0% found this document useful (0 votes)
160 views21 pages

Internal Auditing

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
160 views21 pages

Internal Auditing

Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 21

NP

New Perspectives
A Publication of the Association of Healthcare Internal Auditors
Vol. 7 No. 2 Winter 2020
on Healthcare Risk Management, Control and Governance

U
h The Value of Internal Audit Pharmacists
U Stress Management in the Workplace
h
U Transform Your Internal Audit Approach
h
U Compliance Policies and Procedures 101
h
Table of
Contents Vol. 7 No. 2 Winter 2020

From the Editor 3


Revisit Basic Risks
By Mike Fabrizius, CHIAP™, CIA, CPA 4
The Value of Internal
Audit Pharmacists
Enhance your focus on care and safety
By Troy Watson, PharmD, Chenette Burks, PharmD, BCPS,
and Nancy Elrod, PharmD, BCPS

7 Transform Your
Internal
11 Audit
Stress Management in the Workplace
Use audit skills to control stress Transform Your Internal
By Cindy Glennon, MPH, CIA, RYT-500 Audit Approach
Cover relevant risks quickly
By Tim Bruhn, CPA, CIA, CISA,
Rebecca M. Welker, CHIAPTM, CIA,
FHFMA, and Daniel T. Yunker

Compliance Policies and Procedures 101


Ensure an effective foundation
By Litany Webster, JD, CHC,
and Meagan R. Parker, MHA, CHC, CMA (AAMA)

15
NP Digital Insights NP Digital Insights is refereed and peer-reviewed. Our focus is on topics of value and interest to healthcare internal auditors and
Published by AHIA, Inc. compliance professionals involved in risk management, control and governance. NP Digital Insights is published semiannually in June
and December for members of the Association of Healthcare Internal Auditors, Inc. You may send inquiries to: Editor, Association
Editor: of Healthcare Internal Auditors, Inc., 4400 College Blvd, Suite 220, Overland Park, KS 66211 USA. Phone: (303) 327-7546
Mike Fabrizius, CHIAP , CIA,CPA
TM

Toll Free: (888) 275-2442 Fax: (720) 881-6101 [email protected].


(410) 707-3274
[email protected] NP Digital Insights, its editors and the Association of Healthcare Internal Auditors, Inc., are not responsible for the opinions and
statements of its contributors and advertisers. The authors do not necessarily reflect the official policies of AHIA, nor does AHIA endorse
any products. AHIA does not attest to the originality of the author’s content.
Editorial Committee and
Board of Directors members’ Reprints of any portion of NP Digital Insights may be used for educational or instructional purposes only, provided the following
names can be found at statement appears on each reprint: “Reprinted with permission from NP Digital Insights, a publication of the Association of Healthcare
AHIA.org. Internal Auditors, Inc., Volume [#], Number [#], [Year], Association of Healthcare Internal Auditors, Inc.”
Copyright 2020, Association of Healthcare Internal Auditors, Inc.

