Improving the internal audit process with technology

Delivering more value and efficiency

Sarah ColeMike WitekNatalie Peter
10/10/2022
Improving the internal audit process with technology

Continually emerging risks, competing priorities, and constrained resources often are the norm for internal auditors today. In this climate, it can be easy for auditors to feel like they’re not able to do enough – that there aren’t enough hours in the day or staff members on the team to adequately cover risks.

Despite these challenges, audit teams can expand their work capacity without increasing head count – through the use of technology tools, which can organize and streamline their work, and with more efficient internal audit processes.

How technology can increase value in the internal audit process

Technologies, such as audit workflow tools that can automate and standardize auditors’ work, can expand capacity of the audit team without increasing the number of employees. Although organizational leaders historically have viewed internal audit as an expense, the use of efficient internal audit technologies and processes can make it possible to save money.

Auditors can make the case to leaders and potentially help justify the cost of new tools. One way to do this is by demonstrating how using such tools can increase efficiency, risk coverage, and the value of internal audit without the expenses of expanding the team. Many of today’s subscription audit workflow tools, for example, are available for a fraction of the cost of hiring full-time equivalent employees.

The following case studies help demonstrate how technology can be an asset to internal audit and can help prove audit’s value to the organization.

Case study: Finding at-risk patients

The opioid epidemic that persists in the U.S. has made analyzing drug prescription trends even more important than ever. Use of data analytics can help healthcare organizations find patients at risk of opioid overuse and identify providers who are overprescribing these drugs.

The audit approach: Auditors reviewed a hospital’s real-time drug dispensing data to find patients who had received high volumes of opioid drugs. Using data analytics, the audit team:

  • Identified instances when opioids were dispensed at high volume to the same patients
  • Compared those patients to average patients, categorized by drug type
  • Determined which physicians had ordered the drugs
  • Uncovered potential red flags within the data, such as patients being self-pay, which indicated to auditors that further investigation was needed

The audit team then reviewed medical records to determine if the patients receiving the opioids had a medical necessity for them. Auditors also analyzed which physicians had prescribed the drugs and reviewed the Centers for Disease Control and Prevention’s Prescription Drug Monitoring Program database to check which, if any, other drugs the patient had received at any medical facility or physician office across the U.S. Data analytics provided auditors a big-picture view to determine whether these were high-risk cases and helped them close risk gaps before more patients were affected.

Risks prevented: By reviewing 100% of the data related to opioid prescribing – compared to just samples had the team used manual processes – auditors were able to quickly identify patients whose health was at risk due to the overprescribing of opioid medications. In addition, in-depth audits such as this helped prevent reputational risk to the hospital that might have occurred if opioid overprescribing had not been identified and had been allowed to propagate throughout the organization.

Case study: Finding risks in P2P

Audits of accounts payable (AP) and supply chain processes – also known as procure-to-pay, or P2P – are crucial for preventing financial and other risks. Due to workforce shortages, many hospitals have struggled recently with oversight of purchase approvals while demand for supplies only has increased. Some hospitals have resorted to relaxing approvals of requisitions, which carries big risks. When changes such as these occur in an organization’s control environment, auditors can help get things back on track or work with management to implement compensating controls.

The audit approach: Auditors in this example conducted pre- and post-implementation audits of an organization’s new enterprise resource planning (ERP) system. Prior to implementation, auditors met with AP staff to discuss control design. The audit team also participated in implementation team meetings and created a flowchart of current processes.

