Internal audit and healthcare: A strategic partnership
Dr Kapil Mohan |
Increasing litigations/compensation claims and costs associated with it, revenue leakages, greater media scrutiny and complex legal and regulatory compliances call for greater efficiency in managing healthcare services. In today’s rapidly changing healthcare business environment, there is a marked increase in regulations, a greater focus on fraud and a heightened sense of need for risk management. Consequently, C-suite executives and corporate boards are under immense pressure from all stakeholders to achieve the objectives of the business without compromising on the quality of services provided, complying with all legal and regulatory requirements in a cost-competitive manner.
Abhilash David |
The need of the hour is a ‘Strategic Partner’ who can understand the complexities, analyse the trends, professionally assess organisational practices/core business operations, and provide cutting edge yet cost-effective and practical solutions for healthcare providers. A partner who can evaluate the effectiveness of healthcare providers’ risk management practices, control frameworks, and governance processes to help in achieving the strategic objectives by mitigating the risks involved or in removing the hindrances in achieving them. One who goes beyond assessing compliance, and adds value by working with management and improving governance, risk management, and internal controls to achieve strategic and business objectives.
Healthcare sector (facts & figures)*:
The healthcare industry, backbone of any nation’s well being, can be broadly divided into five segments, namely hospitals, pharmaceuticals, diagnostics, medical equipment, supplies and medical insurance. The Indian healthcare sector is expected to reach a size of $100 billion by 2015 from the current $79 billion, growing 20 per cent year-on-year, and aims to touch $280 billion by 2020, on the back of increasing demand for specialised and quality healthcare services.
- Indian pharma market is expected to grow at a compound annual growth rate (CAGR) of 15.3 per cent in the same period.
- Medicine exports from India are pegged at about Rs 64,000 crore ($11.62 billion), and about 50 per cent goes to the emerging markets.
- The hospital services market is expected to be worth $81.2 billion by 2015.
- The market for outsourced services to healthcare payors is expected to increase from $9 billion in 2011 to $15 billion in 2016.
The healthcare and life sciences sector has attracted approx. $817 million across 29 investments till August 2012, of which a significant contribution was from Private Equity (PE) and Venture Capital (VC).
The hospital and diagnostics centre segment in India has attracted Foreign Direct Investment (FDI) worth $1.48 billion, while drugs and pharma products and medical and surgical appliances industries registered FDI worth $9.78 billion and $571.91 million respectively during the period April 2000 to October 2012.
Risks in the business of healthcare providers
The demands on healthcare administration are increasing in this complex and highly competitive environment.
Risks are seemingly around every corner for healthcare organisations, from legislation and regulatory developments to operational and financial concerns. It is sometimes difficult to keep track of all existing and emerging risks while focusing on organisational strategy, mission and patient care.
Emerging and existing risks specific to healthcare: A snapshot
- Monetary:
- Revenue leakage/loss
- Reduction in market share
- Employee fraud
- Non-payment by health care payors
- Operational:
- Increased compensation claims for medical malpractices/negligence
- Unfulfilled expectations of general public
- Increased manpower cost
- Increased overall operational cost
- Legal:
- Penalties due to legal and regulatory non-compliances
- Inability to protect Intellectual Property Rights
- Personnel indulging in criminal/unethical conduct
- Reputation/ Brand:
- Negative media publicity
- Non-accreditation/cancellation of accreditation by accrediting councils
- Lack or inadequate ‘star doctors’
- IT/ Information security risks:
- Theft or sale of proprietary, classified or confidential information by employees or external parties.
- With this in mind, it is important to identify, prioritise and thoroughly evaluate the risks that impact organisations. While there are risks that are specific to the industry, there are also those that are likely to be specific to an organisation, depending on its mission, strategy and operations. Business risks are diverse in nature and arise due to innumerable factors, and may be broadly classified into two types, depending on their origin:
Internal risks: Those risks which arise from events taking place within the business enterprise. These risks can be forecast and the probability of their occurrence can be determined with reasonable accuracy. Hence, they can be controlled by management to an appreciable extent. Some of the various internal factors giving rise to such risks are – Human, Technological, Physical and Operational factors.
