Healthcare IA Benchmarking

Protiviti and the Association of Healthcare Internal Auditors (AHIA) conducted an annual survey on IA functions, demographics, structures, processes, innovative initiatives, next-generation auditing progress, personnel experience, and top IA plan priorities for healthcare providers, payers and integrated delivery systems. 

The 2023 Healthcare Internal Audit Plan Priorities Survey results can be found in the jointly published Healthcare Internal Auditors Prioritise Cybersecurity, Business Performance, and Technology Modernisation. The publication also provides commentary on suggested practices to improve auditing of top priorities, many of the changes underway within the industry, and how the changes are affecting IA functions.

This article provides additional insight into detailed benchmarks around many of the other aspects of an IA function including size, budgets and certifications. The insights are explored from various data points and provide additional context on what the survey data portends for the future of healthcare organisations’ IA functions.

Methodology

For the last two years, Protiviti and AHIA have partnered to jointly conduct and publish a benchmarking survey to allow IA leaders to compare the knowledge and skills of their teams, identify areas of opportunity, and add value to their organisations. In the spring of 2023, surveys consisting of 70 questions of varying response types were sent to all AHIA members and many healthcare organisations across the country. The survey responses provide a snapshot of the current state of healthcare IA functions and professionals.

Completed surveys were received from 56 healthcare organisations. The responses represent 37 healthcare provider organisations, 17 integrated payer and provider delivery systems, and two healthcare payer organisations.

Survey results

Reporting structure

Most respondents (55%) stated that their IA function reports administratively (on a day-to-day basis) to either the chief financial officer (CFO) or the chief legal officer (CLO), with another 18% reporting to the chief executive officer (CEO). The remaining respondents report to the chief compliance officer (CCO, 9%), audit and compliance committee (7%), board of directors (2%), chief operating officer (COO, 2%), or other (7%).

Although administrative reporting relationships varied, the majority of respondents (91%) report functionally to an audit and compliance committee or other committee of the board, a trend that was similarly highlighted in the 2022 survey results. The reporting structure to a board committee emphasises the importance of closely aligning the relevant board committee with the IA function, allowing the committee to provide oversight and strategic direction.

Relationships with compliance, operations and other areas

Most (77%) of respondents have a stand-alone IA function with a separate compliance function, compared to 14% of respondents that have a combined IA and compliance function. The remaining 9% of respondents have a standalone IA function with no compliance function.

Respondents were also asked to characterise their organisation’s perception of IA, with 95% of respondents agreeing that their organisation views IA as a value-added service/function that is aligned with the organisation’s strategic objectives. Small numbers of respondents were unsure (3%) or did not believe that their organisation viewed their IA function as a value-added service/function (2%).

Exhibit 1 lists various functions with which IA might coordinate. For risk assessments, the majority of respondents coordinate with compliance (71%), risk management (57%), information technology (IT, 55%) and security (50%). For coordination on internal controls over financial reporting, IA most commonly coordinates with a public accounting firm (30%) or IT (21%). Forenterprise risk management (ERM), IA most commonly coordinates with risk management (43%) and compliance (34%).

The majority of respondents coordinate assurance (audit) work with compliance (68%), IT (64%) and security (50%), followed by public accounting firms (48%). Finally, respondents coordinate advisory (consulting) work the most with legal (50%), compliance (39%) and IT (36%).

Exhibit 1 – Coordination of activities

Professional standards and quality assurance reviews

When asked if their IA function adheres to The Institute of Internal Auditors (The IIA) professional standards, 52% of respondents indicated that they adhere to all of the standards, including quality assurance reviews (QARs) and establishing and maintaining an IA charter. Fewer respondents (32%) adhere to all of the Standards except QARs. Only 11% of respondents adhere to most of the Standards except QARs and establishing and maintaining an IA charter, and 5% of respondents answered that their adherence either varied or they were unsure.

Among those organisations who perform QARs, the majority (64%) stated that they perform QARs every five years, which is in line with The IIA’s guidance, with an additional 22% stating that they perform QARs more frequently, e.g., 1 to 4 years. Only 14% of respondents perform QARs less frequently than every five years, e.g., every 6 or more years. Exhibit 2 outlines the most current type of QARs conducted by respondent organisations.

Half of respondents either do not perform formal QARs (43%) or are unsure whether they conduct formal QARs (7%). Among those who stated that their organisation does not conduct formal QARs, 42% reported the reason was because QARs were not required by governance/leadership. The remaining reasons for not conducting a QAR include not seeing the benefit (21%), cost (16%), or other (21%).

Exhibit 2 summarises the latest types of QARs that respondents obtained. Over half (54%) of respondents had QARs that involved an IA professional services provider.

Exhibit 2 – Latest type of QAR

Image

Fraud risk management

According to The IIA’s Three Lines Model, IA functions serve as a third line of defense of internal controls and provide “independent and objective assurance and advice on all matters related to the achievement of objectives,” inclusive of fraud risk management efforts. Over half of all respondents (54%) noted that their IA function plays a role in monitoring the organisation’s fraud risk management efforts.

