Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations Key Areas for Improvement Include Compliance, Information Security, Social Media and Quality Assurance

1PROTIVITI Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations

INTRODUCTION

Historic disruption. Risk-based contracting. Value-based purchasing. Population health management. Continuum of care. New operating models. Acquiring physician practices. Securing PHI. Connectivity and integration. Improving the patient experience. Fundamental transformation

The U.S. healthcare industry is facing a number of critical and transformational questions:

How do we maintain and increase profit margins in the face of declining reimbursements?

How do we keep pace with new regulatory compliance requirements and new risks?

How do we improve IT system integration and connectivity inside and outside the company?

How do we identify acquisition targets that augment our capabilities and support our strategic objectives?

The answers inevitably create new questions, and big challenges, for internal audit functions in healthcare organizations, which must ensure that new structures, processes, partners, data and IT systems are harmonious with organizational risk appetites. Not surprisingly, a 2014 survey conducted by North Carolina State Universitys ERM Initiative and Protiviti concludes that healthcare organizations perceive themselves to be facing the greatest amount of risk relative to all other industries.1

The results of the 2014 Internal Audit Capabilities and Needs Survey of Healthcare Provider Organizations from AHIA and Protiviti underscore this point. They present a portrait of a healthcare internal audit function that is intent on delivering assurance across multiple risk realms while simultaneously enhancing the efficiency and quality of their heavy workloads.

Our results indicate that healthcare internal audit functions are concentrating their attention and resources in four key areas of priority, which we discuss further in our report:

1. Mastering regulatory risk and cost containment

2. Strengthening information security and risk management

3. Introducing more auditing automation and greater effectiveness

4. Partnering and persuading

1 Executive Perspectives on Top Risks for 2014, North Carolina State Universitys ERM Initiative and Protiviti, www.protiviti.com/TopRisks.


About the SurveyProtiviti conducts its Internal Audit Capabilities and Needs Survey annually to assess current skill levels of internal audit executives and professionals, identify areas in need of improvement and help stimulate the sharing of leading practices throughout the profession. This year, survey respondents answered close to 150 questions in the studys three standard categories: General Technical Knowledge, Audit Process Knowledge, and Personal Skills and Capabilities.

In each category, respondents were asked to assess, on a scale of one to five, their competency in the different skills and areas of knowledge, with 1 being the lowest level of competency and 5 being the highest. They were then asked to indicate whether they believe they possess an adequate level of competency or if there is need for improvement, taking into account the circumstances of their organization and the nature of the healthcare industry.

Respondents also answered a separate set of questions in a special section, Social Media Risk and the Audit Process.

The overall results, which are based on information provided by all respondents (who numbered more than 600), are contained within the master report (available at www.protiviti.com/IAsurvey).

Respondents from healthcare providers who comprise 14 percent (n=85) of the survey participants also answered questions in a unique section featuring internal audit areas specific to the healthcare industry. AHIA and Protiviti partnered to analyze these results and produce this report in order to equip internal audit executives and professionals in the healthcare industry with more targeted insights about the unique challenges within their domains.


MASTERING REGULATORY RISK AND COST CONTAINMENT

Addressing regulatory risk is a challenging, yet important and necessary, objective. CAEs and their staffs appear to recognize the need to gain an in-depth understanding of new regulatory compliance requirements to assist their organizations effectively in managing this risk.

The introduction of many new regulatory compliance requirements makes plain that mastery requires, first and foremost, keeping informed of them. Healthcare information exchanges (HIE), eDiscovery and Meaningful Use compliance, respectively, represent three of the most important need to improve areas within the healthcare-specific technical knowledge category (see Tables 1 and 2).

Table 1: Healthcare Industry-Specific Technical Knowledge Overall Results

Need to ImproveRank

Areas Evaluated by RespondentsCompetency(5-pt. scale)

1 Health information exchanges 2.8

2 (tie)

eDiscovery 2.3

Meaningful Use compliance 2.8

3(tie)

Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT) 2.5

Healthcare joint ventures 2.8

Physician compensation methodologies (e.g., wRVU) 2.7

Risk pool/capitation accounting 2.4

4(tie)

Cost containment labor and non-labor 2.8

Delivery System Reform Incentive Payment (DSRIP) program 2.1

Hospital value-based purchasing 2.9

ICD-10 impact, readiness and implementation 2.9

Medicare Modernization Act 2.4

State-specific prompt payment laws 2.5

State-specific privacy/security laws 2.7

Of note, while respondents to our 2013 survey did not identify Meaningful Use compliance among their top priorities for improvement, it returns as a top priority this year (as it was in 2012 see Table 3).


