Managing Healthcare Risks Through Internal Audit


Post on 05-Feb-2022


TRANSCRIPT

Page 1: Managing Healthcare Risks Through Internal Audit

Managing Healthcare Risks Through Internal Audit

Page 2: Managing Healthcare Risks Through Internal Audit

Meet your presenters

− Deb Bowes, CPA, CHFP, Partner, Healthcare Practice
− Mark Laccetti, CPA, CGMA, Partner, Risk, Internal Audit and Cybersecurity Practice

Page 3: Managing Healthcare Risks Through Internal Audit

Agenda

01 Trending issues in healthcare
02 The role of internal audit
03 Options for internal audit structure
04 Risk assessment process

Page 4: Managing Healthcare Risks Through Internal Audit

Emerging issues in healthcare

Page 5: Managing Healthcare Risks Through Internal Audit

Trending issues in healthcare

− Financial sustainability
− Pandemic and emergency response planning
− COVID-19 funding
− Remote workforce
− Furloughed employees
− Physician employment
− HIPAA enforcement
− Hospital merger and acquisition
− Increasing reliance on technology
− High deductible health insurance plans
− Labor shortages
− Opioid epidemic
− Telehealth
− Payor mix shift away from commercial products
− Physician practice losses
− Cybersecurity
− Changing regulations
− Consumerism
− Aging of population and impact on medical care needs
− Transparency

Page 6: Managing Healthcare Risks Through Internal Audit

The role of internal audit

Page 7: Managing Healthcare Risks Through Internal Audit

Definition of internal audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Institute of Internal Auditors, Definition of Internal Auditing

Page 8: Managing Healthcare Risks Through Internal Audit


Evolution of internal audit

Modern internal audit approach

Page 9: Managing Healthcare Risks Through Internal Audit

Internal audit’s role

− Provides positive assurance that controls are functioning as intended
− Identifies areas in need of improvement
− Ensures alignment of risk management with realization of strategy
− Serves as a catalyst for improving controls over compliance, financial and operational operations

Page 10: Managing Healthcare Risks Through Internal Audit

Internal audit’s role in the organization

Three Lines of Defense Model

Governing Body / Audit Committee

Senior Management

− 1st Line of Defense: Management Controls; Internal Control Measures
− 2nd Line of Defense: Financial Controller; Security; Risk Management; Quality; Inspection; Compliance
− 3rd Line of Defense: Internal Audit

External Audit

Regulator

Page 11: Managing Healthcare Risks Through Internal Audit

Options for internal audit structure

Page 12: Managing Healthcare Risks Through Internal Audit

Possible internal audit structures

Increased risk-based approach

Traditional internal audit
− Traditional in-house internal audit department compliance function, ‘policeman’ approach and transaction based on testing.
− Quality defined by quantitative success measures (i.e., number of audits performed, reports issued, transactions questioned)

Co-sourced internal audit
− Hybrid approach
− Quality defined by quantitative success measures coupled with access to leading practices and methodologies and a broader risk-based approach

Shared services internal audit
− Strategic risk-based model that provides insight to anticipate and effectively react to changing business conditions
− Quality defined by Board of Directors and senior management resulting in alignment with the organization’s strategic goals

Page 13: Managing Healthcare Risks Through Internal Audit

Traditional internal audit

Key benefits
− Highest degree of control over internal audit personnel, management and training
− Development of internal institutional knowledge within internal audit
− Can provide an excellent training ground for future executives in the organization
− When the function is properly established, socialized and executed, an internally sourced internal audit department can continuously provide the organization with assurance over the controls to mitigate risks that may prevent the organization from meeting its objectives

Potential challenges
− Lost opportunity to bring specialized skills to bear or increase staffing to meet short-term needs
− Administrative burden of recruiting employees, staffing projects, maintaining appropriate skills and training employees
− Difficult to retain professionals in a non-mission focused role in the organization
− When the function is not properly established, socialized and executed, a negative reputation of internally sourced internal audit departments can develop

Page 14: Managing Healthcare Risks Through Internal Audit

Co-sourced internal audit

Key benefits
− Ability to leverage external resources for extra capacity or specialized skills (e.g., fraud, sponsored research and information technology)
− Flexibility in staffing levels
− Access to leading practices and methodologies
− Reduced administrative burden
− Increased independence and objectivity

Potential challenges
− Co-sourced partner may not fit with the organization’s culture and structure
− Reduced opportunity to develop internal audit knowledge and skills in-house
− Time and resources required to select a co-sourcing partner

