Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations

Transcription

1 Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Key Areas for Improvement Include Compliance, Information Security, Social Media and Quality Assurance

2 INTRODUCTION Historic disruption. Risk-based contracting. Value-based purchasing. Population health management. Continuum of care. New operating models. Acquiring physician practices. Securing PHI. Connectivity and integration. Improving the patient experience. Fundamental transformation The U.S. healthcare industry is facing a number of critical and transformational questions: How do we maintain and increase profit margins in the face of declining reimbursements? How do we keep pace with new regulatory compliance requirements and new risks? How do we improve IT system integration and connectivity inside and outside the company? How do we identify acquisition targets that augment our capabilities and support our strategic objectives? The answers inevitably create new questions, and big challenges, for internal audit functions in healthcare organizations, which must ensure that new structures, processes, partners, data and IT systems are harmonious with organizational risk appetites. Not surprisingly, a 014 survey conducted by North Carolina State University s ERM Initiative and Protiviti concludes that healthcare organizations perceive themselves to be facing the greatest amount of risk relative to all other industries. 1 The results of the 014 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations from AHIA and Protiviti underscore this point. They present a portrait of a healthcare internal audit function that is intent on delivering assurance across multiple risk realms while simultaneously enhancing the efficiency and quality of their heavy workloads. Our results indicate that healthcare internal audit functions are concentrating their attention and resources in four key areas of priority, which we discuss further in our report: 1. Mastering regulatory risk and cost containment. Strengthening information security and risk management. Introducing more auditing automation and greater effectiveness 4. Partnering and persuading 1 Executive Perspectives on Top Risks for 014, North Carolina State University s ERM Initiative and Protiviti, 1

3 About the Survey Protiviti conducts its Internal Audit Capabilities and Needs Survey annually to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement and help stimulate the sharing of leading practices throughout the profession. This year, survey respondents answered close to 150 questions in the study s three standard categories: General Technical Knowledge, Audit Process Knowledge, and Personal Skills and Capabilities. In each category, respondents were asked to assess, on a scale of one to five, their competency in the different skills and areas of knowledge, with 1 being the lowest level of competency and 5 being the highest. They were then asked to indicate whether they believe they possess an adequate level of competency or if there is need for improvement, taking into account the circumstances of their organization and the nature of the healthcare industry. Respondents also answered a separate set of questions in a special section, Social Media Risk and the Audit Process. The overall results, which are based on information provided by all respondents (who numbered more than 600), are contained within the master report (available at Respondents from healthcare providers who comprise 14 percent (n=85) of the survey participants also answered questions in a unique section featuring internal audit areas specific to the healthcare industry. AHIA and Protiviti partnered to analyze these results and produce this report in order to equip internal audit executives and professionals in the healthcare industry with more targeted insights about the unique challenges within their domains.

4 MASTERING REGULATORY RISK AND COST CONTAINMENT Addressing regulatory risk is a challenging, yet important and necessary, objective. CAEs and their staffs appear to recognize the need to gain an in-depth understanding of new regulatory compliance requirements to assist their organizations effectively in managing this risk. The introduction of many new regulatory compliance requirements makes plain that mastery requires, first and foremost, keeping informed of them. Healthcare information exchanges (HIE), ediscovery and Meaningful Use compliance, respectively, represent three of the most important need to improve areas within the healthcare-specific technical knowledge category (see Tables 1 and ). Need to Improve Rank Table 1: Healthcare Industry-Specific Technical Knowledge Overall Results Areas Evaluated by Respondents Competency (5-pt. scale) 1 Health information exchanges.8 4 ediscovery. Meaningful Use compliance.8 Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT).5 Healthcare joint ventures.8 Physician compensation methodologies (e.g., wrvu).7 Risk pool/capitation accounting.4 Cost containment labor and non-labor.8 Delivery System Reform Incentive Payment (DSRIP) program.1 Hospital value-based purchasing.9 ICD-10 impact, readiness and implementation.9 Medicare Modernization Act.4 State-specific prompt payment laws.5 State-specific privacy/security laws.7 Of note, while respondents to our 01 survey did not identify Meaningful Use compliance among their top priorities for improvement, it returns as a top priority this year (as it was in 01 see Table ).

