menucloseContact UsEventsNewssearchclose
Services
Industries
Insights
About Us
Careers
Contact UsEventsNews
searchclose

Internal audit tools in action: Taking on today’s biggest risks

Sarah Cole, Cody Loup, Bea McNamee
Healthcare Connection
| 3/6/2024
Internal audit tools in action

Gain control of ever-expanding risks with smarter internal audit tools.

Today’s chief audit executives (CAEs) and their teams know all too well about the growing number of risks facing healthcare provider organizations. They also know that even within an environment of expanding risks, they still need to exercise control while bringing value to their organizations – all despite shrinking financial resources and teams.

How can internal auditors do this? They need to start with the right tools. Following are three examples of how healthcare-specific internal audit workflow tools, such as Audivate, can help internal auditors uncover and address some of the industry’s biggest risks.

Get the latest information from healthcare industry specialists
Receive Healthcare Connection and other valuable healthcare thought leadership from Kodiak Solutions.
Subscribe now

Internal audit tools in action: 3 case studies 

Case study 1: SSI rates

The risk

While performing an annual risk assessment at a health system, internal auditors noticed surgical site infection (SSI) rates were higher at one medical center than at others within the system. A deeper review using data analytics revealed a spike in SSI rates at Medical Center A during November and December. By analyzing the data, auditors found the medical center’s infection rates were higher than others within the health system even though it did not perform the most surgeries. This alarming trend led internal auditors and health system leadership to add a surgical safety audit of Medical Center A to the health system’s upcoming audit plan.

How internal audit tools helped

By using Audivate, a healthcare-specific internal audit workflow tool, the internal auditors could gather and review detailed background information about surgical safety. The audit team was then ready to perform on-site observations of multiple surgical areas and conduct interviews with staff in several departments. After reviewing and observing surgery site prep in pre-op and in the operating room, the audit team could not find any anomalies and decided further investigation was needed to determine why Medical Center A had a high SSI rate.

Additional discussions between the audit team and medical center executives revealed new information: The medical center’s supply team recently had worked on a product cost reduction project. The auditors again used analytics found within Audivate on all product changes made at Medical Center A in the last quarter. They discovered that the skin prep agent used on patient surgical sites had been changed to a cost-saving alternative during that time.

Interviews with additional staff members revealed that the medical center’s supply chain team had not informed surgical leadership about the product change. As a result, clinicians were unaware that the new product had a longer dry time than the one previously used. The skin prep needed to remain wet longer than the previous product – three minutes versus two minutes – or it would not work properly to kill bacteria. Not adhering to the longer dry time had resulted in surgical site infections. Without the ability to conduct a deeper audit using analytics, that mistake might not have been uncovered, putting more patients at risk and costing the medical center even more due to the costs associated with treating SSIs.

Case study 2: No Surprises Act compliance

The risk

Internal auditors at Hospital B used Audivate to help rank the organization’s risks and determine which warranted an audit. Compliance with the No Surprises Act (NSA) turned up as a top risk area for the hospital. This complex regulation, which became effective Jan. 1, 2022, aims to protect patients from unexpected balance billing and has been a leading risk area for many healthcare organizations since its inception due to penalties and reputational damage that could result from noncompliance.1

How internal audit tools helped

To better focus its audit on the hospital’s NSA compliance, the internal audit team leaned on the knowledge-management features of Audivate to get up to speed with the latest on this evolving legislation. The tool, which is frequently updated to include new risk areas and regulations, allowed them to examine information quickly and efficiently. Between the research tools and conversations with hospital executives, auditors were better able to understand the organization’s main business objectives related to the NSA:

  • Defining, implementing, and maintaining policies, processes, and controls that adhere to NSA regulations
  • Preventing surprise medical bills and balance billing

With those objectives in mind, the internal auditors continued audit planning by collecting essential information, such as documentation related to implementing requirements for NSA compliance; other policy, procedure, and workflow documents; and data about work queues used to monitor NSA accounts. The audit team also interviewed staff in relevant departments, including revenue cycle, patient experience, and compliance. The information gathered through interviews was used along with the background intelligence from the internal audit workflow tool to develop the audit scope and objectives.

To help determine testing areas, the team used Audivate’s risk and control matrices (RACMs) feature. Some of the areas identified to test included:

  • NSA notice policies and public notices
  • Balance billing policy
  • Balance billing consents
  • Good faith estimate policies and procedures
  • Patient-provider dispute resolution policies and procedures
  • Network contract termination policies and procedures
  • Provider directory update policies and procedures

Moving forward, the audit team can remain up to date with the NSA using the background information in Audivate to guide future NSA compliance audits.

Case study 3: IT user access and user provisioning 

The risk

After discovering a former employee still had access to several software systems despite leaving the organization, Hospital C wanted to gain an understanding of which internal users had access to technology systems and what level of access they were granted.

How internal audit tools helped

While planning their approach, internal auditors collected background information on the topic from Audivate, professional organizations that specialize in healthcare IT, and other industry groups. The background document from Audivate included common IT risks and example controls. Auditors also met with stakeholders to discuss processes and procedures in place for system access and user provisioning. These data points helped guide the internal auditors toward developing the audit scope.

The background information revealed to auditors several areas that would be beneficial to test, such as fraud due to inappropriate access (for example, data confidentiality breaches). The team also considered performance standards (for example, the speed at which user access is granted or removed after initial request and the controls in place to limit modification, destruction, or disclosure of data), the ability to identify separation-of-duties violations, and policies in place for password configuration requirements.

These examples were just some among a list of many areas identified for potential testing. With so many risks, it can sometimes be overwhelming to determine the testing plan and how best to test each item. The internal audit team received help from Audivate, which used RACMs to generate a lengthy list of risks and controls and provided information to auditors about how best to test them.

To streamline this audit, the auditors used another feature of Audivate: an accelerator that allows testing several areas at once. Auditors could cover more ground while still testing the full population of data (not just a sample). As a result, they were able to conduct this audit more quickly and had time to fit in additional risk coverage during their workdays.

Expand risk coverage

Now can feel like a treacherous time for healthcare internal auditors, who face a seemingly never-ending stream of complicated risks to identify and mitigate. However, it quite possibly has never been a better time to demonstrate how efficient and effective internal audit tools can be a value to healthcare organizations.

Internal audit workflow tools designed specifically to address healthcare risks can build your team’s knowledge base and comfort level when auditing even the trickiest areas. For additional support, find out how internal audit specialists can partner with you or how tools like Audivate can expand risk coverage even further.

1 Rebecca Welker, Shameka Smith, and Rich Costello, “Surprise! Are You Ready for the No Surprises Act?,” Crowe Healthcare Connection, March 7, 2022, https://www.crowe.com/insights/healthcare-connection/are-you-ready-for-the-no-surprises-act

Contact us

Sarah Cole
Sarah Cole
Vice President, Risk and Compliance, Kodiak Solutions
+1 314 802 2049
Cody Loup
Cody Loup
Kodiak Solutions
+1 314 802 2040
Bea McNamee
Bea McNamee
Kodiak Solutions
+1 314 802 2038