News | Audit and Internal Controls

Why the internal audit function serves as a bulwark against risk for healthcare organizations

Mark Laccetti and Debra Bowes, partners with the Chicago-based advisory firm Baker Tilly.

Prior to the COVID-19 crisis, many health systems were contemplating establishing an internal audit function in their organizations, or enhancing the function they already had in place.

Although the crisis may have deterred many from moving ahead with these plans, it is exactly in a time such as this that organizations need a truly agile and strong internal audit function, according to Mark Laccetti and Debra Bowes, partners with the Chicago-based advisory firm Baker Tilly.

They advocated the profound benefits of continuing to develop this function in their presentation, “Managing healthcare risks through internal audit,” on the opening day, June 24, of HFMA’s 2020 Digital Annual Conference.

The need to address rising risk in healthcare

“There is a tremendous amount of risk in healthcare, and having an internal audit function [can] give you some peace of mind that at least these risks are being addressed by someone and mitigated,” said Bowes.

The sources of risk that healthcare organizations face are many, and COVID-19 has added to the complexity of that risk and in many ways exacerbated it, she said. Many of the responses to the COVID-19 pandemic have challenged and even loosened adherence to policies that were carefully put in place to address compliance issues and risk. Just a few trending issues she cited include:

  • Financial sustainability
  • Pandemic and emergency response planning and COVID-19 funding
  • Remote workforce and furloughed employees
  • Physician employment
  • Cybersecurity and HIPAA enforcement
  • Labor shortages
  • Telehealth
  • Consumerism

Role of the internal audit function

Laccetti described the key elements of the internal audit function, citing the definition of internal audit adopted by the Institute of Internal Auditors:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Its purpose, he said, is to fulfill four primary roles:

  1. Provide positive assurance that controls are functioning as intended
  2. Identify areas requiring improvement
  3. Ensure risk management is aligned with efforts to realize strategy
  4. Serve as a catalyst for improving controls of compliance, finance and operations

Free of external influences, internal audit should report through senior management and out to the organization’s governing committee.

3 internal audit structure types

Laccetti described three types of internal audit structures:

  1. The traditional model, where the function is entirely in-house as a department
  2. The co-sourced model, where staffing and skill sets can be drawn from in-house resources as well as from external resources
  3. The shared services model, where the organization is leveraging an external service provider

Each model presents its own benefits and challenges. For instance, the traditional model affords the greatest organizational control over internal audit, but it presents the greatest administrative burden. By contrast, the shared services model gives the organization greater access to a network of internal audit professionals with specialty expertise, but it does not allow for the internal audit function to be fully ingrained in the organization. These are only a few of the examples Laccetti presented.

The risk assessment lifecycle

Internal audit is all about assessing and managing risk, so performing a risk assessment is a core element in this function.

“Risk assessment starts with planning,” Laccetti said. “We want to define our objectives, roles and responsibilities – what’s the internal audit function’s role, what’s management’s role, what’s the board’s role, what are the various stakeholder roles – and having an open line of communication to make sure everyone knows what’s going on.”

Other factors that increase confidence in the risk assessment, he said, include collaboration and a diversity of data, shareholders and participants.

Laccetti discussed the risk assessment lifecycle, an ongoing cyclical process that is performed by the internal audit group.

The lifecycle begins with identifying and categorizing risks (e.g., financial, operational, strategic, compliance and emerging), and considering them in the context of the overall enterprise as well as business units and departments.

The next phases are:

  • Develop assessment criteria
  • Assess the risks (using quantitative and qualitative information)
  • Assess the risk interactions
  • Prioritize the risks
  • Report the information

Regarding assessing risk interactions, Laccetti cautioned, “No risk operates in a silo. And COVID-19 is the example.”

He noted that the pandemic presented a chain of events, each introducing new elements of risk. For example, at some locations, concerns about a flood of patients prompted the shut-down of elective services, which may have led progressively to the reduction of revenues, to the need to reduce the workforce and, ultimately, to the failure of the expected flood of patients to materialize.

“So when you are thinking about risk, you always want to think about the ‘what if?’ scenarios,” Laccetti concluded.

About the Author

Eric C. Reese, PhD, is a writer and editor, HFMA, Westchester, Ill.

