The document discusses implementing the 2013 COSO internal control framework in a healthcare organization. It describes the planning process which includes gaining executive support, forming an implementation team with internal control expertise, and developing an implementation plan. The plan should include timelines, resource needs, and team roles. Scoping involves focusing first on high risk areas that could impact achieving objectives, like the revenue cycle process which requires many controls. A phased approach is then outlined including assessment, documentation, remediation, testing and reporting, and optimization of internal controls.
The document discusses implementing the 2013 COSO internal control framework in a healthcare organization. It describes the planning process which includes gaining executive support, forming an implementation team with internal control expertise, and developing an implementation plan. The plan should include timelines, resource needs, and team roles. Scoping involves focusing first on high risk areas that could impact achieving objectives, like the revenue cycle process which requires many controls. A phased approach is then outlined including assessment, documentation, remediation, testing and reporting, and optimization of internal controls.
The document discusses implementing the 2013 COSO internal control framework in a healthcare organization. It describes the planning process which includes gaining executive support, forming an implementation team with internal control expertise, and developing an implementation plan. The plan should include timelines, resource needs, and team roles. Scoping involves focusing first on high risk areas that could impact achieving objectives, like the revenue cycle process which requires many controls. A phased approach is then outlined including assessment, documentation, remediation, testing and reporting, and optimization of internal controls.
The document discusses implementing the 2013 COSO internal control framework in a healthcare organization. It describes the planning process which includes gaining executive support, forming an implementation team with internal control expertise, and developing an implementation plan. The plan should include timelines, resource needs, and team roles. Scoping involves focusing first on high risk areas that could impact achieving objectives, like the revenue cycle process which requires many controls. A phased approach is then outlined including assessment, documentation, remediation, testing and reporting, and optimization of internal controls.
Download as DOCX, PDF, TXT or read online from Scribd
Download as docx, pdf, or txt
You are on page 1/ 4
Approaching the 2013 Framework implementation
Before launching into the next sections, it is providing appropriate medical care, the process important to briefly examine some basic concepts includes obtaining payment information (in the form and why those of payment, insurance verification, or other means) concepts are such an integral part of the 2013 from the patient, accurately coding and billing for the Framework implementation. COSO defines internal services rendered, and applying payments received to control as “a process, effected by an entity’s board the patient account. Timely and detailed medical of directors, management, and other personnel, documentation by the medical staff is imperative. designed to provide reasonable assurance Consideration also needs to be given regarding the achievement to the various IT systems (EHR, billing, etc.) that are of objectives relating to operations, reporting, and used throughout the process. If these processes are not compliance.” COSO provides further characterization of designed and implemented effectively, the healthcare the objectives, which allow organizations to focus on organization may not achieve its operational, different aspects of internal control: “Operational compliance, and reporting objectives within the OBJECTIVES pertain to effectiveness and efficiency of the revenue cycle. entity’s operations, including operational and financial performance goals, Therefore, an organization’s stakeholders play an and safeguarding assets against loss. Reporting OBJECTIVES important role in implementing the 2013 Framework. For pertain to internal and external financial and nonfinancial example, senior management and members of the reporting and may encompass reliability, timeliness, board of directors should generally understand the transparency, or other terms as set forth by regulators, 2013 Framework and recognized standard setters, or the entity’s policies. its implementation benefits, costs, and approach. These Compliance OBJECTIVES pertain to adherence to laws parties may already have a broad understanding of and regulations to which the entity is subject.”3 the necessity for an effective internal control system, and some may perform or support internal controls as The hospital system has to comply with a significant a part of their daily routine. It is possible, however, number of laws and regulations before the patient that there may not even steps through its doors, while the patient is being be a full understanding of what is essential to cared for, and after the patient leaves when billing is implement the 2013 Framework. This can be resolved performed. If any of those operational processes is not through proper working properly, there will be a financial impact to the communication, training, and integration as well as a organization because of the inability to obtain strong, supportive tone at the top, which are all reimbursement for the services rendered. Given the elements imbedded within the 2013 Framework. importance of internal controls, their design and execution (or lack thereof) can greatly affect the Once awareness among the most senior leaders is various objectives and strategies of an organization, established, the organization needs to formulate an ultimately affecting its success. overall plan for implementation, including mechanisms for gaining support throughout the organization. An As an example of how those objectives apply to a implementation team should be staffed with process within a healthcare organization and how individuals who have expertise in internal control and important it is to set objectives, let’s use the a strong working knowledge of revenue cycle. Typically, the revenue cycle is the organization to minimize the learning curve. considered a high-risk area to an organization, and it The implementation team should first spend time requires many controls throughout the process. As a developing a project implementation plan, including plans patient receives services in a healthcare for assessing, designing, implementing, and setting, numerous departments are involved and maintaining systems of internal control. The approach necessitate continuous coordination and oversight. In that follows (Exhibit 3) is one of many different ways addition to the 2013 Framework can be implemented within a healthcare organization.
