The art of writing effective audit observations

Audits are a means of evaluating the operations and other functions of an organization. ISO 19011:2011, Guidelines for Auditing Management Systems, describes an audit as a process for gathering verifiable evidence and evaluating its suitability for, alignment with and fulfilment of the company’s policies and procedures.

An audit is an important tool that helps organizations analyze opportunities, implement best practices, and assess all the important factors in a business, such as risks, ethics, controls and quality. Conveying these findings to management is the primary aim of an audit.

An audit is indispensable for mitigating risks and ensuring governance. An audit can be either:

o  Internal, where the organization’s own employees who are in charge of audits carry them out, or

o  External, where an external, independent auditing professional examines and evaluates the company’s functions objectively.

Each of these two types of audit is important. Either or both may be required, depending on the kind of business and practices an organization has.

Broadly, these are the types of audits:

Financial audits: Financial audits, as the name suggests, are concerned with how an organization keeps financial controls in place and reports them to the authorities. Financial audits are summed up in financial statements, which spell out the extent to which, and the ways in which, the organization’s financial figures tally.

Operational audits: These assess and evaluate how an organization actually carries out its business. Being of this nature, operational audits are concerned primarily with business processes. The aim of an operational audit is to suggest ways in which the organization can improve its operations to optimize its business and increase ROI.

Compliance audits: These are carried out to ensure compliance with the regulatory requirements that apply to an organization. Which regulations need to be complied with depends on the nature and location of the business.

Information systems audits: Since no organization can stay aloof from automation, and since information systems are required for almost all functions in an organization, it needs to review its information systems systematically and thoroughly from time to time. An effective information systems audit takes not only existing but also emerging technologies into consideration and suggests ways to improve the organization’s network security and safeguard its data.

Integrated audits: As its name suggests, an integrated audit is one that assesses, monitors and controls all the kinds of risk covered above: financial, operational, compliance and information systems risks. Auditing professionals focus an integrated audit on a business process or cycle, or a part of it.

Understanding and carrying out operational audits

Operational audits, being among the important kinds of audits, are governed by their own set of standards that need to be complied with. These are set out by The Institute of Internal Auditors (IIA). And, like other types of audits, operational audits require a high degree of knowledge, diligence and skill.

The ways and means of carrying out operational audits can be complex and require adherence to a number of standards and best practices. Auditors need to be thorough in their understanding of how to do this in an optimized fashion and ensure results for the organization.

Compliance4All, a leading provider of professional trainings for all the areas of regulatory compliance, will be providing this insight at a highly educative webinar. Jonnie T. Keith, who has over 40 years of audit experience and has served as the Chief Audit Executive for the Metropolitan Atlanta Rapid Transit Authority (MARTA) for the past 10 years, will be the speaker at this webinar.

To enroll for this session and to gain from the expertise Jonnie brings into auditing, please visit http://www.compliance4all.com/control/w_product/~product_id=501309LIVE?Linkedin-SEO

A complete roundup of operational audits and the ways of writing audit observations effectively

At this webinar, Jonnie will explain the intricacies of an operational audit and the importance and ways of writing audit observations effectively and compellingly. He will explain the concept and all the important aspects that go into operational audits, such as management responsibilities and the key IIA standards that govern audits and the areas of their purview, including the following:

o  2010 – Planning

o  2201 – Planning Considerations

o  2220 – Engagement Scope

o  2240 – Engagement Work Program

o  2300 – Performing the Engagement

o  2400 – Communicating Results

o  2500 – Monitoring Progress


Procurement and contract fraud is usually off the books and difficult to detect and investigate

In this interconnected, interdependent global world, the need to contract for and procure goods and services is strong and indispensable. The benefits notwithstanding, there are several loopholes in procurement and contracting activity. Outsourcing and contracting, by their very nature, are vulnerable to fraud. Fraud can happen at any stage of the procurement and contract process.

Common sources of procurement and contract frauds

A very common source of procurement and contract fraud is collusion between vendors or contractors and the employees in charge of purchasing and administering contracts. Another source is the employee at whose request goods or services are purchased. Yet other procurement and contract frauds happen when the soliciting party works hand in glove with the bidding contractors. The Association of Certified Fraud Examiners (ACFE) estimates that as much as five percent of a business’ revenue is lost to procurement and contract frauds.