5 Need to Improve Rank Table : Healthcare Industry-Specific Technical Knowledge CAE Results Areas Evaluated by Respondents Competency (5-pt. scale) 1 Health information exchanges.8 IRB and clinical trials. Meaningful Use compliance.1 Physician compensation methodologies (e.g., wrvu).0 Case management.0 Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT).8 Delivery System Reform Incentive Payment (DSRIP) program. ediscovery.6 Healthcare joint ventures. Pandemic planning/business continuity.8 Physician organizations. Risk pool/capitation accounting.8 Many, but not all, of the compliance-related priorities identified by this year s survey respondents stem from the Patient Protection and Affordable Care Act (ACA), a primary catalyst driving the proliferation of risks throughout the industry and, by extension, internal audit workloads that include auditing, monitoring and consulting activities related to the strategic challenges healthcare provider organizations are facing. Other compliance requirements that qualify as internal audit priorities include ICD-10, state-specific prompt-payment laws and state-specific privacy/security laws. Additionally, our respondents revealed that their healthcare-specific general technical knowledge objectives extend beyond compliance into strategic and operational issues, such as healthcare joint ventures, cost containment and hospital value-based purchasing. 4

6 Table : Healthcare Industry-Specific Technical Knowledge Overall Results, Three-Year Comparison Health information exchanges Health information exchanges Meaningful Use compliance ediscovery Value-based purchasing Health information exchanges Meaningful Use compliance ICD-10 implementation Accountable care organizations Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT) Payment bundling Electronic health records Healthcare joint ventures Accountable care organizations ICD-10 readiness Physician compensation methodologies (e.g., wrvu) Risk pool/capitation accounting Cost containment labor and non-labor Delivery System Reform Incentive Payment (DSRIP) Program Hospital value-based purchasing ICD-10 impact, readiness and implementation Medicare Modernization Act State-specific prompt payment laws State-specific privacy/security laws Clinical documentation ICD-10 impact and readiness Pay-for-performance quality standards (CMS core measures and HCAHPS) State-specific privacy/security laws Coding (CPT, ICD-9) Patient Protection and Affordable Care Act provisions Clinical systems = Three-year trend Table 4: Healthcare Industry-Specific Technical Knowledge CAE Results, Three-Year Comparison Health information exchanges Health information exchanges Accountable care organizations IRB and clinical trials Payment bundling Health information exchanges Meaningful Use compliance ICD-10 implementation Electronic health records Physician compensation methodologies (e.g., wrvu) Pay-for-performance quality standards (CMS core measures and HCAHPS) Meaningful Use compliance Case management Physician credentialing ICD-10 readiness Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT) Delivery System Reform Incentive Payment (DSRIP) program ediscovery Value-based purchasing Durable medical equipment ediscovery Healthcare joint ventures HIPAA 5010 Pandemic planning/business continuity Physician organizations Risk pool/capitation accounting Physician alignment and employment strategies Physician organizations Professional fee billing Quality of care Hospital billing IRB and clinical trials Managed care contracting = Three-year trend 5