Page 15: Managing Healthcare Risks Through Internal Audit

Shared services internal audit

Key benefits
− Instantly leverages a network of internal audit professionals and specialty expertise for comprehensive, effective risk coverage
− Eliminates significant investments related to people (recruiting, training, career development), methodology, technology and knowledge
− Provides immediate access to benchmarking and leading practices that can be leveraged for improvements
− Provides the flexibility of variable costs vs. fixed costs

Potential challenges
− Internal audit not fully ingrained in the organization, making it more difficult to build relationships and/or fully keep pace with all changes in the operating environment
− Higher average cost per audit
− Institutional knowledge rests with external resources

Page 16: Managing Healthcare Risks Through Internal Audit

Service models for internal audit: Shared services and co-sourcing

[Decision flowchart. Questions asked along its YES/NO branches:]
− Does an internal function exist?
− Does the organization understand what risks are present and if intentional decisions are made relative to them (e.g., calculated risk taking or mitigation)?
− Are trustees and senior leadership getting the desired level of confidence with how the organization is managing risk?
− Does internal audit have the appropriate resource level and skill set?
− Do the results of internal audit projects provide meaningful feedback and compel management to make valuable changes in risk management approaches?

Outcomes: Shared service; Co-source; END

Page 17: Managing Healthcare Risks Through Internal Audit

Risk assessment process

Page 18: Managing Healthcare Risks Through Internal Audit

Types of risk assessments, serving many different purposes

− Internal Audit Risk Assessment
− Vendor Risk Management
− Enterprise Risk Management
− Fraud Risk Assessment

Page 19: Managing Healthcare Risks Through Internal Audit


Planning your risk assessment

− Define objectives and scope

− Establish clear roles and responsibilities

− Maintain open lines of communication

What increases confidence in your risk assessment?

1. Diversity in data, stakeholders, and participants leads to greater risk insight

2. Technology, when used correctly, is highly effective

3. Collaboration and an embedded process lead to deeper analysis

Page 20: Managing Healthcare Risks Through Internal Audit

Risk assessment lifecycle

1. Identify risks
2. Develop assessment criteria
3. Assess risks
4. Assess risk interactions
5. Prioritize risks
6. Reporting

Page 21: Managing Healthcare Risks Through Internal Audit

Identify risks

− The goal is to produce a comprehensive list of risks, also known as the “Risk Universe”

• Tip: Use a wide net

− Organize the risks to aid in identification and assessment

• Risk categories (i.e., financial, operational, strategic, etc.)

• Sub-categories (i.e., market, credit, liquidity, etc.)

− Consider risks in the context of the enterprise, business units, and departments or functions

− Ensure alignment with objectives and stakeholder expectations

Page 22: Managing Healthcare Risks Through Internal Audit

Sample risk universe

− Financial: Financial Preparation and Reporting; Budgeting and Planning; Liquidity; Credit / Interest Rate; Currency; Fraud; Revenue Recognition; Payroll; Accounts Payable; Taxation; Commodity Pricing
− Operational: Staffing Reliability; Patient Experience; Scheduling; Inventory Management; Procurement; Quality of Care; Business Continuity; Pricing; Vendor Management
− Strategic: Strategic Plan and Execution; Mergers and Acquisitions; Strategic Relationships and Partnerships; New Business Development; Competition; Product Offering
− Technology: IT Project Management; Logical Access; Data Availability and Integrity; Information Security; Network Connectivity; Disaster Recovery
− Compliance & Legal: Contractual; Regulatory; Taxation; Environmental; Litigation; Record Retention; Product Liability; Organizational Policies
− Human Resources: Talent Acquisition; Employee Retention; Succession Planning; Benefits and Compensation; Performance Management; Employee Development; Knowledge Management; Privacy
− Governance: Board Oversight; Organizational Reporting; Strategic Alignment; Organizational Structure; Communication; Organizational Change Management

Page 23: Managing Healthcare Risks Through Internal Audit

Emerging risks

Recent surveys from the IIA (2016 North American Pulse of Internal Audit) and other industry surveys have analyzed emerging risks, with a focus on:

− How effectively internal audit identifies and responds to emerging risks

− How internal audit expands to other areas and risks that have historically not been evaluated

− Management’s involvement with monitoring changes in the business environment and impact on the assumptions and risks inherent in corporate strategy

