KnowledgeLeader Blog

Taking Audit’s Temperature: Healthcare Industry Risks and Trends

Posted by Sharise Cruz on Wed, Sep 04, 2013 @ 11:40 AM

In the Protiviti and Association of Healthcare Internal Auditors (AHIA) joint study, Top Priorities for Internal Auditors in U.S. Healthcare Provider Organizations, healthcare organizations responding to Protiviti’s 2013 Internal Audit Capabilities and Needs Survey provided an updated picture of how they rate their technical knowledge and skill levels and what competencies most need improvement.

Understanding and addressing cutting-edge risks in such areas as cloud computing and social media, keeping pace with changing industry and regulatory compliance guidelines and regulations, and improving effectiveness, efficiency and quality all stood out. Feedback came from a survey field of more than 1,000 respondents, nine percent of whom were U.S. healthcare providers.

Healthcare industry results of the seventh annual survey were reviewed along with the overall survey results in a recent webcast moderated by Kevin Donahue, senior director of editorial services for Protiviti. Participants included David Brand, global IT audit practice leader for Protiviti; Susan Haseley, managing director and industry leader for Protiviti’s healthcare and life sciences practice; and Michael Fabrizius, vice president-audit services for Carolina Healthcare System.

“It’s no surprise that social media is a hot topic in the industry, as many internal audit departments try to work through the proposition of ‘how and what should we do in auditing social media risk?’” said Brand.

Similarly, cloud computing also ranked as a high need-to-improve area as auditors wrestle with its inherent risks to their organizations.

“We’re talking about a lot of activities and processes that are outside our organizations’ immediate oversight control,” Fabrizius told the webcast audience. “When business associates use cloud computing, how vulnerable is their information? Are proper controls in place, and are they periodically evaluated? Do we put any restrictions in our contracts as to what we’ll permit them being stored on the cloud?”

Keeping pace with evolving standards and compliance demands also ranks as a major concern. Auditors felt least comfortable dealing with GTAG 16/GTAG 17 (data analysis technologies and auditing IT governance, respectively) and ISO 27000 (relating to information security management systems). One factor behind this, according to Brand, may be auditor curiosity about what other frameworks cover and how they stack up in terms of comprehensiveness.

“Security and privacy are strong focuses in the healthcare industry,” Haseley said. “Everyone is looking for ways to improve their processes and find frameworks on which to hang their hats in order to cover what’s necessary to satisfy requirements.”

Symptoms of IT governance problems have arisen. Brand cited applications that don’t necessarily provide user functionality, projects that miss milestones and exceed the budget, as well as cases of fairly widespread user dissatisfaction. As we determine the root cause of some of these issues, we need to understand IT governance and how it may be contributing to those problems.

Fabrizius agreed that weakness in information security and the potential for reputational risk is an area we can’t ignore.

As the industry continues to implement health information exchanges and pass more data among different organizations, having the framework in IT governance around controls to protect that data becomes extremely important.

Brand also noted that survey responders rated themselves as fairly competent, or 3.4 on a 1-to-5 scale, when it comes to information security fraud risk management. This always will be an area where there’s a need to improve because of the importance it plays in our risk assessments in the organization and our ability to address those risks, he said.

Fraud risk management in IT seems to be top-of-mind with chief audit executives (CAEs). Brand said fraud risk evaluation is evolving from episodic reviews on individual audits to comprehensive reviews that look at the overall organizational posture and its ability to prevent and detect fraud.

Among questions internal audit is asking are: What are our fraud prevention policies? Do we do adequate background checks? What kind of information and training is provided to employees? Are there controls to monitor the risk of fraud? Is there a fraud response plan? Is there some overall ownership of the fraud program? Internal auditors can bring a lot of value to the organization and ultimately present a comprehensive assessment to the audit committee highlighting a program’s strengths and weaknesses.       


Healthcare industry responders were asked to rate their technical knowledge of 85 areas specific to the industry. Five areas most in need of improvement included health information exchanges, value-based purchasing, ICD-10 implementation, payment bundling and accountable care organizations.

The focus, Haseley said, is on the revenue side and technology.

“It’s interesting to me that ICD-10 readiness and implementation appear on this list,” said Haseley. “That’s a little bit concerning. Even with a delay in the deadline, I think most organizations should be in the implementation stage.”

The revenue cycle in healthcare and the supporting technology are going through a fundamental, comprehensive change. Brand said this poses a variety of risks. With health information exchanges, companies must assure that they don’t lose control of information that patients expect will remain secure. “Auditors are going to have to change their approach to the revenue cycle and be prepared to help their organizations transition to this new world. It’s an opportunity for audit to provide more consulting services at the front end.”

Physician credentialing has become a strategic area for CAEs, tying for second place as technical knowledge in need of improvement.

Many organizations are changing how they deal with physicians.

“Internal audit is getting pulled into some of the strategic decisions that are being made,” Haseley observed. “We’re seeing organizations asking internal audit to assist [by] not only looking at credentialing but also physician alignment, physician strategy and compensation.”

