Analysis: The Mess at UMMS—Part II: Legislative action must be stronger than HB 1428

This is the second of two parts by career government auditor Charlie Hayward addressing the “Mess at UMMS,” and the legislative reaction to it.

The University of Maryland Medical System includes 13 hospitals with 28,000 employees and $4.4 billion in annual revenue.

The first part detailed many red flags that trained auditors look for to assess the seriousness of problems, so they can create audit steps designed to fully address them. In this Part II Hayward :

•   Argues that proposed emergency legislation is unlikely to be fully responsive to red flags;
•   Describes why American Hospital Association guidance UMMS proposes using as best practices can be improved;
•   Lists some of the elements of a credible audit.

By Charlie Hayward

For MarylandReporter.com

The type of audit cited in legislation, and who controls the audit, will be pivotal to whether all, or only a few of the red flags, are considered by the auditor. HB 1428 would require the University of Maryland Medical System Corporation (UMMS) to hire an: “independent certified public accountant (CPA) to conduct a performance audit of its administrative and financial offices – specifically to evaluate the efficiency and effectiveness of financial management practices, including procurement and contracting.”

Professional auditing standards describe several kinds of audits. Performance auditors examine internal controls for efficiency and effectiveness and recommend prospective improvements. They don’t investigate possible wrongdoing or reconstruct previous transactions or events; they typically don’t examine source documents or verify transactions; they don’t assess motives; and they don’t perform any forensic work—unless the mandate requires it and the legislation does not.

A “performance audit” is jargon for a non-critical review whose principal objectives are aligned with future improvements of economy and efficiency. The legislature needs to tighten up language describing the audit to include an investigation covering at least three years prior, including forensic work.

Hospital system hires the auditor

Proposed legislation also requires UMMS to identify and hire the audit firm, and pay for the audit. This means designing the audit, selecting audit procedures, overseeing fieldwork, and choices about language in the final report will be overseen by substantially the same management who presided over these problems,  assuming Robert A. Chrencik, the CEO on leave of absence, is completely removed from any role with the audit.

Although UMMS executives want to know what happened, they also have deep-seated incentives for assuring the audit is as painless as possible. Recognizing these incentives, the legislative language needs change. A couple options include:

•   Requiring UMMS to contract with and pay an impartial entity — possibly the legislature’s own Office of Legislative Audits — to hire and pay the auditor and manage the work.
•   Requiring auditors to report to the board’s audit and compliance committee (assuming committee members have no business ties to UMMS.)

Red flags cited in Part I raise questions about abuses of public trust. A stronger audit mandate and impartial oversight of the work are necessary to get to the truth.

American Hospital Association guidance can be improved upon.

On March 22, three mid-level executives of UMMS testified regarding HB 1428, before the House Health and Government Operations

Committee. Testimony begins with introductions at 23:39 of the video.

They promised legislators that UMMS would utilize American Hospital Association guidance and best practices for benchmarking existing policy, and using the guidance to implement audit recommendations. Presumably, UMMS will instruct auditors to use AHA criteria in their assessments.

AHA is a well-respected advocacy group whose strongest resources appear to involve community health and patient care and treatment. However, their guidance about boards of directors and conflicts of interest is generic and abridged. It also suggests there’s one set of best practice for nonprofit hospitals, and another for all other similarly-sized entities. Since AHA’s guidance is neither comprehensive nor robust, UMMS should use stronger, more objective, due-processed criteria.

Fortunately, it need not reinvent the wheel. The Maryland State Health Services Cost Review Commission’s “Maryland Survey of Nonprofit Hospital Board Governance: Report to the Maryland General Assembly” is a good place to start. It covers a full assessment of best practice for Non-profit hospitals:

•   Governance Structure
•   Transparency
•   Conflict of Interest Policy
•   Governance Policies and Practices

Legislators should consider naming in their legislation, the soundest benchmarks for guiding improvements.