2 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


From the
Editor

Revisit Basic Risks


By Mike Fabrizius, CHIAP™, CIA, CPA

T he pandemic upended internal audit. Our mandate


to stay on top of internal controls and ensure that
risks are adequately addressed has been at least partially
Do unresolved issues currently exist and do the issues
have the attention of the appropriate level of management?
Changed profile – What adjustments in staffing, systems,
superseded by other pressing needs in our organizations.
processes, policies and procedures have been made?
Internal auditors have justifiably and admirably pivoted to Wholesale changes may suggest that the control
assist management in a consulting and supporting role. environment has changed dramatically. Many new
For example, internal auditors have temporarily redeployed employees raise concerns about the adequacy of their
to provide assistance to compliance with government skills and training for their positions, and the need for
support programs. more training, coaching and oversight. Dramatic
changes in systems and processes may merit post-
Meanwhile, changes in internal controls have occurred
implementation assessments.
in many organizations. Management was pressed to
respond to dramatic changes in patient care needs Current performance – How has area performance
with little preparation and less than optimal resources. changed? Look for symptoms of problems. Excessive
Of course, they prioritized the needs of patients and backlogs of system access requests, performance
quickly implemented workarounds and shortcuts and reviews, regulatory reports, transaction processing, edit
in the process may have rationalized compromises of and reject resolution, approvals and reconciliations are red
controls in the interest of expediency. flags. Outstanding issues, such as patient and staff safety
matters and system downtime, merit your attention.
Control changes may have occurred in areas that
before the pandemic had stabile processes, seasoned Gain an understanding of the effect of staff working from
management, onsite staff and highly consistent, excellent home. Has performance been at acceptable levels?
performance over many years. The areas did not score Are some tasks better performed onsite and should be
as being very risky on your previous enterprise risk reassigned to onsite staff? Conversely, should more tasks
assessments and you may not have audited them for be assigned to staff that work from home?
a few years.
Control variations – Ask what exceptions and overrides
Time for a pause. The basic control environment needs a to controls and risk acceptance have been made. The
good shakedown before you move forward with assessing answers combined with your observations and insights
other identified risks. You need to verify that key processes can begin a healthy dialogue on whether the changes are
and activities are in control and not jeopardizing core acceptable. If not, can you facilitate the identification of
services and supporting functions. solutions to reduce risks to an acceptable level?
The verification does not have to be deep but should Summarize and rank the results of your high-level
quickly determine the extent each key area was affected assessment. Share the results, especially control gaps,
by the pandemic. Limited time and effort can ascertain with management. Decide your next steps, which may
each area’s operational challenges, changed profile, include a deeper dive into areas where risk profiles have
current performance and control variations. changed significantly.
Operational challenges – What operational challenges have Your agility and contribution of insight into the overall
occurred in this area because of the pandemic? Many control environment in this dynamic and changing
areas have been affected by staffing, space and supply environment will not go unappreciated by your
issues. How have these challenges been met? management and board. DI

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 3


Fe a t u r e

THE VALUE OF INTERNAL AUDIT PHARMACISTS


ENHANCE YOUR FOCUS ON CARE AND SAFETY

By Troy Watson, PharmD, Chenette Burks, PharmD, BCPS, and Nancy Elrod, PharmD, BCPS

Patient care requires the availability and integrity of medications, policies and processes for safe
medication practices, and regulatory compliance. Because of the potential for regulatory fines, loss of
accreditation and licenses, and medication-related employee and patient harm, internal auditors need to
regularly evaluate the unique risks posed by pharmacy services. The risks are multiplied for healthcare
systems with numerous hospital pharmacies.

P harmacies are a highly specialized area of a hospital


that requires specific knowledge to navigate and assess
complex operations and compliance requirements. Although
pharmacists provide these services, and they must maintain
compliance with state and federal regulations.
Hospital pharmacists are well versed in relevant laws
pharmacists are uniquely positioned to support internal audit
because they must pass the Multistate Pharmacy
assessments in this area, few internal audit departments
Jurisprudence Examination, which tests a candidate’s
employ their expertise as team members.
mastery of pharmacy laws for state licensure.2 The
compliance knowledge required for passing the examination
Benefits of internal audit pharmacists makes pharmacists logical candidates to serve as subject
HCA Healthcare is a large healthcare system consisting matter experts in pharmacy-related audit activities.
of surgery centers, urgent care centers, freestanding Many pharmacy regulations are historical mainstays, but
emergency departments, physician clinics, and over some were enacted as a result of serious patient harm,
180 hospitals.1 All of HCA’s healthcare facilities provide such as the Drug Quality and Security Act (DQSA)3 and
pharmaceutical services, although in different capacities the Compounding Quality Act (CQA) of 2013.4 The federal
and frameworks. The hospitals have dedicated pharmacy regulations resulted from a fungal meningitis outbreak in
departments in which pharmacy technicians and 2012 that was attributed to contaminated compounded

1
https://hcahealthcare.com/util/forms/press-kit/HCA-presskit-fact-sheet-a.pdf
2
https://nabp.pharmacy/programs/mpje/
3
www.fda.gov/drugs/drug-supply-chain-security-act-dscsa/title-ii-drug-quality-and-security-act.
4
www.fda.gov/drugs/human-drug-compounding/text-compounding-quality-act.

