Healthcare Internal Audit: In a Time of Transition

Transcription

1 The 2015 State of the Internal Audit Profession Study Healthcare Internal Audit: In a Time of Transition The healthcare industry in the United States is facing many challenges with the enactment of legislation affecting providers, payers, businesses and individuals. The Affordable Care Act (ACA) changed the requirements for employers to provide health insurance and the type of coverage offered by payers. The Act also forced many Americans to obtain some minimal level of health insurance coverage upon threat of tax penalties, which increase year to year. The law encourages the formation of Accountable Care Organizations (ACOs), which are changing both the payment structure for providers and their strategy for rendering services. In addition to ACA, healthcare payers and providers are facing a wide array of other regulatory requirements such as new medical coding standards (ICD-10), which are evoking substantial changes in processes and technology. In part because of these significant changes in the industry, 70% of the healthcare companies participating in the PwC 2015 State of the Internal Audit Profession Study - Finding True North in a period of rapid transformation have recently gone through, or are going through, a business transformation. An additional 15% anticipate going through a transformation in the next 18 to 24 months. These transformational changes within healthcare organizations require internal audit to change as well, and do so quickly, in order to remain relevant. This paper reflects the opinions of executives in the Healthcare sector who participated in the 2015 PwC State of the Internal Audit Profession Study as well as PwC s experience with leading practice internal audit functions. It explores how leading internal audit organizations continue to demonstrate value and relevance by evolving their functions to meet the needs of the changing healthcare sector. The changing risk landscape Healthcare organizations, now more than ever, are facing new and emerging risks, which require quick assessments and adaptation. The vast majority (78%) of healthcare organizations in our survey believe risks are increasing. Our study confirmed that healthcare executives are concerned with regulatory complexity, cyber security, and cost-containment (Figure 1). It should also be noted that these challenges/opportunities are very much interrelated as government policy and regulatory changes are driving cost pressures and the need for increased focus on data security and privacy. All of these new and emerging risks are outpacing the talent to address these issues.

2 Figure 1: Top challenges and opportunities in healthcare sector versus other industries Forces creating the biggest challenges Healthcare sector Global All Industries Regulatory complexity Regulatory complexity Data security and privacy Data security and privacy Government policy change Cost pressures Cost pressures Government policy changes Forces creating the biggest opportunities Healthcare sector Global All Industries Government policy change Changing consumer behavior Changing consumer behavior Urbanization Shifts in competition Shifts in competition Emerging technology Emerging technology 2 Healthcare Internal Audit: In a Time of Transition

3 It is no surprise that government policy and regulatory complexity were cited as the top opportunities and challenges respectively within the sector: The far-reaching ramifications of the ACA include reductions in Disproportionate Share Hospital (DSH) payments and lower reimbursement levels that are pressuring providers to address costs more aggressively The introduction of ICD-10 requires payers and providers to significantly upgrade their systems to account for a dramatic increase in the number of diagnosis and procedures codes, increasing revenue leakage risks and non-compliance with the new guidelines The transition to Electronic Medical Records (EMR) has significantly elevated IT security and privacy risk, requiring payers and providers alike to focus on preventing breaches of Patient Health Information (PHI) From a pharmaceutical perspective, increasing pricing pressure from government agencies and managed care organizations both domestically and abroad are impacting profitability Our study confirmed that healthcare executives are pursuing plans to realign their business models, revisit various pricing strategies and ensure privacy and security of patient information to address the numerous changes in the industry (Figure 2). Specifically, providers are re-thinking their service delivery models by merging with other hospitals to form networks that benefit from economies of scale: 59% of respondents are realigning their business models, but Internal audit is somewhat or heavily involved only 23% of the time. Payers are likewise engaged in mergers and acquisitions of smaller health plans in order to expand client bases. All of these initiatives introduce new areas of risk for the organization and the need for Internal audit to act as a trusted advisor to help the business address them. Figure 2: Top strategic initiatives in response to market change Focusing on cost reduction and/or lean initiatives 72% Implementing new controls to improve privacy and security Revisiting pricing strategies Developing new products and services Realigning the business model 65% 60% 60% 59% 0% 10% 20% 30% 40% 50% 60% 70% 80% The 2015 State of the Internal Audit Profession Study 3

