Healthcare internal auditors today are being called on to do more with fewer resources amid increasing risks. To thrive in this environment, auditors should consider moving from manual and potentially time-consuming methodologies, like risk assessment interviews and sample testing, to more advanced tactics, such as using data and continuous monitoring to identify risks during risk assessment, audit planning fieldwork, and follow-up.
Following are four steps internal auditors can take to find the right tools to fit their organization’s unique needs and to help their team evolve with the industry and their organization.
Step 1: Evaluate the organization’s current audit program
Internal auditors spend time evaluating other departments’ policies and procedures, but how often do they look at their own? Auditors should evaluate their current audit processes, workflow management, and any tools they are using. They should consider all areas of the internal audit function, from performing risk assessment, planning audits, and completing and reviewing audits to issuing audit reports and following up on action plans. If the department uses any tools, such as audit software or analytics packages, auditors should consider whether the team is taking advantage of their fullest capabilities. Does the audit team truly have the knowledge and expertise to get the most out of its analytics tools, or is it only scratching the surface?
After getting a good idea of where they stand currently, auditors should ask themselves where they want their department to be in a year, two years, and five years. They should consider questions such as:
- What value does internal audit bring to the organization, and how can that value be increased?
- Is the internal audit team a trusted business partner and adviser?
- Does the audit team feel comfortable that it’s assessing risk adequately within the organization, or is the team relying solely on interviews and past results, which can limit audit scope?
Step 2: Consider what’s missing
After evaluating the organization’s current internal audit function, auditors should consider what is missing that is preventing the audit team from getting to its ideal state. They should conduct research to assess where the team might have deficiencies and to better understand the capabilities of current tools.
When auditors assess what their audit function is missing, questions might include:
- Does the audit team have something that provides structure to its work, such as a workflow management tool?
- If so, what does the team hope to get out of its workflow management tool?
- Does the audit team have the right tools and information to help senior management and the audit committee feel comfortable that auditors are addressing critical risks?
During this step, it’s important to acknowledge that some team members might have blind spots; it can be easy for individuals to feel as though the way they do something is the best way. Adopting a mindset of “What else should we or could we be doing?” can help an audit team overcome any existing resistance to change. In addition, organizations could consider seeking out a third-party consultant to conduct a quality assessment of its internal audit function and any audit tools it is using.
Step 3: Investigate available tools
Once internal auditors identify deficiencies in their workflows and tools, they can begin researching technologies that can help close gaps and provide what they need to begin improving their department’s functionality and bring more value to the organization.
To start, the auditors should develop criteria that fit the organization and then use these criteria as a guide when searching for tools. It can be helpful to make a list that denotes “needs” versus “wants.” Some questions to consider when vetting a potential internal audit tool include:
- What kind of information does the tool contain? (For example, is it healthcare specific?)
- Does the tool offer automated reporting functionalities and automated follow-up? (For example, can it generate automated follow-up emails and customizable, on-demand reporting?)
- Does the tool provide a knowledge management function that can specify risks and outline audit steps?
- If so, how recent is the information included in the knowledge management function? (For example, is it built off the up-to-date research of subject-matter specialists and the experience of a community of internal audit peers?)
- Does the tool offer training information and documents for staff?
- Can the tool provide data that helps the organization benchmark itself against others in the field?
- Are analytics built into the tool, or can the tool link to analytics the organization is currently running? (For example, can the tool monitor claims data for potential reimbursement issues?)
- Does the tool allow for continuous monitoring of organizational risks?
- Can the tool identify patterns, trends, and outliers in the data and potentially detect fraudulent activity?
- Can the tool be used for risk assessment, audits, compliance projects, special projects, and investigations?
- Does the tool help internal auditors fully leverage their unique judgment and expertise in concert with data and analytics?
- Can employees who work remotely access and use the tool to its full capabilities?
After identifying available options and which tools might best help the organization achieve its internal audit objectives, auditors should arrange to participate in product demonstrations of those tools to help narrow down their selection. These demos provide the opportunity for auditors to see how a tool functions and ask specific questions about how the tool can benefit their organization.