4 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Regulatory compliance is an increased focus by the DEA to minimize medication diversion.

steroid injections.5 The outbreak and the federal acts Compounded medications play a vital role in the care of
focused on the risks associated with compounded patients, but not without risk. Even with the most stringent
medications. Consequently, the HCA Healthcare Internal regulations, a chance always exists that the product may
Audit department established an Internal Audit Pharmacy become contaminated, ineffective or made with poor quality
Compliance (IAPC) team with a staff of pharmacists. ingredients that have the potential to lead to patient harm.
Compliance with standards and regulations set forth by
The internal audit department expanded their capability to
the United States Pharmacopeia (USP),8 the FDA and other
positively effect patient care through nontraditional reviews.
regulatory bodies decrease the risk of patient harm.
The benefit is especially apparent when partnering with
corporate pharmacy leaders in reviewing implementation With their knowledge and experience in medication
of specific, organization-wide pharmacy policies affecting compounding practices, standards and requirements,
all hospitals within the organization. internal audit pharmacists were able to design and execute
targeted audits and provide valuable, objective feedback for
Internal audit pharmacists are a key resource, not only
better, safer care for the patients. Medication compounding
in pharmacy regulatory compliance, but also in other
audits include reviews of compounding processes for
clinical spaces. Some of the high-impact pharmacy areas
medications compounded by hospital pharmacy staff
that pharmacists have been a part of include medication
and medications purchased from third-party pharmacy
compounding processes and regulatory requirements,
compounding vendors.
medication diversion prevention processes, controlled
substance regulatory requirements, and medication By reviewing outsourced compounding vendors,
safety practices. pharmacists can ensure that thorough vetting of the
facilities occurs. They can also verify that the product
The majority of the IAPC team focus is on medication
being outsourced can be tracked from purchasing by
diversion prevention processes and medication
the pharmacy department to patient administration,
compounding requirements. Additionally, internal audit
which is important in the event of a recall. Pharmacists
pharmacists have developed key relationships across the
can tour vendor facilities to ensure compliance with
organization. The relationships have allowed collaborative
applicable standards.
auditing efforts in areas such as telehealth, provider
credentialing and licensure, information and technology, Medication diversion
core quality measures, inpatient rehabilitation facilities,
and inpatient psychiatric facilities. Pandemic-related unemployment, depression and isolation
have led to more drug use. Many users have turned toward
Medication compounding hospitals as a source for drugs. Hospitals must securely
store and track medications susceptible to diversion to
Medication compounding is defined by the U.S. Federal
protect patients and staff.
Drug Administration (FDA) as “combining, admixing, mixing,
diluting, pooling, reconstituting, or otherwise altering a drug Physical security includes the storage of medications, but
or bulk drug substance to create a drug.”6 Compounded also includes the processes around stocking, inventorying,
medications can be tailored to the needs of an individual tracking and documenting chain of custody. Controls should
patient or can be prepared in larger batches by outsourcing be implemented to limit access to appropriately licensed
to compounding facilities in anticipation of needs for multiple individuals for areas necessary to perform their patient
patients. Drug shortages can make the use of outsourced care role.
compounded medications more likely because a hospital Wasting procedures need to comply with both Drug
may only be able to obtain a limited supply of manufactured Enforcement Agency (DEA) standards and state regulations.
products from a wholesaler.7 The procedures should include where to properly dispose
5
www.cdc.gov/hai/outbreaks/meningitis.html
6
www.fda.gov/drugs/human-drug-compounding/text-compounding-quality-act
7
www.ncbi.nlm.nih.gov/pmc/articles/PMC7489216/
8
www.usp.org/

