As the world is rapidly changing before our eyes, organizations are becoming increasingly self-aware about vulnerabilities within their operations and infrastructure that, just a couple of months ago, may have seemed like a distant possibility. The current environment’s intense pressures are leading to new challenges and opportunities, which are perfect catalysts for innovation.
Amid the current environment, one of the areas that is likely to see a continued transformational change is the process by which the compliance and internal audit functions partner with executive leadership to identify and monitor the organization’s overall risk. With greater technological capabilities and reporting resources than ever before, the method by which organizations achieve analytic insight over the next 12 months is sure to be a silver lining from the current chaos.
When it comes to risk awareness, the status quo for the past several years has been to conduct an annual risk assessment that established the compliance and internal audit plans for the year. In some cases, those were being performed only every two to three years. Based on a recent poll that was taken during a webinar titled Focusing on the Risk Assessment Process in a Dynamic Environment, approximately 50% of the respondents indicated that they conduct a risk assessment annually or even less frequently. Audit hours would then be focused on executing projects from the plan with little regard to changes in the environment throughout the year. Occasionally, something would surface that shifted audit’s focus from the annual plan to an event at hand that warranted attention, but this has been the exception rather than the rule. It is not acceptable or viable simply to move forward with the way things have always been done. Internal audit and compliance must retool themselves to leverage data in new ways to help prioritize their focus.
The next generation of audit is heavily focused on identifying and responding to the organization’s needs in a dynamic fashion. As auditors, it is our job to sit in the passenger seat for our organizations and keep an eye on the GPS, road conditions and the overall health of the vehicle to ensure that our organizations reach their destination in the safest, most efficient and compliant way possible.
We must alert the business to external conditions that are changing, whether that be in terms of regulatory matters, payer behavior, payment models, customer population or other obstacles the industry is experiencing. We need to keep an eye on the overall health of the company and advise management when the tread on their tires is wearing thin, such as when minor issues arise that could escalate into something more significant or when proper preventive maintenance is not being done that could lead to problems down the road. We need to identify when parts are susceptible to breaking, and when they break unexpectedly, we need to ensure that issues are addressed as expediently as possible. We need to let our organizations know if there is a better way to perform from a best-practice process, technology and/or automation perspective.
Overall, we need to continuously assess our organization’s risk environment and let the business know which things are going well and where attention is needed. Furthermore, we need to provide insight on what type of attention is needed, whether it’s a diagnostic look under the hood, a routine checkup or a complete in-depth process review.
To be an effective partner going forward, audit will need to keep a real-time pulse on the health of the organization. One way to do this is by implementing a continuous monitoring dashboard (driven by automation/analytics, for example) that alerts audit to problem areas for further review. For instance, a revenue analytics dashboard could monitor day-to-day adjustments by claim adjustment reason code and generate an alert when a specific daily adjustment exceeds an established threshold (for example, two standard deviations against the monthly average daily adjustment). Other areas ripe for continuous monitoring include identifying excessive opioid prescribing patterns, irregular controlled substance dispensing (based on automated dispensing machine logs), duplicate payments in accounts payable and/or payroll, excessive overtime, user access changes, and validating for appropriateness.
An action plan matrix should be established that outlines the protocols to follow for each type of alert, who to contact, and who is responsible for carrying out any investigation/remediation. This matrix should establish a clear divide between alerts are informational only so management can determine the next steps and alerts that are audit’s responsibility to investigate further and determine whether processes and management’s responses are sufficient. Standard reporting formats, frequencies and the intended audience for each type of report would also need to be defined.
The leaders of the new era will be those who can glean actionable insight from dynamic data. By leveraging different enabling technologies such as analytics, automation and process mining, for instance, and continuously monitoring different areas, audit shops can assemble actionable insights around compliance, revenue cycle, finance, human resources and payroll while also using the data to dynamically assess the risk to the organization.
Good insight alone is not enough. We must act on the insight that we receive and measure the success of that action. Audit will play a key role in assisting organizations in developing high-impact reporting that succinctly demonstrates what is working and what is not in a highly visual and intuitive fashion. Through this, audit will be able to ensure that organizations are focused on the right metrics and help get them back on track when they steer off course. All of this will be a journey with multiple roads leading to the same destination. If we can effectively retool audit to operate in a way that is guided by dynamic insight and use our overall risk awareness to adjust our course effectively throughout the year, then we will be in a great place to help our organizations drive into the future.
Read additional posts on The Protiviti View related to Internal Audit.