Elements of a credible audit

A credible audit is one performed free from conflicted oversight and control. The audit entity who is awarded this work should be free to design its own audit work plan, complete the work, and prepare a final report without inappropriate influence.

To be fully independent, he audit entity should have the authority to (1) expand the audit as may be warranted by its findings, and (2) make referrals of suspected illegal activity to the Attorney General, as the auditor and contracting authority deems necessary—without having to survive bureaucratic delays.

If the Office of Legislative Audits oversees the audit, it has fraud auditors and technical expertise on staff and an existing protocol for making such referrals.

UMMS’ performance audit should not simply evaluate internal controls, and economy and efficiency. It also needs to have a component encompassing certain kinds of investigative procedures such as the following:

1. How many board members received contract awards from UMMS? What were amounts, dates, and scope of work for each contract? If contracts were amended what was the rationale, terms, and amounts of increases?
2. Were contracts between board members and UMMS written? To the extent they weren’t is there any evidence oral contracts were used to conceal the substance?
3. To the extent contracts were written, did their terms and conditions conform with UMMS’ procurement policy and procedure?
4. Were sole-source contract awards justified under prevailing procurement laws and regulations?
5. Is there any evidence UMMS evaluated (prior to award) proposed contract costs and were costs negotiated and, if so, what evidence exists about effectiveness of such negotiation?
6. Were procurements made exclusively for ordinary and necessary goods and services?
7. What were the internal controls designed to assure UMMS received what it paid for? Test such controls to determine if they were effective.
8. Fully test compliance with UMMS’ written Conflict-of-Interest policy by performing the following assessments:

•      Does UMMS comply with policy requiring the “Office of General Counsel is responsible for collecting and maintaining disclosures from all of the Governing Board(s) associated with The University of Maryland Medical System.”
•      Did board members comply with the “Duty to Disclose” reported potential conflicts corresponding with “…direct or indirect remuneration” specified in policy?
•      Test compliance by members of the board with the policy requirement that “…If there is no Financial Interest to disclose, this must be certified to the requesting party.” Specifically, were board member certifications (purporting to convey no potential conflicts) accurate and complete?
•      Since disclosures must be made by vendors, test to assure board members (in their roles as vendors) complied with the policy requirement that “Any vendor, supplier, or other contractor must disclose any actual or potential transactions with any University of Maryland Medical System officer, board member, employee, or member of the medical staff, as applicable, including family member.”
•      To the extent of positive disclosure of potential conflicts, determine if “Management Plans” required by policy are available, were reasonable to mitigate conflicts, and were complied with.
•      Did UMMS’ Office of General Counsel inform the Maryland Health Services Cost Review Commission where required expressly by policy?
•      Make a judgment about whether amounts paid by UMMS are consistent with value received in an arms’ length transaction for each contract.
•      To the extent of the lack of evidence of arms’ length procurement, assess whether there may have been any quid-pro-quo received by UMMS? If so, what was the substance?
•      Evaluate whether any payments should be treated as lobbying on IRS Form 990, Report of Exempt Organizations.
•      Determine if UMMS complied with Internal Revenue Service compensation reporting requirements, including IRS Forms 1099 used to report non-employee compensation.

9. Did UMMS break laws or regulations of federal, state, and local regulatory bodies applicable to endowments (see Maryland Uniform Prudent Management of Institutional Funds Act) or governmental resources it is entrusted with?

These are a few of the forensic or investigative procedures that should be considered. The bulk of the audit would incorporate other procedures (not cited above) addressing the control environment, with an eye towards prospectively strengthening the process.

Audit results in the form of the final report should be made public.

Charlie Hayward spent more than 30 years performing Government Accountability Office audits and served as a partner in two accounting firms. He retired in 2007 from Cotton & Company LLP, where he was a partner and principal financial auditor of the firm’s audit practice group. Since retiring, he has been a contributing writer for MarylandReporter.com and Bloomberg BNA. He can be reached at hungrypirana@verizon.net.