Since most of these procurement and contract frauds are based on off-the-books records, they largely go unnoticed, even though governments the world over have deployed scores of auditors and investigators charged with detecting and controlling procurement and contract fraud.

Plugging the loopholes

The many gaps in the contracting and procurement process need to be plugged if procurement and contract frauds are to be prevented. In addition, once a procurement and contract fraud has happened, mechanisms are needed to ensure that it is investigated thoroughly. Only this ensures that procurement and contract frauds do not go on to cause the kind of damage they normally do.

The first step to detecting and preventing procurement and contract fraud is to gain an understanding of the nature of the fraud. This understanding is the basis for gaining insight into how to deal with it. Many small and medium-sized businesses suffer from procurement and contract fraud because they are ill-equipped to deal with it, lacking as they do the knowledge needed to understand the nature of this activity.

A valuable learning session on procurement and contract frauds

A webinar from Compliance4All, a leading provider of professional training for all the areas of regulatory compliance, will impart lessons on how to understand and deal with procurement and contract fraud. John E. Grimes III, who has over 45 years of experience in law enforcement, criminal investigation, loss prevention, fraud examination and teaching, will be the speaker at this session. To gain knowledge of the way in which the system of procurement and contracts works, and to understand how to prevent fraud, please register for this webinar by logging on to http://www.compliance4all.com/control/w_product/~product_id=501272LIVE?Wordpress-SEO. Since the foundation for detecting and preventing procurement and contract fraud is a proper understanding of the various fraud hazards and schemes responsible for it, John will start by explaining this aspect. He will explain at which steps in the procurement chain these frauds are most likely to occur.

Best practices for dealing with procurement and contract frauds

John will offer an understanding and awareness of the procurement fraud hazards to which businesses and organizations that purchase materials are vulnerable. He will also equip them with strategies aimed at detecting and preventing procurement and contract fraud, which will prevent them from sustaining huge losses. Also offered at this learning session is a set of proven best practices in investigative strategies that help look into allegations of procurement and contract fraud.

At this highly valuable learning session on procurement and contract frauds, John will cover the following areas:

  • Basic Steps in the Procurement Process
  • Procurement Policies and Procedures
  • Conflict of Interest Policy
  • The various Procurement and Contract Fraud Hazards and at which step in the procurement chain they occur:
      • Fraud Hazards in the Requirement Step
          • Conflict of Interest
          • Bribery, Kickbacks
      • Fraud Hazards in the Selection Step
          • Bid Manipulation
          • Sole Source Awards
      • Fraud Hazards in the Post Award Step
          • Change Order Fraud
          • Phantom Employees and Equipment
          • Failure to meet Contract Specifications
          • Product Substitution
      • Fraud Hazards in the Payment Step
          • False, Inflated, or Duplicate Invoices
  • Three Case Studies involving Conflict of Interest, Bribery, and Kickbacks
  • Preventing and Detecting Procurement and Contract Fraud
      • Preliminary Steps
      • Pre-Award
      • Post Award
  • Conducting Procurement and Contract Fraud Investigations
  • Remedies


The most common mistake is failure to prepare Form 1099-MISC

The IRS 1099-MISC form is one of the very important forms that must be filed by a number of entities, such as businesses, estates, trusts and non-profits, at the end of each calendar year.

The IRS 1099-MISC is prepared and filed for each person to whom any of the following payments has been made during the year:

  • royalties, or payments made by brokers in place of dividends or tax-exempt interest, of a value of at least $10;
  • payments of not less than $600 in the following categories:
      • rents
      • services carried out by a non-employee
      • awards and prizes
      • income payments from other sources
      • payments for healthcare and medical items
      • proceeds from crop insurance
      • payments made in cash to buy aquatic creatures from a person who is in that business or trade
      • payments made from a notional principal contract to an estate, partnership or individual
      • attorney fees
      • proceeds from a fishing boat
  • direct sales of consumer products of a value of not less than $5,000 made to a buyer for resale in any outlet that does not qualify as a permanent, regular retail establishment.

Areas in which mistakes are made in filling in IRS 1099-MISC

The fact is that the IRS 1099-MISC is the IRS 1099 form that attracts the most errors. Why is this so? What are the kinds of errors that people who file the IRS 1099-MISC are most prone to?

Among the areas in which people most commonly make errors in the IRS 1099-MISC form are these:

– Mismatch between the payee’s name and the payee’s identification number, with confusion over the Social Security Number, Taxpayer Identification Number, or Employer Identification Number. In many cases, the amount is also entered incorrectly in the boxes provided.

– Many people make errors in preparing Form 1099-MISC for payments for services of a value of over $600.

– Another major area in which errors occur in filling in the IRS 1099-MISC is the section in which the requisite amount is entered, whether in Block 3, Block 7 Nonemployee Compensation, or Other Income.

Get to understand the proper method of preparing, filling in and filing IRS 1099-MISC

It is to help overcome these errors that Compliance4All, a leading provider of professional training for all the areas of regulatory compliance, will be organizing a learning session. At this webinar, which will be spread over 90 minutes, Greta Hicks, a former IRS Revenue Agent and Regional Training Coordinator, the author of IRS Examination and Appeals Procedures, and pilot tester of online continuing education courses for Checkpoint Learning, will be the speaker.

Want to gain insights into the workings of the IRS 1099-MISC?

Then, please register for this webinar by logging on to http://www.compliance4all.com/control/w_product/~product_id=501195LIVE?Wordpress-SEO

At this session, Greta will inform participants of the timeframe required for preparing to file the IRS 1099-MISC. She will set out the correct methods of preparing for and filing these forms. By the time participants complete this course, they will have a clear understanding of how to evaluate the W-9 and prepare an IRS 1099-MISC with all the blocks appropriately ticked and completed, with suggestions about the content of each of these boxes. They will be able to select the entities and payments reported on Form 1099-MISC, will gain the confidence required to ensure that the name and EIN, ID and SSN match, and will also be able to ensure that amounts are in the correct block.

To help participants get a clear idea of filing for IRS 1099-MISC, she will explain the following:

o  Review W-9 for accuracy and completeness

o  Match W-9 SSN, EIN, and TIN to IRS records

o  Entities that should send a 1099-MISC

o  Entities who should receive a 1099-MISC

o  Block-by-block instructions for the 1099-MISC.

At this webinar, Greta will cover the following areas:

o  What name and EIN/SSN goes on the 1099-MISC?

o  How do I know what amount goes in which block?

o  Example: Block 3, Other Income, versus Block 7, Non-Employee Compensation

o  Example: Block 7, Non-Employee Compensation Paid to Attorneys, or Block 14, Gross Proceeds Paid to an Attorney

o  Example: Block 6, Medical and Health Care Payments

o  Select the entities and payments reported on Form 1099-MISC.


Quality is everything for a product or service

Quality is everything for a product or service. Quality is defined in different ways. One of the well-known definitions of Quality is the ability of a product or service to reach expected levels of excellence. This is a simple theoretical definition. In practice, though, Quality is a highly painstaking area of activity that is necessary across all functions of all industries. If a product does not meet its quality requirements or criteria, it is doomed to failure.

An organization can understand Quality in different ways and give different definitions and connotations to the term, based on the nature of its business and what it perceives as excellence. It can be perceived as a parameter against which standards or customer expectations are measured. Can Quality be understood as a state achieved by a product or service where it has no shortcomings or defects? Can Quality also be a department or wing within an organization that is tasked with meeting Quality requirements? Is it possible to fix a standard for something as subjective as Quality?

Quality is a culture, a habit and a philosophy

Quality is these, and often, much more. It can be considered a culture and a philosophy in an organization, by which it continuously keeps meeting Quality requirements. Quality is at the very core of ensuring customer satisfaction, which in turn is the foundation for improved business success.

Get an understanding of how to inculcate Quality

Imparting an understanding of the various shades and interpretations of Quality is the purpose of a webinar that is being organized by Compliance4All, a highly acclaimed provider of professional trainings for the areas of regulatory compliance. At this webinar, Susanne Manz, an accomplished leader in the medical device industry, who emphasizes Quality, compliance, and Six Sigma and brings extensive background in quality and compliance for medical devices from new product development, to operations, to post-market activities, will be the speaker.

To get a thorough understanding of Quality in all its forms and interpretations, and to benefit from the several years of experience the speaker brings into Quality, register by logging on to http://www.compliance4all.com/control/w_product/~product_id=501157LIVE?Linkedin-SEO

All about balancing factors to meet Quality requirements and expectations

The most important teaching Susanne will impart is how to achieve Quality standards against the backdrop of several factors that are often arduous and conflicting. For instance, a high-quality product or service has to be produced to please the stakeholders. Or, the customers could ask for more. In an area like medical devices, the need to meet Quality requirements is extremely high, given their criticality to patients, whose lives often depend on the quality of these products. Then, Quality standards and processes have to meet regulatory requirements, which are often long drawn out and require diligence and meticulousness of the highest order. And on top of all this, Quality has to be accomplished to meet business needs, with limited resources at hand.

Susanne will help participants understand ways by which all these can be balanced in order to achieve Quality and meet these expectations. At this webinar, Susanne will cover the following areas:

o  FDA and NB expectations for Quality Systems

o  Lessons Learned from 483s and warning letters

o  How culture can impact Quality and compliance risk

o  Management commitment and responsibility

o  Maturity Modeling

o  Key capabilities

o  Roles and responsibilities

o  Quality planning and strategy

o  Tools and techniques

o  Best Practices.

The FDA steps up efforts at bringing about medical device cyber security

It is a disturbing but true fact that medical devices are hacked. Medical devices have inbuilt software, and hackers try to breach it. Medical device cyber security is thus critical, because a lack of it can bring harm to patients who use medical devices that have software built into them.

An important factor that makes medical devices vulnerable to cyberattacks, and which hastens the need for medical device cyber security, is that medical devices are very often not standalone devices. They are connected via the Internet to a number of important sources, such as hospitals, electronic records and healthcare providers.

This fact makes it easier for hackers to carry out cyberattacks on medical devices, because they do not need physical access to the device to carry out their breach. All these factors combine to make medical device cyber security a much-needed system.

The FDA guideline of June 2013

Keeping in mind the nature of the fallibilities in a medical device, the FDA, with the intention of bringing about medical device cyber security, issued a draft guideline on this topic in mid-2013. Titled Content of Premarket Submissions for Management of Cybersecurity in Medical Devices, this guideline sought to address the issue of medical device cyber security by identifying the issue at its root.

That is, this guideline on medical device cyber security sets out security checks and procedures that medical device manufacturers have to put in place from the earliest stages of manufacture, all the way up to the time the device is implanted in or used by the patient.

The main intention of this FDA medical device cyber security guideline is to offer recommendations on the steps medical device manufacturers need to take to reduce the risk of an intentional or unintentional attack on a medical device. It seeks to enforce medical device cyber security by clearly defining the term and ensuring that manufacturers take steps to secure their devices.

Terms clearly defined

The FDA defines medical device cyber security as steps taken to prevent any of these:

  • Unauthorized modification
  • Misuse of the device
  • Denying the use of the device
  • Unauthorized use of the information stored in these devices. This covers the information stored, accessed and modified when the device is transferred from one source to another

Documentation is at the heart of ensuring medical device cyber security

Towards ensuring medical device cyber security as it defines it, this FDA guideline requires manufacturers to monitor and document all aspects of medical device cyber security at all stages. Medical device manufacturers should bring about medical device cyber security by developing a set of controls in three vital areas:

  • Firstly, medical device manufacturers should take steps to permit only authorized personnel to access the software of the medical device
  • Medical device manufacturers should also ensure medical device cyber security by ensuring that only relevant and accurate data is entered into the device
  • They should also ensure that data is available when asked for

Controls, controls, controls

A very important aspect of medical device cyber security that the Content of Premarket Submissions for Management of Cybersecurity in Medical Devices brings about is that it requires medical device manufacturers to monitor and document all potential for a medical device cyber security breach from the design stage itself.