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 5


of the medication as well as the necessary documentation • Transfer of controlled substances between
for the waste. Frequent monitoring and reconciliation are DEA registrants
controls that should be implemented to limit and detect
• Return of controlled substances through
diversion as early as possible.
a reverse distributor
Because of their familiarity with pharmacy dispensing
Internal audit pharmacists can add value by identifying
processes and operations, internal audit pharmacists can
patterns and trends across a healthcare system to allow
provide an objective review of hospital controls around
controlled substances and medication diversion surveillance. corporate pharmacy leaders to develop more precise
They can also evaluate processes for gaps in controls by education and tools to assist with compliance.
benchmarking the processes used by hospitals across your
system. The pharmacists can provide hospital leadership
Conclusion
with objective feedback to strengthen their processes and Not all healthcare systems are large enough to justify
minimize the risk of medication diversion. employing full-time pharmacists in internal audit, but
consulting arrangements are possible to periodically
Regulatory compliance supplement your staff. Consider incorporating pharmacists
Hospitals and healthcare systems have seen some of into your program to assess medication practices and
the highest fines ever from the DEA related to controlled regulatory compliance. Pharmacists have a unique skill set
substance requirements.9 10 Regulatory compliance and subject matter expertise that will enhance the value,
has become an increased focus from the DEA to depth and credibility of your work in an area that is important
minimize medication diversion in hopes of curbing the to patient care and safety. DI
opioid epidemic. Disclaimer: This article was supported in whole or in part by HCA
Compliance focus areas have included: Healthcare and/or an HCA Healthcare affiliated entity. The views
expressed in this publication represent those of the authors and
• DEA and state recordkeeping requirements for the do not necessarily represent the official views of HCA Healthcare
purchasing and ordering of controlled substances or any of its affiliated entities.

9
www.dea.gov/press-releases/2018/05/16/southern-district-georgia-announces-largest-hospital-drug-diversion-civil
10
www.dea.gov/press-releases/2018/08/30/record-settlement-reached-university-michigan-hospital-drug-diversion

Troy Watson, PharmD, is a Compliance Audit Manager on the Pharmacy Compliance


team of Internal Audit at HCA Healthcare. He specializes in health system pharmacy
administration, pharmacy operations, regulatory compliance, medication safety,
medication compounding, and medication diversion. Troy can be reached at
[email protected] and (615) 290-2443.

Chenette Burks, PharmD, BCPS, is a Compliance Audit Manager on the Pharmacy


Compliance team of Internal Audit at HCA Healthcare. She specializes in health system
pharmacy administration, regulatory compliance, medication safety, and medication
diversion with additional expertise in ambulatory surgery pharmacy services. Chenette
can be reached at [email protected] and (615) 568-9126.

Nancy Elrod, PharmD, BCPS, is a Compliance Audit Senior Manager on the


Pharmacy Compliance team of Internal Audit at HCA Healthcare. She is responsible
for leading the team in auditing key pharmacy-related regulatory areas and developing
strategies and processes to support internal audit initiatives. Nancy can be reached
at [email protected] and (615) 344-1733.

6 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Fe a t u r e

Stress Management in the Workplace


Use audit skills to control stress
By Cindy Glennon, MPH, CIA, RYT-500

Everyone in the workplace experiences stress, and the Covid-19 pandemic has introduced new challenges
that contribute to stress. Overwhelming stress can make you reactive, hinder your performance and
productivity, and affect your mental, emotional and physical well-being. Identify and analyze issues to
recognize stressors and manage your reactions to create the best outcomes.

B reak down the components of a moment of acute and


overwhelming stress to empower yourself and get back
to being your best. To effectively manage stress, you must:
an impact in either direction, or you could feel neutral about
the stressor.

Good stress is mobilizing. An example of good stress is an


• Recognize the triggers that are the root causes. exciting goal that you are motivated toward that mostly feels
• Determine an immediate corrective action to recenter good. Perhaps you are given an opportunity to work on a
in stressful moments. new audit topic that will further your career. Your stressor
• Identify preventive and monitoring controls that lessen is the event of taking on the new topic, and the challenge
the impact of future stressors and triggers. mobilizes you to learn, hone skills and work toward
completing the project goals.
Understand stress
A stressor is a circumstance or event—something that However, the term stress most often refers to a negative
happened—like a condition identified in an audit. Stress reaction to a stressor. The reactions can be feelings of being
comes from your reaction to that circumstance or event. overwhelmed, irritated, angry, hurt, scared and anxious.
The stressor may seem to be the root cause, but your
Stress can be positive and negative. A stressor could have reactions determine the amount of stress you feel.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 7