Table 2: Healthcare Industry-Specific Technical Knowledge CAE Results

Need to ImproveRank

Areas Evaluated by RespondentsCompetency(5-pt. scale)

1 Health information exchanges 2.8

2(tie)

IRB and clinical trials 3.3

Meaningful Use compliance 3.1

Physician compensation methodologies (e.g., wRVU) 3.0

3 (tie)

Case management 3.0

Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT) 2.8

Delivery System Reform Incentive Payment (DSRIP) program 2.3

eDiscovery 2.6

Healthcare joint ventures 3.2

Pandemic planning/business continuity 2.8

Physician organizations 3.3

Risk pool/capitation accounting 2.8

Many, but not all, of the compliance-related priorities identified by this years survey respondents stem from the Patient Protection and Affordable Care Act (ACA), a primary catalyst driving the proliferation of risks throughout the industry and, by extension, internal audit workloads that include auditing, monitoring and consulting activities related to the strategic challenges healthcare provider organizations are facing.

Other compliance requirements that qualify as internal audit priorities include ICD-10, state-specific prompt-payment laws and state-specific privacy/security laws. Additionally, our respondents revealed that their healthcare-specific general technical knowledge objectives extend beyond compliance into strategic and operational issues, such as healthcare joint ventures, cost containment and hospital value-based purchasing.


Table 3: Healthcare Industry-Specific Technical Knowledge Overall Results, Three-Year Comparison

2014 2013 2012

Health information exchanges Health information exchanges Meaningful Use compliance

eDiscovery Value-based purchasing Health information exchanges

Meaningful Use compliance ICD-10 implementation Accountable care organizations

Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT)

Payment bundling Electronic health records

Healthcare joint ventures Accountable care organizations ICD-10 readiness

Physician compensation methodologies (e.g., wRVU)

Clinical documentation Coding (CPT, ICD-9)

Risk pool/capitation accounting ICD-10 impact and readiness Patient Protection and

Affordable Care Act provisions

Cost containment labor and non-laborPay-for-performance quality standards

(CMS core measures and HCAHPS)

Clinical systems

Delivery System Reform Incentive Payment (DSRIP) Program

State-specific privacy/security laws

Hospital value-based purchasing

ICD-10 impact, readiness and implementation

Medicare Modernization Act

State-specific prompt payment laws

State-specific privacy/security laws

= Three-year trend

Table 4: Healthcare Industry-Specific Technical Knowledge CAE Results, Three-Year Comparison

2014 2013 2012

Health information exchanges Health information exchanges Accountable care organizations

IRB and clinical trials Payment bundling Health information exchanges

Meaningful Use compliance ICD-10 implementation Electronic health records

Physician compensation methodologies (e.g., wRVU)

Pay-for-performance quality standards (CMS core measures and HCAHPS)

Meaningful Use compliance

Case management Physician credentialing ICD-10 readiness

Coding knowledge (ICD-9, ICD-10, HCC, HCPCS, CPT)

Value-based purchasing Hospital billing

Delivery System Reform Incentive Payment (DSRIP) program

Durable medical equipment IRB and clinical trials

eDiscovery eDiscovery

Managed care contracting

Healthcare joint ventures HIPAA 5010

Pandemic planning/business continuityPhysician alignment and employment strategies

Physician organizations Physician organizations

Risk pool/capitation accountingProfessional fee billing

Quality of care

= Three-year trend


STRENGTHENING INFORMATION SECURITY AND RISK MANAGEMENT

Technology primarily in the form of data and the applications in which the data resides represents an increasingly crucial component of an effective organizational risk management capability. Healthcare data and information must be kept secure and private amid growing cybersecurity risks as well as the growing need to exchange patient data with external partners (e.g., insurers and pharmacies) and other entities (e.g., HIEs).

The strength of information security and the quality of enterprise risk management in healthcare organizations are complicated by the emergence of new and disruptive technologies first and foremost, social media and mobile applications as well as new forms of guidance related to managing and communicating these risks. Both the risks internal auditors are addressing and the way they are addressing them are changing.

