Next Generation Internal Audit

By Jerry Lear | 11/17/2015

Industry evolution and the Affordable Care Act have led to unprecedented changes in healthcare, greatly increasing the scope and complexity of risk and compliance.

Healthcare internal auditors must alter their approach to provide more in-depth, strategic risk coverage that keeps pace with the changes. The next generation of internal audit demands a shift from the traditional, transaction-based approach to a strategic, dynamic, multidimensional approach that transforms audit into an insightful and powerful risk enterprise tool with material impact on the control environment.

The next generation model can be thought of as a best practice for internal auditors to work toward to extend their function’s effectiveness and value within the organization.

Next Generation Pillars

Four pillars are the foundation of this model:

  • A robust, comprehensive risk assessment to identify high-risk issues in a broad range of clinical, strategic, and operational areas as well as traditional transaction-based functions
  • An infrastructure based on the deft use of sophisticated data analytics to support more efficient and effective coverage of traditional audit areas while creating a platform for coverage of new industry risks
  • Flexible staffing that draws on specialist expertise in a wide range of clinical and other functions, such as nursing, pharmacy, and information technology, to generate business intelligence and results in new and emerging complex risk areas
  • A risk culture of strategic alignment and close collaboration between internal auditors as risk advisers and the senior leadership, management, and governance teams

The concepts underlying these pillars are relatively straightforward. However, bringing them to fruition in a hospital or healthcare system can be very complex.

Internal audit often is seen as an isolated project function rather than as a strategic business partner responsible for expert independent appraisal and reporting on such matters as complex physician arrangements and cybersecurity. Healthcare internal auditors have some resistance to overcome to change this perception.

At a recent Crowe webinar, participants raised questions about the challenges of implementing the next generation model. Following are some of the questions and the related recommendations.

Our audit department is small, with few people and a low budget. What is a good starting point for moving to the next generation model?

The first step is evaluating your risk assessment process and determining ways to broaden its breadth and depth in nontraditional areas. If you can provide some strong results that show the true risks facing the organization, you will open eyes and demonstrate the need for expanded risk coverage.

Start by building connections with people in nontraditional areas. Discussions with these people will help you begin to pick up on new risks that need to be touched by your function – risks that can have a significant impact on the organization.

The next step is to get creative with resource planning. Once you present the risk assessment and have created the demand, you will need to show how you are going to provide the coverage with specialist expertise. This will begin to raise awareness that will help open the door to next generation coverage.

We have an audit committee that is happy with the status quo. How would you recommend that we begin engaging them in dialogue about transitioning to the next generation and moving away from an exclusive focus on the traditional audit cycle?

Many audit committee members believe that the way internal audit operates in other industries is how healthcare internal audit should operate as well. A common misconception is that internal audit should cycle through traditional financial processes and controls. Healthcare internal audit is a different animal, with a unique set of issues and nuances. Healthcare internal auditors can begin to win acceptance for the next generation model from their audit committee members through the ongoing sharing of knowledge and insight about the unique challenges of the regulatory environment and healthcare internal audit’s potential contributions within that environment.

Governance first must understand healthcare’s new and emerging risks to appreciate the control and specialized oversight needed to monitor and address these risks. Internal audit can serve as a valuable resource in this regard. With education, audit committee members can begin to appreciate the need for a strategic and comprehensive approach to risk that extends far beyond conventional boundaries.

How can our internal audit department begin to integrate our work with the work of other departments, such as compliance, quality, and legal?

The ideal scenario in the next generation environment is one in which all of these areas use their resources while appreciating and taking full advantage of internal audit’s resources and unique capabilities as an important extra set of eyes.

There are some extremely robust and effective compliance, quality, and legal departments in healthcare. However, all of these departments could be made exponentially more effective through a strong collaboration with internal audit.

The goal is to complement each other without duplicating efforts, beginning with a risk assessment followed by an open dialogue regarding how to work together to provide risk coverage. A strong, seamless, tag-team approach between internal audit and these other functions can strengthen the organization as a whole.


How can our organization use data analytics to drive risk assessment in the next generation model?

Data analytics do not stand alone, but they can be used to supplement and support risk assessment findings. For example, CHAN Healthcare, a subsidiary of Crowe, uses data analytics to evaluate specific areas within the revenue cycle, beginning to provide a summarized view of outliers that point to potential process issues within the charge description master, charge reconciliation, claims processing, and other, larger processes that could increase risk.

As an example, in addition to conducting interviews to identify areas of potential risk within high-volume ancillaries and service lines, CHAN has used data analytics to show the potential financial losses of certain types of missed charges. These results can be used to initiate a conversation about processes and also to reveal the potential lost reimbursement amounts associated with missed charges in specific areas. Presenting the results of these analytics to support the outcomes of your risk assessment can be very powerful.


Transitioning to the next generation of internal audit will not be easy, but it can be done, and the transition is worth making. Take advantage of the model; start using it where you can; educate leadership, governance, and key stakeholders about it; and measure yourself against the areas of next generation internal audit on which you are already delivering or on which you could begin to deliver.

