Compliance

Article 01.12.2026 Autumn Hines

High-profile fraud cases tied to federal funding continue to surface, not because rules are unclear, but because oversight too often prioritizes compliance over insight. The Uniform Guidance establishes clear expectations, yet fraud persists when monitoring becomes a checklist exercise rather than a risk-focused discipline. 

The problem with checkbox oversight 

Traditional monitoring frequently focuses on desk reviews, policy confirmation, and audit reports. While necessary, these steps rarely reveal whether controls are functioning in practice. Fraud typically thrives in the gap between documented compliance and actual operations. 

Monitoring requires presence, not just reports 

Effective oversight means understanding how programs operate day to day. Risk-based monitoring, informed by COSO principles, defines “normal” operations and flags deviations. In many of the largest fraud cases, basic verification such as capacity checks, operational observation, and participant validation could have surfaced concerns years earlier. 

Risk should drive rigor

Not all recipients present the same level of risk. Oversight resources are most effective when aligned to risk profiles, with more intensive monitoring for organizations experiencing rapid growth, limited controls, or leadership transitions, and streamlined approaches for mature organizations with proven control environments. 

The case for showing up 

Site visits, whether planned or unannounced, remain one of the most powerful fraud deterrents. Seeing operations firsthand provides insight that documentation cannot provide and reinforces accountability for both funders and recipients. 

Accountability requires investment

Strong internal controls are not free. Expecting organizations to manage complex federal requirements without adequate administrative resources invites failure. Fraud prevention is not overhead; it is essential infrastructure.

A better path forward

Preventing fraud does not require new regulations. It requires disciplined implementation: risk-based monitoring, adequate resourcing, operational visibility, and cultures where concerns are raised early. Organizations that treat oversight as stewardship rather than bureaucracy are better equipped to protect public funds and sustain trust. 

Dean Dorton helps organizations move beyond compliance toward practical, effective oversight. Contact your Dean Dorton advisor to learn more about strengthening your monitoring and fraud prevention approach. 

Filed Under: Merger and Acquisition Tagged With: Audit, Compliance

Article 10.26.2021 Dean Dorton

No one wants their data to be hacked and used for nefarious gain. Employees, customers, clients, patients, students, and vendors are depending on your organization to protect their data. You have been entrusted with it and they have a reasonable expectation you are going to take steps necessary to keep it out of the wrong hands.

We all understand there is no such thing as 100% secure, therefore “reasonable” is a much more practical goal. Ideally, every organization would prioritize investing time and resources into having an adequately mature cyber security program. However, there are myriad pressures and objectives facing every organization. Sometimes cyber security does not get the attention it needs.

Numerous regulatory bodies have established requirements intended to ensure that organizations adhere to common cyber security standards. These requirements vary based on elements such as industry, type of data, and geographic location. Once an organization finds itself falling under data protection regulations, it is common to have multiple applicable regulatory requirements. Compliance can get complex and seemingly overwhelming quickly. Below are examples of data protection requirements:

Japan – APPI
Brazil – LGPD
Canada – PIPEDA
China – PIPL
European Union – GDPR

CMMC
GLBA
FFIEC
HIPAA
PCI
SOX

Data Breach Notification Laws
Data Privacy Laws
State Grants & Contracts

For organizations that want to comply, there are two paths typically taken when faced with this complexity. The first path involves a process that looks good on paper. All the boxes are checked but no value has been provided to the organization other than dodging the penalty and fine bullet for another year. This approach has been common with credit card compliance requirements.

The second path involves a process that not only addresses compliance requirements but also recognizes that many other objectives can be accomplished along the way that bring value to the organization. For example, most data regulatory standards require that a risk assessment be performed. However, each standard typically narrows the scope to just the applicable processes, systems, and data being regulated. If you are performing a risk assessment anyway, why not make it enterprise-wide? The resulting information not only assists with compliance but also helps identify other initiatives that are needed.