Table 5: General Technical Knowledge Overall Healthcare Industry Results

Need to Improve Rank

Areas Evaluated by RespondentsCompetency (5-pt. scale)

1 (tie)

Recently enacted IIA Standard: Overall Opinions (Standard 2450) 2.9

Social media applications 2.8

2 Mobile applications 2.5

3 (tie)

Recently enacted IIA Standard: Audit Opinions and Conclusions (Standards 2010.A2 and 2410.A1)

3.1

GTAG 16 Data Analysis Technologies 3.0

NIST Cybersecurity Framework 2.2

4 (tie)

GTAG 6 Managing and Auditing IT Vulnerabilities 2.7

GTAG 15 Information Security Governance 2.9

5 (tie)

Recently enacted IIA Standard Functional Reporting Interpretation (Standard 1110)

3.1

GTAG 10 Business Continuity Management 2.9

ISO 27000 (information security) 2.4

Reporting on Controls at a Service Organization SSAE 16/AU 324 (replaces SAS 70)

3.1

Several recently enacted standards from The Institute of Internal Auditors (The IIA) such as Standards 2450, 2010.A2, 2410.A1, and 1110 figure as top priorities (see Table 5). Most of these standards provide guidance as to how internal auditors communicate and present their work, including unfavorable findings, to their business partners. The updated Standard 1110 outlines the functional reporting structures and activities that should be in place (e.g., having the CAE report functionally to the board of directors, having the board review and approve the risk-based audit plan, etc.) to achieve organizational independence while enabling the function to fulfill its growing list of risk-related responsibilities.

Of note, a majority of the top priority areas survey respondents cited in the General Technical Knowledge category relate to technology. The same holds true to an even greater extent, in fact for CAE respondents (see Table 6).


Table 6: General Technical Knowledge Healthcare Industry CAE Results



1(tie)

Mobile applications 2.7

NIST Cybersecurity Framework 2.5

Social media applications 2.7

2(tie)

Cloud computing 2.7

ISO 27000 (information security) 2.6

3 (tie)

GTAG 6 Managing and Auditing IT Vulnerabilities 2.9

GTAG 15 Information Security Governance 2.8

4 (tie)

GTAG 3 Continuous Auditing 3.1

GTAG 4 Management of IT Auditing 3.1

GTAG 9 Identity and Access Management 3.1

GTAG 10 Business Continuity Management 3.1

GTAG 14 Auditing User-developed Applications 2.8

GTAG 16 Data Analysis Technologies 3.2

GTAG 17 Auditing IT Governance 3.0

IT governance 2.8

The Guide to the Assessment of IT Risk (GAIT) 2.8

Social media, in particular, bears close monitoring as a growing risk. In a separate section of the survey (Social Media Risk and the Audit Process), specific types of social media concerns CAEs and their staffs identified include brand/reputational damage, regulatory or compliance violations, employee defamation, data security (company information), data leakage (employee personal information), and viruses and malware, respectively (see Figure 1).

Figure 1: Top Social Media Risks (10-point scale) Overall Healthcare Industry Results

0.0

Brand/reputational damage 7.2

Regulatory and compliance violations 6.8

Employee defamation 6.4

Data security (company information) 5.5

Data leakage(employee personal information) 4.9

Viruses and malware 3.9

Interrupted business continuity 3.6

Loss of employee productivity 2.8

Loss of intellectual property 2.4

Financial loss 2.3

1.0 3.02.0 4.0 6.0 8.0 9.07.05.0 10.0


Table 7: General Technical Knowledge Overall Results, Three-Year Comparison

2014 2013 2012

Recently enacted IIA Standard: Overall Opinions (Standard 2450)

Cloud computing Social media applications

Social media applications GTAG 16 Data Analysis Technologies Cloud computing

Mobile applications ISO 27000 (information security) GTAG 16 Data Analysis Technologies

Recently enacted IIA Standard: Audit Opinions and Conclusions (Standards

2010.A2 and 2410.A1)GTAG 17 Auditing IT Governance Fraud risk management

GTAG 16 Data Analysis Technologies Social media applicationsGTAG 13 Fraud Prevention and Detection

in an Automated World

NIST Cybersecurity Framework Fraud risk management GTAG 3 Continuous Auditing

GTAG 6 Managing and Auditing IT Vulnerabilities


GTAG 12 Auditing IT Projects

GTAG 15 Information Security Governance

IT governance


GTAG 10 Business Continuity Management

ISO 27000 (information security)

Reporting on Controls at a Service Organization SSAE 16/AU 324

(replaces SAS 70)

= Three-year trend


INTRODUCING MORE AUDITING AUTOMATION AND GREATER EFFECTIVENESS

The growing importance of information security and privacy in determining overall risk management effectiveness is evident in the realm of Audit Process Knowledge in our survey, which covers the insights, techniques and technology internal auditors deploy to improve their work continuously. In this area, various types of IT audits feature as prominent priorities, including auditing new technologies, program development, security, computer operations and continuity (see Tables 8 and 9).