4 To evolve quickly as the business moves into new and uncharted territory, internal audit functions need a clear vision to guide the development of the capabilities and skills they need to be valuable and relevant to the business. While every internal audit function s path will be different, our main study identifies four actions that will be critical to pointing internal audit in the right direction. Healthcare company respondents also considered the same four factors as critical enablers for internal audit to be a more valued contributor (Figure 3). While stakeholder support is also identified by respondents as important to success, it is largely earned through s repeated demonstration of relevant contribution. Figure 3: Top areas enabling internal audit to contribute to transformational initiatives 55% 52% 55% 57% 71% 62% 44% 41% 35% 34% Talent/resource skills to offer valuable insight Business acumen and understanding Focus on the right risk at the optimal time in the process Alignment with Enterprise Risk Management and other lines of defense Proficient use of data analytics to provide powerful insights Healthcare Global - all industries 4 Healthcare Internal Audit: In a Time of Transition

5 Focusing on the right risks at the optimal time in the process Leading internal audit functions are proactively identifying and monitoring key risks associated with strategic initiatives, enabling them to provide relevant input ahead of risk occurrence. For example, provider internal audit functions may be ensuring that Finance is projecting the impact of decreased DSH payments on the organization and has realistic plans in place to mitigate that risk, or they may be reviewing processes that promote accurate ACO or quality reporting, reduce the incidence of readmissions, ensure overpayments are remitted within 60 days of identification or make sure the organization has adequately considered all of the risks related to telemedicine. On the payer side, leading internal audit functions may be reviewing the processes critical to driving the 5 Star Rating and controls over the risk adjustment process. As an industry, our study revealed that healthcare sector internal audit functions are generally aligned with other industries in the level and timing of their involvement in strategic risks (Figure 4). Figure 4: How healthcare internal audit participates in business initiatives compared to other sectors Providing a proactive perspective and recommendations on internal control before risk occurrence 40% 54% Identifying risk during the annual risk assessment process 8% 22% Auditing processes and controls for mitigating risk once they are in place, but before risk occurrence 29% 25% Auditing processes and controls for mitigating risk after risk occurrence (in response to risk occurrence) 8% 11% Don't know 2% 2% Global - all industries Healthcare internal audit The 2015 State of the Internal Audit Profession Study 5

6 Our study also showed that healthcare executives want internal audit involved more actively in transformational initiatives beyond its responsibility to provide assurance on the effectiveness of internal controls. Just 19% of healthcare survey respondents indicate internal audit is currently proactive, providing valueadded services and prospective strategic advice on risk. Yet, nearly half (47%) believe this will be internal audit s mandate within five years. Points to consider Participating in strategic initiatives puts internal audit in a position to provide input before processes and controls are developed, and to make recommendations on design while maintaining objectivity. To get there, internal audit functions should: Establish relationships from the onset and regularly participate in strategic business meetings to keep an ongoing pulse on the business without making decisions on behalf of management or voting as part of the committees/meetings Consider structuring the internal audit function to align with how the business is organized so that resources can gain a deeper understanding of a particular area, more easily build relationships and keep pace with the company s rate of transformation Operate with a dynamic audit plan to align with the changing business landscape Align more closely with the other risk management functions to drive a common definition of risk and improve the organization s overall risk management effectiveness Build stakeholder support from the top Developing the talent and business acumen to be relevant and offer valuable insight To focus audit efforts on the areas of highest risk and provide valuable insights to help manage those risks, healthcare organizations need internal auditors with very specific knowledge and experience, ranging from operations to highly specialized areas such as Financial Alignment Initiatives, ICD-10, cyber security, benefit design or billing and compliance. The internal audit team must also be able to leverage technology to focus audit efforts, analyze data, and translate the impact of control breakdowns in business terms. Finding auditors who have these non-traditional skills and experiences has proven to be difficult according to our research. Our interviews confirmed that talent recruitment is often a struggle among CAEs because the supply of talent lags demand. In our experience, CAEs are facing the greatest challenges finding talent in the areas of IT, data analytics and technical areas. In our study, 44% of healthcare respondents said that lack of skills is the top barrier to internal audit contributing to healthcare companies strategic initiatives. Only 53% of healthcare respondents ranked internal audit as performing well at obtaining, training and/or sourcing the right talent for audit needs. The talent challenge is compounded by the fact that executives are looking for a new type of auditor an auditor who not only provides independent and objective assurance but also offers valuable suggestions to maximize operational efficiencies and manage risk. The war for talent has spurred a greater use of co-sourcing to gain access to individuals with specific experience in highly specialized and emerging risk areas such as cybersecurity, ICD-10, Meaningful Use, Payment Card Industry (PCI) standards, 340B drug pricing program compliance, physician compensation and risk sharing arrangements, and the business acumen to combine technical skills with understanding of the business. In response to this high demand for specialized talent, we have observed an increase in full outsourcing of the IT audit function for organizations of all sizes and full internal audit outsourcing for smaller or start up organizations. Points to consider To source, develop and retain the talent needed to keep pace with the business: The 2015 State of the Internal Audit Profession Study 7

