Managing risk in healthcare

Strategies for using internal audit to help healthcare organizations manage risk

Healthcare providers are buffeted by risks that can threaten an institution’s bottom line; expose it to government sanctions; or simply create a workplace environment that is difficult for employees. Establishing or enhancing a provider’s internal audit functionality can help mitigate many of the risks, and this was the subject of a May 1, 2019, Baker Tilly webinar.

Baker Tilly partner Deb Bowes (Healthcare Practice) provided a broad overview of the risks that providers deal with every day –

  • Scrutiny by governmental regulators
  • Pressure from patients and payers to reduce costs and improve quality
  • Physicians transitioning from being independent practitioners to provider employees
  • HIPAA violations
  • Cybersecurity and the overall reliance on technology in healthcare settings
  • Uncertain effect of mergers and acquisitions

What is internal audit?

How can internal audit help address these risks? According to the Institute of Internal Auditors, internal audit “is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.” Mark Laccetti (Risk advisory and Cybersecurity Practice partner) noted how the focus of the internal audit has evolved over time. Previously, an organization’s internal audit group acted as a kind of “gotcha police,” but this approach “created alienation between the internal audit department and the operating units,” making it harder for internal audit to be an effective adviser to the organization.

Now, internal audit provides a strategic, proactive role, helping to mitigate risk and fraud, while making sure that an organization stays in compliance, Laccetti said.

Three options for internal audit

Laccetti explained that there are three options for resourcing internal audit – traditional, co-sourced and shared services.

  • Under a traditional internal audit function, all employees of that department are employees of the healthcare provider and the provider has complete control over the audit process. One of the biggest challenges keeping this function totally in-house is making sure audit employees are appropriately trained. Employees will have to stay current on cybersecurity defenses, new regulations, and new code sets or related coding changes, among other things.
  • Providers who co-source the internal audit function can leverage the unique skill sets of an outside organization, and offload some audit functions. One of the co-sourcing challenges is that the provider has a reduced opportunity to develop audit knowledge and skills in-house, and also has to expend resources finding and keeping a good partner.
  • The shared services internal audit option allows a provider to instantly leverage a network of internal audit professionals and specialty expertise for comprehensive, effective risk coverage. This is the most expensive type of internal audit, however, and it eliminates significant investments related to people (recruiting, training, career development), methodology, technology and knowledge.

How do you decide?

While more than half of webinar attendees noted that they were already using a traditional internal audit approach, almost 25 percent said they had no current internal audit function.

If an organization does not understand all the possible risks it faces or is not staffed properly to effectively manage the internal audit function, Laccetti said the shared service function is probably the best approach if an organization is looking to get something established quickly. The organization can learn what it needs to do to structure its own internal audit function even as the outside provider is executing essential audits.

Risk assessment

Laccetti said “providers have a finite amount of resources so they have to spend those resources in the best place to mitigate risk.” If a provider performs an internal audit risk assessment, it has to “define the objectives. What's the scope? Who's responsible? What are the roles and responsibilities? And then who are we reporting to? Is there someone in senior management? Is it the audit committee? Is it some other board committee? Know where all that stands. And what this does is it helps to increase the confidence in our risk assessment.”

Risk assessment has a lifecycle, from the identification and assessment of risks, to prioritizing them, to reporting results to relevant stakeholders.

Laccetti said, “In identifying the risk, you want to cast as wide a net as possible [including] in-person interviews, small groups gathering together discussing risks, through surveys, or a combination of all of these.” Ultimately, he said, “you really want the people who own the risks, the operational folks, to weigh into that risk-gathering process.”

Laccetti stressed, “No risk exists in isolation. There has to be some understanding of how potentially risks could link together, which is the best approach to pull in together your internal audit plan or your risk mitigation plan.”

Prioritizing risks

After gathering all the information on the impact and likelihood of certain risks, the provider has to prioritize. Laccetti suggested that the internal audit team take the first crack at prioritizing risks. Then “they can go back to the stakeholders and get some buy-in to the risk assessment and prioritization process, because, clearly, we want to make sure that the key stakeholders are on board with where the risk mitigation resources are being spent and how those risk mitigation strategies are being prioritized.”

Reporting risks

Reporting is the conclusion of a provider’s risk assessment. Laccetti said, “You've outlined, ‘Here's the risk universe. Here's how we've assessed the risk. Here's how we prioritize the risk. And here's how we're ultimately going to mitigate those risks,’ whether it's some form of internal audit that's going to be performed or whether there's some type of compliance function that covers those risks.” The risk with the highest likelihood and impact on the organization should receive the most focus as part of any risk mitigation strategy.

Internal audit works in sync with an organization’s system of internal controls and governance functions to mitigate risk. It is a helpful ally for improving controls, improving compliance, and improving the financial operations of a healthcare organization.

The full recording of this webinar is available here. Baker Tilly will be hosting future webinars on the internal audit function within healthcare organizations.

For more information on this topic, or to learn how Baker Tilly healthcare specialists can help, contact our team.