Recognize the root causes of your stress You are already beginning to be less immersed in your
stress and are starting to step out of your condition to be an
When you recognize the stress and take a moment to pause,
observer. When you have these moments of stepping out of
you shift from reactive mode to response mode in a calmer
the stress—moments of clarity and recognition—you have
and more collected way. Learn to recognize when you are
some space to work with and make a shift to move forward.
stressed, so you can do something about it.
Recognizing and then responding thoughtfully rather than
Mentally, stress turns all attention toward the threat or
reacting is a skill you can build. Be patient with yourself as
problem. Today, threats can manifest as a big presentation
you work to develop this skill over time.
to the board, too many incoming emails, a massive task list,
constant distractions, and so on. Determine actions to recenter – When you recognize that
a stressor is triggering you, you can empower yourself to
In the days when humans were at constant risk from animal
intervene and counteract it. The practice of recognizing
predators, being part of a group provided protection from
the start of a stressful moment begins by stepping out of
attacks. Fighting off a predator by yourself is difficult, but if
the stress for a higher perspective. You allow yourself to
you have some help, everyone is much more likely to survive.
evaluate and take immediate action to respond thoughtfully.
Conforming to norms and expectations kept people in good Relief from acute stress can occur in just seconds.
graces with the group, but deviating from those norms could
result in being outcast from the group. Scientists who study Respond to immediate stressors
the evolution of behavior believe that this need for inclusion These responses are simple, effective and require less than
is at the root of why humans are social creatures. In today’s a minute.
workplace, this need shows up as stress in relationships with • Take one deep, slow breath followed by
other people. a slower exhale.
Social stress appears when crossing the line from • Turn your phone face down.
collaboration to people-pleasing. Think about how often
• Lock your computer screen.
you fear that others will think you are dropping the ball or
are not committed if you miss one email or task. Self-critical • Gaze at a favorite object, photograph or an
thoughts are sneaky, and you are not alone if you have a inspirational quote.
sense of not being or doing enough. The good news is that If you have at least one minute, you can work a little more
you can develop skills to rein your mind back in and reduce at allowing the stress sensation to arise and pass by using
this type of stress. these techniques:

Identify – The first step in managing workplace stress is • Take several deep breaths.
early identification. Taking a moment to say to yourself: • Stand up.
I am stressed. Acknowledgement is quite powerful. When
• Walk or move around your desk, office or room.
you identify the stress, you are not only owning it, you are
opening a doorway to gain perspective on the situation. • Focus on each of your physical senses—sight, sound,
You can then empower yourself to act to recenter yourself. touch, smell and taste.

Analyze – When the severity of a stressful moment has • Stretch at your desk by moving your wrists and ankles
passed, you can ask yourself: Why am I stressed? Analysis or by leaning to each side.
will help you identify your triggers. Keep in mind that one When a full break is possible, use the time to center yourself.
single event likely did not trigger you into stress, but a When stressed, your tendency may be to keep working.
compilation of many events and circumstances did. You However, frantically doing more tasks keeps you in the same
employ the root cause analysis technique of asking why, stressed-out state, which is not optimal for you or your work
to understand your own stress and the related triggers. relationships or products.

Break down the components of your acute and overwhelming stress to get back to being your best.

8 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Your reaction is what determines the amount of stress you feel.

• Play a mindfulness and meditation application (e.g., Monitor – You can apply a monitoring technique to check
Insight Timer, Headspace, Calm). in with yourself periodically. Measure how you are doing
• Go outside and use your physical senses to become with your stress level and your intention. Notice how you
more aware of your surroundings. start, execute and end your tasks, meetings, emails and
interactions. Set reminders to check in with yourself at
• Clear up one pile of clutter.
lunchtime and at the end of the day.
• Go for a walk and feel your feet with each step.
All these actions provide a moment to turn your attention If you catch yourself starting to become stressed, use your
away from the stressor and your reaction to it. The activities intention as an anchor and ask yourself: Am I acting and
lift you out of your overwhelmed state. As you practice these thinking from my intention right now? Be nonjudgmental
actions, acknowledge your frustration, stress or anger. Then with yourself and use your repertoire of immediate corrective
slowly release the stress by allowing the action to take up actions to get back on course while you remind yourself of
more of your mind than the stress. your intention.

