In the coming years, internal auditors will play an important role in ensuring compliance and identifying risks related to the U.S. Affordable Care Act (ACA). Many will need to become intimately familiar with the law to help ensure their organization is going down the right path. The extent to which auditors are involved in the issues will depend heavily on the size of their organization and the industry in which it operates. Those in professional firms with robust benefit plans may see few changes, whereas auditors in the health-care sector and those in industries with part-time and contingent workers could face several complexities in the coming years.
Experts say the main challenge auditors will face is the need to stay abreast of the changing laws to help identify risk and guide their organization. Also among their duties will be providing oversight and ensuring that other departments in the organization are maintaining compliance and acting within the bounds of the new laws.
Uncertainty Poses Challenges
Todd Tuten, senior public policy adviser with the Patton Boggs law firm in Washington, D.C., says the complex nature of the ACA, the difficulties in implementation, and the possibility for further changes means auditors could have a tough task ahead. He says that uncertainty compounds the challenge of ensuring compliance because all the rules have yet to be written.
“We don’t even know all the rules that the employers need to know to be ready to go a year later in 2015,” he says. “The fact that there are technical problems and delays in implementation is quite significant.”
Delays in certain elements of the ACA, along with political wrangling and regular revelations of problems, add to the uncertainty of the law. Auditors first need to be able to fully identify compliance before they can help ensure it. Alden Bianchi, practice group leader for the Employee Benefits and Executive Compensation Practice at Mintz, Levin, Cohn, Glovsky, and Popeo in Boston, says despite the confusion, he doesn’t expect many changes in the law as it relates to employers.
Bianchi recommends auditors prepare based on the elements of the law that exist today. Those include employer-shared responsibilities, rules to calculate the number of full-time employees, and any information employers are required to give their employees. Moreover, because the ACA impacts such a broad population, Bianchi warns that emotion and personal opinions can creep into the workplace.
“If you’re an internal auditor, whatever happens with the individual mandate is irrelevant,” he says. “It doesn’t matter if the exchanges are working. It’s not your concern when it comes down to your job or organization.”
Bruce Elliott, manager of compensation and benefits for the Society for Human Resources Management in Alexandria, Va., says one of the biggest responsibilities employers will have is to ensure they send out the required notifications. Depending on the size of the company and the coverage, employers will be required to notify their employees of plan options, exchanges, and various dates and deadlines. While this responsibility will lie mainly with human resources, Elliott says internal auditors will need to maintain oversight. “It’s important for the internal audit function to ensure that human resources and finance are making the filings because the penalties can be big,” he says.
The complexity of audit related to the health-care law changes will depend on not only the size of the organization but the industry in which it resides. One of the biggest changes for employers is the Employer Shared Responsibility Provisions, which applies to employers with 50 or more full-time equivalent (FTE) employees. Employers will have to offer coverage that meets certain minimum standards and may have to make an Employee Shared Responsibility Payment (a fine) if at least one of their employees qualifies to save money in the ACA marketplace.
To be deemed “affordable,” an employee’s share of the premium’s cost cannot exceed 9.5 percent of his or her yearly household income. A health plan meets the minimum value if the plan’s share of the total costs of covered services is at least 60 percent. The fine for not offering insurance is US $2,000 per FTE (excluding the first 30 employees). If a company does offer insurance but doesn’t meet the minimum requirements, the fine is US $3,000 per employee who qualified for premium savings in the marketplace.
“There is a lot of complexity, and some of it is state specific,” Tuten says. “There are a lot of calculations to think about, and from an audit perspective you’ve got to work with the assumptions you have now.”
Requirements to Vary by Industry
So far, employers have only been required to notify workers that the new health insurance exchanges have opened. When the employer mandate starts in 2015, employers with 50 or more FTE employees will not only need to provide coverage but ensure that it meets the federally mandated plan minimums and carries the new “essential health benefits.” Companies with fewer than 50 employees won’t have to do anything. Some employers with fewer than 25 workers may be eligible for a federal tax credit (Form 8941) if they cover at least half the premiums for all employees and have average wages of less than US $50,000.
“When the employer mandate goes into effect next year, it’s going to create a host of issues and risks for employers with 50 or more employees,” Elliott says.
Internal auditors in some industries may find few changes or risks related to the new law. Bianchi says because most employers with highly paid workers already offer excellent health insurance to retain employees, they are unlikely to undergo any major changes other than a few reporting requirements. Those policies are likely already compliant and offer most of the new essential health benefits. Many law firms, engineering firms, accounting firms, financial institutions, and professional services organizations will have little to worry about.
The big complexities will be seen in organizations with a large, variable pool of hourly, seasonal, and contingent workers. These can include businesses in the restaurant, staffing, hospitality, retail, and construction industries. Bianchi says because many employers in these industries don’t offer strong benefits, they’ll have to make the biggest organizational changes to maintain compliance. “These people have traditionally not been offered robust health benefits, so there will now be an issue to focus on compliance and the risks that come with that,” he says.
Determining the number of full-time workers in such an industry isn’t as easy as it sounds, especially for a large organization, Bianchi says. There are several complex factors and calculations to determine FTE workers that include total hours worked, number of employees, and annual wages. U.S. Internal Revenue Service documents explain the calculations, but auditors may be required to monitor staffing and hours periodically to check the number of FTEs and help ensure that the organization remains in compliance.
