Audit-based Compliance Control (AC2) for EHR Systems

Traditionally, medical data is stored and processed using paper-based files. Recently, medical facilities have started to store, access and exchange medical data in digital form. The drivers for this change are mainly demands for cost reduction, and higher quality of health care. The main concerns when dealing with medical data are availability and confidentiality. Unavailability (even temporary) of medical data is expensive. Physicians may not be able to diagnose patients correctly, or they may have to repeat exams, adding to the overall costs of health care. In extreme cases availability of medical data can even be a matter of life or death. On the other hand, confidentiality of medical data is also important. Legislation requires medical facilities to observe the privacy of the patients, and states that patients have a final say on whether or not their medical data can be processed or not. Moreover, if physicians, or their EHR systems, are not trusted by the patients, for instance because of frequent privacy breaches, then patients may refuse to submit (correct) information, complicating the work of the physicians greatly. \ud \ud In traditional data protection systems, confidentiality and availability are conflicting requirements. The more data protection methods are applied to shield data from outsiders the more likely it becomes that authorized persons will not get access to the data in time. Consider for example, a password verification service that is temporarily not available, an access pass that someone forgot to bring, and so on. In this report we discuss a novel approach to data protection, Audit-based Compliance Control (AC2), and we argue that it is particularly suited for application in EHR systems. In AC2, a-priori access control is minimized to the mere authentication of users and objects, and their basic authorizations. More complex security procedures, such as checking user compliance to policies, are performed a-posteriori by using a formal and automated auditing mechanism. To support our claim we discuss legislation concerning the processing of health records, and we formalize a scenario involving medical personnel and a basic EHR system to show how AC2 can be used in practice. \ud \ud This report is based on previous work (Dekker & Etalle 2006) where we assessed the applicability of a-posteriori access control in a health care scenario. A more technically detailed article about AC2 recently appeared in the IJIS journal, where we focussed however on collaborative work environments (Cederquist, Corin, Dekker, Etalle, & Hartog, 2007). In this report we first provide background and related work before explaining the principal components of the AC2 framework. Moreover we model a detailed EHR case study to show its operation in practice. We conclude by discussing how this framework meets current trends in healthcare and by highlighting the main advantages and drawbacks of using an a-posteriori access control mechanism as opposed to more traditional access control mechanisms

Aspek Kepatuhan KAP BSR Berdasarkan Implementasi Reviu Pengendalian Mutu Perikatan Klien Perbankan

This study aims to determine the Public Accounting Firm (KAP) compliance aspects to the Quality Control Standards (SPM) design that has been previously established, through the implementation of Engagement Quality Control Review (EQCR) on banking institutional clients. To maintain the quality audit opinion results, the audit procedures start from pre-engagement, assigning audit process, concluding the review result by quality control reviewer engagement team by filling out checklist on EQCR Sheet document, based on standard containing general client data, financial data, completeness checklist documents, and draft report. The implementation EQCR document result show, from the compliance aspect KAP has carried out audit procedures guided by SPM manual design, although review and monitoring are needed in terms of documentation

The role of risk management and governance in determining audit demand.

Most prior research into audit fees has been based on a theoretical model which treats audit fees as the by-product of a production function (Simunic, 1980) hereby ignoring potential demand forces that may drive the level of the audit fee. In such a production-oriented view of auditing, alternative control mechanisms (such as internal auditing and corporate governance) are hypothesized to be substitutes for external auditing, and hence more of one control mechanism is expected to be negatively associated with the level of external auditing, and hence the audit fee. In this paper we examine the impact of risks and controls in the determination of audit fees. Inspired by prior 'anomalous' results, we take a different perspective by focusing on some omitted demand factors that may affect the level of the audit fee. Based on Hay and Knechel (2004), we argue that when multiple stakeholders are included in the analysis a positive association between various risk management / control mechanisms and external audit demand is a very likely outcome, which is attributable to sharing of control costs between stakeholders and positive control externalities amongst stakeholders. Using data collected from a sample of listed companies in Belgium, we consider both disclosures about risk and risk management and actual decisions about corporate governance to examine whether audit fees are higher when hypothesized demand forces exist. Consistent with our expectations, our results indicate that audit fees are higher when a company has an audit committee, discloses a relatively high level of financial risk management, and has a larger proportion of independent Board Members. Audit fees are lower when a company discloses a relatively high level of compliance risk management. The latter result indicates that controls are only complementary as long as they are voluntary, as mandated controls act as substitutes for non-mandated controls.Auditing; Belgium; Companies; Cost; Decision; Stakeholders;

Виробничі запаси як об’єкт внутрішнього контролю (на прикладі суб’єктів споживчої кооперації) (Inventories as object of internal control (evidence from the enterprises of consumer cooperation))