Surprisingly, 21% of respondents indicated that their IA function’s role was to lead the organisation’s overall internal fraud risk management efforts. While specific organisational circumstances might cause variance, fraud risk management’s ownership under the Three Lines Model is better aligned with a second line function of management.

Exhibit 3 provides a deeper view into how healthcare organisations rank various areas of the business as potentially susceptible to fraud risks. Respondents ranked their top three significant risks to their organisation as revenue integrity (31%), financial accounting and reporting (35%) and regulatory compliance (41%).

Exhibit 3 –Top three fraud risk areas (highest in bold)

Annual internal audit budget/spend

Exhibit 4 summarises the responses for the annual IA budget relative to the organisation’s annual revenue. Respondents reported a weighted average of approximately $1,291,822 of annual IA budget/spend.

Exhibit 4 – Annual IA budget/spend by revenue

Annual internal audit plan hours and breakouts

Exhibit 5 depicts the total hours budgeted on an annual IA plan relative to the organisation’s annual revenue. Respondents reported a weighted average of approximately 7,985 hours on their IA plans.

Exhibit 5 – Annual IA plan hours by revenue

Exhibit 6 shows a breakout of IA plan hours budgeted by top risk category audit areas. The top four audit areas consume 76% of plan hours.

Exhibit 6 – Annual IA plan hours by top risk categories

Image

Internal audit years of experience

Exhibit 7 shows the average years of experience by staff level, broken out by years of audit experience, healthcare experience and total experience.

Exhibit 7 – Average years of experience by level and experience type

Internal audit function size

Exhibit 8 highlights the IA function’s size relative to the organisation’s annual revenue and its co-sourcing status. Approximately 10% of respondents do not co-source any audit work and they normally employ between 1 to 9 IA staff; most of these respondents have revenue of less than $5 billion. The majority of respondents (90%) co-source a portion of their IA work.

Exhibit 8 – Co-sourcing by staff count and revenue size

Co-sourcing

A co-sourcing arrangement is used by 61% of respondents as a means to obtain and recruit different skillsets into their IA function. Remote/hybrid work arrangements (75%), salary increases/bonuses (45%) and other benefits/amenities (20%) were other methods used to obtain and recruit different skillsets into the IA function.

Acquiring and retaining IA talent whose skills align with a healthcare organisation’s top priorities and internal strategies can be challenging, especially in more specialised and technical areas. Co-sourcing with a strategic partner or third party allows an IA function to achieve its strategic priorities regardless of its internal capabilities. When asked the areas their organisation co-sources, respondents most commonly co-source IT audits (71%), followed by coding (45%), revenue cycle (41%), compliance (32%), clinical (30%), operational (30%), financial and accounting (29%) and third parties/joint ventures (29%).

The areas that are co-sourced also align with the top fraud risk areas and top IA plan priorities, highlighting the importance of the areas in the current healthcare environment. Exhibit 8 indicates that most IA functions across all size categories supplement internal resources by co-sourcing.

Anticipated staffing trends

Exhibit 9 summarises anticipated staffing changes. The majority of respondents do not anticipate a change in the size of their IA function within the next 12 months (75%) or within the next 24 months (59%). The responses are consistent with last year's results, pointing to similar outlooks on IA function growth.

Exhibit 9 – Anticipated staffing changes

Staff attributes, sources, development and certifications

Experience in auditing, healthcare and data analytics were ranked as the top three most important attributes that respondents valued on their staff. Furthermore, respondents indicated that their current staff members were experienced hires from another industry (40%) or from another healthcare organisation (30%).

Continuing education is essential in remaining up to date on the latest trends and best practices across the various sectors within IA and the healthcare industry. Certifications and designations are avenues to obtaining additional professional education and often are required for advancement within an IA function. The majority of respondents (63%) at the manager level and above are required to possess either a certification or an advanced degree.

Additionally, all respondents indicated that at least one of their staff members has a professional designation. Exhibit 10 summarises the prevalence of professional designations with 84% of respondents reporting at least 50% of staff having a credential.

Exhibit 10 – Staff with a professional designation

Audit projects and hours per project

Exhibits 11, 12 and 13 depict the total number of IA projects across assurance (audit), advisory (consulting), and other types of projects relative to the organisation’s annual revenue. Overall, the respondents reported a majority of assurance projects on their IA plans, with a weighted average of approximately 18.5 assurance projects. Respondents reported a weighted average of approximately 11.5 advisory projects on their IA plans.

Exhibit 11 – Number of assurance projects by revenue

Exhibit 12 – Number of advisory projects by revenue

Exhibit 13 – Number of other projects by revenue

Exhibits 14, 15 and 16 depict the hours allocated per project split across assurance (audit), advisory (consulting) and other types of projects relative to the organisation’s annual revenue. Across all respondents, assurance projects were allotted more hours (286.5) on a weighted average than advisory projects (226.3). Organisations with revenue less than $0.5 billion allotted on an average 175 hours across all audit types. Respondents with a revenue of $1 to $4.999 billion allotted the most hours to assurance projects, spending on average 283 hours on such projects.