Table 8: Audit Process Knowledge Overall Healthcare Industry Results



1(tie)

Quality Assurance and Improvement Program (IIA Standard 1300) Periodic Reviews (IIA Standard 1311)

3.4

Statistically based sampling 3.7

2(tie)

Auditing IT new technologies 2.9

Marketing internal audit internally 3.3

3 (tie)

Auditing IT program development 3.0

Auditing IT security 3.0

Computer-assisted audit tools (CAATs) 3.4

Quality Assurance and Improvement Program (IIA Standard 1300) External Assessment (Standard 1312)

3.4

4 Assessing risk emerging issues 3.4

In addition to focusing closely on the IT function, internal auditors are concentrating on improving the quality of their work. Survey respondents identified as priorities components of the update to The IIAs International Standards for the Professional Practice of Internal Auditing that took effect in early 2013. The update consists of 18 revisions that are designed to strengthen internal audits effectiveness. Our respondents cited a desire to learn more about the updated Standards, particularly by increasing their focus on the Quality Assurance and Improvement Program and its guidance regarding external assessments as well as ongoing and periodic reviews.

Our respondents also expressed a desire to enhance their fraud-prevention efforts, along with all of their other work, by introducing more automation to their endeavors, in the form of practices like statistically based sampling and computer-assisted audit tools (CAATs).


Table 9: Audit Process Knowledge Healthcare Industry CAE Results



1(tie)

Auditing IT new technologies 3.3

Auditing IT security 3.3

Marketing internal audit internally 3.8

2(tie)

Assessing risk emerging issues 3.8

Quality Assurance and Improvement Program (IIA Standard 1300) External Assessment (Standard 1312)

3.5

Quality Assurance and Improvement Program (IIA Standard 1300) Periodic Reviews (IIA Standard 1311)

3.5

Statistically based sampling 3.6

3 (tie)

Auditing IT change control 3.6

Auditing IT computer operations 3.6

Auditing IT continuity 3.5

Auditing IT program development 3.4

Data analysis tools data manipulation 3.6

Data analysis tools statistical analysis 3.4

Table 10: Audit Process Knowledge Overall Results, Three-Year Comparison

2014 2013 2012

Quality Assurance and Improvement Program (IIA Standard 1300) Periodic

Reviews (IIA Standard 1311)Data analysis tools data manipulation CAATs

Statistically based samplingQuality Assurance and Improvement

Program (IIA Standard 1300) External Assessment (IIA Standard 1312)

Continuous auditing

Auditing IT new technologiesQuality Assurance and Improvement

Program (IIA Standard 1300) Ongoing Reviews (IIA Standard 1311)

Continuous monitoring

Marketing internal audit internallyQuality Assurance and Improvement

Program (IIA Standard 1300) Periodic Reviews (IIA Standard 1311)

Data analysis tools data manipulation

Auditing IT program development Fraud fraud risk assessment Data analysis tools sampling

Auditing IT security Enterprisewide risk management Data analysis tools statistical analysis

CAATs Fraud monitoring Marketing internal audit internally

Quality Assurance and Improvement Program (IIA Standard 1300) External

Assessment (Standard 1312)Assessing risk emerging issues

Fraud auditing

Assessing risk emerging issuesFraud fraud detection/investigation

Fraud fraud risk assessment


PARTNERING AND PERSUADING

During periods of significant change and disruption, it is critical for internal auditors to develop, sustain and strengthen effective relationships at all levels of the organization and beyond the company, as well. Within rapidly changing organizational environments, internal auditors must persuade their colleagues throughout the business to operate in a risk-savvy manner. The desire for this type of partnership and persuasion is evident in our survey results (see Tables 11 and 12).

