How to Effectively Understand, Integrate Analytics within the Healthcare Industry

How to Effectively Understand, Integrate
and Cover IT Risk Functions for Audit
Analytics within the Healthcare Industry
Director, Business Risk. Mercy Health
Nigel Matthews, CA, ACDA
Professional Services Group, ACL Services Ltd
Speaker Biography
Dieu Tran, CISA, CISSP, GSNA, CRISC is Director at Business Risk Services
Mercy Health where he provides the insight and consulting guidance to
comply with regulatory and operational standards for IT Security. His
experience transcends both the internal and public auditing communities.
Prior to joining Mercy Health, Tran was the Supervisor of IT Audit & Network
Security for Brown Smith Wallace, where he oversaw IT audit function and
the network security practice. Tran’s Senior IT Auditor experience includes
ventures with Rubin Brown, LLP; SBC and Deloitte and Touche.
Dieu is a Certified Information Systems Security Professional (CISSP) and is
an active member of both the Information Systems Audit and Control
Association (ISACA) and the Institute of Internal Auditors (IIA). Dieu studied
Business with an emphasis in Marketing/Management and received his
B.S.B.A. from the University of Missouri St. Louis. Dieu has spoken at
numerous industry events, most recently at The IIA’s GAM conference.
Speaker Biography
Nigel Matthews is Business Manager, Channel and Internal Delivery at ACL Services
Ltd. He has been a change agent for audit and business assurance for over twenty
years. He is responsible for developing and maintaining the technical competency of
ACL’s consulting, training and support solutions teams around the world.
Nigel has led audit process transformation, audit technology and continuous controls
monitoring implementations at organizations in North America, Europe, the Middle
East, Africa and Asia. He has worked with ACL customers in financial services and
banking, insurance, healthcare, telecommunications, utilities, education, natural
resources, and all levels of government. Prior to joining ACL, Nigel was a manager and
senior consultant at Ernst & Young, where he provided audit services focusing on the
financial services and utilities sectors, and advised clients on forensic accounting and
information technology matters.
Nigel is a member of the Canadian Institute of Chartered Accountants and holds a
degree in Civil Engineering from the University of British Columbia. He is a frequent
speaker on audit process and technology topics at industry gatherings and ACL
customer events.
Mercy (Who we are)
Challenges of Risk Management
Big Picture – Developing a Business Case
The Healthcare Top 5
Implementation Approach
Establish Finance & Revenue Mgmt with IT
Going Forward
Nigel Matthews
Designations – CA, ACDA
ACL Services Ltd. (analytics software provider)
Consulting and training programs
Project management & client delivery
Product management
Big 4 Experience (E&Y)
IT audit
Forensic investigations
Analytics for audit and beyond
Dieu Tran – Director, Business Risk
Designations – CISA, CISSP, GNSA, CRISC
IT Director
Big 4 Experience (Deloitte & Touche)
Internal Audit (SBC/AT&T)
Regional Public Accounting Firms
 IT Audit
 Network Security (focused on network vulnerability and
network penetration testing)
Mercy Health
8th largest catholic healthcare system in the US
Aprox. $4 billion in revenues
28 acute care hospitals
Operates in seven-state area encompassing Arkansas,
Kansas, Louisiana, Mississippi, Missouri, Oklahoma and
• Aprox 36,900 staff and 4,650 physicians
Challenges of Risk Management
Security Concerns
Fraud Prevention
Challenging Technical Environment
Challenges of Risk Management
• IT burdened with ad hoc request data
• Incomplete data, duplicate requests
• Difficult to review results and ensure
• Changing Issues
– Medicare/Medicaid, meaningful use, value
based purchasing, and HIPAA
How can we make others see
the big picture?
Develop the Business Case
Pick Your Argument:
• The “efficiency” play:
– Expanded coverage using the same resources
– Reduced FTE’s, additional $$ recognized from
continuous monitoring strategies
• The “effectiveness” play:
Improved/better targeted control testing
Savings initiatives
Fraud management efforts
Compliance imperatives - HIPAA
Develop the Business Case
Identify your stakeholders:
• Business and finance teams
• Medical teams
• Risk assurance & audit teams
• IT & systems management
What’s in it for them?
How would they measure success?
The Healthcare Top 5:
1. Who’s really accessing patient records systems? –
both holistically and for “high profile” patient records
2. Are we billing and collecting the revenue we’re
entitled to? e.g. unbilled, rejected, data quality issues
synching gaps between systems.
3. The OIG List – Are we unwittingly transacting with
sanctioned providers?
4. Billing compliance – do billings comply with
government and insurer rules? DRG coding, readmissions, for example!
5. Vendor management – duplicate vendors  duplicate
Implementation Approach
Implementation Approach
• Complete all technical setup and test
• Prioritize projects
• Engage process owners
• Training
Establish Finance & Revenue
Management with IT
• Automate Manual Practices
– Joining data cross systems
• Maintain Data Integrity
– Data comparisons/validation between multiple
• Increase Efficiency
– Automate exception reporting
Health Insurance Portability and
Accountability Act
“The purpose of HIPAA is to prevent
inappropriate use an disclosure of individuals‘
health information and to require organizations
which use health information to protect that
information and the systems which store,
transmit, and process it.”
Department of Medical Assistant Services,
Government of Virginia
HIPPA Compliance
• Leverage Analytics
– Continuous Auditing
– Continuous Monitoring
• Patient records (inappropriate access)
Measuring Success
• Timely access to data
• Reduced FTE hours performing manual
• Revenue leakage identified
• Process improvements
Going Forward
• Continued education to the organization on the
power of analytics technology
• Continue to measure and success & document ROI
• Integrate audit analytics into all projects for smarter
• Think of analytics as a process, not a cottage industry
– Results management is critical!
– Hire & develop people with analytic skills
Contact Information
Dieu Tran
[email protected]
Nigel Matthews
[email protected]
Collaborate – Contribute – Connect
The Knowledge Center is a collection of
resources and online communities that
connect ISACA members – globally, across
industries and by professional focus - under
one umbrella. Add or reply to a discussion,
post a document or link, connect with other
ISACA members, or create a wiki by
participating in a community today!