Michael Serluco, CPA, Partner and Marc Stein, MBA, Principal from Withum provide an overview of the current fraud and abuse environment and the importance of effective compliance plans. They will also discuss COVID-19 financial and revenue cycle compliance risks and the evolving role of internal audit in healthcare organizations to ensure best practices.
Learning Objectives
- Explain recent regulatory trends and best practices including compliance plans
- Identify COVID-19 financial and revenue cycle compliance risks
- Describe financial management’s role in mitigating regulatory and other healthcare risk
Internal Audit's Evolving Role in Fraud/Abuse and COVID-19 Risks
1. withum.com
Internal Audit’s Evolving
Role in Fraud/Abuse and
COVID-19 Risks and Best
Practices
Michael Serluco, Partner, Healthcare
Marc Stein, Principal, Healthcare Advisory
January 13, 2021
2. withum.com
What We’ll Do Today
Overview of Fraud and Abuse regulations and best practices
Discuss Internal Audit’s role in mitigating Regulatory and
COVID-19 Risks
Overview of CARES Act funding and associated risks and best
practices
Update on DOJ settlement trends and guidance regarding
compliance plans
2
3. withum.com
Health Care Enforcement Recovery Overview
Health care enforcement continues to be a profitable pursuit for the
Federal Government. From 2017 through 2019 (the most recent period for
which data is available), the Office of Inspector General reports that it
collected $4.20 for every $1.00 spent on enforcement efforts
The Health Care Fraud and Abuse Control (HCFAC) Program was
established under the 1996 Heath Insurance Portability and
Accountability Act (HIPAA) to identify and prosecute health care fraud
and abuse. The 2019 results include :
Federal Government won or negotiated over $2.6 billion in health care fraud
judgments and settlements.
$3.6 billion was returned to the Federal Government or paid to private persons
• Approximately $2.5 billion was transferred to the Medicare Trust Funds
3
4. withum.com
DOJ Guidance
In April 2017 (revised in April 2019), the US Department of Justice ("DOJ")
published its guidance on the "Evaluation of Corporate Compliance Programs"
(the "Guidance"), which set out the following 11 key compliance program
evaluation topics, grouped under 3 overarching questions, that prosecutors should use in
their review and assessment of a company’s compliance program:
1. Is the Program well designed?
Risk Assessment
Policies and Procedures
Training and Communication
Confidential Reporting and Investigation of misconduct
Third Party Management
Mergers and Acquisitions
4
5. withum.com
DOJ Guidance
2. Is the program being implemented effectively?
Senior and Middle Management
Autonomy and Resources
Incentives and Disciplinary Measures
3. Does the program work in practice?
Continuous Improvement, Periodic Testing and Review
Analysis and Remediation of Underlying Misconduct
5
6. withum.com
DOJ Guidance
June 2020 DOJ update changed the second question “is the compliance
program being implemented effectively” to asking instead whether the
compliance program is "adequately resourced and empowered to
function effectively.” This includes:
• Commitment and implementation of a culture of compliance at all levels of the organization
• Ensuring those with day-to-day operational responsibility have adequate resources,
appropriate authority and direct access to governing authority
• Enabling compliance program effectiveness through investment in training and development
and access to relevant data sources
6
7. withum.com
Top Compliance Risks
The following is a summary of the top 2020 compliance risks (percentage of the total):
Coding/Billing 30%
Documentation 17%
HIPAA Privacy 15%
HIPAA Security 14%
Medical Necessity 9%
Other 8%
Government Enforcement 7%
Source – 2020 Healthicity Compliance and Auditing Benchmark Report
7
8. withum.com
Compliance Program Trends
To mitigate these risks, the importance of implementing an effective compliance
program that prevents fraud, waste and abuse has grown with the increase in the
number of government settlements of non-compliance with regulations. Of the
organizations included in the report:
96% have a formal compliance program
80% perform an annual risk assessment
• 38% take over 21 hours to conduct a risk assessment
71% of employees will have at least one hour of compliance training
56% utilize a blended compliance training approach ( online and in-person)
54% have a Chief Compliance Officer (CCO) who meets quarterly with the compliance committee
45% have the CCO meet with the overall Board of Directors/Trustees
34% anticipate that the greatest challenge in managing their compliance program is keeping
current on regulations
31% considered the OIG work plan the key driver in prioritizing compliance work plan audits
8
9. withum.com
Compliance Program Trends
In this environment, developing and implementing an effective compliance
program has become a standard expectation within the health care industry.
While even the best program cannot prevent all violations, a tailored, proactive
compliance program is more likely to identify issues early.
Additionally, the existence of such a program is a positive factor when
negotiating with the government, should that become necessary.
Finally, if any significant compliance issues are detected through your own
compliance program activities, self-reporting is usually a much-preferred
position as opposed to being a target in another one of these government
enforcement actions.
9
10. withum.com
Fraud and Abuse Regulations
High priority Healthcare Federal Fraud and Abuse laws are as follows:
False Claims Act (FCA) [31 U.S.C. §§ 3729–3733]
Physician Self-Referral Law (Stark Law) [42 U.S.C. § 1395nn]
Anti-Kickback Statute (AKS) [42 U.S.C. § 1320a-7b(b)]
Exclusion Authorities [42 U.S.C. § 1320a-7]
Civil Monetary Penalties Law [42 U.S.C. § 1320a-7a]
The following Governmental agencies are charged with enforcing these laws:
Department of Justice (DOJ)
Department of Health and Human Services (HHS) Office of Inspector General (OIG)
Centers for Medicare and Medicaid Services (CMS)
11
11. withum.com
False Claims Act (FCA) Risks
The FCA imposes civil liability on any person who knowingly presents, or causes to be presented, a
false or fraudulent claim for payment to the Government.
Under the civil FCA, no specific intent to defraud is required. The civil FCA defines “knowing” to
include not only actual knowledge but also deliberate or reckless disregard of the truth or falsity of
the information.
Civil penalties can reach up to 3 times what the Government paid for each claim, plus a per-claim
penalty of at least $11,665 and at most $23,331 for each claim violation after June 20, 2020.
Under civil FCA, each instance of an item or service billed to Medicare or Medicaid counts as
a claim, so fines can add up quickly.
Criminal penalties for submitting false claims include imprisonment and criminal fines
12
12. withum.com
False Claims Act (FCA) Best Practices
Examples of FCA best practices include the following:
Monitor coding patterns
Review billing procedures and claim submission process
Perform a documentation/coding/billing review looking for: (1) medical necessity; (2)
billing for services not provided; (3) failure to use coding modifiers; and (4) upcoding,
etc.
• Primary reasons for conducting formal documentation/coding audits include:
Required by internal compliance program
Ensure bills are accurate and avoid penalties
• Compliance Guidelines published by OIG recommend auditing a minimum sample of 10 patient
encounters for each provider
Small, frequent audits reduce error and increase the accuracy of claims submissions
• Communicate results to the physician
• Implement remediation efforts, where applicable
• Implement applicable training programs
13
13. withum.com
Physician Self-Referral Law (Stark Law) Risks
Prohibits physicians from referring patients to receive “designated health
services” payable by Medicare or Medicaid from entities with which the
physician or an immediate family member has a financial relationship,
unless an exception applies
Financial relationships include both ownership/investment interests and
compensation arrangements
“Designated health services” include but are not limited to:
• Clinical laboratory services;
• Physical therapy and occupational therapy services;
• Radiology and certain imaging services;
• Radiation therapy services and supplies; and
• Inpatient and outpatient hospital services.
14
14. withum.com
Physician Self-Referral Law (Stark Law) Risks
The Stark Law is a strict liability statute which means proof of specific intent to
violate the law is not required.
Violations of the Stark Law may result in penalties that include denial of
payment, civil monetary penalties of up to $15,000 per service (and $100,000
for schemes that are designed to circumvent the Stark Law) and exclusion
from the Medicare and Medicaid programs
On November 20, 2020, CMS issued sweeping changes designed to provide
flexibility for value-based arrangements and care coordination and reduce the
burdens for physicians and healthcare providers. The regulation goes into
effect January 19, 2021.
15
15. withum.com
Physician Self-Referral Law (Stark Law)- Best
Practices
Examples of Stark Law best practices include the following:
Ensure Conflict of Interest Questionnaires are completed, signed and any
conflicts disclosed are resolved
Annually review physician compensation to ensure that it is within Fair Market
Value benchmarks such as a specific percentile of the MGMA Physician
Compensation and Productivity Survey
Annually review physician leased space to ensure it is commercially reasonable
representing an arm’s length relationship with comparable properties in the
same local area.
16
16. withum.com
Anti-Kickback Statute (AKS) Risks
Prohibits the knowing and willful payment of “remuneration” to induce or reward patient referrals or the
generation of business involving any item or service payable by the Federal Health Care Programs (e.g., drugs,
supplies, or health care services for Medicare or Medicaid patients).
Applies to all sources of referrals, even patients.
Routinely waiving Medicare and Medicaid patient copayments could implicate the AKS, and physicians may not advertise
that they forgive copayments
Violation of AKS is punishable by a $25,000 fine, imprisonment for up to five years, or both, and may subject a
violator to civil monetary penalties as well.
Violation of AKS is grounds for exclusion from participation in the Medicare and Medicaid programs and other
federal health care programs
On November 20, 2020, the HHS Office of Inspector General (OIG) issued its final rule creating new safe harbors and
modifying existing safe harbors. These changes are designed to provide greater flexibility and reduced regulatory
burdens for care coordination and value-based arrangements. The regulation goes into effect January 19, 2021.
17
17. withum.com
Anti-Kickback Statute (AKS) - Best Practices
Examples of AKS best practices include the following:
Physicians should register with the Federal Open Payments Program (Program)
which is mandated by the Affordable Care Act.
• This Program requires that information about gifts, speaking fees, travel, meals and other
benefits made by vendors ( e.g., drug makers, device manufacturers and group purchasing
organizations, etc.) to physicians and teaching hospitals be collected and stored in a
database. Any financial interest a doctor has in a medical business should also be stored.
• This database includes speaking fees, gifts, textbooks, entertainment expenses, meals,
travel costs and fees for serving on advisory boards
Physicians should check the CMS database maintained under this Program to
make sure the information is accurate as patients, the public and researchers
have the right to access this database.
18
18. withum.com
Exclusion from Federal Health Care Programs
(FHCP) Risks
OIG is legally required to exclude from participation in all FHCPs
individuals and entities convicted of the following criminal offenses:
Medicare or Medicaid Fraud
Patient abuse or neglect
Felony convictions for health care related fraud, theft or other financial
misconduct
If your physician practice employs or contracts with an excluded
individual or entity and FHCP payment is made for items or services that
person or entity furnishes, whether directly or indirectly, you could be
subject to a civil monetary penalty and/or an obligation to repay any
amounts attributable to the services of the excluded individual or entity.
19
19. withum.com
Exclusion from Federal Health Care Programs -
Best Practices
Examples of Exclusion best practices include the following:
For all new employees and vendors, screen against the OIG’s List of Excluded Individuals and
Entities. The online data can be accessed from OIG’s Exclusion Web site.
• If there is a match, do not hire the prospective employee or contract with the prospective vendor
On a monthly basis, screen all current and prospective employees and contractors against the
OIG’s List of Excluded Individuals and Entities.
Investigate all potential matches to determine if they are the excluded individual or entity
• If they are a match with the excluded individual or entity, take immediate action to suspend employment or
purchasing services (consistent with policies and procedures)
• If they are not a match with the excluded individual or entity, maintain applicable documentation
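The screening procedure above (screen against the List of Excluded Individuals and Entities, treat a name-only hit as a potential match that must be investigated, treat a hit corroborated by a second identifier as a match that triggers suspension, and document non-matches) can be run as a data-matching job. The following is an added example written for this page, not code from the presenters or from OIG. The LEIE column names used (LASTNAME, FIRSTNAME, DOB, NPI, EXCLTYPE, EXCLDATE, REINDATE) are an assumed, simplified subset of the public download; every record and roster entry is constructed and refers to no real person.

```python
"""Screen an employee/vendor roster against an LEIE-style exclusion list.

Added example (not from the Withum deck). The LEIE column names below are an
assumed, simplified subset of the public OIG download; the records themselves
are constructed for illustration and are not real exclusions.
"""
import csv
import io
import unicodedata
from dataclasses import dataclass

# Constructed LEIE-style extract (sample data, not real people).
LEIE_CSV = """LASTNAME,FIRSTNAME,DOB,NPI,EXCLTYPE,EXCLDATE,REINDATE
SMITH,JOHN,19700102,1234567893,1128a1,20190315,
GARCIA,MARIA,19811120,,1128b4,20200601,
O'BRIEN,PATRICK,19650730,1987654321,1128a1,20180110,20230110
"""

# Constructed roster. NPI is blank for staff who are not clinicians.
ROSTER = [
    {"first": "John", "last": "Smith", "dob": "1970-01-02", "npi": "1234567893"},
    {"first": "Maria", "last": "Garcia", "dob": "1975-05-05", "npi": ""},
    {"first": "Patrick", "last": "O'Brien", "dob": "1965-07-30", "npi": "1987654321"},
    {"first": "Jane", "last": "Doe", "dob": "1990-09-09", "npi": ""},
]


@dataclass
class Finding:
    name: str
    status: str   # "confirmed", "potential" or "clear"
    basis: str    # which identifiers agreed
    action: str   # next step the screening procedure requires


def _norm(text: str) -> str:
    """Upper-case and strip accents/punctuation so "O'Brien" equals "OBRIEN"."""
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(ch for ch in text.upper() if ch.isalnum())


def load_leie(csv_text: str) -> list:
    """Parse the extract and drop entries that have since been reinstated."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return [r for r in rows if not r["REINDATE"].strip()]


def screen(roster: list, leie: list) -> list:
    """One Finding per roster entry (or per name hit when several LEIE rows match)."""
    findings = []
    for person in roster:
        display = f"{person['first']} {person['last']}"
        name_hits = [r for r in leie
                     if _norm(r["LASTNAME"]) == _norm(person["last"])
                     and _norm(r["FIRSTNAME"]) == _norm(person["first"])]
        if not name_hits:
            findings.append(Finding(display, "clear", "no name match",
                                    "no action; retain screening log entry"))
            continue
        dob = person["dob"].replace("-", "")
        for hit in name_hits:
            basis = ["name"]
            if person["npi"] and hit["NPI"] and person["npi"] == hit["NPI"]:
                basis.append("NPI")
            if dob == hit["DOB"]:
                basis.append("DOB")
            if len(basis) > 1:
                # A second identifier corroborates the name: treat as the excluded party.
                findings.append(Finding(display, "confirmed", "+".join(basis),
                                        "suspend employment/purchasing per policy; notify compliance"))
            else:
                # Name alone is not proof; the procedure requires investigation.
                findings.append(Finding(display, "potential", "name only",
                                        "investigate with additional identifiers; document result"))
    return findings


if __name__ == "__main__":
    for f in screen(ROSTER, load_leie(LEIE_CSV)):
        print(f"{f.name:18} {f.status:10} {f.basis:14} {f.action}")
```

Run monthly against the current roster and a fresh LEIE download; the "potential" rows are the ones the slide says must be investigated and documented either way, and the reinstated entry shows why the reinstatement date has to be honoured before matching.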
20
20. withum.com
Office of Civil Rights (OCR) and HIPAA Risks
HIPAA compliance is monitored under the Office of Civil Rights
Risk of inadequate compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy regulations: unauthorized access to Protected Health Information (PHI) resulting from inadequate
privacy and confidentiality controls
Risk of noncompliance with HIPAA Security regulations: unauthorized access to PHI resulting from
inadequate controls over the physical security of, and logical access to, systems
One of the top healthcare compliance issues for 2020 will be maintaining strong HIPAA and cyber
security and privacy compliance
Breaches continue to occur at a steady pace from a combination of both internal and external causes
such as hackers, viruses and other malicious attacks
21
21. withum.com
Office of Civil Rights (OCR) and HIPAA Best
Practices
Examples of access best practices include the following:
Review process for access to system including all devices
Evaluate policies, forms and requests.
Test to ensure that access is granted in accordance with policies.
Perform an overall review to ensure access controls are working effectively
• Identify any deficiencies and/or weaknesses and develop a formal remediation plan
• Monitor progress and test that all deficiencies and weaknesses have been corrected
Examples of security best practices include the following:
Review process for security to system including all devices
Evaluate policies, forms and requests.
Test to ensure that security controls operate in accordance with policies.
Perform an overall review to ensure security controls are working effectively
• Identify any deficiencies and/or weaknesses and develop a formal remediation plan
• Monitor progress and test that all deficiencies and weaknesses have been corrected
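The access review steps above ("test to ensure that access is done in accordance with policies", identify deficiencies, then retest) are usually performed by comparing a system's account export against the HR roster and the role policy. The following is an added example for this page, not the presenters' tooling: the HR roster, the account export, the role-to-entitlement matrix and the 90-day dormancy threshold are all constructed or assumed policy values.

```python
"""User access review for a PHI system: compare accounts with the HR roster.

Added example, not from the Withum deck. The roster, account export, role
matrix and dormancy threshold are constructed/assumed; map the column names
onto the system actually under review.
"""
from datetime import date

DORMANT_DAYS = 90                 # assumed policy: unused for 90 days -> flag
REVIEW_DATE = date(2021, 1, 13)   # the "as of" date for the review

# Assumed role-to-entitlement policy: which privileges each job role may hold.
ROLE_POLICY = {
    "biller": {"claims_read", "claims_write"},
    "nurse": {"chart_read", "chart_write"},
    "it_admin": {"sysadmin"},
}

# Constructed HR roster: employee id -> (role, employment status).
HR_ROSTER = {
    "E100": ("biller", "active"),
    "E101": ("nurse", "active"),
    "E102": ("nurse", "terminated"),
    "E103": ("it_admin", "active"),
}

# Constructed account export from the PHI system.
ACCOUNTS = [
    {"user": "E100", "enabled": True, "privs": {"claims_read", "claims_write"},
     "last_login": date(2021, 1, 10)},
    {"user": "E101", "enabled": True, "privs": {"chart_read", "chart_write", "sysadmin"},
     "last_login": date(2021, 1, 12)},
    {"user": "E102", "enabled": True, "privs": {"chart_read"},
     "last_login": date(2020, 6, 1)},
    {"user": "E103", "enabled": True, "privs": {"sysadmin"},
     "last_login": date(2020, 8, 1)},
    {"user": "svc_old", "enabled": True, "privs": {"claims_read"},
     "last_login": None},
]


def review_access(accounts=ACCOUNTS, roster=HR_ROSTER, today=REVIEW_DATE):
    """Return {user: [finding codes]} for every enabled account with an exception."""
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue                            # disabled accounts grant no access
        codes = []
        hr = roster.get(acct["user"])
        if hr is None:
            codes.append("NO_HR_RECORD")        # orphan or service account without an owner
        else:
            role, status = hr
            if status != "active":
                codes.append("TERMINATED_STILL_ENABLED")
            excess = acct["privs"] - ROLE_POLICY.get(role, set())
            if excess:
                codes.append("PRIVS_EXCEED_ROLE:" + ",".join(sorted(excess)))
        last = acct["last_login"]
        if last is None or (today - last).days > DORMANT_DAYS:
            codes.append("DORMANT")
        if codes:
            findings[acct["user"]] = codes
    return findings


if __name__ == "__main__":
    for user, codes in review_access().items():
        print(user, ", ".join(codes))
```

Each finding maps onto a remediation item on the slide (disable the terminated user, remove the excess privilege, assign an owner to the orphan account), and re-running the same script after remediation is the "test that all deficiencies and weaknesses have been corrected" step.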
22
22. withum.com
Credit Balance Risks
Per Patient Protection and Affordable Care Act (PPACA)
Providers (including physicians) must report and repay Medicare/Medicaid
overpayments within 60 days of “identification” or “applicable reconciliation,” whichever
is later
Retention of an identified overpayment after the 60-day period is considered an “obligation
to pay” subject to a False Claims Act (FCA) enforcement action as a so-called “reverse
false claim”
Examples of Medicare credit balances include instances where a physician is:
Paid twice for the same service either by Medicare or by Medicare and another insurer;
Paid for services planned but not performed, or for noncovered services;
Overpaid because of errors made in calculating beneficiary deductible and/or
coinsurance amounts
23
23. withum.com
Credit Balance Best Practices
Examples of credit balances best practices include the following:
Validate accuracy of credit balance aging report by payor (including Medicare
and Medicaid).
Determine that adequate, trained staff are resolving credit balances
• Is the resource level appropriate?
• Are they qualified and well-trained?
Determine whether there are sufficient quality assurance and root cause
analysis processes.
Determine sufficiency and effectiveness of controls used to ensure refund and
reporting within 60 days of identification
24
24. withum.com
Purchasing Cycle Risks
Examples of purchasing cycle risks include the following:
Unauthorized or fictitious purchases are made.
Recorded purchases are coded to the wrong G/L account resulting in improper
expense or capitalization.
Received goods/services do not agree to goods/services ordered.
Invoices are for an incorrect amount or for services not rendered.
Disbursements are processed for unauthorized purchases.
Disbursements are not properly authorized or accurate, or payment is made to an
inappropriate vendor.
Issuance of checks is not properly controlled.
Unauthorized employees have access to Purchasing/AP system.
25
25. withum.com
Purchasing Cycle Best Practices
Examples of purchasing cycle related best practices include the
following:
Vendor Master Maintenance including new vendor set-up, validation (W-9), and
related procedures.
Vendor Invoice Processing including 3-way match, invoice approval, invoice
entry, and related procedures.
Cash Disbursements including check processing, check signing, voided and
stored checks, checks made payable to cash and related procedures.
Accounts Payable management including monitoring controls and reconciliation
of such items as duplicate payments, expense reimbursements and related
procedures.
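The 3-way match and duplicate-payment monitoring named above are the two purchasing-cycle controls that lend themselves to automated testing. The following is an added example written for this page, not code from the presenters or any AP system: the purchase orders, receiving reports and invoices are constructed sample records, and the 1% price tolerance is an assumed policy parameter.

```python
"""Three-way match and duplicate-invoice test for an accounts payable review.

Added example, not from the Withum deck. All records are constructed; the
price tolerance is an assumed policy setting.
"""
from collections import defaultdict

PRICE_TOLERANCE = 0.01  # assumed: invoice unit price may differ from PO by up to 1%

# Constructed purchase orders keyed by PO number.
PURCHASE_ORDERS = {
    "PO-1001": {"vendor": "V-10", "item": "gloves", "qty": 100, "unit_price": 5.00},
    "PO-1002": {"vendor": "V-11", "item": "masks", "qty": 50, "unit_price": 2.00},
    "PO-1003": {"vendor": "V-12", "item": "gowns", "qty": 20, "unit_price": 12.00},
}
# Constructed receiving reports: quantity actually received per PO.
RECEIVING = {"PO-1001": 100, "PO-1002": 40, "PO-1003": 20}
# Constructed vendor invoices; C-3 is entered twice to simulate a duplicate.
INVOICES = [
    {"inv": "A-1", "vendor": "V-10", "po": "PO-1001", "qty": 100, "unit_price": 5.02},
    {"inv": "B-7", "vendor": "V-11", "po": "PO-1002", "qty": 50, "unit_price": 2.00},
    {"inv": "C-3", "vendor": "V-12", "po": "PO-1003", "qty": 20, "unit_price": 13.50},
    {"inv": "C-3", "vendor": "V-12", "po": "PO-1003", "qty": 20, "unit_price": 13.50},
    {"inv": "D-9", "vendor": "V-99", "po": "PO-4444", "qty": 1, "unit_price": 900.0},
]


def three_way_match(invoice, pos, receiving):
    """Compare invoice to PO and receiving report; return exception codes ([] = clears)."""
    po = pos.get(invoice["po"])
    if po is None:
        return ["NO_PO"]                      # no authorized purchase behind the invoice
    exceptions = []
    if po["vendor"] != invoice["vendor"]:
        exceptions.append("VENDOR_MISMATCH")  # invoice from a party other than the PO vendor
    received = receiving.get(invoice["po"], 0)
    if invoice["qty"] > received:
        exceptions.append("QTY_EXCEEDS_RECEIVED")  # billed for goods not received
    if invoice["qty"] > po["qty"]:
        exceptions.append("QTY_EXCEEDS_PO")        # billed for more than was ordered
    if abs(invoice["unit_price"] - po["unit_price"]) > PRICE_TOLERANCE * po["unit_price"]:
        exceptions.append("PRICE_VARIANCE")        # billed price outside tolerance
    return exceptions


def duplicate_invoices(invoices):
    """Same vendor and invoice number seen more than once -> candidate duplicate payment."""
    seen = defaultdict(int)
    for inv in invoices:
        seen[(inv["vendor"], inv["inv"])] += 1
    return sorted(key for key, n in seen.items() if n > 1)


def run_ap_test(invoices=INVOICES, pos=PURCHASE_ORDERS, receiving=RECEIVING):
    """Return ({invoice number: exceptions}, [duplicate (vendor, invoice) keys])."""
    matches = {inv["inv"]: three_way_match(inv, pos, receiving) for inv in invoices}
    return matches, duplicate_invoices(invoices)


if __name__ == "__main__":
    matches, dupes = run_ap_test()
    for number, codes in matches.items():
        print(number, codes or "OK")
    print("duplicates:", dupes)
```

The exception codes line up with the risks listed two slides earlier: NO_PO and VENDOR_MISMATCH cover unauthorized or fictitious purchases, QTY_EXCEEDS_RECEIVED covers received goods not agreeing to goods ordered and billed, and PRICE_VARIANCE covers invoices for an incorrect amount.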
26
26. withum.com
Payroll Cycle Risks
Examples of payroll cycle risks include the following:
Unauthorized, duplicate or fictitious employees are added to human resource master
files, resulting in unauthorized payroll disbursements.
New Employees
• Information is recorded incorrectly (e.g., hourly or salary rates, etc.) in the master file resulting in
inaccurate payroll processing and disbursements.
• Are not added to the payroll records in the appropriate period, resulting in errors in payroll
processing and disbursements.
Active Employees
• Biweekly time is not authorized and does not reflect actual hours worked.
• Approved hourly and/or salary changes are not accurately recorded resulting in over or under
payment of payroll
Terminated Employees
• Are not removed from the master file in a timely manner, resulting in inaccurate disbursements
27
27. withum.com
Payroll Cycle Best Practices
Examples of payroll cycle related best practices include the following:
New Hire including approval of position, salary and benefits, etc.
Time and Attendance includes daily and biweekly hours by category (e.g.,
regular, overtime, shift differential, etc.), for exempt and nonexempt employees.
Authorization includes independent approval of employee's timecards and
manual adjustments.
Review and Processing includes review of outliers (excessive overtime, etc.),
uploading time and attendance reports into payroll system, printing of
paychecks and stubs.
Distribution of Payment includes actual check distribution or employee access
to their own information.
General Ledger Update includes payroll interface and reconciliation to General
Ledger and bank statement reconciliation.
28
28. withum.com
CARES Act Provisions For Health Care Entities
The Coronavirus Aid, Relief, and Economic Security Act (the CARES Act)
attempted to alleviate some of the financial strain on hospitals,
physicians, and other health care entities through a series of new policies
that temporarily boosted Medicare and Medicaid payments, allowed for
added flexibility in treatment modalities, and expanded the availability of
advance or accelerated payments from Medicare.
The CARES Act established a Provider Relief Fund (PRF) to be used for
economic support of health care entities in connection with health care
related expenses or “lost revenues” attributable to COVID-19 and
treatment of uninsured COVID-19 patients.
30
29. withum.com
Provider Relief Fund Terms and Conditions
The terms and conditions of the Provider Relief Fund state that Relief Fund
Payments will only be used to prevent, prepare for and respond to coronavirus
and shall reimburse the recipients only for healthcare expenses and lost
revenue attributable to coronavirus
The recipient certifies that it provides or provided after January 31, 2020,
diagnoses, testing or care for individuals with possible or actual cases of
COVID-19
The recipient certifies that it will not use the payment to reimburse expenses
or losses that have been reimbursed from other sources or other sources are
obligated to reimburse
31
30. withum.com
Provider Relief Fund Terms and Conditions
The reporting deadline for PRF dollars is February 15, 2021 and the portal, via HHS, to submit
the data will be open for use as of 1/15/2021
If recipients do not expend PRF funds in full by the end of calendar year 2020, they will have
an additional six months in which to use remaining amounts toward expenses attributable to
coronavirus but not reimbursed by other sources, or to apply toward “lost revenues” (will be
discussed further)
For example, the reporting period January – June 2021 will be compared to the same period
in 2020 from a budget perspective, or January – March 2021 will be compared to the same
quarter in 2020 (still waiting for further clarification on this)
For carry over funds through 6/30/21, the reporting deadline is 7/31/21
32
31. withum.com
Provider Relief Fund Terms and Conditions
Eligibility
Billed Medicare in 2019
Provided diagnosis, testing, or care for individuals with actual or possible cases
of COVID-19 after January 31, 2020
Not excluded from federal healthcare programs
Use of Funds
Only to prevent, prepare for, and respond to COVID-19
Only to reimburse for healthcare-related expenses or lost revenues attributable
to COVID-19
Must not use the funds to compensate for expenses or lost revenues that have
been reimbursed from other sources (e.g., FEMA funding, state grants, program-
specific funding, commercial insurance, etc.)
33
32. withum.com
Provider Relief Fund Terms and Conditions
Supporting Records
Maintain all records and cost documentation to support the appropriate use of funds,
and provide to the Secretary of HHS upon request
Substantiate use of funds for increased healthcare-related expenses or lost revenue
attributable to COVID-19 and evidence that those expenses/losses were not reimbursed
from other sources
Submit quarterly report to reflect total receipt of funds as well as detailed list of all
projects/activities in which covered funds were expended
Other Compliance Requirements
Restrictions on balance billing of out-of-network COVID-19 patients (i.e., seeking to
collect more than what the patient would have otherwise been required to pay if he/she
was an in-network patient)
Restrictions on using funds to pay for excessive salaries of physicians or executives
beyond defined level
34
33. withum.com
Provider Relief Fund Monitoring/Best Practices
• Upon the decision to retain the funds, the following activities should be taken in order to
manage the funds going forward and support compliance with the terms and conditions:
• Develop reasonable methodologies for calculating lost revenues across key lines of business
and affiliated entities
• Develop mechanisms to identify and track COVID-19-related expenses
• Develop policies, procedures, and standards regarding necessary documentation to support
the use of funds and compliance with HHS’s terms and conditions
• Establish infrastructure for tracking all COVID-19 funding sources and ensuring that the
funds are not being used for duplicate purposes
• Develop monitoring plans to mitigate unique funding compliance risks, such as audits
around balance billing, use of funds for excessive physician and executive salaries, etc.
• Monitor and communicate newly published regulatory guidance to applicable stakeholders
35
34. withum.com
OIG 2020 Active Work Plan Items - COVID -19
Audit of CARES Act Provider Relief Funds—General and Targeted Distributions to
Hospitals
Objective is to determine whether providers that received PRF payments complied with certain
Federal requirements, and the terms and conditions for reporting and expending PRF funds.
Audit of Medicare Telehealth Services During the COVID-19 Pandemic: Program
Integrity Risks
CMS implemented a number of waivers and flexibilities that allowed Medicare beneficiaries to
access a wider range of telehealth services without having to travel to a health care facility. This
review will be based on Medicare Parts B and C data and will identify program integrity risks
associated with Medicare telehealth services during the pandemic. We will analyze providers'
billing patterns for telehealth services. We will also describe key characteristics of providers that
may pose a program integrity risk to the Medicare program.
36
35. withum.com
Telehealth During COVID-19
Coronavirus Preparedness and Response Supplemental Appropriations Act
includes a provision allowing the Secretary of the HHS to waive certain
Medicare telehealth payment requirements during the Public Health
Emergency to allow beneficiaries in all areas of the country to receive
telehealth services, including at their home. Starting March 6, 2020 all
Medicare patients are eligible for telehealth services. The rural-only patients’
requirement was suspended. This expires at end of Public Health Emergency.
CMS publishes a list of services that are normally furnished in person but may be
furnished via Medicare telehealth. Services are described by HCPCS codes and
paid under the Physician Fee Schedule (see next slide).
37
36. withum.com
Telehealth During COVID-19
CMS publishes a list of services that are normally furnished in person but may be
furnished via Medicare telehealth. Services are described by HCPCS
codes and paid under the Physician Fee Schedule. There are 3 categories
of services:
Medicare Telehealth Visits
Virtual Check-in
E-visits
38
37. withum.com
Telehealth During COVID-19
New Jersey Telehealth Requirements (as of November 16, 2020)
Any NJ licensed healthcare provider may provide telehealth services. Licensed out-of-state
providers must have a pre-COVID-19 relationship with the patient to conduct a telehealth
encounter unless the encounter only concerns COVID-19
Providers are permitted to use alternative technologies such as audio only telephone or video
technology commonly available on smartphones and other devices as long as standard of care is
met.
Patient may orally consent to telehealth services.
If there is no pre-existing provider-patient relationship, the provider must (1) inform the patient of his identity,
professional credentials and contact information and (2) identify the patient by name, DOB, phone
number and address.
A provider is no longer required to review a patient’s medical history and medical records prior to
an initial telehealth encounter. Providers should use clinical judgment to obtain relevant medical
history and review available medical records to meet applicable standards of care.
If the patient consents, provider must forward the records of the telehealth encounter to the
patient’s primary care provider or provider that the patient requests.
39
38. withum.com
Role of Internal Audit During COVID-19
The following questions frame how internal audit should focus its work given the
COVID-19 impact on the organization:
How relevant is the current audit plan and what parts of it require recalibration?
How does Internal Audit keep pace with the speed of changes occurring in the business,
including changes in the control environment?
How does the department pivot to help the organization address new business risks?
How does an internal audit team better use technology and data to gain insight?
The response to these questions is that Internal Audit should take a more
data-driven approach that monitors risks and takes action quickly to help the
organization navigate the risks created by COVID-19. This can be achieved
through a simplified, continuous risk assessment that uses technology to
monitor COVID-19-related risks from an internal audit perspective.
41
39. withum.com
Role of Internal Audit During COVID-19
Re-calibrate its approach to cyclical audit planning and coverage of risk
Adopt an agile management approach
Embrace short term prioritization and regular review /updates to the IA plan to mirror the
changing pace of risk and assurance needs
Collaborate with key stakeholders to understand new and/or elevated risks and assess how
best to support them with the provision of assurance.
Continue to deliver on-going assurance activities without disrupting critical
operational areas during times of crisis
Accelerate the deployment of analytics to deliver IA work remotely, increase coverage, focus on
outliers, and reduce business interruption, while still providing valuable insights and
assurance.
Work more closely with external providers to reduce disruptions of the
business
Provide an objective voice to organization teams who need to make decisions
quickly
42
40. withum.com
Role of Internal Audit During COVID-19
Reconsidering Threats and Risks
At the onset of the virus, some internal audit functions reacted by lending their risk
management expertise to help resolve immediate service delivery and operational
issues.
Leveraging investments in data analytics to identify relevant key performance
indicators facilitated the automated monitoring of risks.
Risk assessment involves providing audit services for new and emerging risk areas.
For example, some organizations made temporary changes to service delivery models to quickly restart
operations, which made up for shortages in employees.
These events led to the curtailment of specific traditional controls, requiring new risk mitigation
strategies and enhanced audit monitoring.
Especially of concern to internal audit were questions of how exceptions to controls and risk
acceptances were granted, as well as third-party risks, including supply chain disruptions
Finally, recovery and, in some cases, survival planning is another example of internal auditors lending
their expertise in facilitating organizational objectives
43
41. withum.com
Role of Internal Audit During COVID-19
Enhanced Monitoring and Reporting
To the extent available, internal auditors are also using data provided by
vendors and third-party service providers to enhance monitoring
capabilities. Internal auditors have dedicated more time to reviewing
external assessment reports, such as Service Organization Control (SOC) 1,
SOC 2, and internal reports provided by vendors. These can include
performance reports, information feeds, industry benchmark activity
reports, and compliance with service-level agreements.
Some areas of focus include ensuring compliance with regulatory
expectations, despite the challenges caused by COVID-19. Activities include
documentation, coding and billing audits regarding: (1) medical necessity;
(2) billing for services not provided; (3) failure to use coding modifiers; and
(4) upcoding.
44
42. withum.com
Challenges For Internal Audit During COVID-19
Continue to function effectively where stakeholders have competing
priorities
Reduce the amount of stakeholder input and produce short, sharp advisory
pieces and leverage system access and available data to the greatest extent
Provide more frequent updates
Consider alternative methods in gathering evidence of control execution
or absence of documentation related to confirmation of key steps
There might be circumstances of control override, with employees seeking
workarounds to existing security protocols and internal controls in order to keep
the business operating effectively
Fraud incentives are increased in times of crisis
45
43. withum.com
Internal Audit Department Structure
In-sourced
In-house staff performs internal audit
functions
Outsourced
Hire a third-party firm to provide
resources to perform internal audit
functions
Co-sourced
Use a blend of internal and external
resources to perform internal audit
functions
44. withum.com
Internal Audit Department Structure
In-source
Description: A formally established department comprised of staff reporting to the
Board and an appropriate member of Senior Management
Advantages:
• Builds and retains institutional knowledge
• Helps to foster internal ownership of issues
Disadvantages:
• Independence can be impaired over time
• Potential limited depth of technical skills can reduce effectiveness
45. withum.com
Internal Audit Department Structure
Outsource
Description: Third party firm provides all components of the internal audit function
and reports to a member of the Board and an appropriate member of senior management
Advantages:
• Independent and objective
• Greater insights into alternative approaches and best practices
Disadvantages:
• Dependence on strength of third-party relationship and capability
• Potential staff continuity issues
46. withum.com
Internal Audit Department Structure
Co-source
Description: Third party firm supplements internal audits on a project-by-project basis at the
direction of Senior Management or the Board
Advantages:
• Can obtain appropriate specialized or technical skills for each audit area on an as-needed basis
Disadvantages:
• Discretionary use might lead to lack of focus
47. withum.com
Questions? Contact your Presenters
Michael A. Serluco, CPA
Partner, Healthcare Services
mserluco@withum.com
(732) 759 6821
Marc Stein
Principal, Healthcare Advisory Services
mstein@withum.com
(732) 828 1614