How the Office of the Medicaid Inspector General Documents Their Internal Control Review Dennis Holder MBA, CGFM, CRMA Director, Office of Risk Management Office of the Medicaid Inspector General March 14, 2013 Albany, New York
Introduction to OMIG • Established in 2006 as an independent program integrity entity within the Department of Health (DOH) • Our mission: To enhance the integrity of the New York State Medicaid program by preventing and detecting fraudulent, abusive and wasteful practices in the Medicaid program and recovering improperly expended Medicaid funds while promoting high-quality patient care
Internal Controls Definition of Internal Control Is the integration of the activities, plans, attitudes, policies and efforts of the people of an organization working together to provide reasonable assurance that the organization will achieve its objectives and mission.
System of Internal Control An Internal Control System is a process which uses preventive and detective methods to assist an organization to achieve its goals and objectives. The system is composed of five related components which are: Control Environment Risk Assessment Control Activities Monitoring Communication
Control Environment The Control Environment is probably the most important aspects of a system of internal control. The Control Environment reflects the organizations culture and the tone at the top which together influences the control consciousness of employees.
Other Components Risk Assessment This is the identification and analysis of risk which may hinder the achievement of the organizations goals and objectives. Control Activities These are the policies, procedures, laws, rules and regulations which govern the accomplishment of goals and objectives.
Other Components (continued) Monitoring The process of observing, tracking and evaluating the performance and achievement of goals and objectives. Communication The ability to identify, capture and exchange information in a method that enables employees to effectively perform their assigned responsibilities.
Summary These five components when properly aligned will provide an effective system of internal controls which will assist in the achievement of goals and objectives and hinder the execution of fraudulent transactions and the misuse and abuse of resources.
The Four Step Process The “Four Step Process” was developed by Division of Budget as a method of evaluating and documenting the system of internal controls which an organization uses to achieve their goals and objectives. OMIG adopted this process and revised it to fit our purposes.
What are the Four Steps • Function Identification • A listing of the functions a division is responsible for executing. • Risk Assessment • A numerical assessment of the vulnerability of a function to risk.
What are the Four Steps? (continued) • Internal Control Review • Guidelines which assist the functional manager to examine the strength and weakness of the controls which govern the function. • Corrective Action Plan • Now that the functions risk has been determined and controls have been reviewed, the Corrective Action Plan is prepared to strengthen any identified weaknesses.
Step 1 – Function Identification This form is completed by the Deputy Medicaid Inspector General. The form list all functions within a division by bureau and unit that are used to assist the division to achieve its responsibilities.
Step 2 – Vulnerability Assessment • The purpose of this form is to determine a functions vulnerability of risk. • Risk can be classified as High, Medium or Low. • Twelve 12 characteristics are used to determine the level of risk for each function. Each characteristic receives a numerical value ranging from 1 to 5. A low risk is valued as 1 and high risk is valued as 5.
Functional Vulnerability (Risk) Assessment Step 2 - FUNCTIONAL VULNERABILITY ASSESSMENT Function: _______________ Office/Unit: __________________________ Responsible Individual: Telephone: ___________________________ For each characteristic listed below, rate the function's vulnerability from 1 to 5, with 5 being the highest degree of risk. For example, a highly sensitive, technical or administratively complex function should be rated a 5 for the first category listed below. • TOTAL SCORE (add ratings 1 thru 12): _________ • Overall Level of Vulnerability • Total Score of Total Score of Total Score under • 48+ indicates 25-47 indicates 25 indicates • HIGH MODERATE LOW
Step 2 – Vulnerability Assessment CHARACTERISTIC Sensitivity/Complexity of Operations If the function is important to OMIG’s primary responsibilities; involves sensitive program, fiscal or political considerations; or is highly technical or administratively complex, consider the risk as being high. (Greater complexity implies greater risk) CONSIDERATIONS Is the function routine/repetitive, involving large numbers of small value transactions or does it involve a complex set of tasks requiring individual initiative and/or involvement of other bureaus or other agencies? Is this function highly visible /vital to political jurisdiction or the public?
Step 2 – Vulnerability Assessment CHARACTERISTIC Personnel Properly trained and technically proficient personnel are assigned to this function; assignments are clearly defined; employee performance is periodically reviewed and additional staff development is provided as necessary. (The more qualified and trained the staff, the lower the risk.) CONSIDERATIONS Is staff adequately trained to conduct the variety, and complexity of functions? Is special training a prerequisite for employment? Is there a viable, ongoing staff development program to keep employee skills current with administrative systems, computer support or emerging new mandates?
Step 3 – Internal Control Review The functions manager will examine the controls over the function and the actual work being accomplished. The manager is responsible for identifying weaknesses within the function and develop corrective actions to mitigate or eliminate the weakness. The form for Step 3 provides the guidelines to assist the manager to conduct the examination.
Corrective Action Plan The fourth step in this process is designed to provide a description of the action(s) which will be taken to strengthen the weaknesses identified in Steps 2 & 3. The “Corrective Action Plan” should identify who is responsible for implementing the corrective action and when it is anticipated to be implemented.
Follow Up This entire process is conducted as a self-assessment of the system of internal controls used by each functional manager. The Internal Control Officer reviews each document submitted and asks questions to clarify the information reported. However, that is not enough. OMIG requires the functional manager to report the progress for implementing the CA which is approved by the Division Manager.
Follow Up • The Corrective Action Report is returned to ORM. • OMIG does not have, nor is required to have, an Internal Audit function. • ORM will randomly select Corrective Action Reports and visit the area to review the documentation they have supporting the testing the Functional Manager conducted.
Follow Up • The results of the Follow Up Review are communicated to the Functional Manager, their Division Director and the Medicaid Inspector General.
Conclusion • I hope the process that OMIG uses to document their Annual Internal Control Review is helpful to you. • Additional resources can be found on the NYSICA Website.
Thank You Thanks for listening.
Contact Information Dennis Holder Director, Office of Risk Management New York State Office of the Medicaid Inspector General 800 N. Pearl St. Albany, NY 12204 Phone Number (518) 408-0482 Dennis.email@example.com