Internal controls are designed to provide healthcare organization leadership with reasonable assurance that operational objectives are achieved, including effective and efficient operations, accurate and reliable financial reports, and compliance with laws and regulations. But if those internal controls aren’t effective, an organization can lose valuable resources in the form of both dollars and time.
Why Internal Controls?
Every healthcare organization needs to establish strong internal controls so that business processes run smoothly, are consistent, and assist in accomplishing strategic objectives. Internal controls represent specific activities or measures, such as reviews, reconciliations, and checks and balances. Controls that organizations implement should be consistent and repeatable. The control processes often are both manual and automated in nature, providing needed protection 24/7.
Having strong internal controls in place is critical because they contribute to an organization’s ability to:
- Conduct work in an orderly, efficient manner
- Safeguard assets, resources, and data
- Detect and minimize errors, fraud, and theft
- Meet regulatory requirements
- Collect accurate and complete accounting data
- Produce timely and reliable management and financial data
- Adhere to organizational policies and plans
When organizations establish strong internal controls, operations are more reliable and leaders have more time to devote to strategy and other areas such as growth and innovation.
Are Your Internal Controls Working?
Organization leaders often think that simply having internal controls in place is enough. In reality, however, many times the internal controls are not effectively designed to work in the best interest of the business or have a positive impact on the business’s bottom line.
The individuals who are involved in the day-to-day details of business processes sometimes are too close to see where control weaknesses exist. Having a third-party auditor examine the organization’s internal controls can help identify weaknesses in internal control design. An auditor can step back and consider the situation from an outsider’s perspective and identify weaknesses and opportunities for improvement that those who are very close to the situation may not notice.
Organizations benefit when auditors identify weaknesses that result in missed financial opportunities. During the audit process, auditors ask department managers for proof – documentation and demonstration – of how their internal controls are functioning. This is when department managers discover whether the controls are operating as they believe. In essence, an audit provides the discipline and expertise an organization needs to take a closer look at its processes.
Internal controls should provide organizations reasonable assurance that processes are working. Well-designed internal controls should not result in overcontrol – their function isn’t to identify every time a dollar may have been missed, and complete assurance likely would be cost-prohibitive. Rather, each organization should determine the most important functions within its operations over which it needs to have control. Some internal controls can be monitored periodically, but others should be continuously monitored because of the significance of what could go wrong.
Setting the Stage for Good Internal Controls
The strength of an organization’s internal controls has a direct correlation to its ability to achieve its primary goals and objectives. The characteristics of a strong, well-designed internal control environment include:
- Supportive leadership that sets the organizational tone
- Identification of risks that might hinder organizational objectives
- Established policies and procedures that are communicated and adhered to
- Technology and processes that support efficient communication
- Established and monitored performance metrics
An organization with strong internal controls demonstrates accountability and an understanding of risks. In a weak control environment, internal controls often are lacking or inconsistent. In these organizations, where the processes are not stable, the risk of negative outcomes is very high.
Savings Continue Year After Year
The savings organizations realize from well-designed internal controls are seldom one-time events but, rather, continue in perpetuity. The consequences of inadequate controls, however, can be very costly, resulting in missed revenue, unanticipated expenses, or excessive payments, sometimes to the tune of millions of dollars, year after year.
Take, for example, the experience of one healthcare center. An audit revealed that controls in place to monitor items such as pricing were not functioning properly. Costly outpatient treatments were being undercharged. As the result of the audit, better-designed controls were implemented – resulting in hundreds of thousands of dollars in increased reimbursement for the organization for a one-year period. But the savings didn’t stop there, because the center continued to bill appropriately for its outpatient treatments.
Another example is a case involving a hospital facility that was undergoing extensive renovation. An audit revealed that controls were not well designed or working as management expected. Concerns were noted relating to change order management and the overall monitoring of project expenses in relation to the contract. As a result of the audit, the hospital system was able to reduce the project costs by several million dollars.
Although there is a cost to performing an audit, the additional revenue and cost savings can more than compensate for that expense.
With the combination of well-designed internal controls and an organizational culture that supports internal controls from top-level management all the way throughout the organization, healthcare systems can collect all of the revenue they are due and pay only the expenses they legitimately owe. Benefits such as this can be expected to continue year after year.