7 Perform a forward-looking capabilities assessment that identifies the skills needed to stay aligned with the business and its key risks Find productive ways to attain core skills, including training, rotational models, and hiring from the business Consider sourcing as a strategy for managing talent. This gives organizations the skills they need real time while also allowing them to be organizationally lean Focus on business acumen by increasing alignment with the business and other lines of defense, providing challenging work environments and encouraging intellectual curiosity Strengthening alignment with Enterprise Risk Management (ERM) and other second line of defense functions In many healthcare organizations ERM is an under-developed function but it is slowly gaining traction as a department independent from compliance and internal audit. As these ERM programs mature, internal audit can provide value to the Board and executive leadership by providing perspectives on ERM program effectiveness and through validating the risk mitigation actions in place to reduce the impact or likelihood of key risks materializing. According to the study, 40% of healthcare executives align audit plans with the company s ERM process. Thirty percent believe internal audit plays an active role as a member of the ERM committee. However just 15% audit the ERM process or framework to provide assurance that the organization is focusing on the right risks, although this is expected to grow to 60% within five years. Less than half (46%) create an integrated view of risk across the company (Figure 5). Figure 5: Internal audit alignment with risk management programs Routinely leverage test results performed by each line of defense 35% 48% Create an integrated view of risk across the company with adequate rik coverage 48% 46% Routinely create ongoing interaction between the second and third line of defense to discuss company risks and their management Routinely develop a specific agreement between Internal Audit and risk management groups on responsibilities of each 38% 52% 57% 60% Integrate the perspectives and results of other lines of defense into Internal Audit's risk assessment process 59% 69% Global - all industries Healthcare internal audit The 2015 State of the Internal Audit Profession Study 7

8 Aligning the risk management process, language and framework across the three lines of defense (business functions as the first line, ERM and other risk, compliance and quality functions as the second line, and internal audit as the third line) results in enhanced risk management and reduced audit fatigue. All risk management functions are more efficient, and information regarding risks is more clearly and consistently presented to stakeholders. Our research shows that the bestfunctioning healthcare organizations have routine coordination and communication between the three lines of defense. For example, Legal, Internal Audit, Compliance, ERM and representatives from the business meet on a regular basis to discuss emerging risks, mitigation effectiveness and coordination of audit/monitoring activities and define a common risk language. Points to consider Evaluate the company s risk and compliance ecosystem; understand roles and responsibilities across the lines of defense Work together across ERM, other second lines of defense, and internal audit to build a common risk framework As part of internal audit's role as the third line of defense: Evaluate the effectiveness of the ERM function and other second lines of defense Once comfort over the second line is established, better leverage their work to create efficiency in internal audit processes resulting in a lack of redundancy and reduction in audit fatigue from the business Harnessing the power of data to provide better insights into the business Data analytics is no longer optional; it is a necessary tool for business, a tool that has already been harnessed by regulators during their compliance audits and is now being used more and more by the business units. Our survey and interviews revealed that most, if not all, internal audit functions are thinking about how they can better leverage data to not only be more efficient but far more effective. Most are experimenting with expanding its use including its wider application across the audit life cycle. The use of technology was a major focus area for many healthcare audit executives specifically the use of data analytics to enhance the efficiency of audits and better articulate the impact of audit observations for stakeholders. However, only 41% of executives believed that internal audit is performing well in the area of data analytics. Furthermore, only roughly 24% of healthcare internal audit functions reported using data analytics to review risks (Figure 6). Figure 6: Use of Data Analytics to Review Risks Healthcare Internal Audit functions currently use data analytics to review risks Do not use data analytics for risk review but plan to 24% 33% Have no plans to use them in this area 37% 8 Healthcare Internal Audit: In a Time of Transition

