Your browser version is outdated. We recommend that you update your browser to the latest version.

Internal Controls and Project Risk Assessment

 

Client:

Regional hospital

Duration:

8 weeks

Key Roles/ Services Performed:

Internal Controls assessment

Project Risk assessment

Details:

Led an assessment of the Meditech system being implemented to numerous departments in this Southern Ontario hospital.  Managed two team members, for an assessment of the effectiveness of the controls environment as applicable to the hospital’s business processes, as well as the project implementation and conversion practices being utilized for the implementation.  The review focused on three primary areas:

  • Internal controls assessment on the modules implemented and their impact on the   related business processes
  • IT general controls assessment over the Meditech system environment
  • Project risk assessment

The modules in scope for the internal controls assessment were the Admissions, Medical Records, General Ledger, Accounts Payable, Materials Management, Laboratory and Pharmacy modules.  Over several months, the team and I interviewed project staff and user personnel as well as examined system documentation and supporting procedural documentation. 

For each business functional area impacted by the modules, an understanding was obtained of the key processes within the affected departments and the risks and controls associated with these processes.  Further, system interfaces, audit trails, backup procedures and legislative requirements were reviewed in relation to the implemented modules. 

In the IT general controls assessment, an understanding was obtained of the controls surrounding the operation and maintenance of the computer systems which provided the Meditech functions for the hospital.  Controls such as system security, backup and recovery, and change management controls were assessed and evaluated against the significant IT risks impacting the hospital.

In the project risk management review, project personnel were interviewed throughout the implementation timeframe to determine the appropriateness of the processes followed, testing and conversion strategies, training, support processes and documentation supporting the implementation. 

Feedback was provided on a timely basis throughout the engagement through weekly meetings and on the spot recommendations.  At the conclusion of the assessment, a detailed report was provided to management and the audit committee on the results of our review including a summary of how the major risks were managed and areas for improvement.

Benefits to Client:

Senior management and the audit committee obtained comfort on the processing integrity of the new system.  Controls and processes were able to be updated in a responsive manner as concerns were identified.