Let the moment move through instead of burying or ignoring


it. You may say to yourself: I am stressed right now, but the
stress will pass. When you feel calmer, bring yourself back
to the task, conversation or to-do list, and tackle the activity
with a renewed perspective.

Identify controls
You have learned to identify root causes of stress and take
immediate corrective action to recenter yourself. The next
step is to plan preventive controls to lessen the impact of
future stressors and monitoring controls to check in with
yourself throughout the day.
Prevent – To lessen the impact of future stress, be proactive Exercises
to create a center within yourself for mindfully responding
1. Identify two to five stressors that triggered you
rather than reacting. A simple strategy is to set an intention
in the past at work, home or any other area of
early in your day. Frame your intention in terms of how
your life.
you want to be today. Examples include: patient, focused,
friendly, creative, calm, resilient or light-hearted. Choose just 2. Write down two to five stressors that are themes
one. The intention can change daily, or you may choose to in your life right now.
stick with it for many days, weeks, months or years. 3. Which actions resonate with you? What additional
Form a habit to set your intention for the day. Place a actions might work well for you? Write down these
reminder note that you will see early in your morning routine actions and keep the list in your workspace.
or replace the word alarm on your phone with set intention, 4. Try out your potential actions. Practice them.
or with the intention itself, such as be patient today. One may work in one situation, another in a
Many professionals are adopting a morning meditation different situation.
practice to begin the day from a place of calm. Even one 5. When and where in your early morning routine
minute to focus on breath and set that intention can produce can you set your intention? Set up a reminder to
a meaningful shift in your day. Form an intention just before yourself now so you can start tomorrow.
you open your laptop, taking a brief pause before you launch
into your tasks.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 9


Employ root cause analysis to understand your stress and the situations that trigger it.

Conclusion You also can help yourself head off stress through
prevention, which is like throwing yourself a lifesaver to climb
Stress is a fact of life and everyone has different triggers to
onto when you need it. Give yourself the gift of setting up
stressors. Take a few moments to follow the suggestions
your day with purpose and intention and come back to these
above to reflect and plan your self-management strategy.
goals throughout your day. If you do, you are already on
Identify your common stressors and triggers so you can
your way to a calmer, happier and more productive state
recognize them when they arise. Choose some immediate
of well-being! DI
actions to take the next time you begin to feel stressed.
Practice relieving the acute stress, which should eventually
help with underlying stress as well.

Cindy Glennon, MPH, CIA, RYT-500, is Director of Internal Audit at Commonwealth Care
Alliance, a nonprofit care delivery system. She is also a certified yoga and meditation teacher
who specializes in stress management skillsets in the workplace. Cindy can be reached at
(617) 426-0600 and [email protected].

10 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Fe a t u r e

Transform Your

Internal Audit
Approach
C OV E R R E L E VA N T R I S K S Q U I C K LY

By Tim Bruhn, CPA, CIA, CISA, Rebecca M. Welker, CHIAPTM, CIA, FHFMA, and Daniel T. Yunker

Healthcare organizations are experiencing an array of new risks emerging out of an increasingly complex
healthcare environment. The coronavirus pandemic has added additional risks and uncertainties.
Consequently, organizations and their internal auditors must be nimbler than ever, quickly evolving to
keep pace with new risks that could permanently change healthcare.