9 Points to consider In our interviews, CAEs commonly cited lack of funds as an obstacle to better leveraging data analytics. To enhance data analytics capabilities in an environment of tight cost control, internal audit should consider several steps: Champion internal audit's need for data analytics with the board and executive management to gain buy-in, highlighting the benefits of better risk coverage and ultimate rise in efficiency Incorporate into resource planning the need for deep data analytics skills either in-house or through third parties Reallocate funds from an open position and leverage existing training budgets to develop a data analytics plan, enhance tools and provide training for the internal audit team Leverage tools and licenses already purchased by other departments in the organization, such as HIM, IT, Finance, and Special Investigations units (SIUs) Identify pilot projects and quick wins to build data analytics momentum and share successes broadly to reinforce the value of data analytics and need to further invest Where possible, develop and hand off analytics to the business to improve their control effectiveness and improve the value of analytics story Mature the use of analytics over time and identify areas tomigrate to continuous monitoring and continuous auditing Making the Journey Given the complexity and pace of change within the healthcare sector, internal audit functions must serve as a lighthouse for the organization not only protecting the foundational control environment, but shining light on that next set of issues and to help the organization either avoid it or put in place a solid plan to manage them. To do that, internal audit must earn its place in executive meetings so that auditors are able to provide meaningful perspectives to leadership when strategic objectives are discussed. The keys to success lie in forming the right team with the right tools focused on the right risks. Such an audit team is able to execute efficient audits that result in recommendations that support the attainment of the organization s mission and further position internal audit to contribute greater value to the organization. To make this journey, CAEs and stakeholders begin by determining how and where internal audit should be contributing, with a vision that challenges the status quo and pushes internal audit to think beyond standard objectives and deliverables. That vision comes to life by way of an internal audit strategic plan where the function s true north is defined, charting a path to where the function should move, not constrained by current limitations. This new vision almost always begins with a mind-set shift. As our research indicates, such a plan will include a focus on the right risk at the right time, intentional and proactive talent development, alignment with other lines of defense, and the use of data throughout the internal audit life cycle. The 2015 State of the Internal Audit Profession Study 9

10 To have a deeper conversation about how this subject may affect your business, contact: Jason Pett, Partner US Internal Audit Services Leader jason.pett@pwc.com Michelle Hubble, Partner US Internal Audit Services Center of Excellence Leader michelle.hubble@pwc.com Princy Jain, Partner Internal Audit Services princy.jain@pwc.com Thomas Snyder, Partner Internal Audit Services thomas.h.snyder@pwc.com Lisa Adinolfi-Tejera, Partner Healthcare Internal Audit Services lisa.adinolfi-tejera@pwc.com Terry Puchley, Partner Health Industries National Risk Assurance Leader terry.puchley@pwc.com 2015 PwC. All rights reserved. PwC and PwC US refer to PricewatehouseCoopers LLP, a Delaware limited liability partnership, which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity. This document is for general information purposes only and should not be used as a substitute for consultation with professional advisors. PwC US helps organizations and individuals create the value they re looking for. We re a member of the PwC network of firms, with 169,000 people in more than 158 countries. We re committed to delivering quality in assurance, tax, and advisory services. Tell us what matters to you and find out more by visiting us at