The Future of Internal Audit Is Today

By Scott C. Gerard, CPA
| 6/25/2019
The Future of Internal Audit Is Today

While some healthcare organizations are thinking about the future of healthcare internal audit and how to use big data, others are embracing the future today, taking advantage of available data to expand audit coverage and drive their internal audits.

With today’s technological advances and the nationwide implementation of complex electronic health record systems, organizations have access to large volumes of valuable medical and process-related data. The ability to use that data to make internal audit more effective and drive efficiencies is of great value, especially as audit and compliance risks within the healthcare industry become more complex. Innovative methods for assessing and managing risk are critical, so the use of data analytics and advanced technologies within healthcare internal audit should be thought of as crucial and not just “nice to have.”


Healthcare internal auditors should embrace technology and begin using sophisticated tools to reap the benefits of embedding technology within an internal audit function. Such benefits include:
  • Automating manual processes
  • Allowing for full population analysis and testing to reduce sampling bias and “needle in the haystack” exception identification
  • Supporting continuous and complete coverage without a need to sample
  • Helping to identify outliers, patterns, and trends not otherwise identifiable through more traditional audit procedures such as human review and analysis
  • Freeing up valuable internal audit resources for value-added activities such as investigation, root cause analysis, and remediation support


Even after considering the benefits of embracing technology, some auditors may be able to create a similar-size list of challenges to implementing technology. As with all worthwhile journeys, known and unknown challenges must be understood and overcome to achieve success. Challenges may include:
  • An inability to acquire talent or train team members on the necessary technology
  • Problems in developing or acquiring software to support the data analyses
Once an organization’s internal audit team has decided to move forward with a technology-driven strategy, it is likely to determine that the benefits of achieving the strategy will greatly outweigh the efforts and costs required to overcome the challenges and achieve those benefits. Engaging a third-party resource might help.

What to look for in an internal auditor

Internal auditors should be knowledgeable about data analytic software and techniques. In addition, they should use data analytic routines to take advantage of technology, expand the scope of internal audit testing, and enhance audit quality. The data analytic routines should cover many risk areas and internal audits across the full healthcare continuum. The use of data analytics within audits allows the auditor to test the full population of data for a specified period, allows for a more complete understanding of the process, and more efficiently leads to the identification of potential cost savings, revenue enhancements, and regulatory compliance issues. In addition, the use of data analysis allows auditors to focus more time on root cause analysis and remediation of issues as opposed to manually testing transactions.

Each data analytic test should start with a data request related to the risk area under audit. Information requests can include payroll files, accounts payable files, 837/835 claims data, dispensed drugs, or patient accounting detail, among others. Auditors can analyze the data and generate a series of reports identifying potential exceptions and issues for further analysis and investigation by the auditor and process personnel. The auditor then can perform exception or outlier analysis on the underlying transaction documentation, patient claims, and patient medical records to determine root causes and the impact of any potential issues identified. Once the auditor’s analysis has identified process issues, the auditor and process owner should collaborate to design an appropriate action plan to remediate the causes.

Using the full population of data in these audits shortens the time spent to conduct the audit, enhances the value provided to the process owners, increases the likelihood for the identification of root causes, and eliminates tedious transaction testing, which is prone to human error.

Areas to assess using data analytics

A technologically advanced internal audit can offer insights into several areas crucial to a healthcare organization.

340B Drug Pricing Program. Data analytic tests to evaluate 340B regulatory compliance of hospital and contract pharmacy operations include:
  • Identification of drugs provided to patients with an inpatient status
  • Identification of drugs not supported by dispensing data
  • Identification of drugs not ordered by eligible providers

