Why the internal audit function serves as a bulwark against risk for healthcare organizations
Mark Laccetti and Debra Bowes, partners with the Chicago-based advisory firm Baker Tilly.
Prior to the COVID-19 crisis, many health systems were contemplating establishing an internal audit function in their organizations, or enhancing the function they already had in place.
Although the crisis may have deterred many from moving ahead with these plans, it is exactly in a time such as this that organizations need a truly agile and strong internal audit function, according to Mark Laccetti and Debra Bowes, partners with the Chicago-based advisory firm Baker Tilly.
They advocated the profound benefits of continuing to develop this function in their presentation, “Managing healthcare risks through internal audit,” on the opening day, June 24, of HFMA’s 2020 Digital Annual Conference.
The need to address rising risk in healthcare
“There is a tremendous amount of risk in healthcare, and having an internal audit function [can] give you some peace of mind that at least these risks are being addressed by someone and mitigated,” said Bowes.
The sources of risks healthcare organizations are facing are many and COVID-19 has added to the complexity of the risk, and in many ways exacerbated it, she said. Many of the responses to the COVID-19 pandemic have challenged and even loosened adherence to policies that were carefully put in place to address compliance issues and risk. Just a few trending issues she cited include:
- Financial sustainability
- Pandemic and emergency response planning and COVID-19 funding
- Remote workforce and furloughed employees
- Physician employment
- Cybersecurity and HIPAA enforcement
- Labor shortages
Role of the internal audit function
Laccetti described the key elements of the internal audit function, citing the definition of internal audit adopted by the Institute of Internal Auditor:
Internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Its purpose, he said, is to fulfill four primary roles:
- Provide positive assurance that controls are functioning as intended
- Identify areas requiring improvement
- Ensure risk management is aligned with efforts to realize strategy
- Serve as a catalyst for improving controls of compliance, finance and operations
Free of external influences, internal audit should report through senior management and out to the organization’s governing committee.
3 internal audit structure types
Laccetti described three types of internal audit structures:
- The traditional model, where the function is entirely in-house as a department
- The co-sourced model, where staffing and skill sets can be drawn from in-house resources as well as from external resources
- The shared services model, where the organization is leveraging an external service provider
Each model presents its own benefits and challenges. For instance, the traditional model affords the greatest organizational control over internal audit, but it presents the greatest administrative burden. By contrast, the shared service model gives the organization greater access to a network of internal audit professionals with specialty expertise. But it does not allow for the internal audit function to be fully ingrained in the organization. These are only a few of the examples Laccetti presented.
The risk assessment lifecycle
Internal audit is all about assessing and managing risk, so performing a risk assessment is a core element in this function.
“Risk assessment starts with planning,” Laccetti said. “We want to define our objectives, roles and responsibilities – what’s the internal audit functions role, what’s management’s role, what’s the board’s role, what are the various stakeholder roles – and having an open line of communication to make sure everyone knows what’s going on.”
Other factors that increase confidence in the risk assessment, he said, include collaboration and a diversity of data, shareholders and participants.
Laccetti discussed the risk assessment lifecycle, an ongoing cyclical process that is performed by the internal audit group.
The lifecycle begins with identifying and categorizing risks (e.g., financial, operational, strategic, compliance and emerging), and considering them in the context of the overall enterprise as well as business units and departments.
The next phases are:
- Develop assessment criteria
- Assess the risks (using quantitative and qualitative information)
- Assess the risk interactions
- Prioritize the risks
- Report the information
Regarding assessing risk interactions, Laccetti cautioned. “No risk operates in a silo. And COVID-19 is the example.”
He noted that the pandemic presented a chain of events, each introducing new elements of risk. For example, at some locations, concerns about a flood of patients prompted the shut-down of elective services, which may have led progressively to the reduction of revenues, to the need to reduce the workforce and, ultimately, to the failure of the expected flood of patients to materialize.
“So when you are thinking about risk, you always want to think about the ‘what if?’ scenarios,” Laccetti concluded.