65% of respondents stated they are moderately, slightly, or not at all confident in identifying emerging risks

Page 24: Managing Healthcare Risks Through Internal Audit

How to evaluate or identify emerging risks

− Understand uncertainties inherent in business or operational strategy

− Use robust scenario analysis to evaluate management’s view of the future

− Look into the future, and consider global risks and macroeconomic risks

− Focus on organizational structure and risks

− Understand how often your audit plan is changing, and whether it is dynamic or static

Page 25: Managing Healthcare Risks Through Internal Audit

Example emerging risks

− Regulatory changes: Constant changes in regulatory environment and increasing scrutiny
− Resistance to change / ability to attract or retain top talent: Aging workforces and millennials who may job jump several times during their career
− Reliance on third parties / vendor management: Increased use of third parties, and greater regulatory compliance with vendor management practice
− Organizational culture: Evaluating the role of culture in governance
− Cybersecurity: Lack of expertise and lack of business continuity response plans for cyber attacks
− Use of data analytics: Increased use by organizations for strategic decisions, but how reliable is the data and analysis

Page 27: Managing Healthcare Risks Through Internal Audit

Develop assessment criteria

To enable a successful and relevant risk assessment, develop a common set of assessment criteria

1. Start with impact and likelihood, and consider other relevant criteria
− Vulnerability
− Velocity (or speed of onset)

2. Establish a scale for meaningful differentiation and prioritization
− Five point scales vs. three point scales
− Customize scale to fit your organization and needs

3. Determine if you are looking for inherent or residual risk
− You may want both

Page 28: Managing Healthcare Risks Through Internal Audit


Develop assessment criteria

Impact (or consequence)

− Refers to the extent to which a risk event might affect the enterprise

− Assessment criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer and operational impacts

− When assigning an impact rating to a risk, assign the rating for the highest consequence anticipated

− Can also be used for opportunities as well as risks

Page 29: Managing Healthcare Risks Through Internal Audit

Impact assessment criteria

Example 1

Rating: Definition

5 - Extreme
− Financial loss of $X million or more
− Long-term negative media coverage; game-changing loss of market share
− Significant prosecution and fines, litigation including class actions, incarceration of leadership
− Significant injuries or fatalities to employees or third parties, such as patients/residents or vendors
− Multiple senior leaders leave

4 - Major
− Financial loss of $X million up to $X million
− Long-term negative media coverage; significant loss of market share
− Report to regulator requiring major project for corrective action
− Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice

3 - Moderate
− Financial loss of $X million up to $X million
− Short-term negative media coverage
− Report of breach to regulator with immediate correction to be implemented
− Widespread staff morale problems and high turnover

2 - Minor
− Financial loss of $X million up to $X million
− Local reputational damage
− Reportable incident to regulator, no follow up
− General staff morale problems and increase in turnover

1 - Incidental
− Financial loss up to $X million
− Local media attention quickly remedied
− Not reportable to regulator
− Isolated staff dissatisfaction

Page 30: Managing Healthcare Risks Through Internal Audit

Develop assessment criteria

Likelihood

− Possibility that a given event will occur

− Can be expressed in many different ways

• Qualitative terms (frequent, likely, possible, unlikely, rare)

• Percent

• Probability

• Frequency

− Establish the relevant time period for the likelihood assessment

• Examples include annual frequency or probability over the life of the project or asset

Page 31: Managing Healthcare Risks Through Internal Audit


Develop assessment criteria

Vulnerability

− Susceptibility of the entity to a risk event

− Related to preparedness, agility and adaptability

− Good measure or gauge of how well risks are being managed

− Assessment criteria may include capabilities to anticipate events, prevent events, respond and adapt quickly as events unfold, as well as ability to withstand the event

− The more vulnerable the entity is to the risk, the higher the impact should the event occur

Page 32: Managing Healthcare Risks Through Internal Audit


Develop assessment criteria

Velocity

− Refers to the time it takes for a risk event to manifest itself

− The time that elapses between occurrence of an event and the point in which the entity first feels its effects

− Less time equals more risk

− Very useful when developing risk responses

Page 34: Managing Healthcare Risks Through Internal Audit


Assess risks

For most organizations, risk assessments rely almost exclusively on qualitative techniques

The addition of quantitative techniques can help to improve the overall quality and effectiveness of assessment procedures

