Audit committees play an important role in helping hospitals and health systems achieve their strategic goals. Effective audit committees strengthen organizations by providing oversight of the internal control structure and making sure the organization is addressing relevant operational, information technology, clinical, regulatory, and compliance risks.
Establishing an effective audit committee starts with recruiting members with diverse backgrounds and expertise, including, but not limited to, healthcare experience as well as financial accounting, compliance, and IT expertise. Effective committees also focus on practical details such as meeting frequency, committee member education, and a formal process for creating effective meeting agendas. Here are tips for fine-tuning these core areas.
1. Meet at the Right Times, for the Right Duration, and With the Right People
Holding regular meetings is an essential function of any audit committee. To be effective, committees must establish an appropriate meeting frequency and be sure each meeting includes updates by essential members of management (finance, compliance, and legal) and assurance functions (internal audit and external audit).
With cybersecurity becoming a significant risk area across the healthcare industry, the audit committee also may want the organization’s chief information officer (CIO) or chief information security officer (CISO) to regularly attend and present at audit committee meetings if the organization does not have a separate IT governance committee to cover this area. These live presentations should be brief and focus on messages important for the committee to hear and possibly discuss; other information provided to the committee in the written meeting package also should be brief and limited to only the most important information committee members need to perform their oversight role.
Audit committee meetings should include presentations throughout the year by members of operational, IT, and clinical functions. These presentations should focus on committee education and should address the significant risks and industry or regulatory changes associated with the applicable function.
A best practice for audit committees is holding quarterly in-person meetings of two to three hours in duration. In organizations that release quarterly financial statements, audit committee members may serve as the organizations’ disclosure committee and meet by telephone prior to the release of financial statements. During these calls, finance management will present the financial statements to the committee and address any accounting or other issues committee members need to be aware of as well as any disclosures that are needed for inclusion in the financial statements prior to their release.
If the organization is facing a significant change (such as merger and acquisition activity or executive turnover) or a heightened sense of risk (such as about a regulatory issue or legal action) that needs the audit committee’s attention and input, the committee may meet more frequently to address these types of issues.
2. Make Continuing Education a Priority
An effective audit committee emphasizes continuing committee education, including thoroughly orienting new committee members and making sure the committee is keeping up to date with top issues facing the healthcare industry and the organization.
As part of the orientation process, new committee members should meet with the organization’s chief compliance officer, chief audit executive, and executive in charge of the external audit team. The new committee members also should meet with relevant members of the health system’s management team, including the chief operating officer, chief financial officer, chief marketing officer, CIO or CISO, and the organization’s executive responsible for strategy. Orientation meetings should focus on educating new members about the organization’s strategic plan and those risk areas that could affect the health system’s ability to achieve its strategic objectives. Organizations experiencing recurring or potential significant litigation may wish to have the new committee member meet with the institution’s chief legal counsel.
New audit committee members also should have a good understanding of the organization’s governance and committee structures and should be briefed on any applicable charters, including the audit committee charter and the internal audit and compliance department charters. Other helpful documents to share during new audit committee member orientation include the current and past year’s internal audit plans and compliance work programs as well as significant issues presented to the committee during the previous 12 months.
In addition, all committee members should keep up to date with current or emerging risks in the healthcare industry and how those risks affect the health system. The overall goal of continuing education is to help audit committee members become more aware of current and emerging risks facing the organization. Time also should be dedicated to educating committee members on conflict of interest rules, making sure committee members are appropriately disclosing conflicts, and verifying processes are in place to help management avoid real or perceived conflicts.
Effective audit committees take a proactive approach to continuing education by seeking out education from organizational management, from internal audit and compliance leaders, and from the external audit team. Continuing education should be a regular part of the audit committee’s agenda and could also be included in management and other regular quarterly presentations. Regardless of whether the health system has implemented a formal enterprise risk management (ERM) process, committee members should receive presentations related to the organization’s top risk areas at least annually.
3. Create Effective Agendas
A thorough and well-planned audit committee agenda is an essential component of a successful audit committee meeting. These agendas require careful thought, collaboration, and planning well in advance of the meetings.
A leading practice for audit committees within all industries is to have meeting agendas for the following fiscal year drafted before the fiscal year begins. Creating effective agendas starts with having multiple staff members work on them. In general, it is good practice to have the organization’s compliance officer, chief audit executive, and chief legal counsel develop each agenda with input from others – such as external auditors and financial management – across the organization.
The agendas should be laid out for the entire fiscal year to help the audit committee make sure it addresses all risk areas at least once per year. Typical topics and presentations to include on audit committee meeting agendas include:
Establishing an effective audit committee starts with recruiting members with diverse backgrounds and expertise, including, but not limited to, healthcare experience as well as financial accounting, compliance, and IT expertise. Effective committees also focus on practical details such as meeting frequency, committee member education, and a formal process for creating effective meeting agendas. Here are tips for fine-tuning these core areas.
