The scope and complexity of risk in the present highly regulated, value-driven healthcare environment require healthcare organizations to rethink their use of internal audit. To adapt to the industry’s shift from volume to value, healthcare organizations must be willing to expand their internal audit activities beyond a traditional focus to include clinical audits. Clinical audits unite clinicians and internal audit professionals to measure compliance of healthcare delivery and operations against industry standards, with the goal of identifying actions to assist in improving care delivery and patient outcomes.
Three Lines of Defense
In a 2013 position paper, the Institute of Internal Auditors (IIA) described a model for effective risk management and control consisting of three lines of defense, with management control serving as the first line of defense, the various risk management and compliance oversight functions as the second, and independent assurance as the third. “All three lines should exist in some form at every organization, regardless of size or complexity,” according to the IIA.1
In healthcare, the quality improvement initiatives most hospital and health system clinical departments have been immersed in for years represent the first line of defense. The additional work of internal quality and compliance departments to monitor these clinical efforts provides the second line of defense. The third line of defense uses an independent resource (the organization’s internal audit department, an outside firm, or a team consisting of internal audit professionals from both within and outside of the organization) to examine clinical processes from both the design and operations perspectives to identify gaps in elements that are needed to produce strong care delivery processes. Audit activities at each line of defense provide different perspectives that are necessary to drive performance improvement.
The significance of the work performed by the first and second lines of defense is without question. The third line of defense – review by an independent resource – takes a cohesive look at the workflow design, technology, culture, education, training, communication, policies, protocols, and metrics related to a given aspect of clinical care (see exhibit). Each one of these areas can have an impact on the efficiency and effectiveness of care delivery. This clinical audit focus provides a clear picture of what is working and what is not working that creates the potential for care delivery risk.
Exhibit: Clinical Audit Focus
Considering the complexity and demands of the current regulatory environment, this third line of defense is essential. For example, a third-party clinical audit might help a healthcare organization that is struggling to comply with evidence-based practices for the management and treatment of ventilator-associated pneumonia discover that the root cause of an issue actually stems from inconsistent use of available electronic medical record technology and incomplete order sets. This lack of clarity hinders the organization’s ability to provide timely care that aligns with evidence-based care protocols. The clinical audit can help pinpoint these performance gaps and provide the insight needed to develop sustainable solutions.
Steps to Success
For many healthcare organizations, the clinical audit represents a new strategy to provide a third line of defense against clinical quality risk and patient safety risk. The following steps can help an organization enhance performance improvement efforts and achieve clinical objectives.
- Conduct a robust risk assessment to define areas of focus. Deciding where to focus should grow out of a collaborative discussion between clinical leadership and internal audit leadership. It should identify the organization’s areas of greatest strategic importance and the clinical areas most challenged to show performance improvement (the big picture) before delving into greater detail. Within the larger category of patient safety, for example, the organization might be dealing with issues such as event reporting, patient falls, never events (such as wrong-site or wrong-side surgeries), retained foreign bodies, fires, medication errors, and hospital-acquired infections.
- Engage both senior executives and front-line managers in the audit process, and clearly define participants. A clinical audit will not be successful without the support and involvement of relevant stakeholders. Therefore, all projects should solicit the engagement and commitment of senior leaders, including the chief nursing officer and the chief medical officer. Front-line managers and clinical staff from the selected area must be involved so they understand how their role in the process aligns with regulatory protocols and fits in with the care delivery continuum. Documenting care delivery controls with process owners often identifies gaps before any testing occurs.
- Use data, establish metrics, and monitor outcomes. Organizations should report and track care delivery performance and patient outcomes against internal goals, regional competitors, and national benchmarks to identify opportunities for improvement. Clinical audits allow organizations to capture a snapshot of data related to specific care processes, some of which could affect outcomes in other areas. As a result of a clinical audit, for example, one organization learned that in addition to placing significant focus on adhering to evidence-based care in order to reduce central line-associated bloodstream infections (CLABSIs), attention also must be paid to reducing the central line insertions altogether.
- Review priorities regularly. Knowing what regulations are on the horizon and considering the emerging clinical risks related to these regulations will allow organizations to prepare for additional performance improvement. As the organization changes, priorities also will change. Focusing too many resources on one area could lead the organization to lag behind in other areas that might become higher priorities.
- Ask “Why?” five times. The right root cause of a problem must be identified – otherwise time and resources might be spent “fixing” the wrong part of the process. That, in turn, could cause another problem rather than solving the original problem. Likewise, if compliance begins dropping off after corrective actions have been implemented, it is important to determine the reasons why. Healthcare’s inherent complexity carries many unintended consequences. A drop-off in desired behavior might stem from an indirectly related factor, such as a computer programming change that interferes with the timely delivery of alerts. Such changes can have serious implications.
- Build action plans based on continuous monitoring to assess the effect of incremental changes. Changes come in a variety of forms – large and small. The most effective change often is incremental, in which the first step in a series must be correctly implemented before the next step in the series can be taken, and so on. Not all change results in improvement. Sometimes change does not achieve the desired result. The only way to know whether a new process is working is by monitoring the change on an ongoing basis and using data to assess whether it has had the desired impact.
- Create accountability. Responsibilities must be assigned to make sure improvements are made until the desired outcome is achieved and sustained. Many organizations create new policies to fix problems. However, these policies often are forgotten unless individuals are held accountable for their responsibilities. To achieve the absolute compliance that is needed in patient care, clinicians and other staff must know that a given measure or element of performance is being monitored and that they are responsible.
The need for clinical audits will grow as reimbursement becomes increasingly tied to organizations’ ability to demonstrate value and meet federal standards for quality and safety. It is incumbent upon organizations to begin exploring ways to make clinical audits a regular and ongoing part of their internal audit activities. Working together, clinicians and internal audit professionals can begin to deliver the deeper level of risk coverage required in the current value-driven environment.
1 Institute of Internal Auditors, “IIA Position Paper: The Three Lines of Defense in Effective Risk Management and Control,” January 2013, https://na.theiia.org/standards-guidance/Public Documents/PP The Three Lines of Defense in Effective Risk Management and Control.pdf