Healthcare Internal Audit Solutions

Healthcare organisations today are faced with a myriad of challenges and many are under-utilising one of their greatest assets: internal audit. Leading internal audit functions have moved well beyond checking the box on policy compliance and serve as a strategic partner to help ensure their organisations become more innovative and explore new technologies, identify and mitigate emerging risks, develop creative solutions to complex business challenges, and encourage best practices to enhance business functions. Protiviti’s industry-leading healthcare internal audit solutions are flexible with proven methodologies, provide access to a vast array of skills, are value-added and collaborative, incorporate tools/techniques such as robotic process automation (RPA) and advanced analytics, and allow us to be a strategic partner in helping your organisation confidently face the future.

The following provides an overview of the many ways Protiviti can partner with you to ensure you have a leading internal audit function implemented for your organisation.

  • Flexible and Collaborative Delivery Models
  • Breadth of Expertise
  • Targeted Assistance

“Protiviti has been a trusted and collaborative partner to us for several years and has truly become part of our organisation — from a cultural fit to having our best interests at heart in everything they do for us. We can rely on Protiviti and their deep expertise to help us solve problems with meaningful and creative ideas that align with our overall strategic direction.” 

— General Counsel and Chief Administrative Officer

Flexible and Collaborative Delivery Models

For companies trying to determine whether co-sourcing or outsourcing is the best solution, Protiviti has deep expertise working with clients all over the world in transforming their internal audit functions into leading practice, based on The Institute of Internal Auditors Standards.

Protiviti can meet all of your internal audit needs under a continuous full-service outsourcing arrangement by managing and executing the internal audit function, bringing our in-depth industry knowledge, proprietary tools, methodologies, training and experience to your organisation.

Alternatively, co-sourcing internal audit with Protiviti provides organisations with all of the technical and subject-matter resources they require on-demand, without the need to hire full-time staff. We offer the capabilities to easily and affordably flex the number of resources assigned to an internal audit function, keeping an organisation properly staffed during both peak and off-peak periods.

Protiviti can also provide support for an existing internal audit programme by providing training, qualified interim internal audit leadership (CAE) and/or supplemental staffing of experienced professionals (as outlined by the Internal Audit Sourcing Model below).

Protiviti believes internal audit can also support other functions, such as compliance, privacy, IT, finance and legal, through the performance of audits and investigations when those functions lack resources or skillsets needed. We emphasise collaboration across the organisation and prevention of silos, and encourage enterprise-wide accountability between audit, compliance and legal for achievement of the organisation’s goals and objectives.

Internal Audit Sourcing Model

Sound Methodologies

Protiviti is a principal partner of The Institute of Internal Auditors and our internal audit methodologies, policies and procedures (i.e., The Protiviti Way) are independently reviewed annually by an Accredited Internal Quality Assessment Validator.

In addition to The Protiviti Way’s approach to internal auditing, our Healthcare Center of Excellence has developed industry-specific quality assurance steps that are followed for all of our healthcare engagements.

Breadth of Expertise


Protiviti has extensive references and significant experience working with a variety of healthcare providers to address today’s challenges, including large integrated delivery systems, multi-hospital health systems with both domestic and international facilities, community hospitals, rehabilitation hospitals, specialty hospitals, children’s hospitals, post-acute delivery systems (LTAC, SNF, hospice, etc.), and physician groups. Not only do we understand the driving forces of regulatory change in the healthcare industry, but we also have the unique blend of operational, clinical and information technology knowledge needed to understand the implications that you are currently facing and will face in the future.

A key differentiator for Protiviti is our ability to provide our clients with a wide range of deep expertise through the internal audit function by performing audits covering, for example, the areas outlined below.

Revenue Cycle and Supply Chain

Protiviti helps organisations enhance their revenues and margins by improving strategy, processes, and system controls. Our approach is designed to improve net revenue, streamline costs and vendor management, accelerate cash flow, enhance operating performance, and prepare for future acquisitions or joint ventures. Areas of expertise include patient access; utilisation review; charge capture; charge description master (CDM); health information management (HIM) and coding; billing and collections; denials; and underpayments, overpayments and patient refunds. We can perform 835 claim analytics and benchmarking using proprietary tools and consolidated data to identify preventable denials and other revenue opportunities related to pricing, payment delays, and potential underpayments by payer, provider and facility. We can also use this data to test the integrity of internal denial and AR reporting.