− Interviews

− Questionnaires or Surveys

− Workshops

− Data analysis

− Benchmarking

− Modeling

Page 35: Managing Healthcare Risks Through Internal Audit

Assess risks

Technique: Qualitative

Advantages
− Relatively quick and easy
− Information is easily understood by large number of employees and stakeholders
− Provides information beyond financial impact and likelihood, such as vulnerability, velocity, and non-financial impacts

Disadvantages
− Limited differentiation between levels of risk (i.e. high, medium, low)
− Imprecise by nature
− Difficult to aggregate or address risk correlations and interactions
− Limited ability for cost-benefit analysis

Technique: Quantitative

Advantages
− Improved precision and differentiation
− Allows for numerical aggregation
− Permits cost-benefit analysis

Disadvantages
− Can be time consuming and costly
− Choosing units of measure can be problematic
− Data is limited

Page 36: Managing Healthcare Risks Through Internal Audit

Assess risks

Interviews
− Can be done one-on-one or in facilitated meetings
− May be more appropriate for Senior Management and Board Members
− Be aware of siloed thinking

Cross functional workshops
− Facilitate knowledge sharing and consideration of risk interactions
− Include diverse individuals and different vantage points
− Require careful planning and an eye on the clock
− May not work well if company culture discourages free sharing of information or divergent opinions

Page 37: Managing Healthcare Risks Through Internal Audit


Assess risks

Surveys

Useful for large, complex and geographically distributed entities

Helpful in situations where culture does not permit or encourage open communication

Results can be sorted and stratified by employee level, operating unit, location, etc.

Response rates can be low and questions are subject to interpretation

Do not allow for collaboration or interactions across functions or silos

Page 38: Managing Healthcare Risks Through Internal Audit

Assess risks

Benchmarking
− Collaborative process amongst a group of entities
− Focused on specific events or processes using common metrics
− Availability and applicability of data can be problematic as no two companies, units, or departments are the same

Scenario analysis
− Defining one or more risk scenarios and key assumptions (conditions or drivers) to assess or estimate the impact on a key objective
− Could be tied to financial metrics or measures (i.e. EBITDA, Net Revenue)

Page 40: Managing Healthcare Risks Through Internal Audit

Assess risk interactions

1. Risks do NOT exist in isolation
2. As risks interact with other events and conditions the potential for greater impact or likelihood can increase
3. Think about causality, chain of events, and interdependencies
4. Consider the “what if” scenarios

Page 42: Managing Healthcare Risks Through Internal Audit

Prioritize risks

Prioritization is not an easy, one-step process

Consider all qualitative and quantitative factors and criteria, as well as alignment with objectives

Determine if risk tolerance or thresholds have been established

Collaborate and discuss the prioritization of risks with stakeholders

− Compare against previous years

− Compare to industry trends to identify any gaps or unusual results

Page 44: Managing Healthcare Risks Through Internal Audit

Reporting

Although there are many options for reporting results of the risk assessment procedures, an easy way to show risk prioritization and assessment results is through a visual depiction such as a risk map.

− A risk map represents the likelihood of occurrence and the potential impact of the identified risks.

− Risks with higher likelihood and impact will receive the highest priority when developing a plan to manage risks.

− Develop appropriate risk metrics and measurements.

[Risk map: potential impact plotted against likelihood of occurrence. Quadrants: High impact, Moderate likelihood; High impact, High likelihood; Moderate impact, Moderate likelihood; Moderate impact, High likelihood]

Page 45: Managing Healthcare Risks Through Internal Audit

Resources

− bakertilly.com/healthcare

− bakertilly.com/internal-audit

− bakertilly.com/rcminnovation

Case studies, insights and on-demand webinars

Revenue Cycle Innovation Center

HIPAA: Five steps to ensuring your risk assessment complies with OCR guidelines

Drug diversion prevention and detection: using a comprehensive risk and internal audit approach

Page 46: Managing Healthcare Risks Through Internal Audit


Connect with us

[email protected]

+ 1 (570) 651 1741

[email protected]

+ 1 (215) 557 2217

Deb Bowes, CPA, CHFP

Partner

Healthcare Practice

Mark Laccetti, CPA, CGMA

Partner

Risk, Internal Audit and Cybersecurity Practice

Page 47: Managing Healthcare Risks Through Internal Audit

Disclosure

The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.

Baker Tilly Virchow Krause, LLP trading as Baker Tilly is a member of the global network of Baker Tilly International Ltd., the members of which are separate and independent legal entities. © 2020 Baker Tilly Virchow Krause, LLP.