Setting Audit Committee Goals: What Should Be on Its Agenda?

By Scott C. Gerard, CPA, and Harry H. Kimball, CPA
7/24/2018
Healthcare Connection
With so much change going on in healthcare each year, it’s more important than ever for audit committees to have a focused annual plan regarding how to address organizational risks. Healthcare audit committees need to understand organizational risk areas – and how those risks are determined – in order to prioritize committee agenda items throughout the year and make the most impact on the organization.
Audit committees can determine top focus areas for the year and can help the organization address critical priorities that help it achieve its overall strategic goals by following this guidance:

Determine Overall Strategy for the Year

It is important to align the audit committee’s strategic goals with the organization’s strategic goals. The audit committee’s goals should be listed and agreed to by both the committee members and the board of directors. Each goal should have a specified time horizon with a clear distinction between short- and long-term goals as well as a description of how the goals align with the organization’s strategy. The audit committee should review these goals annually and make sure committee meetings scheduled throughout the year serve the strategic goals. This process should include an affirmation of the oversight role of the audit committee and the committee’s commitment to appropriate compliance. Any updates made to the audit committee’s charter or strategic goals should be discussed and communicated during the audit committee meetings. This process should be timed to align with the frequency of the audit committee’s meetings. 

Identify Risk Areas

Strategic, successful audit committees head into a new fiscal year with a game plan for addressing top organizational risk areas. To determine the areas on which to focus, audit committees must ask: What are the organization’s greatest concerns or areas of stress? What are some of the challenges the organization will face in the near future?
The audit committee should work with the hospital or healthcare system’s management team to understand the organization’s risk management strategy, including what the organization’s plans are for sufficiently addressing risk areas. Coordinating with management, the audit committee should:
  • Understand how the organization determines risk areas. It’s important for audit committee members to understand the process by which management team members determine organizational risk areas. For example, committee members should know whether the organization has a formal risk assessment process in place or has implemented an enterprise risk management process. If these processes are already established, the committee should understand how they will be updated during the year.
  • Learn what those risk areas are. The management team should routinely share the results of organizational risk assessments with the audit committee. In addition, committee members may want to gain an understanding of the general risks facing healthcare organizations throughout the country. Audit committee members and members of the management team can review these trends to help drive conversations that will shape priorities for the year. The "Top 20 Risk Areas" section at the end of this article contains a snapshot of the top risk areas healthcare organizations identified for 2018.
  • Identify stakeholders to address risk areas. Once audit committee members determine organizational priorities for the year, they should make sure management has appropriately identified the personnel responsible for taking ownership of mitigating the risk areas and keeping the audit committee up to date about these topics.

Make a Plan for Presentations

In addition to identifying risk areas and formulating a plan for addressing them, the audit committee also should make sure management has a plan for providing the committee with updates on relevant, appropriately timed subject matter.
Typically, audit committee members receive updates from areas such as finance, compliance, legal, IT, internal audit, and external audit at committee meetings throughout the year. The management team should work closely with the audit committee chair or management’s designee (for example, chief compliance officer, chief audit executive, or general counsel) to plan meeting agendas for the year that cover topics relevant to each organizational risk area. Including these updates in a formal plan helps make sure important topics are not forgotten.
In addition, the audit committee should have a plan in place for how management will communicate to the committee information regarding significant organizational changes such as joint ventures, mergers, or other transactions. Working with management, the audit committee should decide to what extent – and how frequently – it wishes to be briefed on major organizational changes.

Write It Down

It may seem simple, but having all plans in writing is the best way to make sure stakeholders are focusing on the same information. The annual plan should be shared with all audit committee members and management and should be revisited throughout the year. Committee meeting agendas and minutes also are ideal places to record risk areas and progress made in addressing organizational risks.
When various operational, financial, and regulatory changes affect the organization, the plan may need to be revisited and, if necessary, updated to reflect shifting organizational priorities.

Top 20 Risk Areas

These risk areas were identified through analysis of risk assessments performed across 262 healthcare entities. Organized into five critical healthcare areas, the list provides insight for organizations and their audit committees planning their agendas for the year. The risks listed here are not ranked in any particular order:
Care Transformation
  • Quality and patient safety
  • 340B Drug Pricing Program compliance
  • Health Insurance Portability and Accountability Act (HIPAA) compliance
  • Pharmacy inventory management
  • Physician contracting and compensation
Healthcare Operations
  • Care (case) management
  • Health information management
  • Joint ventures
  • Physician practices
  • Third-party vendor management
Information Technology
  • Cybersecurity
  • Disaster recovery and service continuity
  • IT governance
  • System access management
  • Systems implementation
Revenue Cycle Management
  • Billing and collections
  • Charge capture and charge description master
  • Denials management
  • Inpatient and outpatient coding
  • Patient access

Source: Crowe analysis, December 2017
