The Kansas Health Policy Authority board has endorsed an audit protocol for use by the state's Medicaid inspector general that some say could limit auditor independence because of the unusual degree of agency input it allows before audits are approved or made public.
Inspector General Nick Kramer said the new procedures call for early and ample discussion with health policy authority managers while their programs are being audited so that solutions to problems can be pinpointed and implemented more quickly.
KHI file photo
“We think those informal review steps are good,” Kramer said. “They kind of force auditors and managers to get on the same page. We want to work together with them...make sure there is no misunderstanding in our test work and in that way come up with the best solution. We can have better solutions to problems once we have our heads together on it.”
In the protocol adopted last week by the health policy authority board, collaboration between auditors and managers is emphasized.
“It is the philosophy of the OIG to conduct performance audit operations in a transparent and collaborative manner,” according to the protocol document. “In each stage of the audit work, beginning with topic identification, through defining the audit objectives, completing audit test work, and preparing the audit report, the OIG's policy is to foster effective communication with (health policy authority) managers.”
The process for doing that includes discussing audit findings with managers before draft reports of audits are prepared, a subsequent review with managers of the draft audit in an “informal exit conference,” a later “formal exit conference,” with more opportunity for management input before the draft audit is issued for review by the agency's executive director.
According to the protocol, once the executive director responds to the audit findings the report would then be forwarded to the finance and audit subcommittee of the health policy authority board where it would be reviewed in executive session. After the subcommittee approved the audit, it could then be delivered to the full board and made public.
KHI News Service asked other current and former inspector generals with experience in state or federal government to review the protocol and offer comments.
“Although auditors are encouraged to communicate with the folks they are auditing throughout the audit, the stress here on collaborating and multiple opportunities for different levels of management to suggest edits and corrections could be problematic,” wrote one auditor in an email after reviewing the protocol document.
Another wondered what would happen if management chose not to respond to audit findings since the protocol calls for a response before an audit could be publicly released; or what would happen if the board subcommittee chose not to approve an audit.
“The additional opportunity for collaboration is positive,” said Gina Maree, a vice president at the Kansas Health Institute and former deputy regional inspector general for the U.S. Department of Health and Human Services. “However, there's a point in the process that gives rise for concern about the auditors' independence and the opportunities for the agency to limit the auditors' ability to report the findings they believe are appropriate.”
According to standards developed by the Institute of Internal Auditors, in order for independence to be maintained, “the internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.”
The various intermediary steps in the health policy authority protocol, the various former and current auditors said, could blur the distinction between management interference and “collaborative” input or feedback.
But Kramer said the OIG at the health policy authority has a different approach than some other inspectors general.
“When you talk to other OIG groups,” Kramer said, “I think they're a little more removed from the folks they're auditing. They have a little more of a compliance approach. With us it's more of a collaborative process. Every audit is different. We design every audit differently...not just ones that came out of a cookie cutter idea.”
The collaborative nature of the audit protocol developed by Kramer and his staff with input from agency management also contrasts sharply with the approach of his predecessor.
Robin Kempf, the state's first Medicaid OIG, resigned in late 2008, saying the office was unduly pressured by health policy authority management and board members. Kempf, an attorney and former auditor with the Kansas Legislative Division of Post Audit, later testified to lawmakers that the OIG should be moved out of the agency as a means of assuring its independence.
The health policy authority was created in 2005 to oversee Medicaid, the Children's Health Insurance Program and the state employees' health benefit plan. It accounts for about $2.3 billion a year in state health spending.
The OIG, created in 2007, reports to the health policy authority board and is under the management and administrative budgeting of the health policy authority's executive director, though the OIG's office has its own line item in the state budget.
Kempf took her concerns to the Legislature in 2009, and a bill was introduced that would have moved the Medicaid OIG under the umbrella of the Legislature's audit division. But lawmakers effectively tabled the proposal and instead asked the Kansas Judicial Council to review the question of where the OIG should be housed and to make its own recommendation.
Meanwhile, health policy authority Executive Director Marcia Nielsen resigned and was replaced by her former deputy, Andy Allison. Also, health policy authority board member Ned Holland left for a job in the Obama administration. Kempf said it was Nielsen and Holland who had tried to pressure her.
In response to the Legislature's request, the Judicial Council formed a nine-person committee that among others included Allison and the heads of the Kansas Medical Society and the Kansas Hospital Association. The committee also included Barbara Hinton, outgoing chief of the Kansas Legislative Division of Post Audit and Loren Snell, lead Medicaid fraud investigator for the Attorney General's Office.
The committee concluded that the 2007 law creating the OIG contained several safeguards of independence, including authority for the inspector general to take concerns and recommendations directly to the Legislature, something Kempf said she had been discouraged from doing by agency management. The inspector general also has civil service protections and cannot be fired by the health policy authority board or its management as easily as a political appointee could be.
Judicial Council report
The committee's report, released Feb. 8 this year, also concluded that the OIG auditors were bound to uphold the “Yellow Book,” which are the generally accepted government auditing standards promulgated by the U.S. Government Accountability Office. The Yellow Book has standards for independence for both “external” and “internal” government auditors. The OIG is empowered by law to do external and internal audits.
The Judicial Council report also cited the potential for trusting relationships between auditors and agency managers as one of the reasons for keeping the OIG nested at the health policy authority.
“Allowing the OIG to develop relationships within the agency will increase effectiveness of the office,” the report stated. “It is human nature for one to feel apprehension at the thought of being audited. This apprehension frequently causes one to be defensive and less forthcoming.
“Housing the OIG within the agency it is responsible for auditing allows the IG the opportunity to develop positive relationships with the staff thereby easing that fear and apprehension. The standards that auditors must follow make it very clear that independence and objectivity in every aspect of their work is paramount. As long as the auditor follows those standards as required, developing relationships with the people they audit can actually work to their advantage.”
Kramer said, as noted by the judicial council report, that the statutes governing the OIG assure it the independence it needs above and beyond the audit protocol, which he characterized as guidelines, “a cookbook.”
He also said the primary goal of the protocol was, “to accomplish recommendations that are implementable.”
The adopted protocol is silent on the process for audits of Medicaid programs in other state agencies such as the Kansas Department on Aging, the Kansas Department of Social and Rehabilitation Services or the Juvenile Justice Authority, which has its own inspector general. Nor is it specific about the process for auditing Medicaid providers, beneficiaries, or contractors, though the OIG statutes authorize those types of investigations.
“I didn't really take that into careful consideration,” Kramer said about the process for auditing programs at the other state Medicaid agencies. “But if they (other agency managers) have important suggestions, we would run through the same protocol with them, solicit their ideas for best ideas for test work.”
After Kempf resigned, it was 11 months before Kramer was hired in September 2009 from the Kansas Department of Revenue to replace her as head of the inspector general's office, which, including him has a staff of three auditors and an administrative assistant.
Since lawmakers created the office in 2007, it has published two audits and reviewed several complaints from the public or Medicaid providers.