Exhibit 14 – Hours per assurance project by revenue

Exhibit 15 – Hours per advisory project by revenue

Exhibit 16 – Hours for other types of projects by revenue

Exhibit 17 – IA findings follow-up frequency

Image

Next-generation methodology maturity level

Survey respondents were asked to consider the maturity level of each of their next-generation methodology components: dynamic risk assessment, agile audit approach, high-impact reporting and continuous monitoring. Most respondents (57%) indicated that their IA function has the necessary talent and skills (or has access to the necessary talent and skills) to perform or integrate all methodology components.

When asked to rank the maturity level of each component, most respondents reported that their functions had an advanced level of maturity in high-impact reporting (70%), agile audit approach (57%) and dynamic risk assessment (55%).

However, most respondents (54%) reported a low level of maturity in the continuous monitoring component, highlighting a potential disconnect as the same respondents (80%) also believe they have the necessary skills and talent to conduct continuous monitoring. The disparity indicates an opportunity for organisations to better leverage existing talent and skills within their IA functions and co-sourcing partners to increase the current maturity level of their continuous monitoring efforts. IA functions should reassess whether their resources of available staff time and co-source budgets can actually increase their maturity in this area.

Findings follow-up frequency

Timely follow up and validation of management’s remedial actions on IA findings is a critical activity performed by IA as part of its control environment monitoring role. Exhibit 17 shows how frequently respondents perform audit findings follow-up efforts.

Most respondents (48%) perform follow-up efforts on individual findings based on individual due dates. Performing follow-up efforts on an individual basis has the potential of spreading already limited IA resources thin, resulting in lessthan- optimal efficiency.

IA functions should consider adopting a more standardised periodic follow-up frequency (e.g., monthly, quarterly, etc.) or aligning the follow-up intervals with the meetings of their assigned board committees. In a periodic follow-up process, management action owners are sent reminders of upcoming finding due dates using emails or workflow capabilities, and IA then follows up according to the set frequency.

Periodic follow up helps process owners better manage their workload and commitments to IA, builds goodwill and fosters cooperation, and enables a more structured reporting cycle to management and the functional reporting committee.

Risk assessments

Risk assessments are essential to regularly identifying the organisation’s top risks, prioritising risks and developing strategic plans to mitigate the risks. Most respondents (61%) reported that they perform a risk assessment annually, while 21% of respondents indicated that they conduct continuous risk assessments. Risk assessments were conducted quarterly by 7%, with another 7% conducted two or three times a year. Surprisingly, 4% continue to perform risk assessments less than once a year (e.g., audit plans spanning two years, three years, etc.). No respondents from the previous year’s survey indicated that they conduct risk assessments less than once a year.

Many respondents (59%) stated that they perform engagement or process-level risk assessments for each project, both during the annual risk assessment and prior to project kick-off. Another 32% stated that this assessment is only completed prior to the project kickoff.

Responsibility for compliance audits

Compliance and IA often work together to perform certain compliance-based audits across an organisation. Each function’s involvement depends on a variety of factors, including the specific skills needed to perform the audit and the capability and capacity of each function.

Exhibit 18 identifies the functions—compliance, IA or other function—that are responsible for each of the compliance audit areas. Survey results indicate that compliance alone is responsible for conducting the majority of compliance audits, but does collaborate with IA often in several areas, including on 340B pharmacy drugs and billing price transparency/No Surprises Act audits.

Exhibit 18 – Responsibility for performing compliance audits

Implementation of Sarbanes-Oxley

A majority of healthcare respondents (70%) reported that their organisations, mostly not-for-profit, are not required to be Sarbanes-Oxley Act (SOX)-compliant, and they have not implemented the requirements. However, many healthcare organisations see the benefit of maintaining compliance and have therefore implemented a robust but cost-effective system of internal controls over financial reporting. Exhibit 19 summarises the implementation of SOX.

Exhibit 19 – SOX Implementation

ERM processes help to identify and assess risks pertaining to specific segments of an organisation. In addition to looking at current risks, ERM is forward-looking and attempts to identify potential risks to the organisation.

For 84% of respondents, their organisation’s ERM process is led by either the chief audit executive (36%), chief compliance officer (30%), chief risk officer (28%), others (17%), general counsel (15%), or the chief executive officer (6%) or some combination thereof.

Exhibit 20 identifies the role that IA plays in the respondents’ ERM process. Most respondents see IA as a facilitator to help identify and evaluate risks (45%), reviewer of key risk management (43%), champion of the establishment of ERM (41%), and evaluator of the ERM process (41%). Only 2% of respondents see IA’s role as implementing risk responses on management’s behalf.

Among the respondents who indicated that their organisation does not have an ERM process (16%), the majority (67%) cited a lack of executive support as the primary reason they do not. The remaining respondents cited a lack of perceived benefit (11%), lack of necessity (11%) and other (11%) as reasons for not implementing an ERM process.

Exhibit 20 – Internal audit role in ERM

Image

Exhibit 21 – Primary industry

Image

Exhibit 22 – Total number of employees

Exhibit 23 – Annual revenue (billions)

Image

Survey respondent demographic information

Exhibits 21, 22 and 23 provide additional respondent demographic information, including their primary industry, total number of employees and the organisation’s annual revenue.