Blockchain, RPA, Machine Learning, AI

An Auditor’s Initial Checklist

By Scott C. Gerard, CPA, and Robert L. Malarkey, CISSP, CISA | 8/27/2019

New technology options on the horizon offer promising results for healthcare organizations in areas including patient care and the revenue cycle. Although blockchain, robotic process automation (RPA), machine learning (ML), and artificial intelligence (AI) may not currently be used widely in the healthcare industry, as these technologies eventually move beyond buzzword status to become fully integrated into healthcare operations, organizations need to be ready for their adoption and knowledgeable about all their potential benefits – and risks.

Often, the risks new technologies introduce are overlooked in favor of focusing on the rewards they promise. But having a thorough understanding of risks involved and potential impacts to the organization can make for a smoother implementation when an organization takes the leap to adoption. Audit, risk, governance, and compliance personnel can play an important role in helping to prepare healthcare organizations to reap the most benefit from emerging technologies while helping to identify and mitigate potential risks. Following is a compilation of some of the main risk areas of four of the most talked about technologies and sample audit questions to consider.

While this isn’t a comprehensive list of audit questions, it should serve as a helpful starting point to guide auditors when assessing their organizations’ technology plans and potential risk areas.

Blockchain

Known for its ability to make data records immutable, blockchain technology has the potential to improve healthcare services, as it acts as a single source of data truth for patient records, supply chain information, and other areas. This technology also has the potential to reduce the risk of data manipulation and even fraud.

Risk area: Interaction with affiliates not using blockchain
Sample audit questions:

  • How will the organization using blockchain technology interact with networks, affiliate entities, or departments within its own organization that are not using blockchain?
  • Does interacting with non-blockchain networks prevent the organization from achieving blockchain’s anticipated rewards or prevent new records from being created?
  • Can the organization using blockchain rely on its security and efficiencies fully if other entities with which it works are not using the technology?

Risk area: Data security and user access
Sample audit questions:

  • How will the organization define who can access the data within the blockchain?
  • Who creates the data within the blockchain, and how are those individuals authorized?
  • Does everyone who has access to the blockchain data have full access, or do certain individuals have access to only parts of the blockchain data?
  • How does the organization validate that the blockchain is immutable?
  • Can “super users”/system administrators change code on the blockchain?
  • Who has the encryption keys to unlock the data, and can those keys be lost?
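The question of how an organization validates that its chain is immutable has a concrete check behind it. The following added example (not from the article or its authors) walks a constructed, hypothetical hash-chained ledger of record-change events, reports the first block whose link or hash no longer verifies, and also compares the chain tip against a hash held outside the system, because a super user who rewrites a block and recomputes every later hash passes the internal check alone.

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # link stored in the first block

def block_hash(index: int, prev_hash: str, data: dict) -> str:
    """Hash of the block's full contents; any change to data or link alters it."""
    payload = json.dumps({"i": index, "prev": prev_hash, "data": data}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def build_chain(records: list) -> list:
    chain, prev = [], GENESIS
    for i, rec in enumerate(records):
        h = block_hash(i, prev, rec)
        chain.append({"index": i, "prev_hash": prev, "data": rec, "hash": h})
        prev = h
    return chain

def first_broken_block(chain: list) -> Optional[int]:
    """Index of the first block whose stored hash or back-link fails to verify, else None."""
    prev = GENESIS
    for blk in chain:
        if blk["prev_hash"] != prev or \
           block_hash(blk["index"], blk["prev_hash"], blk["data"]) != blk["hash"]:
            return blk["index"]
        prev = blk["hash"]
    return None

def audit(chain: list, anchored_tip: str) -> dict:
    """Internal consistency plus comparison with a tip hash escrowed outside the system."""
    return {"first_broken": first_broken_block(chain),
            "tip_matches_anchor": chain[-1]["hash"] == anchored_tip}

# Constructed sample events: pointers to record changes, not the PHI itself.
RECORDS = [
    {"record_id": "R-1001", "action": "create", "by": "clinician-a"},
    {"record_id": "R-1001", "action": "amend", "by": "clinician-b"},
    {"record_id": "R-1002", "action": "create", "by": "clinician-a"},
]

def demo() -> dict:
    chain = build_chain(RECORDS)
    anchor = chain[-1]["hash"]  # hypothetical: tip hash periodically handed to the auditor
    tampered = copy.deepcopy(chain)          # case 1: one block edited in place
    tampered[1]["data"]["by"] = "clinician-z"
    rewritten_records = copy.deepcopy(RECORDS)  # case 2: whole chain rebuilt after the edit
    rewritten_records[1]["by"] = "clinician-z"
    return {"clean": audit(chain, anchor),
            "edited": audit(tampered, anchor),
            "rewritten": audit(build_chain(rewritten_records), anchor)}
```

The in-place edit is caught at block 1 by the internal walk; the rebuilt chain is caught only by the external anchor, which is why the audit question should cover where that anchor lives and who can change it.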

Risk area: Health Insurance Portability and Accountability Act (HIPAA) compliance
Sample audit questions:

  • Is the concept of minimum necessary disclosure (that the amount of protected health information being used is limited to the minimum necessary to accomplish the task) being adhered to in relation to use of blockchain technology?
  • What controls are in place to make sure confidential data is secure?
  • What individuals have access to the blockchain, and are they able to access patient data? Is that access excessive, and can those individuals see records that would violate HIPAA requirements?
  • Do super users have excessive access to sensitive protected health information?

Risk area: Business continuity and bandwidth issues
Sample audit questions:

  • Is blockchain data available during a downtime event (for example, when internet connectivity is not available)?
  • How has downtime availability been tested and validated?
  • Does blockchain technology use a considerable amount of bandwidth and affect system performance, employee productivity, and, potentially, operations?

Robotic process automation

RPA technology uses robots, or bots, to automate repetitive manual tasks. This technology has the potential to reduce manual errors made by humans.

Risk area: Data quality
Sample audit questions:

  • Have quality data sets been used as the basis of RPA?
  • Who is able to create and edit the automated processes? Are there enough or too many people able to do this?
  • Which human touchpoints remain? Should there be more?
  • Is the RPA achieving the results management expected (are efficiencies being realized)?
  • How are results from the tasks performed documented and monitored?

Risk area: Data security and user access
Sample audit questions: Same questions as with blockchain

Risk area: Business continuity and bandwidth issues
Sample audit questions: Same questions as with blockchain, plus:

  • What processes are in place to allow RPA to continue during downtime?

Artificial intelligence and machine learning

Machine learning and AI use predictive analytics and smart technology/concepts to perform tasks such as analyzing medical records, data, and images for trends, anomalies, and results that humans may not always identify; providing surgical assistance; and even suggesting treatment plans to clinicians.

Risk area: Data security and user access
Sample audit questions: Same questions as with blockchain and RPA

Risk area: Data quality
Sample audit questions: Same questions as with RPA

Risk area: Expertise and confidence in results
Sample audit questions:

  • Who creates the algorithms and logic for use with ML and AI?
  • Who provides the data, knowledge, and expertise to the developers and programmers? Are they sufficiently independent, or is there potential for bias related to data or information used or anticipated outcomes?
  • How is the expertise of those developing ML routines, AI logic, and cognitive rule sets validated?
  • Can clinicians have confidence in ML- and AI-driven data in their work? Do they trust data and results too much without proper review or validation?
  • Have clinicians been involved up front regarding how ML and AI will affect their work, enabling trust in these technologies?

Risk area: Return on investment
Sample audit questions:

  • Is the organization capturing information about investments and costs associated with this technology?
  • How much has the organization invested in this technology?
  • Is the organization seeing a return on investment (ROI)?
  • Are ROI goals realistic?

Risk area: Human oversight and involvement
Sample audit questions:

  • Are the computers driving independent tasks (without human involvement), and are humans monitoring the operations related to those tasks?
  • Is there enough human oversight over ML and AI? Too little? Too much?
  • Are controls in place to monitor security and approved access?

Don’t be afraid of these technologies; get a seat at the table

The healthcare industry faces more technology options today than ever before, with new technologies offering greater efficiencies and optimal results for patient care, the revenue cycle, and many other areas. As these technologies mature and healthcare organizations begin to adopt them, audit, risk, governance, and compliance personnel should ask questions and start understanding how the technologies are being used. A lack of familiarity should not be an excuse to overlook these technologies. Associated risks need to be understood and identified so healthcare organizations can mitigate them before experiencing unforeseen impacts.

Audit, risk, governance, and compliance personnel need to have a seat at the table. These professionals can provide management with valuable insight by asking questions, revealing risk areas, and evaluating those risks through audits or other forms of assessment.

Many of these technologies might seem futuristic, but they are already here. Getting ahead of and gaining knowledge of risks and associated benefits will make eventual implementation more realistic and successful.
