Managing Healthcare Risks Through Internal Audit
TRANSCRIPT
Meet your presenters
Deb Bowes, CPA, CHFP
Partner
Healthcare Practice
Mark Laccetti, CPA, CGMA
Partner
Risk, Internal Audit and Cybersecurity Practice
Agenda
01 Trending issues in healthcare
02 The role of internal audit
03 Options for internal audit structure
04 Risk assessment process
− Emerging issues in healthcare
Trending issues in healthcare
− Financial sustainability
− Pandemic and emergency response planning
− COVID-19 funding
− Remote workforce
− Furloughed employees
− Physician employment
− HIPAA enforcement
− Hospital merger and acquisition
− Increasing reliance on technology
− High deductible health insurance plans
− Labor shortages
− Opioid epidemic
− Telehealth
− Payor mix shift away from commercial products
− Physician practice losses
− Cybersecurity
− Changing regulations
− Consumerism
− Aging of population and impact on medical care needs
− Transparency
The role of internal audit
Definition of internal audit
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.
Institute of Internal Auditors, Definition of Internal Auditing
Evolution of internal audit
Modern internal audit approach
Internal audit’s role
− Provides positive assurance that controls are functioning as intended
− Identifies areas in need of improvement
− Ensures alignment of risk management with realization of strategy
− Serves as a catalyst for improving controls over compliance, financial and operational activities
Internal audit’s role in the organization
Three Lines of Defense Model
Governing Body / Audit Committee
Senior Management
1st Line of Defense: Management Controls; Internal Control Measures
2nd Line of Defense: Financial Controller; Security; Risk Management; Quality; Inspection; Compliance
3rd Line of Defense: Internal Audit
External: Regulator; External Audit
Options for internal audit structure
Possible internal audit structures (left to right: increasingly risk-based approach)
Traditional internal audit
− Traditional in-house internal audit department; compliance function, ‘policeman’ approach and transaction-based testing
− Quality defined by quantitative success measures (e.g., number of audits performed, reports issued, transactions questioned)
Co-sourced internal audit
− Hybrid approach
− Quality defined by quantitative success measures coupled with access to leading practices and methodologies and a broader risk-based approach
Shared services internal audit
− Strategic risk-based model that provides insight to anticipate and effectively react to changing business conditions
− Quality defined by the Board of Directors and senior management, resulting in alignment with the organization’s strategic goals
Traditional internal audit
Key benefits
− Highest degree of control over internal audit personnel, management and training
− Development of internal institutional knowledge within internal audit
− Can provide an excellent training ground for future executives in the organization
− When the function is properly established, socialized and executed, an internally sourced internal audit department can continuously provide the organization with assurance over the controls to mitigate risks that may prevent the organization from meeting its objectives
Potential challenges
− Lost opportunity to bring specialized skills to bear or increase staffing to meet short-term needs
− Administrative burden of recruiting employees, staffing projects, maintaining appropriate skills and training employees
− Difficult to retain professionals in a non-mission-focused role in the organization
− When the function is not properly established, socialized and executed, a negative reputation of internally sourced internal audit departments can develop
Co-sourced internal audit
Key benefits
− Ability to leverage external resources for extra capacity or specialized skills (e.g., fraud, sponsored research and information technology)
− Flexibility in staffing levels
− Access to leading practices and methodologies
− Reduced administrative burden
− Increased independence and objectivity
Potential challenges
− Co-sourced partner may not fit with the organization’s culture and structure
− Reduced opportunity to develop internal audit knowledge and skills in-house
− Time and resources required to select a co-sourcing partner
Shared services internal audit
Key benefits
− Instantly leverages a network of internal audit professionals and specialty expertise for comprehensive, effective risk coverage
− Eliminates significant investments related to people (recruiting, training, career development), methodology, technology and knowledge
− Provides immediate access to benchmarking and leading practices that can be leveraged for improvements
− Provides the flexibility of variable costs vs. fixed costs
Potential challenges
− Internal audit not fully ingrained in the organization, making it more difficult to build relationships and/or fully keep pace with all changes in the operating environment
− Higher average cost per audit
− Institutional knowledge rests with external resources
Service models for internal audit: Shared services and co-sourcing
(Decision flowchart; each question is answered YES or NO and leads to one of the outcomes listed below the questions.)
− Does an internal function exist?
− Does the organization understand what risks are present and whether intentional decisions are made relative to them (e.g., calculated risk taking or mitigation)?
− Are trustees and senior leadership getting the desired level of confidence with how the organization is managing risk?
− Do the results of internal audit projects provide meaningful feedback and compel management to make valuable changes in risk management approaches?
− Does internal audit have the appropriate resource level and skill set?
Outcomes: Shared service; Co-source; END
Risk assessment process
Types of risk assessments, serving many different purposes
− Internal Audit Risk Assessment
− Vendor Risk Management
− Enterprise Risk Management
− Fraud Risk Assessment
Planning your risk assessment
− Define objectives and scope
− Establish clear roles and responsibilities
− Maintain open lines of communication
What increases confidence in your risk assessment?
1. Diversity in data, stakeholders, and participants leads to greater risk insight
2. Technology, when used correctly, is highly effective
3. Collaboration and an embedded process lead to deeper analysis
Risk assessment lifecycle
1. Identify risks
2. Develop assessment criteria
3. Assess risks
4. Assess risk interactions
5. Prioritize risks
6. Reporting
Identify risks
− The goal is to produce a comprehensive list of risks, also known as the “Risk Universe”
• Tip: Use a wide net
− Organize the risks to aid in identification and assessment
• Risk categories (e.g., financial, operational, strategic)
• Sub-categories (e.g., market, credit, liquidity)
− Consider risks in the context of the enterprise, business units, and departments or functions
− Ensure alignment with objectives and stakeholder expectations
Sample risk universe
Financial: Financial Preparation and Reporting; Budgeting and Planning; Liquidity; Credit / Interest Rate; Currency; Fraud; Revenue Recognition; Payroll; Accounts Payable; Taxation; Commodity Pricing
Operational: Staffing Reliability; Patient Experience; Scheduling; Inventory Management; Procurement; Quality of Care; Business Continuity; Pricing; Vendor Management
Strategic: Strategic Plan and Execution; Mergers and Acquisitions; Strategic Relationships and Partnerships; New Business Development; Competition; Product Offering
Technology: IT Project Management; Logical Access; Data Availability and Integrity; Information Security; Network Connectivity; Disaster Recovery
Compliance & Legal: Contractual; Regulatory; Taxation; Environmental; Litigation; Record Retention; Product Liability; Organizational Policies
Human Resources: Talent Acquisition; Employee Retention; Succession Planning; Benefits and Compensation; Performance Management; Employee Development; Knowledge Management; Privacy
Governance: Board Oversight; Organizational Reporting; Strategic Alignment; Organizational Structure; Communication; Organizational Change Management
Emerging risks
Recent surveys from the IIA (2016 North American Pulse of Internal Audit) and other industry surveys have analyzed emerging risks, with a focus on:
− How effectively internal audit identifies and responds to emerging risks
− How internal audit expands to other areas and risks that have historically not been evaluated
− Management’s involvement with monitoring changes in the business environment and impact on the assumptions and risks inherent in corporate strategy
65% of respondents stated they are moderately, slightly, or not at all confident in identifying emerging risks
How to evaluate or identify emerging risks
− Understand uncertainties inherent in business or operational strategy
− Use robust scenario analysis to evaluate management’s view of the future
− Look into the future, and consider global risks and macroeconomic risks
− Focus on organizational structure and risks
− Understand how often your audit plan is changing, and whether it is dynamic or static
Example emerging risks
− Regulatory changes: Constant changes in regulatory environment and increasing scrutiny
− Resistance to change / ability to attract or retain top talent: Aging workforces and millennials who may job-hop several times during their career
− Reliance on third parties / vendor management: Increased use of third parties, and greater regulatory compliance with vendor management practice
− Organizational culture: Evaluating the role of culture in governance
− Cybersecurity: Lack of expertise and lack of business continuity response plans for cyber attacks
− Use of data analytics: Increased use by organizations for strategic decisions, but how reliable is the data and analysis?
Develop assessment criteria
To enable a successful and relevant risk assessment, develop a common set of assessment criteria
1. Start with impact and likelihood, and consider other relevant criteria
− Vulnerability
− Velocity (or speed of onset)
2. Establish a scale for meaningful differentiation and prioritization
− Five-point scales vs. three-point scales
− Customize the scale to fit your organization and needs
3. Determine if you are looking for inherent or residual risk
− You may want both
Develop assessment criteria
Impact (or consequence)
− Refers to the extent to which a risk event might affect the enterprise
− Assessment criteria may include financial, reputational, regulatory, health, safety, security, environmental, employee, customer and operational impacts
− When assigning an impact rating to a risk, assign the rating for the highest consequence anticipated
− Can also be used for opportunities as well as risks
Impact assessment criteria (Example 1)
Rating: Definition
5 - Extreme
o Financial loss of $X million or more
o Long-term negative media coverage; game-changing loss of market share
o Significant prosecution and fines, litigation including class actions, incarceration of leadership
o Significant injuries or fatalities to employees or third parties, such as patients/residents or vendors
o Multiple senior leaders leave
4 - Major
o Financial loss of $X million up to $X million
o Long-term negative media coverage; significant loss of market share
o Report to regulator requiring major project for corrective action
o Some senior managers leave, high turnover of experienced staff, not perceived as employer of choice
3 - Moderate
o Financial loss of $X million up to $X million
o Short-term negative media coverage
o Report of breach to regulator with immediate correction to be implemented
o Widespread staff morale problems and high turnover
2 - Minor
o Financial loss of $X million up to $X million
o Local reputational damage
o Reportable incident to regulator, no follow-up
o General staff morale problems and increase in turnover
1 - Incidental
o Financial loss up to $X million
o Local media attention quickly remedied
o Not reportable to regulator
o Isolated staff dissatisfaction
Develop assessment criteria
Likelihood
− Possibility that a given event will occur
− Can be expressed in many different ways
− Qualitative terms (frequent, likely, possible, unlikely, rare)
− Percent
− Probability
− Frequency
− Establish the relevant time period for the likelihood assessment
− Examples include annual frequency or probability over the life of the project or asset
Develop assessment criteria
Vulnerability
− Susceptibility of the entity to a risk event
− Related to preparedness, agility and adaptability
− Good measure or gauge of how well risks are being managed
− Assessment criteria may include capabilities to anticipate events, prevent events, respond and adapt quickly as events unfold, as well as ability to withstand the event
− The more vulnerable the entity is to the risk, the higher the impact should the event occur
Develop assessment criteria
Velocity
− Refers to the time it takes for a risk event to manifest itself
− The time that elapses between occurrence of an event and the point in which the entity first feels its effects
− Less time equals more risk
− Very useful when developing risk responses
Assess risks
For most organizations, risk assessments rely almost exclusively on qualitative techniques
The addition of quantitative techniques can help to improve the overall quality and effectiveness of assessment procedures
− Interviews
− Questionnaires or Surveys
− Workshops
− Data analysis
− Benchmarking
− Modeling
Assess risks
Qualitative techniques
Advantages:
− Relatively quick and easy
− Information is easily understood by a large number of employees and stakeholders
− Provides information beyond financial impact and likelihood, such as vulnerability, velocity, and non-financial impacts
Disadvantages:
− Limited differentiation between levels of risk (i.e., high, medium, low)
− Imprecise by nature
− Difficult to aggregate or address risk correlations and interactions
− Limited ability for cost-benefit analysis
Quantitative techniques
Advantages:
− Improved precision and differentiation
− Allows for numerical aggregation
− Permits cost-benefit analysis
Disadvantages:
− Can be time consuming and costly
− Choosing units of measure can be problematic
− Data is limited
Assess risks
Interviews
− Can be done one-on-one or in facilitated meetings
− May be more appropriate for Senior Management and Board Members
− Be aware of siloed thinking
Cross-functional workshops
− Facilitate knowledge sharing and consideration of risk interactions
− Include diverse individuals and different vantage points
− Require careful planning and an eye on the clock
− May not work well in a company culture that discourages free sharing of information or divergent opinions
Assess risks
Surveys
− Useful for large, complex and geographically distributed entities
− Helpful in situations where culture does not permit or encourage open communication
− Results can be sorted and stratified by employee level, operating unit, location, etc.
− Response rates can be low and questions are subject to interpretation
− Do not allow for collaboration or interactions across functions or silos
Assess risks
Benchmarking
− Collaborative process amongst a group of entities
− Focused on specific events or processes using common metrics
− Availability and applicability of data can be problematic as no two companies, units, or departments are the same
Scenario analysis
− Defining one or more risk scenarios and key assumptions (conditions or drivers) to assess or estimate the impact on a key objective
− Could be tied to financial metrics or measures (e.g., EBITDA, Net Revenue)
Assess risk interactions
1. Risks do NOT exist in isolation
2. As risks interact with other events and conditions, the potential for greater impact or likelihood can increase
3. Think about causality, chain of events, and interdependencies
4. Consider the “what if” scenarios
Prioritize risks
Prioritization is not an easy, one-step process
− Consider all qualitative and quantitative factors and criteria, as well as alignment with objectives
− Determine if risk tolerance or thresholds have been established
− Collaborate and discuss the prioritization of risks with stakeholders
• Compare against previous years
• Compare to industry trends to identify any gaps or unusual results
Reporting
Although there are many options for reporting results of the risk assessment procedures, an easy way to show risk prioritization and assessment results is through a visual depiction such as a risk map.
− A risk map represents the likelihood of occurrence and the potential impact of the identified risks.
− Risks with higher likelihood and impact will receive the highest priority when developing a plan to manage risks.
− Develop appropriate risk metrics and measurements.
Risk map (vertical axis: potential impact; horizontal axis: likelihood of occurrence; quadrants shown: High impact / High likelihood, High impact / Moderate likelihood, Moderate impact / High likelihood, Moderate impact / Moderate likelihood)
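As an added worked example of the criteria, prioritization and risk-map steps described in this section (illustration written for this transcript, not code or methodology from the presenters), the following Python scores a small constructed healthcare risk universe on the five-point scale: it computes inherent and residual scores as impact x likelihood, orders risks using vulnerability and velocity as tie-breakers, flags anything above a tolerance threshold the board might have set, and buckets the result into risk-map quadrants. The tie-break order, the "Low" band (the slide's map shows only High and Moderate), the rating validation and all four sample risks with their ratings are assumptions made for the example.

```python
"""Risk scoring, prioritisation and risk-map bucketing on a five-point scale.

Added illustration for this transcript, not the presenters' methodology.
The weighting (impact x likelihood, vulnerability and velocity as tie-breakers),
the Low band and the sample risks below are assumptions chosen to mirror the
criteria described in the slides.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Five-point scale taken from the impact criteria table (5 = Extreme ... 1 = Incidental).
SCALE = {1: "Incidental", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Extreme"}


def _check_rating(name: str, value: int) -> None:
    """Reject ratings outside the agreed scale so scores stay comparable across risks."""
    if value not in SCALE:
        raise ValueError(f"{name} rating {value!r} is not on the 1-5 scale")


@dataclass(frozen=True)
class Risk:
    name: str
    category: str
    impact: int               # inherent impact, 1-5
    likelihood: int           # inherent likelihood, 1-5
    vulnerability: int        # 5 = least prepared / most susceptible
    velocity: int             # 5 = fastest onset (less time = more risk)
    residual_impact: int      # impact after existing controls
    residual_likelihood: int  # likelihood after existing controls

    def __post_init__(self) -> None:
        for field_name in ("impact", "likelihood", "vulnerability", "velocity",
                           "residual_impact", "residual_likelihood"):
            _check_rating(field_name, getattr(self, field_name))


def inherent_score(risk: Risk) -> int:
    """Inherent risk: impact x likelihood before controls (1..25)."""
    return risk.impact * risk.likelihood


def residual_score(risk: Risk) -> int:
    """Residual risk: impact x likelihood after existing controls (1..25)."""
    return risk.residual_impact * risk.residual_likelihood


def priority_key(risk: Risk, residual: bool = True) -> Tuple[int, int, int]:
    """Sort key: score first, then vulnerability, then velocity (assumed tie-break order)."""
    score = residual_score(risk) if residual else inherent_score(risk)
    return (score, risk.vulnerability, risk.velocity)


def prioritize(risks: List[Risk], residual: bool = True) -> List[str]:
    """Risk names ordered highest priority first."""
    ordered = sorted(risks, key=lambda r: priority_key(r, residual), reverse=True)
    return [r.name for r in ordered]


def band(rating: int) -> str:
    """Collapse a 1-5 rating into risk-map bands; 'Low' is an assumed third band."""
    _check_rating("rating", rating)
    if rating >= 4:
        return "High"
    if rating == 3:
        return "Moderate"
    return "Low"


def risk_map(risks: List[Risk], residual: bool = True) -> Dict[str, List[str]]:
    """Bucket risks into impact/likelihood quadrants, each bucket in priority order."""
    buckets: Dict[str, List[str]] = {}
    for r in sorted(risks, key=lambda x: priority_key(x, residual), reverse=True):
        imp = r.residual_impact if residual else r.impact
        lik = r.residual_likelihood if residual else r.likelihood
        key = f"{band(imp)} impact / {band(lik)} likelihood"
        buckets.setdefault(key, []).append(r.name)
    return buckets


def above_tolerance(risks: List[Risk], threshold: int, residual: bool = True) -> List[str]:
    """Risks whose score exceeds an established tolerance threshold (hypothetical value)."""
    scorer = residual_score if residual else inherent_score
    return [r.name for r in risks if scorer(r) > threshold]


# Constructed sample risk universe; ratings are hypothetical, not from the presentation.
RISKS = [
    Risk("Ransomware disrupts EHR availability", "Technology", 5, 4, 4, 5, 5, 3),
    Risk("PHI breach via third-party vendor", "Compliance & Legal", 4, 3, 3, 3, 4, 2),
    Risk("Drug diversion by clinical staff", "Operational", 3, 3, 2, 2, 3, 2),
    Risk("Nursing staff shortage", "Human Resources", 4, 5, 4, 2, 4, 4),
]

if __name__ == "__main__":
    by_name = {r.name: r for r in RISKS}
    for name in prioritize(RISKS):
        r = by_name[name]
        print(f"{name}: inherent {inherent_score(r)}, residual {residual_score(r)}")
    for quadrant, names in risk_map(RISKS).items():
        print(quadrant, "->", names)
    print("Above tolerance (12):", above_tolerance(RISKS, 12))
```

Running the block prints the residual priority order, the quadrant buckets and the risks above the assumed tolerance of 12. Note how the ordering changes between inherent and residual views: the ransomware scenario leads on inherent score but drops behind the staffing shortage once existing controls are credited, which is the reason the slides suggest assessing both.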
Resources
Case studies, insights and on-demand webinars:
− bakertilly.com/healthcare
− bakertilly.com/internal-audit
− bakertilly.com/rcminnovation
Revenue Cycle Innovation Center
HIPAA: Five steps to ensuring your risk assessment complies with OCR guidelines
Drug diversion prevention and detection: using a comprehensive risk and internal audit approach
Connect with us
+ 1 (570) 651 1741
+ 1 (215) 557 2217
Deb Bowes, CPA, CHFP
Partner
Healthcare Practice
Mark Laccetti, CPA, CGMA
Partner
Risk, Internal Audit and Cybersecurity Practice
Disclosure
The information provided here is of a general nature and is not intended to address the
specific circumstances of any individual or entity. In specific circumstances, the services of
a professional should be sought.
Baker Tilly Virchow Krause, LLP trading as Baker Tilly is a member of the global network of
Baker Tilly International Ltd., the members of which are separate and independent legal
entities. © 2020 Baker Tilly Virchow Krause, LLP.