У статті проаналізовано вітчизняну та міжнародну практику проведення внутрішнього контролю виробничих запасів на прикладі суб’єктів споживчої кооперації. Розкрито методичні та організаційні підходи внутрішнього контролю як інформаційної бази внутрішнього аудиту результативності проведення операцій із виробничими запасами. Досліджено формат обліково-аналітичного забезпечення таких операцій у межах статутної діяльності споживчих товариств з урахуванням вимог щодо збалансованості підприємницької діяльності. (Inventory management as an administrative process is based on the accounting and analytical maintaining for the stocks’ movement. Such information is important to monitor the compliance of relevant internal and external regulations. National and international practice of internal control of inventory is analyzed in case of consumer cooperatives in this research. Methodological and organizational approaches of internal control are revealed as the information base for internal audit of effectiveness the operations. Format of accounting and analytical providing for the operations of inventories within statutory activity of consumer societies with the requirements as to balance their business activities is studied. Accounting and analytical maintaining of the operations with stocks is offered to use like a knowledge base for internal control and internal audit in accordance to the stages of movement the inventories. Relevant to International Standard on Auditing ISA 315, internal control isn’t an identification or form of internal audit, it functions as a specific component of this audit. The article recommends using sufficiently transparent, simple and detailed sequence of stages of internal control like defining objectives to control, assessment of controls, procedures of control and tests for confirmation of study. International auditing standards define the internal audit following to the areas of internal control. However, the key word in this meaning is evaluation: the evaluation of effectiveness business’ management; the evaluation of legitimacy and reliability of financial reports; the evaluation of accounting accuracy (financial audit); the evaluation of regulations compliance (compliance audit). The problem of internal audit operations is revealed in the work by the example of operations with inventories.

Lifting the lid: a clinical audit on commode cleaning

Many healthcare-associated infections (HCAIs) are preventable by infection control procedures designed to interrupt the transmission of organisms from a source. Commodes are in use constantly throughout healthcare facilities. Therefore commode surfaces are constantly handled, and any pathogens present have the potential to be transferred to not only other surfaces but also, more importantly, to patients, thus compromising patient safety. In order to examine the effectiveness and thoroughness of cleaning commodes an audit was undertaken to assess compliance with evidence-based practice. This audit demonstrates a cycle which includes defining best practice, implementing best practice, monitoring best practice and taking action to improve practice. The audit results confirmed an issue that the authors had long suspected. That is, that commodes allocated to individual patients are not always cleaned after every use. Using adenosine triphosphate (ATP) bioluminescence as an indicator of organic soiling also demonstrated that commodes that were considered clean were not always cleaned to a high standard. Implementing the audit recommendations improves staff knowledge through education, standardises cleaning procedures and ultimately improves patient safety

The Risk-based Role of Internal Audit within Albania, Public Organizations

The aspiration of Albania for European integration has added mandatory requirements for public sector to modernize the internal audit function in adherence with International Internal Auditing Standards. According to such Standards supported by Picket (2005) and CIPFA (2003) the internal audit is an assurance function that provides independent opinion on the effectiveness of internal controls that support the achievement of the organizations objectives. Internal auditors can provide consultancy service, in particular to aid management to improve the organization control environment. Meanwhile, Diamond (2002) explains that the internal audit role, remit, scope and activities are driven by the macroeconomic objectives and political stabilization. For those countries with governance problems the first objective is to ensure compliance with financial laws and regulations. Therefore, the most suitable approach for the internal audit is the compliance auditing to attain macroeconomic stabilization objectives. Therefore, the main question around which this paper is based is whether the public sector in Albania is ready to adopt the modern model of internal audit moving beyond the traditional compliance and financial remit to comply with recognized International Internal Audit Standards. This paper finds that although changes in Albanian normative framework since 2007, internal audit within government organizations are still adopting traditional approach of internal audit involving financial inspections rather than performance auditing activities aiming to provide opinion on risk management, control and governance. This paper analyzes that the embryonic risk culture of Albanian public sector, the lack of skilled internal audit resources and a little understanding of both managers and internal auditors with regard to the contribution of internal audit in risk management and corporate governance system aimed at achieving the government organizations objectives are the main reasons why the risk based model and consultancy role of internal auditors is not yet applied. Therefore, this paper recommends the internal auditors to perform additional consultancy tasks to enhance the internal control system and build the risk management methodologies and structures due to the management lack of knowledge. As soon as the organizations become risk mature the internal auditors can provide assurance appraisal service based on risks. The Practice Advisory Standard 1000 recommends principles which should be used as guidance for regulatory framework of internal audit function within Albania, public sector, guiding internal auditors in order for them to maintain their independence, objectivity and due professional care while conducting consulting service

