Is your internal audit function delivering value? Or is it just checking the box?
If you lead the internal audit function at a U.S. healthcare provider, there’s a good chance that the vast majority of your time is spent on compliance.
It’s likely not where you want your resources to be focused. But, after years of regulatory change, mergers, system integrations and IT upgrades, ensuring compliance – managing a seemingly-endless stream of check-box exercises – is what keeps the business out of trouble.
New world, new expectations
Risks in healthcare are evolving rapidly due to technological, economic, operational and regulatory changes. At the same time, public expectations and the demand for greater transparency are on the rise. This leads to a myriad of compliance requirements and feeds the incessant “check-the-box” exercise vs. elevating the internal audit function to a more strategic, value-focused contributor within the organization.
All of this is placing significant pressure on healthcare provider internal audit functions. Most are already largely overwhelmed with their existing compliance exercises; few have the resources or capacity to take on more. Fewer still have the capabilities, tools or experience to identify control failures, let alone to analyze the root causes of those failures or be proactive in risk management.
Analytics in action
Healthcare provider internal audit functions need to be taking a much more analytical approach to managing controls. Data and analytics can play a valuable role.
Recently, we helped assess the accuracy, efficiency and reliability of the control environment for one major provider organization. Upon first review, it seemed that the organization was (for the most part) in compliance with Medicare billing regulations. However, after a deeper dive that included running some of the provider’s transactional data through analytics tools, we discovered that their employees were finding ways to bypass the controls. Items and services were being billed in a non-compliant way. This created significant financial implications for the organization as more and more reimbursement requests were denied.
By applying data and analytics to our approach, we accelerated the identification of instances of non-compliance, determined the root causes of those control failures and provided recommendations to help remediate them.
Elevating the value of internal audit
Beyond compliance and control efficiency, leading healthcare provider organizations unlock significant value by adopting more sophisticated analytics in the internal audit function.
For one, internal audit professionals are now able to proactively identify risks and instances of non-compliance before they become a systemic problem. That means not only improved risk management, but also better financial control.
Data and analytics can also help the internal audit function provide strategic advice to decision-makers based on historic data, real-time analysis and predictive analytics. They can better explain the exact ‘mechanism of operation’ for different controls and how they influence business operations and growth. Analytics also offer internal audit a new level of insight to better advise on the risks of new corporate strategies before they are activated.
Simply put, the application of data and analytics can help the internal audit function take on a much more strategic, forward-looking and proactive role in the efficient and effective management of the organization and support its greater mission.
Operationalizing it
We are not suggesting providers develop sophisticated analytics capabilities within their internal audit functions. Co-sourcing or outsourcing for these types of tools and services provides an easy route to incorporate this on an as-needed basis. Internal audit functions do need to give due consideration to incorporating these types of analytics into their auditing plan and processes in some capacity. Some providers may want start by identifying the areas where the risk of practical non-compliance are highest or most severe. Others may prefer to do a more continuous and thorough review of the efficiency of their controls as part of the regular audit process.
The operating models involved are varied and can be tailored to meet the specific needs of the internal audit function at various times in its journey. In some cases, that may mean one-off engagements to troubleshoot a specific problem or to prepare for a new strategy. In other cases, the model may involve creating a continuous analytics-as-a-service partnership with an experienced and technology-enabled managed service provider.
Get more from internal audit
Looking ahead, we see the application of analytics as a potential catalyst to sustainable transformation in the internal audit function. The shift will force the organization to rethink the way its controls and compliance are managed and monitored. It will drive deeper conversations about how internal audit is involved in the business decision-making process. And it will encourage a capability shift within the internal audit function itself.
Given the growing pressure on the healthcare provider internal audit function, our advice is to think seriously about how analytics can help your organization reduce risk, improve compliance and drive value.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.