As previously mentioned, the phrase “adequately mature” is intended to recognize that each organization has different cyber security needs. Even so, there are fundamental steps applicable to all organizations that are beneficial to data protection. These steps will help deal with the complexities and provide a clear path forward. See the demonstration below:

https://deandorton.com/wp-content/uploads/2021/10/Cyber-Pyramid-e1635186352566.jpg

Data Inventory
Determine what data you have, where it resides, and who is interested in the data. The “who” element can include internal stakeholders, but for the purposes of compliance make sure to identify external stakeholders, i.e., regulatory bodies. Relevant information to include in your data inventory:

Application/System Name
Version #
Vendor
System Owner
Data Owner
Function/Purpose
Users of System
Primary/Secondary Locations
Sensitive Data Elements*

Alumni/Students
Applicants/Employees
CUI
DOB/SSN/Passport/Visa
Name/Address/Telephone/ID
Patients/Customers/Vendors

Based on the sensitive data elements, identify the applicable regulatory bodies governing data protection.

Cybersecurity Control Framework
Many regulatory bodies recommend or require specific control frameworks. A control framework helps create a vision of what your organizational security program should look like. It provides a path and, given the many resources available for established frameworks, eliminates the need to create everything from scratch. Your data inventory will drive selecting the right framework.

See examples of cyber security control frameworks:

https://deandorton.com/wp-content/uploads/2021/10/Screenshot-2021-10-20-151610.png

To summarize, one path does take more work and effort, but the results speak for themselves. Subscribe to Dean Dorton Insights to stay up-to-date with the latest regulatory changes.

Explore IT Audit and Compliance Services

Kevin W. Cornwell | IT Audit Associate Director
kcornwell@ddaftech.com
502.566.1011

Filed Under: Accounting and Financial Outsourcing, Healthcare, Industries, Services, Technology Tagged With: Compliance, Data, data protection, IT Audit, law, regulations

Article 01.15.2021 Dean Dorton

The U.S. Department of Education announced today that an additional $21.2 billion is now available to institutions of higher education (IHEs) to serve students and ensure learning continues during the COVID-19 pandemic. This funding is allocated to the Higher Education Emergency Relief Fund II (HEERF II) by the Coronavirus Response and Relief Supplemental Appropriations Act (CRRSAA), which was signed into law by President Donald J. Trump on Dec. 27, 2020.

In total $20.5 billion is available to public and non-profit colleges and universities and $681 million is available to proprietary schools. Public and non-profit schools can use their awards for financial aid grants to students, student support activities, and to cover a variety of institutional costs, including lost revenue, reimbursement for expenses already incurred, technology costs associated with a transition to distance education, faculty and staff trainings, and payroll. Proprietary schools must use their awards exclusively to provide financial aid grants to students.

Allocations to institutions are based on a formula that includes the relative shares of Federal Pell Grant recipients, the relative shares of non-Pell Grant recipients, and the relative shares of Federal Pell and non-Pell Grant recipients exclusively enrolled in distance education prior to the coronavirus emergency.

Public and private non-profit IHEs that already have approved CARES Act HEERF awards are not required to submit a new or revised application to receive additional funding under the CRRSAA. Public and private nonprofit IHEs that did not receive HEERF Student Portion and/or Institutional Portion awards under the CARES Act, as well as proprietary institutions, may apply for funding under the CRRSAA via Grants.gov.

For more information on HEERF II and the CRRSAA please visit the link below.

CRRSAA: Higher Education Emergency Relief Fund (HEERF II)

Lance Mann, CPA, CFE, CGMA
Assurance Director
lmann@deandortonstg.wpenginepowered.com | 502.566.1005

Filed Under: Higher Education, Industries Tagged With: Compliance, Emergency funds, Higher Education, Relief, Supplemental

Article 01.12.2021 Dean Dorton

In late December 2020, the Office of Management and Budget (OMB) released the much-anticipated addendum to the 2020 OMB Compliance Supplement. The addendum’s main focus is COVID-19 awards that were funded under the following Acts:

  • Coronavirus Preparedness and Response Supplement Appropriations Act
  • Families First Coronavirus Response Act
  • Coronavirus Aid, Relief, and Economic Security Act (CARES)
  • Paycheck Protection Program and Health Care Enhancement Act

The addendum is effective for fiscal years beginning after June 30, 2019 and should be used in conjunction with the originally issued 2020 Compliance Supplement from August 2020. Additionally, it provides for a three-month extension for any entity with a year end through September 30, 2020 that received COVID-19 funding.

