Healthcare providers are buffeted by risks that can threaten an institution’s bottom line, expose it to government sanctions, or simply create a workplace environment that is difficult for employees. Establishing or enhancing a provider’s internal audit functionality can help mitigate many of these risks, and this was the subject of a May 1, 2019, Baker Tilly webinar.
Baker Tilly partner Deb Bowes (Healthcare Practice) provided a broad overview of the risks that providers deal with every day –
How can internal audit help address these risks? According to the Institute of Internal Auditors, internal audit “is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.” Mark Laccetti (Risk advisory and Cybersecurity Practice partner) noted how the focus of the internal audit has evolved over time. Previously, an organization’s internal audit group acted as a kind of “gotcha police,” but this approach “created alienation between the internal audit department and the operating units,” making it harder for internal audit to be an effective adviser to the organization.
Now, internal audit provides a strategic, proactive role, helping to mitigate risk and fraud, while making sure that an organization stays in compliance, Laccetti said.
Laccetti explained that there are three options for resourcing internal audit – traditional, co-sourced and shared services.
While more than half of webinar attendees noted that they were already using a traditional internal audit approach, almost 25 percent said they had no current internal audit function.
If an organization does not understand all the possible risks it faces or is not staffed properly to effectively manage the internal audit function, Laccetti said the shared service function is probably the best approach if an organization is looking to get something established quickly. The organization can learn what it needs to do to structure its own internal audit function even as the outside provider is executing essential audits.
Laccetti said “providers have a finite amount of resources so they have to spend those resources in the best place to mitigate risk.” If a provider performs an internal audit risk assessment, it has to “define the objectives. What's the scope? Who's responsible? What are the roles and responsibilities? And then who are we reporting to? Is there someone in senior management? Is it the audit committee? Is it some other board committee? Know where all that stands. And what this does is it helps to increase the confidence in our risk assessment.”
Risk assessment has a lifecycle, from the identification and assessment of risks, to prioritizing them, to reporting results to relevant stakeholders.
Laccetti said, “In identifying the risk, you want to cast as wide a net as possible [including] in-person interviews, small groups gathering together discussing risks, through surveys, or a combination of all of these.” Ultimately, he said, “you really want the people who own the risks, the operational folks, to weigh into that risk-gathering process.”
Laccetti stressed, “No risk exists in isolation. There has to be some understanding of how potentially risks could link together, which is the best approach to pull in together your internal audit plan or your risk mitigation plan.”
After gathering all the information on the impact and likelihood of certain risks, the provider has to prioritize. Laccetti suggested that the internal audit team take the first crack at prioritizing risks. Then “they can go back to the stakeholders and get some buy-in to the risk assessment and prioritization process, because, clearly, we want to make sure that the key stakeholders are on board with where the risk mitigation resources are being spent and how those risk mitigation strategies are being prioritized.”
Reporting is the conclusion of a provider’s risk assessment. Laccetti said, “You've outlined, ‘Here's the risk universe. Here's how we've assessed the risk. Here's how we prioritize the risk. And here's how we're ultimately going to mitigate those risks,’ whether it's some form of internal audit that's going to be performed or whether there's some type of compliance function that covers those risks.” The risk with the highest likelihood and impact on the organization should receive the most focus as part of any risk mitigation strategy.
Internal audit works in synch with an organization’s system of internal controls and governance functions to mitigate risk. It is a helpful ally for improving controls, improving compliance, and improving the financial operations of a healthcare organization.
The full recording of this webinar is available here. Baker Tilly will be hosting future webinars on the internal audit function within healthcare organizations.