Using data analytics, auditors tested the existing system to determine the effectiveness of the internal controls. Auditors used analytics to review purchasing and invoice transactions – assessing 100% of the population – to identify gaps in approvals, segregation of duties, and adherence with policies. Using the data, auditors:

  • Compared current employees with users processing purchasing transactions
  • Compared buyers to employees receiving goods
  • Assessed payment dates against approval, order, and invoice dates
  • Assessed differences in quantities between purchase orders, receiving reports, and invoices
  • Inquired about instances when a three-way match was not performed
  • Analyzed role-based access assigned to each user for proper segregation of duties

After gathering feedback from the audit, the internal audit team suggested more efficient controls for the organization to consider incorporating with the new ERP system. Following implementation of the system, auditors then tested the new controls for efficacy. Finally, the auditors implemented a process for continuous auditing of role-based user access to the organization’s ERP system.

Risks prevented: The potential for risks within P2P processes is high if proper controls are not in place. Some common risks include:

  • Lack of segregation of duties among purchasing, receiving, inventory management, and payment teams
  • Lack of a three-way match among purchase orders, invoices, and receiving documents prior to payment
  • Nonexistent or not upheld defined purchasing approval thresholds
  • Improperly configured or monitored role-based access
  • Unaligned ERP supervisor hierarchy with purchasing approvals
  • Elimination of requisitions to allow for faster purchasing
  • No approval requirement for purchase orders from approved vendors

As in the previous case study, the internal audit team achieved a better audit outcome due to its ability to assess 100% – not just a sample – of the population. This helped identify more risks and led to quicker resolution of risk gaps.

Case study: Fixing the financial close process

Finance and accounting teams face several challenges during the monthly financial close process, which are underscored by today’s staffing shortages. These challenges not only affect the department but also present risks to the integrity of the organization’s overall financial statement.

Fortunately, organizations can use the account balance data they already have to help identify errors in the close process and alleviate some of these challenges. When auditors gain insights from data, they can draw conclusions about whether something is wrong in the general ledger, cuing them to dig deeper to understand the issues at hand.

The audit approach: Auditors analyzed 18 months’ worth of account balance data to identify accounts with at least one of the following criteria:

  • Outliers and balance changes
  • Incorrect balances
  • No changes for consecutive months
  • No offsetting changes for consecutive months

The audit team then investigated outlier accounts to narrow the search and ultimately selected “very high outlier” accounts for further review. For the first audit, the team selected the organization’s pharmacy AP account. After analyzing monthly data for that account, the team discovered an outlier change in period three was considered a “very high outlier,” with the change resulting in an incorrect debit balance for that liability account.

To determine what could be causing the sudden change in balance, auditors investigated further and found that a new process had been implemented at the time the change in balance occurred. The process automatically booked pharmacy AP invoices to the general ledger; however, the AP team at the time had continued to manually book the invoices as well, which resulted in what appeared to be a double payment on the general ledger. Following the audit, the entries were corrected, and the pharmacy AP was resolved, resulting in a zero balance.

Risks prevented: Risks associated with the financial close process include post-close adjustments, long close periods, manual processes that result in errors, and staffing issues related to remote or inexperienced teams. The auditors in this example were able to run data analytics daily during close to identify errors in the month when they occurred. Use of dashboards helped auditors visualize data and contributed to efforts to move toward continuous monitoring of account balances.

It’s time to review internal audit processes

These case studies demonstrate how internal audit technology can help healthcare internal auditors increase capacity and their ability to assess organizational risk – even in difficult times. Data analytics and workflow tools can help auditors identify risks faster and more efficiently, providing even more value to their organizations.

It’s a great time to review internal audit processes and see where improvements can be made. As auditors review their departments and consider future goals, they can share their ideas with management to gain buy-in and make the case that – like other departments – internal audit also needs resources to grow, improve, and succeed. Many departments regularly receive technology enhancements via new versions or updates. The internal audit department should be no different. Technology can help improve internal audit processes as well.

For assistance with planning and determining how technology can help an organization’s audit department deliver more value and efficiency, audit teams should consider working with third-party specialists in this area.

Contact us

Sarah Cole
Sarah Cole
Healthcare Risk Consulting Leader, Office Managing Partner, St. Louis
Mike Witek
Mike Witek
Healthcare Consulting