External risks: Those risks which arise due to events occurring outside the business organisation. Such events are generally beyond the control of management. The resulting risks cannot be forecast and the probability of their occurrence cannot be determined with reasonable accuracy. Some of the varied external factors which may give rise to such risks are – Economic, Natural and Political factors.
Internal audit
The ever increasing requirement for organisations to adopt and demonstrate good corporate governance practices is gradually forcing a change in the traditional approach to control assessment in order to fulfil both compliance and operational demands. A strong, strategic internal audit framework integrates compliance, controls and sophisticated risk management with the organisation’s mission, vision, and stakeholder expectations. As such, it can help in shaping a new governance and risk management paradigm — anticipating issues, increasing effectiveness, eliminating duplication, and identifying areas of potential performance improvement. Using a risk-based approach, a skilled internal audit function can provide the necessary focus to co-ordinating an organisation’s response to these new demands.
Risk assessment is an important activity in any industry; however, in the healthcare sector it takes on a more significant emphasis as inadequate assessment of risk factors can have ramifications on patients and also on the professional staff charged with their care.
At its simplest, risk assessment involves an appraisal of potential difficulties or hazards in any given situation. This often takes the form of an internal audit of obvious and known danger areas; however, nowadays it also includes a more sophisticated approach to identifying additional factors that could adversely affect the organisation. Internal auditors provide a broad range of audit services designed to help and organisation meet its objectives. One of the key roles is to monitor risk responses and ensure that the controls in place are adequate to mitigate significant identified risks.
An effective internal audit function is a cornerstone of corporate governance— along with the board and executive management – helping organisations comply with new legislation and regulations for enhanced corporate governance. A professional healthcare internal auditor provides solutions to complex issues with clarity, courtesy, credibility, and consistency. He/she acts as a coach, an advocate, controls expert, efficiency specialist and a problem solving partner all at the same time. In essence, a professional Healthcare internal audit systematically assists the organisation in better managing and mitigating business risks including fraud risks, establishing robust internal controls and legal/regulatory compliance mechanisms, providing independent risk and control assurance, and meeting standards of corporate governance set by regulators and the industry.
Domain areas for internal audits in hospitals | |
Sr. No | Domain areas |
1. | Corporate governance: Mergers and acquisitions, internal control framework, due diligence review, medical strategy and service excellence, capacity management, marketing and branding etc. |
2. | Medical and quality: Allied health operations, operation theatre, critical care units, diagnostic services, ambulance services, medical/surgical services, blood bank management, medical records, patient safety – incident management, nurse/ doctors bay etc. |
3. | Operations support: Procurement, inventory management, food and beverages, laundry and housekeeping, mortuary management, pharmacy, engineering services, bio-medical engineering, energy and water consumption, IT General/Application controls, ERP, business continuity & DRP etc. |
4. | People management: HR – Planning and recruitment, employee training, hospital and clinician relationship management, attrition level management, leadership development initiatives, payroll management, salary benchmarking etc. |
5. | Finance and accounting: Budgeting, accounts receivable/payable, fixed assets management, cash and bank management, discharge and billing, capital expenditure, treasury, taxation, financial reporting etc. |
6. | Compliance management: Legal and regulatory compliances, environment, occupational health & safety (OHS), internal policies, ISO/ JCI/NABH standards compliance, safeguarding IPRs etc |
Conclusion
Risk-resilient healthcare organisations assume risks profitably while effectively managing the complexities of a rapidly evolving business and regulatory compliance environment. By integrating risk management, internal control and compliance systems, management decisions can be made with increased confidence and clarity.
The current business atmosphere of healthcare provider organisations is very complex and competitive. There are pervasive risks in all facets of operations and an increasing amount of regulatory requirements that the organisation must comply with. As management sets objectives and identifies processes, a comprehensive risk assessment and internal audit can help identify risks and prioritise risk responses within operations, as well as identify potential opportunities. This process will allow the organisation to more efficiently determine where resources should be allocated. Internal auditors are uniquely positioned as an ‘embedded’ resource leading the organisation to deeper insights into Governance, Risks and Controls (GRC). A strategic approach to help identify, assess, map, evaluate, treat and report existing and emerging risks needs a strategic partner, and no one meets this need better than a professional healthcare internal auditor.
[*Source – India Brand Equity Foundation (IBEF)]