H ealthcare internal auditors are ideally positioned to


help their organizations navigate and mitigate new
risks. To do so successfully, internal auditors need to
But how can auditors cover more ground and close risk
gaps when resources and talent are limited and, in some
cases, are being reduced as healthcare organizations face
shift from traditional audit approaches and adopt more steep budget shortfalls? To start, organizations and their
modern processes that leverage professional expertise internal auditors should focus on those specific risks that
and technology. are most likely to impact their organization, rather than
attempting to assess and mitigate a list of generalized
Cover more with less healthcare industry risks.
The coronavirus pandemic has been eye opening for Reprioritizing risks requires a shift in thinking—from
healthcare, by exposing vulnerabilities to the effects of considering all the things that could go wrong to considering
major disasters. Existing risks for many organizations have what is actually going wrong or underperforming in the
been amplified, and new risks have surfaced. As a result, organization, and determining what specific risks deserve
internal auditors will need to cover more ground in their day- attention. The shift also requires a new work approach—
to-day work, and they will need to do so more effectively one that uses data analytics, automation and other tools
and efficiently. throughout the entire audit process.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 11


Traditionally, internal auditors, using mainly manual In addition, using full data sets to identify risks allows the
processes, have made limited use of data sets throughout organization to benchmark itself against other organizations
the entire auditing cycle. The manual audit steps—such as to help inform performance objectives and plans.
conducting surveys, interviewing management and other
You can facilitate meaningful discussions with management
key stakeholders, and reviewing organizational goals and
by aligning the intelligence revealed by the risk assessment
objectives—were used to make educated guesses about
with the organization’s business objectives and strategic
the state of an organization’s risks.
goals. These discussions can help foster the development
Auditors then created annual audit plans that required of smarter audit plans.
manually intensive planning and walkthroughs to be
For example, while reviewing service line performance,
conducted as part of performing individual audits. Once
an auditor at one large healthcare system noticed a sharp
audit testing took place, many individual audit steps were
decrease in the distribution of emergency department (ED)
performed manually, and analytics were used only as part
coding levels at one of the system’s hospitals compared to
of transactional testing.
the others. During continuous risk assessment discussions,
A more modern internal audit approach uses risk ED leadership indicated that new coding software had been
identification and control testing with data analytics to installed with an expected increase in the distribution, not
analyze full data sets. Using data analytics allows you to a decrease.
identify and target an organization’s critical risk areas and
ED management found the objective information provided by
opportunities for process improvement.
the auditor to be extremely valuable and timely as they had
Utilizing data throughout the entire internal audit process not performed an analysis. The identification of the variation
offers benefits to: in coding distribution compared to expectations led to
• Streamline the risk identification process, enabling the adding a post-implementation audit to the internal audit plan
organization to focus on, and when possible, quantify to examine ED documentation and coding processes.
the most important risks
Develop a smarter audit plan
• Facilitate acceleration of manual audit steps Once you have used data to identify the critical risk areas
• Create validated risk baselines and benchmarks of the that should be audited, you have an incredibly valuable
current state baseline to develop and implement audit plans and monitor
processes. The essential areas to spend time on within each
• Enable continual monitoring of newly implemented
audit will have been identified by the risk indicator analytics
processes designed to mitigate identified risks
prior to conducting the audit. You can use this identification
Move to automated audits to allocate your valuable time in a more focused manner to
To embark on a modern approach to internal audit—one assess those risks, identify specific controls, and design
that uses data at every possible point in the process—you further analytics to test the controls.
should consider the following steps. Smarter, more informed audit plans that incorporate
Perform a digital risk assessment data throughout each step in the audit process also
Identify data sources that provide quantifiable, meaningful encourage automation of steps that in the past were manual.
performance indicators to measure the risk areas that relate Analysis of the risk indicators can benefit from feedback
most closely to overall organizational goals and business from a continual monitoring process. At each iteration, the
objectives. Using data to identify the risks that have the analytics become more refined and robust based on the
biggest potential impact on the organization helps accelerate information gained.
closure of risk gaps and allows the organization to avoid For example, the internal audit team for a multihospital health
using costly resources—including limited staff time—on system had been performing 340B drug pricing program
assessing and monitoring low-risk areas. audits for several years. Initially, the team took the approach
When you measure your organization’s risk gaps, you can used by the Health Resources and Services Administration
better determine in the future whether risk exposures are and selected small samples to test for Medicaid duplicate
improving or when identified risks no longer pose a threat. discounts and other billing requirements.

12 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Modern internal audit approaches use data at every possible point in the process.