“There’s a very complex set of rules dealing with variable hourly employees,” Bianchi says. “Human resources, management, and consultants will likely design a program, but internal audit will be the backup.” Internal audit, that is, would serve to provide assurance with regard to ACA compliance.
Tuten says there are multiple federal and state departments developing and implementing the rules and because markets can vary across state lines, it means auditors have a lot to consider. He adds that auditors need to proceed based on what they know now and prepare for the coming changes.
“There is a need to act now,” he says. “You can’t wait until all the systems are in place because that may drag out. You don’t have all the rules yet, but you just have to move forward and hope the assumptions play out favorably.”
Auditors working in any part of the health-care industry, from insurance to hospitals, may see the biggest challenges in audits. Annette Schandl, vice president of audit for CHAN Healthcare, says one major change will be the implementation of the electronic health-care record system. Because these records are designed to be accessed by insurers, doctors, and health-care facilities across the country, she says there could be privacy concerns, and issues related to the U.S. Health Insurance Portability and Accountability Act (HIPAA), should information get in the wrong hands. Schandl says many hospitals and facilities have yet to train their workers on procedures and policies for handling electronic records, and auditors will have to be on the lookout for systemic errors and fraud vulnerabilities.
The ACA will change so many procedures and processes, Schandl says that auditors will have to commit to ongoing education about the law. She says there will be changes in the entire health-care process, from the time a patient sees a doctor to the time the insurance company reimburses the physician or hospital.
“The auditor has to have a [comprehensive] understanding of the processes, their risks, and their opportunities — we could audit that area forever,” Schandl says. “There are so many different facets to the ACA and lots of areas that affect hospitals, health care, and everything around it.”
The U.S. Department of Health and Human Services has also developed annual reporting requirements for insurers related to quality of care. They are designed to improve health outcomes, implement activities to prevalent hospital admissions, reduce medical errors, and implement health and wellness promotion activities.
In light of these requirements, Schandl says auditors in the health-care industry will have to possess more operational knowledge about the actual care of patients. She says there has been a tremendous shift from financial to operational and compliance audits, and she expects that trend to continue. Schandl says up to 70 percent of CHAN’s audits are now focused on operations and compliance.
Because few traditional auditors have extensive medical backgrounds, her team has started recruiting nurses to serve as operational auditors. Schandl says they can walk into the role with an understanding of patient care and terminology that would take a typical auditor months or years to learn.
“We’ve hired nurses to train as internal auditors,” she explains. “It’s very helpful for them to have that clinical background. It’s not just about the financial [aspects] anymore. They need that operational and clinical experience and knowledge.” For audit practitioners without this type of background, expertise such as coding certifications can be of great value for audits within clinical settings.
Karen Thiel, partner and specialist in public policy and health care at Patton Boggs, says the quality reporting requirements and oversight of medical records implementation will also be a critical role for auditors in the health-care industry. As part of the health-care changes in recent years, Medicare providers who don’t use electronic medical records by 2015 will face fines.
Thiel says while the technology has many advantages, it also comes with greater vulnerabilities for fraud. She says companies will not only have to ensure that they’re complying with HIPAA privacy rules but that their vendors do so as well. “If there is a breach, the business associate and main facilities could both be liable for the breach,” Thiel says. “Auditors will need to know the processes and regulations.”
Quality reporting requirements will be required for employer group health plans, including self-insured plans and individual plans. They’ll be required to report on their quality improvement activities regarding plan or coverage benefits and provider reimbursement structures. These provisions are all designed to help improve health outcomes, prevent hospital readmissions, improve patient safety, reduce medical errors, and implement health and wellness promotion activities.
Elliott says to try to control their own costs, some employers are shifting more health costs to employees by making them pay more of the premiums or migrating to plans with higher deductibles. The 2013 Employer Health Benefits Survey by the Kaiser Family Foundation found that the average annual deductible of a U.S. employer-sponsored plan is now US $1,135 and rising. Employers have always acted to reduce health insurance costs, but doing it in the world of new rules and regulations is going to be more tricky, Elliott says.
“There are ways to meet the thresholds with plan benefits if the organization is creative enough in wanting to take a little bit out of the pot,” he says. “But auditors will need to identify the risks and have a strong understanding of the ACA.”
Auditors will also have to be cognizant of overall systemic risks in the future of the insurance market. Margarita Fernandez, chief of public affairs for the California State Auditor, says her office is required to identity “high risk” issues in annual reports. These are issues that may be of interest to the citizens or state or could have a potential for fraud. In a 47-page report in July 2013, the auditor identified Covered California — the new state-operated health exchange — as a high-risk entity.
The report noted that although the exchange developed a comprehensive certification process for qualified health plans, it hadn’t yet developed a process for how to monitor, recertify, and decertify them. One of the biggest concerns, and one that has been noted as a risk with many state exchanges, is analyzing whether its operations can be sustained under a range of enrollment scenarios.
“These aren’t audits but assessments of what should be closely monitored and brought to the attention of decision makers,” Fernandez says. “Until the exchanges reach the target enrollment, the solvency could be uncertain.”
As the remaining parts of the ACA go into effect in the coming years, internal auditors will be responsible to find out how the laws apply to their own organizations. Human resources, finance, and legal departments will ultimately mandate policy, but internal audit will be a critical backstop in ensuring compliance and the right course of action.