The OMB also added requirements related to the testing of the Federal Funding Accountability and Transparency Act (FFATA) reporting.

From a higher education perspective, there is specific guidance related to presentation of the schedule of expenditures of federal awards (SEFA). On the SEFA, all COVID-19 funding should be specifically identified as such and the individual breakdown of program number 84.425, which includes both the Education Stabilization Fund and Higher Education Emergency Relief Funds, should be presented on individual line items and disaggregated based upon the ‘lettered’ distinctions of A through P.

For the Education Stabilization Fund (ESF), compliance requirements include Activities Allowed or Unallowed; Allowable Cost Principles; Cash Management; Matching, Level of Effort, and Earmarking; Reporting; and Subrecipient Monitoring. For the Higher Education Emergency Relief Fund (HEERF), compliance requirements include Activities Allowed or Unallowed; Allowable Cost Principles; Matching, Level of Effort and Earmarking; Period of Performance; Procurement Suspension & Debarment; and Reporting. Although the Department of Education and OMB have identified each of these areas as potential areas of compliance, it is up to the auditor to determine which requirements are direct and material (i.e., required to be audited) to the individual institution based upon its application of the funding.

Key areas institutions should focus on in preparation for audit testing include the following:

  • Well-documented policies and procedures around the use of funds and decisions made by each institution
  • Internal controls related to each applicable compliance area
  • Detailed listing of expenditures and calculations
  • Compliance with reporting and other requirements

Dean Dorton is always available to consult and help prepare for the single audit related to the funds.

Lance Mann, CPA, CFE, CGMA
Assurance Director
lmann@deandortonstg.wpenginepowered.com | 502.566.1005

Filed Under: Higher Education, Industries Tagged With: Compliance, Higher Education, Relief, Supplemental

Article 05.14.2020 Dean Dorton

Quality Assurance, Compliance, and Monitoring

The Office of Inspector General (OIG) first issued compliance guidance for physician practices almost 20 years ago, yet many practices still struggle with a cost-effective, pre-emptive approach, while keeping patient care the highest priority. The adoption and enhancement of a voluntary, well-designed compliance program can boost the practice’s ability to provide quality patient care, and demonstrates to the community that the practice has a strong commitment to honest and fair dealings, as well as sound business leadership. Additionally, a compliance program aids in mitigating risks associated with leading a medical practice, in addition to preventing fraud, waste, and abuse.

Whether or not you are a seasoned provider of telehealth services, it is prudent to include telehealth services in your existing compliance program.

Seven Essential Elements of an Effective Compliance Program

An effective compliance program must be a continual process, and consists of the following seven elements:

  1. Written standards of conduct, policies and procedures
  2. Designation of a compliance officer or contact
  3. Effective education and training
  4. Monitoring and auditing
  5. Reporting and investigating – establishing open lines of communication
  6. Appropriate enforcement and disciplinary mechanisms
  7. Response, prevention, and corrective action of systemic problems

Every organization and practice is different, and there is not a “one size fits all” answer for compliance program effectiveness. A practice’s commitment to compliance can be evaluated by the active application of compliance principles and written standards, demonstrated in the practice’s day-to-day operations.