Exhibit 3. An approach to implementing the 2013 Framework
Phase 1 Phase 2 Phase 3 Phase 4 Design, Phase 5
Planning & Assessment & Remediation testing & Optimization of scoping documentation planning & reporting effectiveness of implementation of controls internal control Phase 1: Planning and scoping Orientation As mentioned earlier, it is important that executive management and the board are in full support of the implementation. Messaging and strong tone from the top will increase the likelihood of full cooperation throughout the organization. Note that the implementation usually requires additional resources – or at least existing resources such as employees who can dedicate a good portion of their time to the project. Once the implementation team is established, the team needs to gain a strong understanding of the 2013 Framework, including the five components, the 17 principles, and the associated points of focus.
Given the current environment in many larger healthcare organizations that have gone through multiple mergers and acquisitions in recent years in order to increase performance and decrease costs, strengthening the current internal control environment in order to successfully handle the growth and complexity of the larger organization could be a significant driver in implementing the 2013 Framework. Because of competing priorities, the board may want to delegate authority to a committee (e.g., an audit and compliance committee [A&CC]) to oversee the implementation process. The A&CC and management can then select a management function such as internal control or ERM to oversee the implementation efforts. Internal audit may assist the responsible function by providing advice and input based on their overall knowledge of the organizational internal control structure and areas of risk. Furthermore, the assistance of outside consultants could provide additional expertise and initial and continuous support.
Healthcare organizations also may find it necessary to use leaders and staff from within the accounting department, as those individuals may have broad familiarity with the entity’s organizational structure and key process areas. It is most important to identify an ownership department that has deep, broad knowledge of how work is conducted within the organization. The ultimate selection will vary by organization, but it is also important to understand that internal controls are the responsibility of the entire organization. Therefore, in order to meet the goals and objectives of an organization, an effective internal control structure has to be owned and managed by all process owners. Planning In any well-managed project, the planning phase usually is the most important. Once support for implementation is garnered and the responsible team is identified, the next step is to develop the implementation plan. Several key areas should be considered in the plan, including a reasonable timeline, the number and types of resources needed, and the determination of roles and responsibilities of the implementation team. Because many competing priorities are being handled simultaneously throughout a healthcare organization at any point in time, the timeline should be flexible enough to accommodate shifting priorities. This might mean pushing the documentation of one process back and accelerating another, which requires flexibility from the implementation team and the full cooperation of management. Depending on the timeline urgency, the organization should consider the size of the implementation team and determine if the established team has sufficient knowledge of and experience with the covered processes. It is common for a team to be supplemented with additional resources from professional firms, which can help keep the timeline on target, document and test specific complex processes, or take advantage of lessons learned from other implementation efforts.
Scoping Scope is determined by the range of activities and by the period of record that are to be evaluated. Using COSO’s guidance, an organization’s management should focus on areas with the highest risks that could affect the organization’s ability to achieve its strategies and objectives. Therefore, the scope should be considered before, during, and after the planning phase. When implementing the 2013 Framework, the team should gain an understanding of the objectives and sub-objectives set by management (or governance) during the strategic planning process in order to identify the risks of failing to meet those objectives. Objectives can be categorized into three types (operations, reporting, compliance), and an objective can overlap categories. The team should evaluate the five components of the 2013 Framework (control environment, risk assessment, control activities, information and communication, and monitoring activities) to determine how well an organization’s internal control system is designed and operating to help management achieve those objectives (or allowing for timely communications if objectives will not be met).
