University. Perhaps due to the decreased complexity of the
purchasing process for a centralized environment, the Health
System appeared to be less affected by the concerns noted in this
audit. The Health System should however, take note of the
weaknesses identified and the proposed improvements to avoid
similar weaknesses and to participate in the improvement process
when pertinent.
12
CRITICAL AREAS NOTED FOR IMPROVEMENT
1)
2)
3)
Purchasing cards were not an accepted form of payment in
UVA Marketplace.
Employees were circumventing purchasing card controls by
purchasing hardware or software from local-area businesses
with personal cash or credit and then seeking
reimbursement.
An Information Technology Manager was paying approximately
$13,000 per year for MacAfee antivirus software when a
suitable alternative, Symantec Antivirus, was funded
centrally at no cost to schools and departments.
AREAS NOTED FOR IMPROVEMENT
4)
5)
6)
Of the software available through ITC, there was no single
repository to obtain it, with several disparate sources
available.
One school was maintaining their own Microsoft Campus
Agreement, when strong consideration should be given to
adjoining with the University’s Microsoft Campus Agreement.
There was no ITC vendor presence within UVA Marketplace.
MANAGEMENT’S RESPONSE
Management concurs and has agreed to correct the identified
conditions.
FINANCIAL IMPACT TO THE UNIVERSITY AND HEALTH SYSTEM
Inefficiencies in purchasing of hardware, software, support and
maintenance could result in unrealized savings or revenue for
the University and Health System.
13