Here are a few items to consider for Quality Assurance and Compliance/Monitoring:

  • Regular chart audits – conduct monthly, quarterly, or biannually depending on results of a baseline audit
  • Random or targeted chart audits – examples include inpatient, outpatient, E/M (evaluation & management), outpatient surgery
  • Provider documentation education – focus education based on audit results
  • Coding audits and education – random audit of all chart types a coder has coded and provide education where needed
  • Billing requirements – POS Codes/modifiers/payer requirements
  • Pre-payment/post-payment audits – pre-bill avoids the potential of any paybacks relating to the audit

Dean Dorton’s healthcare consulting team would be happy to offer compliance program guidance, review the effectiveness of your existing compliance program, as well as assist you in building telehealth services into your current compliance program. Additionally, Dean Dorton has experts available to assist you in all telehealth matters including: compliance, billing, coding, and documentation.

Please do not hesitate to reach out to our experienced team with any questions you may have. We are committed to serving any of your healthcare needs.

For more information on how the Coronavirus is impacting businesses across multiple industries, visit our COVID-19 resource page:

COVID-19 Resources

Filed Under: COVID-19, COVID-19 Industries, Healthcare, Industries, Services, Technology Tagged With: Compliance, COVID-19, Healthcare, quality assurance, telehealth

Article 05.7.2019 Dean Dorton

A conversation with Adam Shewmaker, director of healthcare consulting services at Dean Dorton, on how to address the financial and compliance challenges facing healthcare organizations today.

Q: What are the main challenges that healthcare clients share with you?
A: First, there are downward pressures on reimbursement, as payments to providers and hospitals are decreased. Another challenge is cybersecurity, especially documenting practices, providing training, and monitoring in the face of rapid technological change. Third, practices often lack the ability to access and use meaningful data to improve their business. For example, reviewing claims and payments and comparing actuals vs. expected can highlight areas for improvement. Managing all the moving parts of an independent physician practice—HR, staff, accounting, physicians—is not easy. Often, a trusted partner such as a CPA or attorney can help identify where improvements can be made.

Q: What trends do you see emerging in the healthcare industry?
A: Consolidation is a significant trend that has evolved in most markets. It occurs in one of two ways: first, hospitals and hospital systems acquire physician practices; and second, similar physician groups—e.g., dermatology and gastroenterology—are joining forces.

Regulatory enforcement is another big trend that especially impacts smaller practices who may lack the resources to manage risk and compliance. Again, an outside consultant such as a CPA or attorney can help proactively mitigate risk within the confines of the regulatory framework.

Finally, smaller practices struggle to identify and retain experienced, qualified talent—especially as big providers can offer larger salaries. These practices need to effectively manage resources and cost in order to remain competitive.

Q: What can healthcare professionals do to solve their pain points and stay relevant in a changing industry?
A: Be proactive by taking a strategic, holistic look at your practice and your business. This means assessing and identifying ways to mitigate your technical, financial, and compliance risks. For example, continually review your medical coding and documentation in the medical chart to ensure it’s audit-ready. Another example is looking at managed-care reimbursements. Some practices may go years without negotiating rates from payers. To get the most competitive rates, check them out every year or two.

Consider where you may need to invest in software or partner with a consultant to address issues that the practice cannot cost-effectively manage on its own. Another strategy is partnering with similar providers to cover the services that you currently may be unable to deliver. By pooling resources and expertise, former competitors can become formidable partners.

Q: How can financial management technology, such as Sage Intacct and Dean Dorton’s advisory services, help with these challenges?
A: A third party gives you access to a broader, relevant perspective. At Dean Dorton, we’ve worked with many similar practices and can identify new, effective strategies for our clients. On the technology side, financial management software provides automation, so practices can effectively manage costs and run the business more efficiently. Only about 75% of practices can produce timely financial statements and put them in the hands of their physician. Cloud-based financial management software provides real-time, efficient reporting, enabling practices to proactively identify areas for potential business improvement.

You can reduce your practice’s risk and grow the business with the right financial software and expertise. Learn more about Dean Dorton’s healthcare consulting services and Sage Intacct, best-in-class financial management software today.


Filed Under: Accounting and Financial Outsourcing, Accounting Software, Healthcare, Industries, Sage Intacct, Services Tagged With: Compliance, ERP, Healthcare, HIPAA, Q & A, Sage Intacct