Protiviti can assist healthcare organisations in maturing their compliance function by performing compliance programme effectiveness assessments and compliance risk assessments; training on compliance hot topics; and executing projects on a compliance work plan and specialty audits/investigations, including HIPAA gap evaluations, physician coding audits, conflict of interest assessments, Business Associate Agreement reviews, mock independent review organisation (IRO) audits, corporate integrity agreement (CIA) audits, etc.

Information Technology and Security

Protiviti helps healthcare organisations strategically align technology with the business and proactively mitigate security risks. We have deep IT skillsets to support organisations in more specialised areas including cybersecurity, HIPAA compliance, medical device management, effectiveness of EHR utilisation and optimisation, ERP management, data integrity, third-party/vendor management, business continuity management and disaster recovery, etc. In the area of security, Protiviti provides a range of services, including technical penetration testing and vulnerability scans, incident response, security programme assessments, firewall management, and Payment Card Industry (PCI) compliance. Protiviti also helps healthcare organisations manage the risk of disruptive innovation, embrace opportunities presented by new and emerging technologies (e.g., RPA, advanced analytics, Internet of Things, artificial intelligence, telehealth, etc.), enhance customer engagement, digitise products/services, make better-informed decisions, and improve operational performance.


Protiviti is a global leader in helping organisations address Sarbanes-Oxley and internal controls over financial reporting requirements. Our areas of expertise include scoping to determine financial statement risks, documenting relevant process areas, identifying controls to effectively mitigate those risks, and evaluating the design and testing the operational effectiveness of controls. Protiviti also provides assistance with the new FASB accounting standards around revenue recognition and lease accounting, data analytics to identify duplicate AP payments and payroll payment variances, forensic services and investigations, and initial public offering (IPO) readiness support.

Targeted Assistance

Risk Assessments

A great way to determine the focus of an internal audit function is to perform a comprehensive annual risk assessment by identifying internal and external risk factors specific to your environment, emerging issues/trends and hot topics, and using Protiviti’s proprietary methodology to develop a risk-based audit plan that is responsive to the needs of the organisation. Annual risk assessments are most successful when performed jointly with compliance and other key risk management functions to implement efficiencies, achieve resource optimisation, and demonstrate a strategic partnership with senior leadership and other risk functions in the management of risks.

Enterprise Risk Management

A major goal of enterprise risk management (ERM) is to provide management and the board with information on risks and opportunities that may influence key decision-making. Protiviti can help facilitate the ERM journey that organisations wish to take. We can help organisations determine the appropriate focus on strategic execution risk as part of the overall ERM programme implementation.

Board Reporting and Education

With the release of practical guidance for healthcare governing boards, Protiviti can assist with evaluating various risk management functions’ reporting processes to the board and audit committee (e.g., presentation decks, dashboards, KPIs, other reporting packages, etc.); preparing, presenting and training the audit committee on regulatory risk and other hot topics in the industry; and assessing the composition of the audit committee, its charter and whether the committee is successfully fulfilling its roles to the organisation.

Assess, Benchmark and/or Implement

Based on tried and proven methodologies, coupled with Protiviti’s deep healthcare internal audit expertise and experience, we can evaluate the structure and effectiveness of your overall internal audit function. This includes the purpose and role within the organisation; collaboration efforts with other risk management functions/third parties; structure and reporting capabilities; current resource capabilities as compared to the needs of the organisation and IIA Audit Intelligence Suite survey data; tools, analytics and methodologies used; the audit universe considered, risk assessment process and audit plan development/coverage; the audit approach (i.e., planning, fieldwork, reporting and wrap-up); and audit follow-up process. The impact of an internal audit programme assessment can be dramatic as internal audit functions are provided a roadmap to improve their processes and/or move their maturity level higher up the Capability Maturity Model ladder. In addition, Protiviti can perform formal external quality assessments, which are recommended by The IIA every five years.