Healthcare Internal Auditors Prioritise Cybersecurity, Business Performance and Technology Modernisation

Cybersecurity, Physical Security and Protecting Sensitive Information

Cybersecurity practices and posture tops the list of internal audit (IA) priorities in our 2023 survey. Healthcare organisations continue to be prime targets for cyber and ransomware attacks, with severe consequences including disruption of essential systems, revenue loss and compromised patient care. Attackers are taking advantage of the healthcare industry’s complex organisational structures, outdated technology, and cultural need to protect their patients more than anything else, which drives this as a top priority on IA plans. Other top priorities for IA teams include user access management and physical security.

Human Resources, Benefits and Workforce Challenges

Human resources, benefits and workforce challenges rank as the second highest priority in 2023. Employee time/expense reporting and payroll are critical personnel operations for healthcare organisations as they face rising cost pressures in the post-pandemic environment. Many healthcare organisations have chosen to reduce staff to maintain healthy margins, even as they grapple with meeting and maintaining adequate clinical staffing levels. Workforce issues, including employee retention, succession planning and total rewards, are an ongoing challenge that IA can help address through focused audit efforts.

Financial Integrity

Issues around financial integrity rank high in the list of priorities for internal auditors, with accounts payable (AP) coming in as the fifth highest priority in 2023. Changes to the ecosystem due to emerging technologies, and fragmentation of people and processes due to trends in outsourcing to external parties, add to risks that must be reviewed by IA when auditing AP. Finance and accounting departments must address changing regulations, new or updated payment methods, impacts of inflation, and new technologies to determine their impacts to the organisation. Lack of qualified staff and issues accessing data necessary to complete modeling analyses make it difficult for finance and accounting departments to keep up with requests for detailed analysis in addition to their monthly financial reporting duties. As the department grows increasingly busier, valuable IA projects would include validating analysis methods, components of modeling, and internal controls. Capital projects also continue to be an area of significant concern for healthcare IA functions to review within their organisations due to their complex nature, unpredictability, long-term planning requirements, and schedule and budget constraints.

Fraud, Risk and Compliance

U.S. healthcare industry fraud costs tens of billions of dollars each year. Minimising fraud, waste and abuse, including both employee and third-party threats, is a clear priority for healthcare organisations, ranking as the third highest priority in our survey. Reviewing comprehensive fraud management policies that can help guide organisations and protect themselves from financial losses, reputational damage, legal ramifications and financial penalties should be a priority, as well as looking at common and department-specific fraud scenarios. Pharmacy operations and drug distribution/management are also a priority area for internal auditors, especially as healthcare organisations address recent regulatory changes including those related to drug waste billing, 340B contract pharmacy-related restrictions and the Controlled Substances Act. Noncompliant pharmacy practices should be audited as noncompliance can lead to millions of dollars in lost revenue, hefty fines and lost patient confidence due to reputational harm. Provider compensation continues to remain an area of significant concern for health systems that IA can assist with, especially due to the federal government’s increased regulatory efforts in preventing and prosecuting healthcare fraud through the Anti-Kickback Statute and Stark Law provisions.

Revenue Integrity and Margin Improvement

Revenue integrity and margin improvement are a continuing battleground that is ripe for IA to be able to show some return on investment and be a strategic partner for their organisations. The conclusion of the PHE brought an end to pandemic-related federal funding streams, creating a financial challenge for healthcare organisations as they look for ways to improve revenue cycle and charge capture accuracy and generate a demonstrable return. Compliance with clinical documentation, coding and billing requirements can help organisations ensure accurate revenue and avoid revenue loss due to recoupments, refunds and fines.

Technology Modernisation and Leveraging Data

Adoption rates for new cloud-based technologies continue to increase as healthcare organisations update and/or implement new electronic health record (EHR) systems, enterprise resource planning (ERP) systems and more, and see benefits that include streamlined operations, improved efficiency and enhanced care. But cloud-based technology can create additional challenges that IA should focus on to help ensure that these applications are properly secured from the standpoint of sensitive access, segregation of duties, privacy and provisioning.

Additionally, while emerging technologies like artificial intelligence (AI) and machine learning (ML) rely heavily on data, the healthcare industry lacks effective data lifecycle management strategies and foundational data governance practices necessary to optimise data to drive insights and support decision making. Internal audit should be reviewing their organisations’ AI and ML strategies and data governance practices. Initiatives to drive data integrity and data-usage guidelines should be included on the IA plan when the organisations are developing roll-out strategies for these technologies.

Third-Party Risk, Supply Chain and Continuity of Operations

Healthcare organisations partner with third parties to outsource services, drive service excellence, increase efficiency, control costs and provide other competitive advantages. But there is tremendous pressure on organisations to ensure third-party vendors maintain compliance with internal policies and evolving regulations. Vendor risk management (VRM) has become a critical routine function; but while healthcare executives recognise its importance, few can credibly report they are doing it effectively. Internal audit is one way organisations can help grasp all of the risks associated with third parties, joint ventures, etc.

Additionally, resilience has been top of mind for supply chain leaders over the last three years and continues to be a priority to be looked at by IA, as capital equipment, supplies and purchased service costs are some of the largest costs for healthcare systems, usually only behind labor. Resilience and visibility into all processes and policies in each supply chain department is an ongoing priority for IA teams to ensure the organisation’s supply chains facilitate the quality, safety, continuity and lowest possible cost of patient care.

Business Continuity, Emergency Management and Pandemic Preparedness/Response continue to be among the top priorities for IA teams as they face a daunting risk horizon that includes sophisticated cybersecurity threats; gaps in technology resilience capabilities; enhanced regulatory scrutiny; complex supply (and value) chains informing all aspects of healthcare service delivery; unforeseen climate behavior increasing the risk of widespread geographical disruption; and a global marketplace that is hesitant to lock down again.

In Conclusion

As healthcare organisations continue to recover from the PHE and face disruptions from an uncertain economy, workforce challenges, cyberthreats, changing regulations and the increasing speed of emerging technology, the findings from our latest Healthcare Internal Audit Plan Priorities Survey point to the important role IA plays in helping organisations address their most urgent challenges