7 STRENGTHENING INFORMATION SECURITY AND RISK MANAGEMENT Technology primarily in the form of data and the applications in which the data resides represents an increasingly crucial component of an effective organizational risk management capability. Healthcare data and information must be kept secure and private amid growing cybersecurity risks as well as the growing need to exchange patient data with external partners (e.g., insurers and pharmacies) and other entities (e.g., HIEs). The strength of information security and the quality of enterprise risk management in healthcare organizations are complicated by the emergence of new and disruptive technologies first and foremost, social media and mobile applications as well as new forms of guidance related to managing and communicating these risks. Both the risks internal auditors are addressing and the way they are addressing them are changing. Need to Improve Rank 1 Table 5: General Technical Knowledge Overall Healthcare Industry Results Areas Evaluated by Respondents Competency (5-pt. scale) Recently enacted IIA Standard: Overall Opinions (Standard 450).9 Social media applications.8 Mobile applications Recently enacted IIA Standard: Audit Opinions and Conclusions (Standards 010.A and 410.A1) GTAG 16 Data Analysis Technologies.0 NIST Cybersecurity Framework. GTAG 6 Managing and Auditing IT Vulnerabilities.7 GTAG 15 Information Security Governance.9 Recently enacted IIA Standard Functional Reporting Interpretation (Standard 1110) GTAG 10 Business Continuity Management.9 ISO 7000 (information security).4 Reporting on Controls at a Service Organization SSAE 16/AU 4 (replaces SAS 70) Several recently enacted standards from The Institute of Internal Auditors (The IIA) such as Standards 450, 010.A, 410.A1, and 1110 figure as top priorities (see Table 5). Most of these standards provide guidance as to how internal auditors communicate and present their work, including unfavorable findings, to their business partners. The updated Standard 1110 outlines the functional reporting structures and activities that should be in place (e.g., having the CAE report functionally to the board of directors, having the board review and approve the risk-based audit plan, etc.) to achieve organizational independence while enabling the function to fulfill its growing list of risk-related responsibilities. Of note, a majority of the top priority areas survey respondents cited in the General Technical Knowledge category relate to technology. The same holds true to an even greater extent, in fact for CAE respondents (see Table 6). 6

8 Table 6: General Technical Knowledge Healthcare Industry CAE Results Need to Improve Rank 1 4 Areas Evaluated by Respondents Competency (5-pt. scale) Mobile applications.7 NIST Cybersecurity Framework.5 Social media applications.7 Cloud computing.7 ISO 7000 (information security).6 GTAG 6 Managing and Auditing IT Vulnerabilities.9 GTAG 15 Information Security Governance.8 GTAG Continuous Auditing.1 GTAG 4 Management of IT Auditing.1 GTAG 9 Identity and Access Management.1 GTAG 10 Business Continuity Management.1 GTAG 14 Auditing User-developed Applications.8 GTAG 16 Data Analysis Technologies. GTAG 17 Auditing IT Governance.0 IT governance.8 The Guide to the Assessment of IT Risk (GAIT).8 Social media, in particular, bears close monitoring as a growing risk. In a separate section of the survey ( Social Media Risk and the Audit Process ), specific types of social media concerns CAEs and their staffs identified include brand/reputational damage, regulatory or compliance violations, employee defamation, data security (company information), data leakage (employee personal information), and viruses and malware, respectively (see Figure 1). Figure 1: Top Social Media Risks (10-point scale) Overall Healthcare Industry Results Brand/reputational damage 7. Regulatory and compliance violations 6.8 Employee defamation 6.4 Data security (company information) 5.5 Data leakage (employee personal information) Viruses and malware.9 Interrupted business continuity.6 Loss of employee productivity.8 Loss of intellectual property.4 Financial loss

9 Table 7: General Technical Knowledge Overall Results, Three-Year Comparison Recently enacted IIA Standard: Overall Opinions (Standard 450) Cloud computing Social media applications Social media applications GTAG 16 Data Analysis Technologies Cloud computing Mobile applications ISO 7000 (information security) GTAG 16 Data Analysis Technologies Recently enacted IIA Standard: Audit Opinions and Conclusions (Standards 010.A and 410.A1) GTAG 16 Data Analysis Technologies GTAG 17 Auditing IT Governance Social media applications Fraud risk management GTAG 1 Fraud Prevention and Detection in an Automated World NIST Cybersecurity Framework Fraud risk management GTAG Continuous Auditing GTAG 6 Managing and Auditing IT Vulnerabilities GTAG 15 Information Security Governance Recently enacted IIA Standard Functional Reporting Interpretation (Standard 1110) Recently enacted IIA Standard Functional Reporting Interpretation (Standard 1110) GTAG 10 Business Continuity Management ISO 7000 (information security) Reporting on Controls at a Service Organization SSAE 16/AU 4 (replaces SAS 70) IT governance GTAG 1 Auditing IT Projects = Three-year trend 8