Charge description master (CDM). Data analytic tests to assess the overall accuracy and completeness of the CDM include:
  • Comparison of charge code pricing against Medicare ambulatory payment classification (APC) rates
  • Identification of invalid or terminated current procedural terminology (CPT) codes
  • Comparison of pricing against Medicare fee schedules
  • Identification of charge codes priced at $0.00
Drug diversion. Drug diversion data analytic tests include:
  • Identification of instances in which drugs were dispensed with the same employee and witness ID
  • Identification of drugs being dispensed by personnel not scheduled to work or working on a different unit
  • Identification of instances when drugs were wasted with no associated witness
Length of stay (LOS). A number of LOS tests are based on Medicare Severity Diagnosis Related Groups (MS-DRGs) and patient admission and discharge dates. Data for all inpatients within a specified period is analyzed to:
  • Identify patients whose LOS is greater than the Centers for Medicare & Medicaid Services (CMS) mean LOS for that diagnosis code
  • Identify LOS trends by physicians to highlight those physicians whose lengths of stay are outside the norm
  • Identify inpatient accounts where the patient was admitted and discharged on the same day
System access and segregation of duties. IT security analytics based on human resource (HR), payroll, and supply chain roles include:
  • Identifying users with conflicting security permissions
  • Listing potential conflicts based on HR, payroll, and supply chain segregation of duties matrices
  • Identifying users with system access beyond their termination date
Fraud detection. Tests for fraud detection include searches for:
  • Potential duplicate employees
  • Duplicate payroll payments
  • Employee pay rate changes in timekeeping systems
  • Employee Social Security numbers in the Social Security Administration’s Death Master File database of deceased persons
  • Multiple deposits into the same bank account
  • Unusual manual adjustments to paid time off balances

Using technology to reduce compliance risk

CMS has numerous ways to identify improper payments, fraud, and abuse. Even for inadvertent errors, penalties can reach thousands of dollars per claim under the False Claims Act.

Data analytic technology can be designed and used to conduct internal audits of entire data populations and can help identify and reduce a healthcare provider’s risk. Internal auditors can use innovative tools to support the annual risk assessment process, to support an internal audit project, or to help identify and reduce risk. Some tools monitor claims and billing data in real time (or periodically), which can help healthcare providers detect issues and mitigate risk.

The right tools can proactively analyze claims data to help detect issues before they escalate into costly errors. Additionally, they can help free up skilled clinical and case management employees to focus on higher-value tasks.

The right tools also can provide a comprehensive view of risk by analyzing 100% of a hospital’s inpatient and outpatient 837 claims and 835 payment data. A number of sophisticated tests can help diagnose potential coding and billing vulnerabilities. Examples of analyses using innovative tools include:

Observation versus one-day stay. Tests can identify negative trends related to situations with a high risk related to observation patients given an inpatient status.

Length of stay. Technology can identify and point the auditor and hospital staff to areas and service lines that are increasing LOS.

Readmissions. Using technology for a readmissions internal audit can help reduce the hospital’s number of readmissions, the hospital’s penalties, and the hospital’s reputational risk.

Emergency department levels. Technology allows auditors to analyze Level 5 encounters and identify higher-risk areas. Coding and clinical auditors can use technology to analyze 100% of the hospital’s data instead of performing random sampling. This allows auditors to focus more time on root cause analysis and remediation as opposed to detailed testing of controls.

Wound care. Technology can support an audit focused on patient care and on Office of Inspector General/CMS compliance for billing of wound care and hyperbaric oxygen therapy. A tool that analyzes 100% of wound care 837 claims submissions and identifies trends in clinical, coding, or operational anomalies can give auditors time to focus on root cause analysis and remediation as opposed to detailed testing of controls.

Inpatient-only procedures performed on outpatients. Technology can support an audit focused on reviewing claims where the hospital potentially has “left money on the table” by billing for an inpatient-only procedure for a patient classified as an outpatient (for example, when CMS pays $0 and does not allow the provider to rebill for the service). A tool that identifies these situations can support root cause analysis and enhance the process going forward.

2020 and beyond

As we move to 2020 and beyond, healthcare providers continue to create significant amounts of data every day. Healthcare management should look for internal auditors to leave old audit methods and sampling techniques in the past, include data analytics as part of every internal audit project, and embrace and use the latest advanced technology.

Contact us

Scott Gerard