As discussed in a recent issue of The Bulletin from Protiviti, internal auditors must collaborate effectively with other independent functions focused on managing risk and compliance. Collaboration is a vital skill on many fronts in any discipline, and especially for internal audit. Of necessity, auditors should undertake a collaborative approach with independent risk management and compliance functions to coordinate roles, responsibilities and assurance plans, as well as share risk information and available resources.2

Further, in Protivitis recent editions of Internal Auditing Around the World (specifically, Volumes 9 and 10), internal audit leaders in numerous companies cite the critical importance of collaboration and partnerships in their organizations, which serve to enhance the effectiveness of their internal audit functions and processes.3

Table 11: Personal Skills and Capabilities Overall Healthcare Industry Results



1 Presenting (public speaking) 3.5

2(tie)

Developing other board committee relationships 3.4

Developing outside contacts/networking 3.8

Leadership (within your organization) 3.6

Persuasion 3.6

Time management 3.7

Using/mastering new technology and applications 3.7

3 (tie)

Dealing with confrontation 3.6

Developing audit committee relationships 3.5

Negotiation 3.6

For all respondents as well as CAEs, the lists of priorities in this category are dominated by skills such as developing relationships, negotiation, persuasion and presenting. Clearly, effective collaboration and partnerships are viewed as critical components for internal auditors in healthcare organizations as they address the many other priorities identified and discussed earlier in our report.

2 The Bulletin, Volume 5, Issue 6, The Future Auditor: The Chief Audit Executives Endgame, available at www.protiviti.com.3 For more information about Protivitis Internal Auditing Around the World series, visit www.protiviti.com/en-US/Pages/IA-Around-the-

World.aspx.


Table 12: Personal Skills and Capabilities Healthcare Industry CAE Results



1 Using/mastering new technology and applications 3.7

2(tie)

Developing audit committee relationships 4.2

Developing other board committee relationships 4.0

Developing outside contacts/networking 4.3

Negotiation 3.8

Presenting (public speaking) 4.1

3 (tie)

High-pressure meetings 3.8

Persuasion 4.0

4(tie)

Creating a learning internal audit function 4.2

Dealing with confrontation 4.0

Developing rapport with senior executives 4.3

Leadership (within your organization) 4.2

Strategic thinking 4.3

Time management 3.9

Table 13: Personal Skills and Capabilities Overall Results, Three-Year Comparison

2014 2013 2012

Presenting (public speaking) Presenting (public speaking) Developing outside contacts/networking

Developing other board committee relationships

High-pressure meetings Leadership (within your organization)

Developing outside contacts/networking Dealing with confrontation Negotiation

Leadership (within your organization) Persuasion Dealing with confrontation

Persuasion

Using/mastering new technology and applications

Persuasion

Time management

High-pressure meetings

Using/mastering new technology and applications

Dealing with confrontation

Developing audit committee relationships

Negotiation

= Three-year trend


IN CLOSING

While the burden of the healthcare industrys ACA compliance remains, a weighty collection of interconnected technology and strategy concerns are adding to these already significant burdens. As the very strategy and structure of healthcare provider organizations undergo major changes in the coming year, it will be increasingly important for CAEs and their internal auditing functions to keep their eyes on their priority lists, regardless of how long those lists become.


ABOUT AHIA

Founded in 1981, the Association of Healthcare Internal Auditors (AHIA) is a network of experienced healthcare internal auditing professionals who come together to share tools, knowledge and insight on how to assess and evaluate risk within a complex and dynamic healthcare environment. AHIA is an advocate for the profession, continuing to elevate and champion the strategic importance of healthcare internal auditors with executive management and the board. If you have a stake in healthcare governance, risk management and internal controls, AHIA is your one-stop resource. Explore our website (www.ahia.org) for more information. If you are not a member, please join our network.

ContactHeidi Crosby AHIA Board Chair +1.303.422.2615

ABOUT PROTIVITI

Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 40 percent of FORTUNE 1000 and FORTUNE Global 500 companies. Protiviti and its independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies.

Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

ContactsBrian Christensen Executive Vice President Global Internal Audit +1.602.273.8020 [email protected]

Susan Haseley Managing Director Healthcare Industry Leader +1.469.374.2435 [email protected]

Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

www.protiviti.com 2014 Protiviti Inc. An Equal Opportunity Employer M/F/D/V. PRO-0814-PKIC097

Education Networking Resources

Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations

Healthcare

Transcript of Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations