Judging by what’s been said about the U.S. Patient Protection and Affordable Care Act (ACA), it’s no wonder it’s been perceived as too complex for any but the most dedicated Washington, D.C., policy experts to understand. Yes, the ACA is dense. No, compliance won’t be easy. And auditing readiness for compliance — and compliance itself — won’t be easy, either. But internal auditors who’ve been through the fire say that once you get an idea of your organization’s risk profile in relation to the act, you may be able to sit back for the time being and focus your attention on other risks that pose a bigger threat.
“It’s not as scary as you might think,” reports Annette Schandl, senior vice president of audit at CHAN Healthcare, based in Clayton, Mo., a subsidiary of Crowe Horwath LLP. “From an internal audit perspective, management should have specialists in place to implement the ACA. Once the implementation is complete, internal audit should perform testing of the process.” Internal audit, she adds, needs to have a seat at the table as ACA policies and procedures are developed, to make sure the right controls are considered. But the bottom line is this: Auditing is still auditing, no matter how Byzantine the beast.
That’s not to diminish the frustration and confusion organizations are experiencing in the face of something that’s received so much scrutiny and been the subject of so much commentary. “It’s just too complicated,” says Emily Friedman, an independent health policy and ethics analyst based in Chicago. “Even human resources professionals are having problems knowing what to do.”
Indeed, a recent report from human resources (HR) and payroll consultant ADP shows that more than half of companies with at least 1,000 employees are unprepared to comply with all of the ACA’s regulatory requirements. Key components of the law that pose particular compliance problems, ADP says, include Exchange notices, penalties, and reporting required to the U.S. Internal Revenue Service — all areas that internal audit will likely need to help rank order by risk and then compliance, which they’ll need to assess.
Additionally, many larger companies are using benefits strategies that shift more costs to employees in the wake of the excise tax on high-value health plans that becomes effective in 2018; others are limiting hours for some employees to avoid the coverage mandate. Employers now have to count “hours of service,” notes Jerry Healy, employee benefits counsel for Keenan & Associates, in Torrance, Calif., calling it “a new defined term not commonly used for benefits.” As such, he adds, the term not only has to assimilate into the workforce and its medical plans, but maybe also into collective bargaining agreements. Many firms don’t have the systems in place to track and report that new information.
Other items that need to be addressed, he adds, include special transition rules, communications to employees, U.S. Department of Labor audits of certain health plans, and the Mental Health Parity and Addiction Equity Act. Even if those are areas new to internal auditors, the tasks internal auditors need to perform in response are not. Complying with the ACA will be difficult for most firms, but those firms’ internal auditors can accomplish their part in it by focusing on performing tasks they are familiar with and not be daunted by the unfamiliarity of the entire act.
The trickiest part of compliance for Bellevue, Wash.-based Nordstrom was “anything related to the Cadillac tax,” notes Dominique Vincenti, vice president, internal audit and financial controls. But she adds that the difficulty was largely self-inflicted, because the company maintains both an HR and benefits department and a tax department, and “some of the taxes that the company had to deal with are managed by the HR department and not the tax department.” Each thought the other was taking care of it, so no one was taking care of it.
But a detailed risk assessment — which her department conducted specific to the ACA — turned up the fact that the management team had not thought clearly in terms of roles and responsibilities and the tax implications of the ACA. “We caught it very early,” she says now, “which allowed us to highlight to management the intricate complexities of the tax implications and to get both departments at the table to agree on allocation of roles and responsibilities.”
She adds that, because of that detailed risk assessment, her team’s role in helping the department store chain address the ACA is largely complete — at least for now. “The ACA, like any other law or other regulation we have to comply with, is part of this big compliance pool made up of a bunch of stuff,” she explains. “It’s no worse or better than the others. It’s one of many.” In fact, she states simply: “We feel at this point that the ACA doesn’t rise on any radar. It’s been very quiet.” The company’s general counsel maintains compliance oversight responsibility. Vincenti meets with him twice a month to “see if anything is starting to bubble up.”
Sharon Gipson, vice president, corporate audit, at Detroit-based Blue Cross Blue Shield of Michigan, agrees that a smart approach to ACA compliance starts with a comprehensive risk assessment. “You need to understand what pieces of the ACA are applicable to you and make some decisions about what to focus on,” she says. Essentially, she advises considering not only internal processes, but partners and vendors as well because, she notes, “they can introduce as much compliance risk into your organization as you can within the organization.” Then, of course, you “lay out how to address the higher-risk areas first,” she says. “Once you have an understanding of which portions of the ACA impact you and how they’ve been implemented and are operating within your organization, you can focus your efforts.”
Business as Usual
If that sounds a lot like what internal auditors do every day, that’s because it is. Ensuring employer readiness and compliance, says Gwendolyn Skillern, senior vice president and general auditor at CareFirst BlueCross BlueShield in Owings Mills, Md., involves “processes and types of audits that are familiar to an internal auditor.” It requires analysis of complex processes that many internal auditors likely have never faced before. But while “you may not be accustomed to the complexity,” she adds, “you do know how to initiate inquiries needed to assess risk. We worked very closely with the business to find the information needed.”
