Organizations might choose to outsource their internal audit function for any number of reasons. They may perceive an opportunity to cut costs, they might want to avail themselves of a fresher or broader perspective, or they may need expertise that is not found within their current team. And ultimately, when partners stay flexible and find a shared vision, an isolated engagement can turn into a synergistic relationship opening opportunities to do great work together.
This is what occurred when the chief administrative officer (CAO) of a large healthcare system considered ways to derive greater value from the organization’s internal audit function. Through research and conversations with industry peers, the CAO became convinced that outsourcing the function was the best approach to obtain the higher value she was after. Once she and the board agreed on an outsourced approach and selected Protiviti as a partner, this executive stayed heavily involved and worked closely with Protiviti to identify opportunities for improvement and contribute expertise on a wide variety of business problems.
“Protiviti has been a trusted and collaborative partner to us for several years and has truly become part of our organization — from a cultural fit to having our best interests at heart in everything they do for us. We can rely on Protiviti and their deep expertise to help us solve problems with meaningful and creative ideas that align with our overall strategic direction.”
— Chief Administrative Officer, healthcare organization
As a first step, Protiviti worked with stakeholders in the organization to develop a communication plan for the entire enterprise, explaining the organizational change to leverage Protiviti as an outsourced internal audit partner. The transition from an in-house function to an outsourced function was driven by an ever-expanding plan that included reviewing audits in progress and determining which of those audits to oversee to completion and which to defer until the Protiviti team could assess overall risk in its role as the new outsourced partner.
The first risk assessment was ready within two months of the decision to transition the function and became the basis for the organization’s new internal audit plan. The plan was designed to cover a broad variety of enterprise risk areas within the first twelve months, including information security, Meaningful Use, accounts payable and duplicate payments, physician partnerships and community benefit, physician contracting and incentive compensation, and revenue integrity. The team performed a detailed review and analysis of findings that surfaced from past audits to gain insight into the organization and retain the value of those audits.
Almost immediately, the client’s senior management invited Protiviti to facilitate the journey toward implementing an enterprise risk management (ERM) program. The work began by engaging directly with the board and executive leaders to help develop a position paper on how the company might implement ERM. At this point, the relationship had transcended the confines of internal audit, and Protiviti had assumed the position of a true strategic business partner. This elevated level of trust was earned through everyday demonstration of the depth and breadth of Protiviti’s expertise, tapping into Protiviti’s technology, compliance, healthcare and other subject-matter expertise to solve specific problems for the healthcare organization. For their part, by asking, “What do other organizations do in terms of dealing with this issue?” company executives were able to gain insight into best practices, and informally benchmark their organization against industry peers. The breadth of experience Protiviti brought to the table helped deliver insights in ways the former in-house internal audit function could not.
“What the organization wanted was an internal audit function that could be a strategic business partner to the organization; one that would help them be better positioned to accomplish their strategic business objectives. The board needed to have greater trust and confidence in the risk messages management was communicating to them. Those are the reasons why they wanted a partner with depth of experience and industry expertise, able to address the most serious issues that could surface.”
— Richard Williams, Managing Director, Protiviti
Following the risk assessment, the Protiviti team worked with the board and senior management to identify various management committees where Protiviti could add value in an advisory capacity. These management committees focused on specific business areas, and Protiviti’s input quickly made a broad and impactful contribution to these areas. This was especially true in the areas of revenue cycle, compliance, and information technology and security.
The organization was experiencing more denied claims than usual in hospital and physician group settings. By assessing these denial statistics against industry benchmarks, the team identified gaps and helped quantify the profitability and margin gains that would result from improving revenue cycle processes.
Due to the complex nature of the regulatory environment and the wide range of topics being addressed routinely, the organization’s compliance group had been struggling to articulate findings and issues to the board in a clear and concise manner. Protiviti worked with the compliance group, sharing valuable insights into effective techniques for executive-level reporting based on experiences at other healthcare organizations. The compliance group began leveraging the audit team’s annual risk assessment process and results to develop their own work plan. Once the board observed the effectiveness and clarity of the new reports coming from internal audit, they asked the audit team to remodel the reports for the compliance group as well. By studying those reformatted and restructured reports — including uniform risk rating and an executive summary reporting format — the board could more readily focus on the areas of greatest concern.
The Protiviti team helped identify security vulnerabilities across a wide range of areas. As a result, Protiviti security experts were invited to help remediate those weaknesses and support the organization’s information security group with ongoing testing efforts. Protiviti was also engaged to help complete the organization’s HIPAA Security Risk Analysis, which was already underway, a synergistic effort that cut the anticipated completion period in half. In addition to these efforts and thorough remediation planning, the organization was able to take advantage of Protiviti’s technical expertise to conduct a wide range of penetration testing, social engineering and vulnerability assessments.
In addition to addressing the key areas above and performing the various audits planned following the annual risk assessment process, Protiviti executed numerous ad-hoc special projects requested by executive leadership and the board to assist the organization with new and emerging issues.
The internal audit team also implemented a project risk management function, via checkpoint audits, throughout and after the organization’s electronic health records (EHR) system implementation.
By proactively seeking value, staying inquisitive, looking outside the box, and ultimately investing in an outsourced relationship with a multifaceted and experienced internal audit partner, this energetic healthcare organization was able to achieve more material and meaningful audit findings, in an arrangement that proved to cost less than an in-house internal audit function. While the search for value began by seeking access to a highly experienced team of auditors, through its relentless drive for improvement in all areas, the organization ended up cultivating a strategic partner with broad expertise across a variety of business functions — a partner who could consult at the highest level and communicate directly with the board on a regular basis to support the organization’s mission and strategic objectives. The vision shared by both parties continues to enable impactful contributions daily, with value that is reflected in the bottom line as well.