Healthcare organizations should address top risk and control areas

Preparing your healthcare organization for the next disruptive event: top 8 risks and controls to address

The pandemic has affected all aspects of the healthcare industry. Even with all of the efforts taken by federal and state governments and the healthcare organizations themselves, the Baker Tilly healthcare practice identified a number of areas that were acutely disrupted and deserve added attention, either to prevent further issues during this pandemic or to better prepare for the next catastrophic event. The most pressing areas are as follows.

Supply chain strain

For most health systems, the supply chain for personal protective equipment (PPE) was pushed to the breaking point and procurement staff had to look outside of their standard sources to obtain needed PPE, often under extreme time constraints.


  • Your organization had no back-up plan for when your usual vendor or vendors were not able to deliver needed supplies.
  • To meet demand, you had to purchase PPE from unqualified vendors, which created some risk, or the equipment was not up to par from a safety perspective.
  • With time constraints and remote working, protocols for authorizing purchases were not followed.

Control considerations:

  • Has your organization established an appropriate minimum level of PPE inventory?
  • Have you created a list of authorized PPE suppliers, including current and back-up vendors? They should be routinely checked to ensure they are still qualified to supply your organization.
  • Have you developed a procedure for emergency authorizations of new vendors and/or purchases?

Coronavirus Aid, Relief, and Economic Security (CARES) Act provider relief funding/other funding requirements

Some types of CARES Act funding have a Catalog of Federal Domestic Assistance (CFDA) number assigned to them, so organizations that previously may not have qualified for a single audit will now require one.


  • Your organization accepted funding to help with revenue shortfalls and additional expenses incurred because of the pandemic, but, because they were grants, you needed to adhere to rules around grant compliance, which may not have been followed.
  • Your organization received a sudden influx of a new kind of funding, which meant proper documentation for record keeping was not in place.
  • Depending on the amount your organization received, you may be open to an after-the-fact government review/audit in addition to a single audit.

Control considerations:

  • Have you established strong internal controls over record keeping?
  • Has your organization engaged internal audit to perform reviews of compliance with funding requirements (e.g., appropriate costs are captured, required reporting is accurate and complete, etc.)?
  • Have you verified that your organization received the correct amount of federal and state funds? If you mistakenly received money, how do you return that?

Business continuity planning gaps

Healthcare organizations have plans in place for how their emergency rooms should deal with all types of catastrophes, even a pandemic, but back-office workers, budgets and supply chains are not typically a part of those plans.


  • Your organization has had to move a good portion of nonessential staff to remote work environments when your workers are typically always on-site.
  • Your organization had to compete for scarce supplies of PPE with every other healthcare organization, not to mention the federal and state governments and the general public.
  • You had to shut down elective procedures, leaving your organization with an enormous budget shortfall.

Control considerations:

  • Have you assessed your organization’s reactions to the adversities it faced, including staff working remotely, supply chain disruption and significant revenue loss?
  • Have you identified the problem areas and discerned what worked and what didn’t?
  • Have you incorporated the lessons your organization learned into the creation of (or updating of) an emergency preparedness and response plan?

Telemedicine demand

Telemedicine usage rapidly and exponentially increased from the onset of the pandemic. Many organizations were not prepared for the unexpected surge.


  • The federal government temporarily relaxed some of the rules regarding security and privacy under HIPAA.
  • Your telemedicine system lacks the necessary infrastructure for capturing patients’ billing information.

Control considerations:

  • What steps have been taken to put in place controls to manage patients’ security and privacy since HIPAA regulations are expected to be fully enforced again?
  • Have you implemented procedures for gathering relevant intake information in order to properly charge for services?

Remote workforce security issues

Healthcare organizations have had to revisit their policies on how their staffers work remotely.


  • Your organization had to move large numbers of people who typically work on-site to off-site.
  • Your organization had to quickly employ new technology like virtual private networks (VPNs) and other cybersecurity measures and then had to remotely train staff.

Control considerations:

  • Has your organization created best practices for remote employees so they are aware of potential cybersecurity issues?
  • Is your IT staff readily available to all employees?

For more on this topic, read our article, “Cybersecurity hygiene for individuals working or learning remotely.”

Policy and procedure compromises

Policies and procedures provide an organization with an outline of what to do when and by whom, but the urgency caused by the pandemic drove some organizations to make exceptions, defying their carefully thought-out plans.


  • Time constraints forced decisions on people in your organization who were not actually authorized to make them.
  • You are finding that some things fell through the cracks or things happened that should not have because policies and procedures were not being followed.

Control considerations:

  • Do your policies and procedures have appropriate latitude so a small group of individuals can make decisions, rather than hanging the responsibility on one or two people?
  • Can you build executive oversight into enforcement of policy and procedures?
  • Have you identified areas where your organization fell short and looked at what would have normally been done to address what should be done going forward?

Fraud concerns

As a result of a newly remote workforce, organizations changed processes in ways that can potentially create openings for fraudulent behavior.


  • You have a complicated staffing situation with some workers coming back after working remotely, some still working remotely, furloughed or formerly furloughed employees as well as temporary hires.
  • For a variety of reasons, staff did not follow approval processes and you are now sifting through unauthorized expenses for anything that would not normally be permitted.

Control considerations:

  • What changes have occurred for accounting and financial processes?
  • Are reconciliations being performed in a timely manner?
  • Is everything being treated as urgent and not adhering to internal controls?
  • Are hourly timesheets being reviewed?
  • Is inventory being properly managed, and are counts being performed?

Employee safety in returning to work

As administrative staff returns to work, practices and policies need to be in place that put employee safety first. Various regulatory organizations are providing guidance/rules to be adhered to prior to bringing employees back into the office.


  • Your organization has to make sure the administrative staff returning after months working remotely are following safety protocols so they can interact safely with the clinical staff who have continued to work on premises throughout the pandemic.

Control considerations:

  • Who is ensuring that the appropriate guidance has been reviewed, that the actions being taken are appropriate, and that the various office locations are following the prescribed procedures?
  • Do your plans include regular testing? Are you using an app for recording temperatures?
  • What is the plan for quarantining if someone tests positive for COVID-19?

While a healthcare organization may not have to be concerned with all of the areas discussed above, even just one of the issues could eventually create larger problems. Ensuring appropriate, effective controls are in place can circumvent greater challenges and impacts to the organization.

Our specialists are here to help.

Mark E. Laccetti