| |
Welcome to the Internal Audit and Enterprise Risk Management Semi-Annual Refresh Survey. This survey should take you approximately 10 - 15 minutes to complete. This survey helps guide the activities of Internal Audit and Enterprise Risk Management and we appreciate your time in completing this survey.
-Section 1 relates to the currently scheduled internal audits. Please review any audits that are relevant to your department and/or for which you have relevant information.
-Section 2 allows you to add up to two additional risks that you think should be considered in our internal audit plan or referred to Enterprise Risk Management. A “risk” is any event or uncertainty that could significantly enhance or impede the Company’s ability to achieve current or future objectives
-Section 3 asks you to update the current list of Enterprise Risks. In addition, at the end of the survey you will have an opportunity to bring new risks to the attention of the committee.
Please do not skip ahead in the survey and only click for the next page when you have completed the current one. You will not be able to return and review your responses.
If you need assistance at any time, contact Diana Kirkpatrick at (503) 276-1891. |
| |
|
|
|
| |
| The following pages will take you through the internal audits currently scheduled through May 2010. Each page focuses on one audit. Please respond as fully as you are able before proceding to the next. |
| |
|
| |
1. Outsourced Operations (Timing Q409)
The audit will focus on contractual obligations and monitoring processes between Regence and outsourced vendors. |
| |
|
| |
| 1.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 1.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 1.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 1.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
2. Sales (Timing Q210)
The audit will focus on the sales process in Oregon, i.e. communication of sales plans, sales culture, sales strategy, communication between sales and actuarial, training, customized vs standard pricing, etc. |
| |
|
| |
| 2.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 2.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 2.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 2.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
3. Emergency Management Readiness (Timing Q309)
The audit will consist of three tracks, Emergency Management, BCP, and DRP that would be reviewed annually with the goal of partnering with the business and providing an overall assessment of Regence state of readiness to effectively manage a major disruption of services or a disaster. |
| |
|
| |
| 3.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 3.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 3.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 3.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
4. Medicare Compliance (Timing Q110)
The audit will focus on areas that CMS will potentially audit in coming years. |
| |
|
| |
| 4.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 4.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 4.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 4.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
5. FICCP (Model Audit Rule Readiness) (Timing Q210)
The audit will consist of reviewing the implementation plans and controls as well as process execution preparedness and the sustainment plan for Model Audit Rule Readiness. |
| |
|
| |
| 5.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 5.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 5.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 5.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
6. Provider Enrollment and Maintenance (Timing Q210)
This is a follow-up audit to ensure that the findings from the previous Provider Audit completed in early 2009 have been addressed. |
| |
|
| |
| 6.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 6.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 6.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 6.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
7. Finance - Closing Process (Timing Q409)
This audit will focus on estimates, management overrides, journal entries, nonrecurring transactions, and the disclosure committee related to the financial close. In addition, there will be a PeopleSoft Security review (administrative and application role based security configuration, audit trails, change management (automated/manual)). |
| |
|
| |
| 7.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 7.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 7.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 7.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
8. Communication Audit (Timing Q409)
This audit will focus on the downward communication from executives to second tier management, cross functional communication at leadership level, integration of goals at the leadership level, review messaging and tone from executives throughout the company, and the consistency of messaging cross-departmentally. |
| |
|
| |
| 8.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 8.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 8.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 8.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
9. Distributed Applications (Timing Q110)
This is an IT audit focused on the security management of non-main frame applications that reside outside the primary control of the RITS Systems Access Management (SAM). It also includes a review of data ownership roles and responsibilities. |
| |
|
| |
| 9.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 9.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 9.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 9.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
10. Trizetto Hosting - Site Visits (Timing Q210)
This IT audit will focus on audit change management, SDLC security, data conversion, as well as risk sections of HIPAA Administrative Safeguards Audit. In addition, third party expenses and validation of chargeable hours for approved purchase orders will be audited. |
| |
|
| |
| 10.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 10.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 10.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 10.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
11. Intellectual Property (Timing Q110)
Controls over intellectual property that provide for the classification, management, valuation, inventory, and security will be reviewed, as well as, education and training needs of employees and procedures to safeguard certain types of intellectual property. |
| |
|
| |
| 11.1. Have risks or control processes related to this audit changed significantly since March 2009? |
| |
If yes to changes in associated risks, please describe the cause and nature of the change. |
|
| |
| 11.2. Should the timing of the audit be changed, e.g. due to conflict with system implementation, other major business disruption, or change in the risk environment? |
| |
|
|
| |
| 11.2a. If yes to change in time, when should the audit be moved to? |
| |
|
|
|
| |
| 11.2b. If yes to change in audit timing, please give the reason for the recommendation. | | |
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
|
|
| |
| 1.1. Are there additional risks not related to the current Audit Plan which might merit our attention? |
| |
|
|
| |
| 1.2. Description of Risk: | | |
|
|
| |
| |
|
|
|
| |
| 1.4. Department(s) Impacted |
| |
|
|
|
|
|
| |
| 1.5. Probability (within an 18 month time horizon) |
| |
|
|
|
|
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
| 2.1. Is there additional risk you can identify? |
| |
|
|
| |
| 2.2. Description of Risk: | | |
|
|
| |
| |
|
|
|
| |
| 2.4. Department(s) Impacted |
| |
|
|
|
|
|
| |
| 2.5. Probability (within an 18 month time horizon) |
| |
|
|
|
|
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
|
|
| |
| The following pages will take you through the ERM top risks for Regence. Each page focuses on one risk. Please respond as fully as you are able before proceding to the next. |
| |
|
| |
1. Product Deployment - Coordinated deployment and administration of new products.
Current rating: 3.5/5.0. |
| |
|
| |
| 1.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
2. Health Care Cost Management - Cost effective navigation and advice consistent with member engagement view.
Current rating: 4.0/5.0. |
| |
|
| |
| 2.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
3. Non-Competitive Cost Structure - High retention charges impacting ability to retain groups and attract new business.
Current rating: 4.25/5.0. |
| |
|
| |
| 3.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
4. CP-SS Migration - Date slippage of product releases and insufficient sales of new products resulting in delayed retirement of legacy systems.
Current rating: 5.0/5.0. |
| |
|
| |
| 4.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
5. Medicare Compliance - Compliance progam in place.
Current rating: 3.0/5.0. |
| |
|
| |
| 5.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
6. Medicare Advantage - Medicare Advantage program changes and reimbursement rates.
Current rating: 4.5/5.0. |
| |
|
| |
| 6.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
7. Data Center Failure - Physical and virtual plant failure resulting in inability to execute core business functions.
Current rating: 4.0/5.0. |
| |
|
| |
| 7.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
8. H1N1 - Internal and external readiness to respond, including financial impact of flu pandemic.
Current rating: 4.0/5.0. |
| |
|
| |
| 8.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
9. IT Resource Capacity - Resources to maintain legacy systems, support corporate projects and timely completion of service requests.
Current rating: 2.0/5.0. |
| |
|
| |
| 9.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
10. Provider Engagement - Transparency, reimbursement transformation and other business objectives.
Current rating: 2.0/5.0. |
| |
|
| |
| 10.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
11. Health Care Reform - Legislation inconsistent with Regence strategies; inability to quickly implement legislative changes.
Current rating: 4.5/5.0. |
| |
|
| |
| 11.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
12. Document Retention - Adherence to defensible document retention policy.
Current rating: 2.25/5.0. |
| |
|
| |
| 12.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
13. Operational Acuity - Maintaining quality of core functions while implementing business process and system changes.
Current rating: 3.25/5.0. |
| |
|
| |
| 13.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
14. Culture - Organizational impact of leadership gaps in some areas.
Current rating: 2.5/5.0. |
| |
|
| |
| 14.1. Has the risk changed significantly? |
| |
If yes, please describe the nature of the change. |
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
| ADDITIONAL RISKS FOR CONSIDERATION BY ERM COMMITTEE |
| |
|
| |
| 1.1. Is there another risk that should be considered by the Enterprise Risk Management Committee? |
| |
|
|
| |
| 1.2. If yes to another risk that should be considered by the ERM committee, descibe new risk. | | |
|
|
| |
| |
|
|
|
| |
| 1.4. Probability (within an 18 month time horizon) |
| |
|
|
|
|
|
|
| |
Please do not click on the Continue button until you have completed the current page.
You will not be able to return to this page. |
| |
|
| |
| 2.1. Is there another risk that should be considered by the Enterprise Risk Management Committee? |
| |
|
|
| |
| 2.2. If yes to another risk that should be considered by the ERM committee, descibe new risk. | | |
|
|
| |
| |
|
|
|
| |
| 2.4. Probability (within an 18 month time horizon) |
| |
|
|
|
|
|
|
| |
Please do not click on the Submit button until you have completed the current page.
You will not be able to return to this page. |
| |
|
Loading...