She says her company formed a health reform steering committee that divided compliance into five tracks. “We embedded an internal auditor in each one,” she says, “so that as the company developed compliance strategies, we understood them and could efficiently direct our audit activity.” That’s critical, she emphasizes, “as the auditors cannot work in a vacuum. At the end of the day, we are in partnership with the business to mitigate the risk to the company. The ACA is too complex and too fast-moving. You can’t work in a silo and then show up to conduct an audit.”
Carl Mowery, managing director, compensation and benefits consulting at Grant Thornton LLP in Chicago, agrees that internal auditors won’t be mystified at the specific tasks required to audit for ACA readiness and compliance. “Conceptually, it’s the same thing,” he says. “If an internal audit department is accustomed to doing employee benefit audits, it’s similar to those, but a little bit more detailed.” In many benefits audits “some leeway can be had,” he adds, “but the ACA really does not provide much flexibility, so particular attention will have to be paid to the details.”
Many of the most challenging of those details will arise as internal auditors “really look at the controls processes and procedures that have been implemented to determine who is a full-time employee and track those employees from the perspective of the reporting and record-keeping requirements of the ACA,” Mowery adds. “If an organization does not have those controls processes in place when the external auditors come, it may have to record a contingent tax liability.”
Generally, there is a US$2,000 penalty per employee for not having offered coverage to 70 percent of full-time workers; that percentage rises to 95 percent next year. “Part of the compliance process is understanding who is a full-time employee and who is not,” Mowery notes. “Be sure to look at independent contractors as well as leased employees.” Under the ACA, the common law standard is used to define who is an employee; a full-time employee works on average 30 or more hours a week.
Some suggestions about what internal audit departments can do now to make sure those and other requirements are met include:
Make sure you have a seat at the planning table. “As the ACA is being rolled out, we follow several months behind with internal audits, giving management time to implement each aspect,” Schandl says. “Try to have a seat at the table throughout as management plans its approach to each stage of the law.”
Understand that ACA issues are not only concerns of the HR or benefits departments. “We highlighted the importance of coordinated, regular communication between HR and benefits and the many other stakeholders that need to be informed or consulted with,” Vincenti says. “An objective of the risk assessment was a robust inventory of all the implications of the ACA, which helped in categorizing them by ownership.”
Be prepared to do battle with an unknown foe. “The most challenging part is that you’re already into a process and your guidance is still being communicated,” Gipson points out. “As some of that guidance is finalized, you may have to go back and make adjustments. That’s a challenge to internal audit and the compliance team, both of which have to understand the state that is and the state that could be.”
Find out what your resources are. “The first step is to talk to your HR department or benefits function and ask whether the organization uses a benefit information system that has an ACA module,” Mowery says. “If the answer is no, that raises a big red flag. If the answer is yes, the next question concerns a commitment by providers to complete the necessary paperwork to comply with the law. Those are the kinds of things internal audit should be concerned about.”
Make sure you have a working understanding of what’s expected. “You have to have some basic understanding of the regulations,” Skillern urges, “and any operational and financial implications to your company if you don’t comply. When the business units have questions, you want to ensure that the audit staff is knowledgeable.” You can’t just turn it over to the insurance company. “We worked closely with our legal and compliance offices,” Skillern adds, “to ensure we had a correct understanding.”
Let management do its job first. “We haven’t discussed what to audit next,” Schandl reports. “We probably won’t consider any audits until the middle of calendar year 2016. We want to make sure management implements the appropriate processes, then allow them four to six months to have it up and running — and then test.”
Pick your battles. “I would go where the fire is burning,” Vincenti suggests, “meaning I would focus on anything that is coming up on a deadline. Then trace your way back to identify the owner of the process and do a quick validation that everything is ready and in place for things to go smoothly.” When all the deadlines have been looked at, she advises conducting an intermediate “lessons learned” reviewer with management. “Step back for a minute and reassess your plan,” she says.
Be realistic about what you can accomplish. “Don’t try to swallow the whole thing in one bite,” Schandl explains. “If you have a team of auditors, break the ACA up into pieces and give each person an area to be an expert in rather than trying to tackle it all.” She notes that even as a CAE, she doesn’t know every aspect of the act.
Get outside help when you need it. “We have a number of cosource internal audit relationships with the big firms,” Skillern reports. “We used them very strategically on complex issues where we wanted the benefit of their subject-matter expertise and insight across multiple insurers.” One example: There are many claims aggregation and reporting requirements tied to Centers for Medicare and Medicaid Services technology. “We partnered with a company that had auditors with experience with that type of technology,” she adds. “Internal audit shops don’t have the resources to have every type of expertise on staff.” Mowery agrees: “I’d really recommend using subject-matter experts at least in the initial audits because of the highly technical nature of the regulations. A number of systems will be involved in getting the reporting requirements together, including payroll and a benefits module, and you really need to understand the whole flow.”
A Smart Approach
The right approach to preparing for the ACA should make auditing for compliance fairly routine. “We’re not involved right now,” Schandl notes. “We’re talking about it. We’ll determine where the biggest concerns lie, perform a risk assessment and then build an audit calendar around that.” Vincenti is similarly sanguine. “It’s been a full year of execution under the ACA, and my team and I have not even gone to look at it,” she says. “We haven’t heard anything.” Is she surprised? Hardly. “A lot of the work was done ahead of the game,” she says. “The ACA is not considered a high risk anymore. Believe me, I have so many other things to do that pose bigger risks.”
To read more about health-care industry internal auditors' approaches to assessing risk around the Affordable Care Act, see "ACA Health Check."