Fabrizius noted that if organizations don’t have their physicians enrolled and credentialed with their health insurers, their invoices will be treated as out-of-network or they will prohibit any payment.


Data analysis tools and data manipulation placed as the top need-to-improve area in audit process knowledge. It was closely followed by a three-way tie between quality assurance and improvement programs (IIA Standard 1300), external assessment (Standard 1311) and fraud risk assessment.

A core component of how most companies audit fraud, data analytics has ranked high in the need-to-improve area since Protiviti began conducting its survey. Respondents are confident but don’t feel they are doing enough of it, said Brand. A decade ago, if anyone tried to use data analytics tools, it was tough slogging. The tools were hard to use, required some scripting and, worse, the data wasn’t easy to access. Even though the tools existed, using them was impractical.

Fast forward to today – without data analytics, the implementation of ERPs wouldn’t have taken place over the last five years, nor would the emergence of data warehousing or big data relating to all these common data stores being built. Now data manipulation tools have matured to provide point-and-click access and then link to continuous auditing and continuous monitoring, two technologies fraud control-minded internal auditors are starting to implement as they sift through huge masses of data.

One can’t help but be impressed by how data analytics is maturing, Brand said, citing how it can extract information from disparate systems and match payroll data to HR information. Data analytics can even quickly red-flag a situation where an employee’s address is identical to that of a vendor.

Among CAEs, new technologies in auditing IT rate high on their process radar screen, followed by enterprise risk management. Brand stressed the importance of internal audit departments being linked with ERM initiatives within their organizations. Haseley noted, “I see a challenge with ERM in terms of leadership. It’s something that spans across so many different departments, and internal audit is generally actively involved – sometimes leading the charge, sometimes not. Leadership must be on point to take the program throughout the organization.”


Overall results for personal skills and capabilities that were identified as areas for improvement related to both reports internal audit delivers and to personal interaction between auditors and other departments.

By rank, these soft skills included:

  1. Presentation/public speaking

  2. High-pressure meetings and dealing with confrontation

  3. Persuasion and mastering new technology and applications

“Public speaking is a life-long skill,” said Brand. “I don’t care how much or how often we do it, I doubt that any of us would say ‘I don’t need to improve on that.’”

He added that survey results reflect the thinking at all levels of internal audit where everyone in the industry is doing more with less – more audits, trying to find more value within the organization – with fewer people.

Regardless of organizational size, the number of people in the department, skills capability, or the issues you might face with some of your technical or process knowledge, we’re all facing the same challenges, he said.

Top-ranked personal skills with room for improvement highlighted specifically by CAEs were coaching and mentoring, which tied with negotiation, high-pressure meetings, dealing with confrontation, presentations, persuasion and strategic thinking.

Haseley said even though coaching and mentoring rated a high 3.9 out of 5 competency, she was encouraged to see it listed so prominently.


Some 64 percent of survey respondents use social media for external communication and 44 percent use it for internal communication, and the numbers keep growing. Only 53 and 57 percent, however, have a social media strategy and social media policy in place, respectively. Given those figures, Brand raises a compliance issue: how are companies to deploy this channel and still hold users accountable?

Many companies have yet to spell out who is authorized to post, what types of material and content are appropriate for social media exposure, and from an ethical standpoint, what’s acceptable and what’s not when it comes to employee or client information.

Only 49 percent of those surveyed address social risk during the risk assessment process. By now, Brand said, you would expect this to be a discrete auditable unit or at least part of the risk universe. But only 20 percent have it in their audit plan, although it should be in the risk assessment process and over some period of time – probably a short horizon – 100 percent of the audit plan.

The highest social media risks facing the healthcare industry were identified as compliance, brand reputation, data security (company information), data leakage (employee personal data), and viruses and malware.

Among roadblocks to successful social media auditing, the survey found, were HR policies (10 percent), perceived cost (11 percent), data availability (14 percent), lack of IT support (17 percent), inadequate technology (18 percent), inadequate training (30 percent), perceived risk (30 percent), and lack of management support (27 percent). By and large, social media auditing is a complex, not-easily-understood component of the organization that’s often disseminated through multiple departments, and it doesn’t have clear ownership. 

While 39 percent said reduced reputation risk is the greatest perceived value of social media monitoring, Brand observed that “the value of social media is about driving business performance – not about reputation.”

“Without de-emphasizing compliance, the conversation on social media needs to be directed more at what are we trying to do with it and why is it important to our business,” Brand said. “I think there’s a disconnect about why we’re using it and why companies are energized about using social media – 84 percent of organizations rate their social media risk assessment capability as either not effective or only moderately so.”

Brand added that to achieve business value, a conversation that brings together social media users, PR and marketing in order to understand the business strategy and risks to the organization will need to occur.


Click here to listen to the recorded version of the March 2013 webcast and view the examples discussed in this article. 



This article was written by Thomas Witom and originally appeared on the KnowledgeLeader website. 