10 INTRODUCING MORE AUDITING AUTOMATION AND GREATER EFFECTIVENESS The growing importance of information security and privacy in determining overall risk management effectiveness is evident in the realm of Audit Process Knowledge in our survey, which covers the insights, techniques and technology internal auditors deploy to improve their work continuously. In this area, various types of IT audits feature as prominent priorities, including auditing new technologies, program development, security, computer operations and continuity (see Tables 8 and 9). Need to Improve Rank 1 Table 8: Audit Process Knowledge Overall Healthcare Industry Results Areas Evaluated by Respondents Quality Assurance and Improvement Program (IIA Standard 100) Periodic Reviews (IIA Standard 111) Competency (5-pt. scale) Statistically based sampling.7 Auditing IT new technologies.9 Marketing internal audit internally. Auditing IT program development.0 Auditing IT security.0 Computer-assisted audit tools (CAATs).4 Quality Assurance and Improvement Program (IIA Standard 100) External Assessment (Standard 11) 4 Assessing risk emerging issues In addition to focusing closely on the IT function, internal auditors are concentrating on improving the quality of their work. Survey respondents identified as priorities components of the update to The IIA s International Standards for the Professional Practice of Internal Auditing that took effect in early 01. The update consists of 18 revisions that are designed to strengthen internal audit s effectiveness. Our respondents cited a desire to learn more about the updated Standards, particularly by increasing their focus on the Quality Assurance and Improvement Program and its guidance regarding external assessments as well as ongoing and periodic reviews. Our respondents also expressed a desire to enhance their fraud-prevention efforts, along with all of their other work, by introducing more automation to their endeavors, in the form of practices like statistically based sampling and computer-assisted audit tools (CAATs). 9

11 Table 9: Audit Process Knowledge Healthcare Industry CAE Results Need to Improve Rank 1 Areas Evaluated by Respondents Competency (5-pt. scale) Auditing IT new technologies. Auditing IT security. Marketing internal audit internally.8 Assessing risk emerging issues.8 Quality Assurance and Improvement Program (IIA Standard 100) External Assessment (Standard 11) Quality Assurance and Improvement Program (IIA Standard 100) Periodic Reviews (IIA Standard 111) Statistically based sampling.6 Auditing IT change control.6 Auditing IT computer operations.6 Auditing IT continuity.5 Auditing IT program development.4 Data analysis tools data manipulation.6 Data analysis tools statistical analysis Table 10: Audit Process Knowledge Overall Results, Three-Year Comparison Quality Assurance and Improvement Program (IIA Standard 100) Periodic Reviews (IIA Standard 111) Statistically based sampling Auditing IT new technologies Marketing internal audit internally Data analysis tools data manipulation Quality Assurance and Improvement Program (IIA Standard 100) External Assessment (IIA Standard 11) Quality Assurance and Improvement Program (IIA Standard 100) Ongoing Reviews (IIA Standard 111) Quality Assurance and Improvement Program (IIA Standard 100) Periodic Reviews (IIA Standard 111) CAATs Continuous auditing Continuous monitoring Data analysis tools data manipulation Auditing IT program development Fraud fraud risk assessment Data analysis tools sampling Auditing IT security Enterprisewide risk management Data analysis tools statistical analysis CAATs Fraud monitoring Marketing internal audit internally Quality Assurance and Improvement Program (IIA Standard 100) External Assessment (Standard 11) Assessing risk emerging issues Assessing risk emerging issues Fraud auditing Fraud fraud detection/investigation Fraud fraud risk assessment 10

