Healthcare Internal Audit During a Pandemic — Going From React to Rethink

Rebecca Nilson, Director Enterprise Risk Management Healthcare Lead
Bryon Neaman, Director Northeast Region Healthcare Practice Lead

The past 20 years have presented three distinct crises that have had profound worldwide implications: the terrorist attacks of 9/11, the financial crisis of 2008, and now the global pandemic that is COVID-19. Each of these crises was considered unprecedented and presented real risks to our world, society and the economy. The benefit of living through unprecedented events is that the experience brings wisdom. What have we learned, and how can we leverage the new insights to make us better at what we do in all aspects of our lives?

The COVID-19 pandemic has brought unique challenges to the healthcare industry. Not only has the industry been impacted financially through the loss of patients’ jobs and insurance, their hesitation to go to a physician’s office or the emergency room, and the mandatory halt of elective and non-life-threatening procedures, it has also been tough for the industry to keep the institutions clinically staffed during the pandemic, after budget cuts due to financial losses, and in case of a surge, which has also had a direct impact on front-line workers treating COVID-19 patients.

The sudden onset of unknown and devastating consequences has forced healthcare organizations to respond quickly and dramatically to the pandemic. Those of us who serve as healthcare internal audit professionals bring a unique perspective to our organizations, providing a holistic view by complementing our understanding of the industry culture and regulatory complexities with the mission, strategies and goals for the organization. We better understand the risks and know where vulnerabilities now exist or potentially exist. Most importantly, we know how to partner, advise and develop constructive solutions that address real risks. The skills we have cultivated in our roles have always been essential to what we do — especially now.

So, what are healthcare internal audit teams doing during the COVID-19 pandemic?

We have the privilege of supporting many leading healthcare organizations throughout the country. What we have seen since the onset of the pandemic is that internal audit is up to the challenge. How internal audit addresses this challenge can be identified in three distinct phases: (1) reacting at the onset of COVID-19, (2) responding effectively to COVID-19 in the near term, and (3) rethinking and repositioning internal audit post-COVID-19 for the long term.

Reacting at the Onset of COVID-19

At the onset of the COVID-19 crisis, savvy internal audit functions quickly recognized that their existing work and future work (as defined by their internal audit plan) may no longer be relevant. A real-time evaluation of the organization and assessing where to focus attention has been crucial. They have been asking, “What does the organization’s revenue stream and payer mix look like? Have all funding sources been accessed, and what controls have been put into place to meet the requirements? What third-party vendors have we contracted with in order to obtain much needed supplies? What are the disruption risks? How will privacy and security be affected with telehealth? What business continuity plans, including levers, are in place to ensure that the organization has the financial strength to weather the storm?”

Armed with this knowledge, internal audit has been well positioned to evaluate how to defer existing efforts, if applicable, as well as redeploy to other critical areas. A key component in this evaluation is to inform the audit committee and the C-suite on the agility of the internal audit plan and advise where they believe it should focus, redeploy, seek support and move forward to support the organization’s changing environment and add the most value. This approach clearly demonstrates that internal audit is being proactive and not passively waiting for direction.

Responding Effectively to COVID-19 in the Near Term

We have seen internal audit’s efforts be most effective when there is a clear understanding of new priorities (i.e., the risks that are affecting the organization) and then deploying skilled and knowledgeable internal audit professionals with the right expertise. Additionally, because the nature of a crisis is so fluid, it is not uncommon for internal audit’s efforts and resources to be redeployed in nontraditional audit roles to address critical business needs such as overseeing cost containment initiatives, managing third parties, enacting security and privacy protocols, performing analytics, or managing transactions.

This pandemic has posed fast moving and expansive changes to address the depth and breadth of the impact. We have seen examples of internal audit overseeing underlying processes and controls regarding CARES Act funding, designing and collaborating on new security and privacy protocols governing telehealth and a remote workforce, and managing projects like COVID-19 response efforts with key supply chain providers. While these new roles will not be permanent, they do serve an immediate need and are equally important as the organization benefits from the skills and talents of internal audit in newfound ways.

During this phase, it is essential for internal audit to maintain consistent and effective communication with stakeholders. The audit committee and C-suite (including the executive[s] to whom internal audit reports) should be informed and approve any nontraditional work of internal audit during the crisis. This will allow internal audit to both respond effectively and set the stage for how the function can continue to meet professional standards governing independence and objectivity. For example, any work internal audit performs in the first or second line of defense during the pandemic should be precluded from future internal audit plan efforts for a period of time. Alternative approaches can be considered, including utilizing a strategic third-party co-sourced partner or engaging other organizational departments to perform audits in potentially conflicted areas.

Rethinking and Repositioning Internal Audit Post-COVID-19 for the Long Term

This final phase is premised on leveraging what has been learned during the crisis. Although this is still an ongoing issue for the foreseeable future, especially as it relates to healthcare organizations, there are lessons to be learned. What has internal audit done well? Where are the opportunities for internal audit to work differently in the new environment? Reflecting on previous crises, the world never reverts to the same way as it was before. Doing so would ignore the lessons learned and result in a failure to seize the opportunity to rise up, innovate and improve. This should also be true for internal audit. Embracing an event to support better ways for internal audit to deliver superior quality includes:

  • Employing new risk models, including stress testing, that leverage the learnings from the pandemic to redefine organizational risk capacity and risk tolerance
  • Utilizing new high-impact communication methods that provide timely, concise and relevant insight to the organization on critical risks and how they should be handled (e.g., mitigate, accept, transfer)
  • Embracing agile auditing by focusing on dynamic insights generated from continuous monitoring and near real-time risk assessments that enable timely value-adding evaluations and recommendations
  • Leveraging emerging technologies such as robotic process automation, process mining and the increased use of actionable analytics to drive new service delivery models

Internal audit’s influence will surely grow as we continue to adapt and extend our capabilities in new ways during and after a crisis like COVID-19. While crises are challenging, they can also be catalysts to innovate and improve ourselves to be better than we were before. As with 9/11, the 2008 financial crisis, and now COVID-19, internal audit is up to the challenge and pivoting to address the areas most critically impacted by the pandemic such as emergency management, cybersecurity, telehealth, preservation of funding sources, 1135 waivers and vendor risk management, to name a few.

Add comment