Medical device manufacturers also have to bring to the notice of the FDA, at the premarket notification stage, any changes they make related to security. The guideline seeks to fortify medical device cyber security by requiring medical device manufacturers to provide information relating to medical device cyber security by submitting data related to the following:

Elements of a Cyber Security Incident Response Program

A Cyber Security Incident Response Program (CSIRP), or a Cyber Security Incident Response Team (CSIRT) that anticipates and neutralizes cyber incidents, is a critical need for organizations, because an Internet or network security breach results in the loss of valuable data and other resources, damages the organization’s reputation, and could potentially invite lawsuits.

While putting a CSIRP in place, management has to take into consideration the fact that Information Security, Governance and Risk are all critical aspects of planning and executing the Information Security Plan. It has to decide who in the organization has key responsibility for developing an information security governance program. It also has to review existing Information Security policies and standards to gauge their sufficiency against industry best practices, and update them as needed, while meeting the requirements set out by compliance regulations.

A webinar to help understand CSIRP

The effective ways of doing this will be the focus of a webinar that is being organized by Compliance4All, a highly popular provider of professional trainings for all areas of regulatory compliance. Dr. (Ms.) Michael Redmond, CEO and Lead Consultant for Redmond Worldwide, who served as an Adjunct Professor for Continuity Management at New York University and the Master’s program at John Jay College, will be the speaker at this webinar. More details of this course can be had from http://www.compliance4all.com/control/w_product/~product_id=500961LIVE/

Scope of the training session

Ms. Redmond will teach participants of this webinar the ways in which their organizations can put a CSIRP in place. She will help them establish Key Performance Indicators (KPIs) to determine whether their CSIRP meets business objectives, and operational metrics for effecting process improvement. She will also show participating organizations how to tailor and enhance their existing CSIRP and its requirements for specific audiences, based on the sensitivity of the information to which those audiences are granted access under policy.

Other important learning outcomes offered at this session include how to strengthen IT Risk Management, which involves integrating information security risk management with Enterprise Risk Management and requires using common business terminology, congruent methods and a common or linked risk register, and establishing mechanisms for risk acceptance. Ms. Redmond will also explain to participants how they can build an IS regulation review process, schedule regulatory requirements and put in place a set of procedures that help deal with a breach, malware and related issues.

Information security audit: an understanding

A healthcare organization’s most precious information is, quite naturally, kept in its IT systems. So it is imperative for the organization to keep complete tabs on its IT security. The method by which this is done is called an information security audit.

Patient records and the organization’s finances are just two of the myriad documents of crucial importance that a healthcare organization’s IT systems hold. If there is a vulnerability in these systems, it backfires on the business: security lapses that lead to leaks of important data not only undermine the healthcare organization’s reputation but could also invite class action lawsuits.

The information security audit is acquiring such importance in business circles that many financial institutions, investors and even customers insist on it before entering into financial dealings with healthcare organizations.

What are the ways in which an information security audit is to be carried out?

An information security audit is carried out through a well-laid-out, thorough process. It consists of the following steps:

Planning and preparation with the auditor: All the details relating to the information security audit should be discussed with the auditor. Most organizations use the services of external, independent auditors for the information security audit. Since the information security audit covers all aspects of information security, the healthcare organization should make clear to the auditor all the relevant aspects of its IT, such as its IT policy and details of its operating systems and software applications.

Having clear audit objectives: This is a major step that decides what exactly the organization wants audited in order to mitigate risk. This helps the auditor determine whether proper controls and security measures are in place.

Carrying out the audit review: The auditor usually does this by physically going to the data center and getting a complete picture of the way in which it processes information and carries out its set procedures.

Review: This is done after the information security audit is carried out. During this review, the client and the auditor discuss the entire exercise of the information security audit.

What should be audited?

An information security audit has to look at all the areas that matter to the IT security of the healthcare organization. It should look specifically at the following:

  • Network vulnerabilities, since it is through networks that data is transmitted
  • Structural security
  • Specific tools used in network security, such as anti-virus software, logical security and access controls, firewalls and proxy servers, and auditing systems such as log management.
  • Encryption and IT
  • Controls