The Risk-based Role of Internal Audit within Albania, Public Organizations

The aspiration of Albania for European integration has added mandatory requirements for public sector to modernize the internal audit function in adherence with International Internal Auditing Standards. According to such Standards supported by Picket (2005) and CIPFA (2003) the internal audit is an assurance function that provides independent opinion on the effectiveness of internal controls that support the achievement of the organizations objectives. Internal auditors can provide consultancy service, in particular to aid management to improve the organization control environment. Meanwhile, Diamond (2002) explains that the internal audit role, remit, scope and activities are driven by the macroeconomic objectives and political stabilization. For those countries with governance problems the first objective is to ensure compliance with financial laws and regulations. Therefore, the most suitable approach for the internal audit is the compliance auditing to attain macroeconomic stabilization objectives. Therefore, the main question around which this paper is based is whether the public sector in Albania is ready to adopt the modern model of internal audit moving beyond the traditional compliance and financial remit to comply with recognized International Internal Audit Standards. This paper finds that although changes in Albanian normative framework since 2007, internal audit within government organizations are still adopting traditional approach of internal audit involving financial inspections rather than performance auditing activities aiming to provide opinion on risk management, control and governance. This paper analyzes that the embryonic risk culture of Albanian public sector, the lack of skilled internal audit resources and a little understanding of both managers and internal auditors with regard to the contribution of internal audit in risk management and corporate governance system aimed at achieving the government organizations objectives are the main reasons why the risk based model and consultancy role of internal auditors is not yet applied. Therefore, this paper recommends the internal auditors to perform additional consultancy tasks to enhance the internal control system and build the risk management methodologies and structures due to the management lack of knowledge. As soon as the organizations become risk mature the internal auditors can provide assurance appraisal service based on risks. The Practice Advisory Standard 1000 recommends principles which should be used as guidance for regulatory framework of internal audit function within Albania, public sector, guiding internal auditors in order for them to maintain their independence, objectivity and due professional care while conducting consulting service

INTERNAL AUDIT IN CORPORATE GOVERNANCE

Internal Audit, compared with verification of transactions and compliance with established procedures, identify risks and assess the effectiveness of risk management.Internal audit based on risk analysis assesses the adequacy and effectiveness of internal control in all areas of activity, helps management in its task by analyzing the causes and consequences, with recommendations concerning the activities examined, whereas both shareholders and existing and potential investors are interested in how the entity is governed

JUMLAH TEMUAN AUDIT ATAS SISTEM PENGENDALIAN INTERN DAN JUMLAH TEMUAN AUDIT ATAS KEPATUHAN TERHADAP OPINI LAPORAN KEUANGAN PEMERINTAH DAERAH

The purpose of examination of financial statements is to provide opinions on the fairness of financial information presented in the financial statements. Based on Law Number 15 of 2004, the criteria for giving opinion are: conformity with Government Accounting Standards, adequacy of disclosure, compliance with laws and regulations, and effectiveness of internal control systems. This study aims to examine the effect of the number of audit findings on the internal control system and the number of audit findings on compliance with the opinion of the financial statements of local governments in West Java. Population in this research is 52 Reports of Result of Inspection on Local Government Financial Report (LKPD) in city/ district in West Java during 2014-2015. The sample in this study is the entire population. The partial test results of the audit findings on the SPI and the number of audit findings on each compliance have no significant effect on LKPD opinion, and simultaneously the number of audit findings on the SPI and the number of audit findings on compliance have no significant effect on the LKPD opinion of the city / district in Java West in 2014-2015.Tujuan pemeriksaan laporan keuangan adalah untuk memberikan pendapat/opini atas kewajaran informasi keuangan yang disajikan dalam laporan keuangan. Berdasarkan Undang-undang Nomor 15 tahun 2004, kriteria pemberian opini adalah : kesesuaian dengan Standar Akuntansi Pemerintah, kecukupan pengungkapan, kepatuhan terhadap peraturan perundang-undangan, dan efektivitas sistem pengendalian intern. Penelitian ini bertujuan untuk menguji pengaruh jumlah temuan audit atas sistem pengendalian intern dan jumlah temuan audit atas kepatuhan terhadap opini laporan keuangan pemerintah daerah kota/kabupaten di Jawa Barat. Populasi dalam penelitian ini adalah 52 Laporan Hasil Pemeriksaan atas Laporan Keuangan Pemerintah Daerah (LKPD) kota/kabupaten di Jawa Barat selama tahun 2014-2015. Sampel dalam penelitian adalah seluruh populasi tersebut. Hasil pengujian secara parsial jumlah temuan audit atas SPI dan jumlah temuan audit atas kepatuhan masing-masing tidak berpengaruh signifikan terhadap opini LKPD, dan secara simultan jumlah temuan audit atas SPI dan jumlah temuan audit atas kepatuhan tidak berpengaruh signifikan terhadap opini LKPD kota/kabupaten di Jawa Barat tahun 2014-2015