Healthcare Internal Auditors Prioritize Cybersecurity, Business Performance and Technology Modernization

Executive Summary

On the heels of the lengthy and exhausting public health emergency (PHE), the healthcare industry has been facing the challenges of the financial downturn and ongoing struggle to return to business as usual. Healthcare providers and payers are working to address a number of unique issues, including some that existed pre-pandemic, while facing the reality of the current landscape.

According to the latest Healthcare Internal Audit Plan Priorities Survey conducted by Protiviti and the Association of Healthcare Internal Auditors (AHIA), the top audit priorities for healthcare organizations in 2023 are encompassed in seven themes which are highlighted below and discussed in further detail in the report that follows.

Cybersecurity, Physical Security and Protecting Sensitive Information

Cybersecurity practices and posture top the list of internal audit (IA) priorities in our 2023 survey. Healthcare organizations continue to be prime targets for cyber and ransomware attacks, with severe consequences including disruption of essential systems, revenue loss and compromised patient care. Attackers are taking advantage of the healthcare industry’s complex organizational structures, outdated technology, and cultural need to protect its patients more than anything else, which drives this as a top priority on IA plans. Other top priorities for IA teams include user access management and physical security.

Human Resources, Benefits and Workforce Challenges

Human resources, benefits and workforce challenges rank as the second highest priority in 2023. Employee time/expense reporting and payroll are critical personnel operations for healthcare organizations as they face rising cost pressures in the post-pandemic environment. Many healthcare organizations have chosen to reduce staff to maintain healthy margins, even as they grapple with meeting and maintaining adequate clinical staffing levels. Workforce issues, including employee retention, succession planning and total rewards, are an ongoing challenge that IA can help address through focused audit efforts.

Financial Integrity

Issues around financial integrity rank high in the list of priorities for internal auditors, with accounts payable (AP) coming in as the fifth highest priority in 2023. Changes to the ecosystem due to emerging technologies, and fragmentation of people and processes due to trends in outsourcing to external parties, add to risks that must be reviewed by IA when auditing AP. Finance and accounting departments must address changing regulations, new or updated payment methods, impacts of inflation, and new technologies to determine their impact on the organization. Lack of qualified staff and issues accessing data necessary to complete modeling analyses make it difficult for finance and accounting departments to keep up with requests for detailed analysis in addition to their monthly financial reporting duties. As the department grows increasingly busy, valuable IA projects would include validating analysis methods, components of modeling, and internal controls. Capital projects also continue to be an area of significant concern for healthcare IA functions to review within their organizations due to their complex nature, unpredictability, long-term planning requirements, and schedule and budget constraints.

Fraud, Risk and Compliance

U.S. healthcare industry fraud costs tens of billions of dollars each year. Minimizing fraud, waste and abuse, including both employee and third-party threats, is a clear priority for healthcare organizations, ranking as the third highest priority in our survey. Reviewing comprehensive fraud management policies that can help guide organizations and protect them from financial losses, reputational damage, legal ramifications and financial penalties should be a priority, as well as looking at common and department-specific fraud scenarios. Pharmacy operations and drug distribution/management are also a priority area for internal auditors, especially as healthcare organizations address recent regulatory changes including those related to drug waste billing, 340B contract pharmacy-related restrictions and the Controlled Substances Act. Noncompliant pharmacy practices should be audited, as noncompliance can lead to millions of dollars in lost revenue, hefty fines and lost patient confidence due to reputational harm. Provider compensation remains an area of significant concern for health systems that IA can assist with, especially due to the federal government’s increased regulatory efforts in preventing and prosecuting healthcare fraud through the Anti-Kickback Statute and Stark Law provisions.

Revenue Integrity and Margin Improvement

Revenue integrity and margin improvement are a continuing battleground that is ripe for IA to be able to show some return on investment and be a strategic partner for their organizations. The conclusion of the PHE brought an end to pandemic-related federal funding streams, creating a financial challenge for healthcare organizations as they look for ways to improve revenue cycle and charge capture accuracy and generate a demonstrable return. Compliance with clinical documentation, coding and billing requirements can help organizations ensure accurate revenue and avoid revenue loss due to recoupments, refunds and fines.

Technology Modernization and Leveraging Data

Adoption rates for new cloud-based technologies continue to increase as healthcare organizations update and/or implement new electronic health record (EHR) systems, enterprise resource planning (ERP) systems and more, and see benefits that include streamlined operations, improved efficiency and enhanced care. But cloud-based technology can create additional challenges that IA should focus on to help ensure that these applications are properly secured from the standpoint of sensitive access, segregation of duties, privacy and provisioning.

Additionally, while emerging technologies like artificial intelligence (AI) and machine learning (ML) rely heavily on data, the healthcare industry lacks effective data lifecycle management strategies and foundational data governance practices necessary to optimize data to drive insights and support decision making. Internal audit should be reviewing their organizations’ AI and ML strategies and data governance practices. Initiatives to drive data integrity and data-usage guidelines should be included on the IA plan when the organizations are developing roll-out strategies for these technologies.

Third-Party Risk, Supply Chain and Continuity of Operations

Healthcare organizations partner with third parties to outsource services, drive service excellence, increase efficiency, control costs and provide other competitive advantages. But there is tremendous pressure on organizations to ensure third-party vendors maintain compliance with internal policies and evolving regulations. Vendor risk management (VRM) has become a critical routine function; but while healthcare executives recognize its importance, few can credibly report they are doing it effectively. Internal audit is one way organizations can help grasp all of the risks associated with third parties, joint ventures, etc.

Additionally, resilience has been top of mind for supply chain leaders over the last three years and continues to be a priority for IA review, as capital equipment, supplies and purchased service costs are some of the largest costs for healthcare systems, usually only behind labor. Resilience and visibility into all processes and policies in each supply chain department are an ongoing priority for IA teams to ensure the organization’s supply chains facilitate the quality, safety, continuity and lowest possible cost of patient care.

Business Continuity, Emergency Management and Pandemic Preparedness/Response continue to be among the top priorities for IA teams as they face a daunting risk horizon that includes sophisticated cybersecurity threats; gaps in technology resilience capabilities; enhanced regulatory scrutiny; complex supply (and value) chains informing all aspects of healthcare service delivery; unforeseen climate behavior increasing the risk of widespread geographical disruption; and a global marketplace that is hesitant to lock down again.

In Conclusion

As healthcare organizations continue to recover from the PHE and face disruptions from an uncertain economy, workforce challenges, cyberthreats, changing regulations and the increasing speed of emerging technology, the findings from our latest Healthcare Internal Audit Plan Priorities Survey point to the important role IA plays in helping organizations address their most urgent challenges.

Top healthcare internal audit plan priorities


February 27, 2024



Richard is a founding member and Protiviti's Global Healthcare Practice Leader and Global Lead for Pharma and Life Sciences. He has extensive experience providing operational, financial, and regulatory consulting and internal audit services to the healthcare industry. ...
Matt is a founding member of Protiviti and serves as Protiviti’s Healthcare Internal Audit and Digital Solutions leader. He has more than 24 years of experience providing operational, technology and regulatory consulting and internal audit services to a wide range of ...