12 PARTNERING AND PERSUADING During periods of significant change and disruption, it is critical for internal auditors to develop, sustain and strengthen effective relationships at all levels of the organization and beyond the company, as well. Within rapidly changing organizational environments, internal auditors must persuade their colleagues throughout the business to operate in a risk-savvy manner. The desire for this type of partnership and persuasion is evident in our survey results (see Tables 11 and 1). As discussed in a recent issue of The Bulletin from Protiviti, internal auditors must collaborate effectively with other independent functions focused on managing risk and compliance. Collaboration is a vital skill on many fronts in any discipline, and especially for internal audit. Of necessity, auditors should undertake a collaborative approach with independent risk management and compliance functions to coordinate roles, responsibilities and assurance plans, as well as share risk information and available resources. Further, in Protiviti s recent editions of Internal Auditing Around the World (specifically, Volumes 9 and 10), internal audit leaders in numerous companies cite the critical importance of collaboration and partnerships in their organizations, which serve to enhance the effectiveness of their internal audit functions and processes. Need to Improve Rank Table 11: Personal Skills and Capabilities Overall Healthcare Industry Results Areas Evaluated by Respondents Competency (5-pt. scale) 1 Presenting (public speaking).5 Developing other board committee relationships.4 Developing outside contacts/networking.8 Leadership (within your organization).6 Persuasion.6 Time management.7 Using/mastering new technology and applications.7 Dealing with confrontation.6 Developing audit committee relationships.5 Negotiation.6 For all respondents as well as CAEs, the lists of priorities in this category are dominated by skills such as developing relationships, negotiation, persuasion and presenting. Clearly, effective collaboration and partnerships are viewed as critical components for internal auditors in healthcare organizations as they address the many other priorities identified and discussed earlier in our report. The Bulletin, Volume 5, Issue 6, The Future Auditor: The Chief Audit Executive s Endgame, available at For more information about Protiviti s Internal Auditing Around the World series, visit World.aspx. 11

13 Need to Improve Rank Table 1: Personal Skills and Capabilities Healthcare Industry CAE Results Areas Evaluated by Respondents Competency (5-pt. scale) 1 Using/mastering new technology and applications.7 4 Developing audit committee relationships 4. Developing other board committee relationships 4.0 Developing outside contacts/networking 4. Negotiation.8 Presenting (public speaking) 4.1 High-pressure meetings.8 Persuasion 4.0 Creating a learning internal audit function 4. Dealing with confrontation 4.0 Developing rapport with senior executives 4. Leadership (within your organization) 4. Strategic thinking 4. Time management.9 Table 1: Personal Skills and Capabilities Overall Results, Three-Year Comparison Presenting (public speaking) Presenting (public speaking) Developing outside contacts/networking Developing other board committee relationships High-pressure meetings Leadership (within your organization) Developing outside contacts/networking Dealing with confrontation Negotiation Leadership (within your organization) Persuasion Dealing with confrontation Persuasion Time management Using/mastering new technology and applications Dealing with confrontation Developing audit committee relationships Negotiation Using/mastering new technology and applications Persuasion High-pressure meetings = Three-year trend 1

14 IN CLOSING While the burden of the healthcare industry s ACA compliance remains, a weighty collection of interconnected technology and strategy concerns are adding to these already significant burdens. As the very strategy and structure of healthcare provider organizations undergo major changes in the coming year, it will be increasingly important for CAEs and their internal auditing functions to keep their eyes on their priority lists, regardless of how long those lists become. 1

15 ABOUT AHIA Founded in 1981, the Association of Healthcare Internal Auditors (AHIA) is a network of experienced healthcare internal auditing professionals who come together to share tools, knowledge and insight on how to assess and evaluate risk within a complex and dynamic healthcare environment. AHIA is an advocate for the profession, continuing to elevate and champion the strategic importance of healthcare internal auditors with executive management and the board. If you have a stake in healthcare governance, risk management and internal controls, AHIA is your one-stop resource. Explore our website ( for more information. If you are not a member, please join our network. Contact Heidi Crosby AHIA Board Chair ABOUT PROTIVITI Protiviti ( is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 0 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index. Contacts Brian Christensen Executive Vice President Global Internal Audit [email protected] Susan Haseley Managing Director Healthcare Industry Leader [email protected] 14

16 Education Networking Resources Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services Protiviti Inc. An Equal Opportunity Employer M/F/D/V. PRO-0814-PKIC097