The next generation internal audit is a best practice that increases an internal audit department’s effectiveness and positive impact on the organization overall (see Exhibit 1). The four foundational blocks of the next generation internal audit model are robust risk assessment, data analytics, specialized expertise, and risk culture. The second foundational block of this model, data analytics, is a dynamic and powerful tool to supplement and support risk assessment findings.
Exhibit 1: Next Generation of Healthcare Internal Audit
Source: Crowe analysis
- Strategy driven
- Continuous connection to C-suite, leaders, managers, and stakeholders
- Data driven
- Multidisciplinary and flexible team
- Deep specialization
- Responsive and real-time
- Risks covered through continuous monitoring and data analytics
Audit Plan Areas
- Traditional plan coverage
- Clinical protocols
- Process redesign
- Quality and performance measures
- Third-party risk
- Flexible care delivery models
- Regulatory compliance
- Continuous auditing dashboard
- Benchmarking against peers
- Multilevel deliverable
- Comprehensive risk analysis
- Robust governance and management education
The Value of Data Analytics
Exhibit 2 illustrates the three-pronged approach of data analytics. With the identification, gathering, validation, analysis, and interpretation of various forms of data using computerized tools to provide meaningful intelligence, internal auditors gain enhanced risk awareness and a quantified, data-driven risk assessment. Data analytics encourages the strategic deployment of resources to high-risk areas while expediting fraud detection. It also reduces cost through increased audit efficiency, faster audit response times, and reduced business disruption during audits. In addition, data analytics delivers a more robust analysis of significant issues facing organizations and provides quantifiable audit results.
Exhibit 2: Three-Pronged Approach of Data Analytics
- Quantified risk assessment
- Deployment of resources to high-risk areas
- Testing 100% of population
- Expedited fraud detection
- Reduced time spent on lower-risk areas
- Repeatable audit testing
- Audit efficiency
- More time spent on high-risk and complex areas
- Quantified results
- Insight into client operations
- Identification of patterns, outliers, and trends
Source: Crowe analysis
Injecting data analytics into business processes has a significant impact on any organization’s control environment and extends risk coverage considerably. Data analytics allows testing of 100 percent of any population, providing much broader and more in-depth strategic risk coverage than could ever be achieved with the traditional sampling approach that has long been used by internal audit. All of this leads to more meaningful and actionable insight into operations while bolstering management’s control structure.
But it is worth noting that a culture shift may be required among internal auditors to embed data analytics into their daily work because, despite the incredible advantages of data analytics, some may view its implementation as a necessary evil. On the contrary, data analytics can help support more effective internal audits. Traditional internal audits without the widespread use of data analytics are typically very labor intensive and limited to sampling. The scope of audit services also can be somewhat narrow because of limited resources. When data analytics is embedded into the audit process, audit coverage is expanded and insight into organizational operations is greatly enhanced. Specialized audit resources are freed up to focus on more high-risk and emerging issues.
Data Analytics and a Robust Risk Assessment
Every audit team should strive for a comprehensive risk assessment that is not bound by a specific or limited skill set or tempered by management. This will allow for the development of a proactive audit plan that focuses on the right risks with the right allocation of resources. A traditional risk assessment approach meets all of the professional standards, but in the end, it is more of a box-checking exercise. In the traditional risk assessment, it is not uncommon to use questionnaires sent to relevant personnel via email or to carry out interviews with a limited number and scope of leaders by just asking them what their concerns are. The resulting audit plan generally matches the skills of the auditors conducting the risk assessment, often missing significant areas of risk to the organization. The approach driven by data analytics, however, truly can take the pulse of an organization, speedily identifying risks.
To take internal audit to the next, more effective, level, internal auditors must do their homework prior to risk assessment interviews – a much better strategy than simply collecting lists of management concerns. Auditors should review the organization’s strategic plan, financial reports, and budgets. In addition, they should study available public data and perform data analytics to gain knowledge and insight that can help make risk discussions more impactful. A data-driven risk assessment offers quantified information that is both objective and independent. Without an effective risk assessment, internal audit is not identifying the right risks to the right depth. The results of the risk assessment will not provide the highest value to the management and governance teams.
Data analytics is a great tool to help develop an organization’s key performance indicators (KPIs). These KPIs can use nationally publicized metrics from organizations such as the Centers for Medicare & Medicaid Services, or they can be internally developed. With this type of data analytics, hospitals within a health system can be compared to each other, highlighting areas of risks across the entire system. Having this information arms the auditor with questions related to the areas that ranked as high risks and allows them to demonstrate their understanding of the organization’s operations and risk environment.
Data Analytics in Audit Fieldwork: The Opioid Crisis and Drug Diversion
The benefits of data analytics can be especially valuable when considering the risks posed by the nation’s opioid crisis, which has reached alarming levels. Gaps and weak controls over the dispensing and administering of controlled substances exist at many healthcare organizations. By bringing together disparate data from time accounting systems, electronic medical records, and automated dispensing machines, data analytics can provide a more holistic view of the process. As an example, a drug diversion audit at one hospital revealed the following shocking results:
- 674 narcotic dispenses not documented as administered in the medical record
- 382 instances of nurses dispensing drugs from multiple dispensing stations on differing floors on the same shift
- 18 instances of nurses dispensing drugs on their day off
This information does not directly identify drug diversion, but it shows anomalies, trends, and patterns that might indicate a potential drug diverter and allow the hospital to take action.
The Auditors’ Mission Made Easier
When discussing the implementation of data analytics with their organizations’ leadership, internal auditors can make strong cases for the improved business strategy brought by data analytics. Incorporating data analytics into all aspects of the audit process will give internal audit a new level of insight into operations. Data analytics is the ultimate investigative partner, able to analyze huge amounts of information at incredible speeds and freeing up internal audit’s scarce resources to focus on risks in new and emerging areas and to detect changes and vulnerabilities in processes that could expose the organization to undue and unplanned risk. Data analytics helps organizations thrive in today’s ever-changing and challenging healthcare environment.