1. Meet at the Right Times, for the Right Duration, and With the Right People
Holding regular meetings is an essential function of any audit committee. To be effective, committees must establish an appropriate meeting frequency and be sure each meeting includes updates by essential members of management (finance, compliance, and legal) and assurance functions (internal audit and external audit).
With cybersecurity becoming a significant risk area across the healthcare industry, the audit committee also may want the organization’s chief information officer (CIO) or chief information security officer (CISO) to regularly attend and present at audit committee meetings if the organization does not have a separate IT governance committee to cover this area. These live presentations should be brief and focus on messages important for the committee to hear and possibly discuss; other information provided to the committee in the written meeting package also should be brief and limited to only the most important information committee members need to perform their oversight role.
Audit committee meetings should include presentations throughout the year by members of operational, IT, and clinical functions. These presentations should focus on committee education and should address the significant risks and industry or regulatory changes associated with the applicable function.
A best practice for audit committees is holding quarterly in-person meetings of two to three hours in duration. In organizations that release quarterly financial statements, audit committee members may serve as the organizations’ disclosure committee and meet by telephone prior to the release of financial statements. During these calls, finance management will present the financial statements to the committee and address any accounting or other issues committee members need to be aware of as well as any disclosures that are needed for inclusion in the financial statements prior to their release.
If the organization is facing a significant change (such as merger and acquisition activity or executive turnover) or a heightened sense of risk (such as about a regulatory issue or legal action) that needs the audit committee’s attention and input, the committee may meet more frequently to address these types of issues.
2. Make Continuing Education a Priority
An effective audit committee emphasizes continuing committee education, including thoroughly orienting new committee members and making sure the committee is keeping up to date with top issues facing the healthcare industry and the organization.
As part of the orientation process, new committee members should meet with the organization’s chief compliance officer, chief audit executive, and executive in charge of the external audit team. The new committee members also should meet with relevant members of the health system’s management team, including the chief operating officer, chief financial officer, chief marketing officer, CIO or CISO, and the organization’s executive responsible for strategy. Orientation meetings should focus on educating new members about the organization’s strategic plan and those risk areas that could affect the health system’s ability to achieve its strategic objectives. Organizations experiencing recurring or potential significant litigation may wish to have the new committee member meet with the institution’s chief legal counsel.
New audit committee members also should have a good understanding of the organization’s governance and committee structures and should be briefed on any applicable charters, including the audit committee charter and the internal audit and compliance department charters. Other helpful documents to share during new audit committee member orientation include the current and past year’s internal audit plans and compliance work programs as well as significant issues presented to the committee during the previous 12 months.
In addition, all committee members should keep up to date with current or emerging risks in the healthcare industry and how those risks affect the health system. The overall goal of continuing education is to help audit committee members become more aware of current and emerging risks facing the organization. Time also should be dedicated to educating committee members on conflict of interest rules, making sure committee members are appropriately disclosing conflicts, and verifying processes are in place to help management avoid real or perceived conflicts.
Effective audit committees take a proactive approach to continuing education by seeking out education from organizational management, from internal audit and compliance leaders, and from the external audit team. Continuing education should be a regular part of the audit committee’s agenda and could also be included in management and other regular quarterly presentations. Regardless of whether the health system has implemented a formal enterprise risk management (ERM) process, committee members should receive presentations related to the organization’s top risk areas at least annually.
3. Create Effective Agendas
A thorough and well-planned audit committee agenda is an essential component of a successful audit committee meeting. These agendas require careful thought, collaboration, and planning well in advance of the meetings.
A leading practice for audit committees within all industries is to have meeting agendas for the following fiscal year drafted before the fiscal year begins. Creating effective agendas starts with having multiple staff members work on them. In general, it is good practice to have the organization’s compliance officer, chief audit executive, and chief legal counsel develop each agenda with input from others – such as external auditors and financial management – across the organization.
The agendas should be laid out for the entire fiscal year to help the audit committee make sure it addresses all risk areas at least once per year. Typical topics and presentations to include on audit committee meeting agendas include:
- A consent calendar, which contains routine committee reports such as prior meeting minutes and other items that do not require discussion but might require approval and action
- Status updates from members of the management team
- Updates from internal and external audit and compliance teams
- Legal updates
- Presentations on industry or organizational topics that contribute to continuing education of the audit committee
- Follow-up items identified at prior meetings
Meeting agendas should be comprehensive; however, information should be summarized and should highlight essential takeaways. Streamlined agendas that do not overwhelm committee members help drive effective meetings and allow committee members to focus on the most pressing issues.
Along with effective agendas, successful audit committee meetings also feature strong follow-up processes that help make sure committee members’ questions and concerns are addressed at future meetings. To enhance the accountability of management and the oversight role of the audit committee, a member of the organization’s management team should be accountable for verifying follow-up items are included on future meeting agendas and appropriate discussions are held at future meetings.
An Engaged, Effective Audit Committee
By focusing on essential areas such as efficient meetings, continuing education, and well-structured meeting agendas, an audit committee can make sure it is not only engaged but effective, efficient, and successful.
