5 Steps to Transforming Internal Audit

By Daniel Yunker | 5/19/2020

Within an increasingly complex healthcare environment, today’s organizations face an equally complex array of risks, from cyber and regulatory to clinical and beyond, all while working with limited resources. Most recently, hospitals and health systems are facing risks as a result of the COVID-19 pandemic. To successfully manage risk amid such pressures, healthcare organizations need a modernized approach that allows them to mitigate their specific risks while thriving – and staying competitive.

In this challenging environment, it’s more important than ever for healthcare organizations to get a return on the investments they make in business processes throughout their enterprises. As industry complexities grow, the risk gap – between new and increasing risks and unchanging risk coverage – continues to expand.

New and increasing risks strain execution of audit plans that already lack resources. The industry can’t afford to simply add consulting hours or the full-time equivalents needed to test and assess risk mitigation controls and processes.

Organizations need a new approach to internal audit that lessens the gap between risks that matter most to them and their ability to mitigate those risks.

This new approach is called “return on risk.” Organizations achieve a return on risk when they better align their risk coverage with the actual risks to which they are exposed. This alignment involves making a shift from a conventional internal audit structure to a new, modernized vision for internal audit. Following are five steps healthcare leaders can take to adopt this more modern approach to transforming their internal audit functions.

Step one: Align internal audit efforts with goals and objectives

The first step in moving to a return on risk approach is for leadership to identify the risks to which the organization is most exposed, rather than focusing on a healthcare industry list of generalized top risks. Organizations should focus on risks that relate to their unique goals and objectives. Some examples include opening a new service line, forming a joint venture relationship with another entity, moving patient populations to new care settings, increasing the use of remote medical monitoring devices, or testing preparedness for unexpected events such as a pandemic.

One goal for every organization should be making data a key tenet of its risk assessment approach. Management should identify data sources that offer quantifiable, meaningful performance indicators to best measure the associated risks of each objective. This approach can help the organization maximize the closure of risk gaps. It also can help the organization avoid expending unnecessary resources or energy on low-risk areas.

Step two: Take advantage of internal expertise to develop an action plan

Once leadership has aligned its risk assessment activities with the organization’s overall goals, the next step is for the organization to bring together a multidisciplinary team composed of staff from internal audit, compliance, and digital security and IT functions to develop an action plan for narrowing the organization’s risk gaps. Leadership should take advantage of the human resources that exist within its healthcare enterprise. This includes providing necessary tools and advancing the skill sets of workers who will be charged with creating a new risk management plan and, ultimately, leading the transformation from conventional internal audit to a modernized approach. The risk-related action plan should focus on the risk areas the organization identified in step one.

Step three: Adopt the most effective technology

In order to execute the action plan, organizations need to systematize necessary efforts and activities by adopting knowledge-based workflow and report generation software that can help support organizationwide best practices for completing risk audits.

The ideal software should:

  • Be able to link to tools that detect risks – in real time – so the internal audit process can be accelerated
  • Be capable of generating actionable reports that help organizations measure performance improvement or growing gaps
  • Feature workflow technology that can assist with increased risk monitoring
  • Include cloud-based solutions so risk projects can continue remotely if needed

Step four: Identify data elements

To power the internal audit software, organizations need data-driven analytics. Full data sets can provide organizations with the most comprehensive overview of their risks and help accelerate the automation of manual internal audit business processes.

For example, a typical accounts payable audit might comprise 20 manual steps. Using advanced data analytics, organizations can incorporate automation into the audit process to accelerate the acquisition of the information needed to detect and mitigate risk. This, in turn, contributes to overall transformation of the audit process.

Step five: Connect with a knowledgeable community

The size, scope, and complexity of risk within the healthcare industry have grown substantially in recent years. Most organizations no longer have the team size and internal subject-matter expertise needed to manage risk successfully. Today’s healthcare organizations should seek access to a networked internal audit user community that can function as a knowledge base and information exchange, broadening risk identification across risk, audit, and compliance functions. This knowledge can contribute immensely to improved audits and risk detection and assessment.

An internal audit transformation

Carefully executing these steps can help an organization evolve to a return on risk approach to internal audit by narrowing risk coverage gaps and enhancing overall organizational performance.

But these steps are just the beginning. It will take a dedicated team to accelerate these types of transformational ideas and processes. Working with internal audit specialists can help healthcare organizations set themselves on a path to lasting internal audit transformation – moving to a modernized approach that positions them for future success and the return on risk gained by improving their risk coverage.