Because of the high volume of 340B transactions, internal can provide access to transactional data in digital form and
audit team members wondered how any anomalies could enable many of manual processes to be accelerated or
be identified with such a small sample. The team then spent completed automatically.
time developing automated testing to shift from sampling to Audit automation streamlines testing of full data sets and
a complete review of the transactions. identification of anomalies. You can then use your valuable
The team was amazed to find that while many transactions budgeted time and expertise to assess the anomalies and
were correct, almost as many were incorrect. The insight identify root causes.
led to program improvements that strengthened 340B
An example of automation combined with auditor expertise
compliance. Now the automated tests run continuously
that improved the audit process and outcome occurred in
and alert the team to any process breakdowns that can be
an oncology charge capture audit at a large hospital system.
addressed quickly and more efficiently.
Analytics had been developed to identify inappropriate
Conduct a modern audit billing patterns related to intensity-modulated radiation
You should consider the manual steps in the traditional therapy (IMRT).
audit process that can be completed or benefitted by using
An analysis of the IMRT exceptions produced by the
data or information from technology sources. Technology
automated testing led the auditor to inquire about other
solutions and information generated from automations
radiotherapy treatment planning and delivery approaches
can help you complete audits faster and more efficiently,
such as stereotactic body radiotherapy. The results of this
ultimately reducing the number of manual audit steps.
inquiry led to a discussion with management, which led to
For example, improve your performance by using identifying other questionable billing patterns. The auditor’s
knowledge-based workflow and report generation software, knowledge of the process and the data insights led to
in conjunction with data analytics, to: identifying additional risks that had not been part of the
• Systematize the planning of required audit steps original scope of the project.

• Assess risks and control testing in real time with full Internal auditors are uniquely positioned to understand
data sets identified risks in the context of an organization’s overall
goals, business objectives and vision for its future. Health-
• Generate actionable reports that help organizations
care clinicians have long been encouraged to practice at
measure performance improvement or rising
the top of their licenses, meaning they should work to
risk gaps
the full extent of their education and training. You can
• Offer workflow technology to assist with additional practice at the top of your internal audit credentials by
risk monitoring using leading practices.
• Allow audit and risk monitoring activities to be By adopting a modern approach to internal audit, you
conducted remotely, if necessary, through cloud- have an opportunity to elevate and demonstrate the value
based solutions proposition you bring to your entire healthcare organization
Today, your expertise is needed more than ever to interpret by identifying and managing risk. Practice at the top of your
data, provide insight and guidance to your organization, and credentials to the full extent of your education, training and
to reduce the time gap between risk identification and audit experience with a modern approach.
coverage. When considering the manual processes that can Monitor risks continually
be automated, look for routine or repetitive steps that should Your auditing process should not stop once risks are
not require a human touch or an auditor’s expertise. identified and process improvements to manage risks are
Many traditional test steps require auditors to acquire implemented. One of the most important components of a
sample source documents, analyze those documents, and modern internal audit approach is continual monitoring for
then manually record their results in workpaper summaries. sustainability. Using complete data sets can assist you in
The technology in place at many healthcare organizations continually scanning for and assessing emerging risks.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 13


An example of the value of continuous monitoring was specific, unique risks that they are exposed to, they can
demonstrated by an internal audit team at a multihospital achieve better risk management outcomes.
system when assessing patient observation services. To successfully implement a new internal audit approach,
Compliance was to be evaluated with Medicare guidelines management must invest in the internal audit function and
for assigning patients to observation (outpatient) status recognize its ability to contribute to better risk management
rather than admitting as inpatients. for the organization. Providing internal audit with access
The team obtained transactional data for a two-year period to valuable data sets is an important first step. With real-
and performed an observation status assignment analysis time access to available data, internal audit can implement
across all the hospitals. During a meeting to scope the audit, automations throughout the entire internal audit process to
care management leadership indicated that an observation create efficiencies that will translate into covering more risk
process at one hospital had recently been modified and areas with the same resources.
a plan was in place to apply the same process at the The internal audit area also must invest in their function by
other hospitals. committing time to implement new automations in areas
However, after the internal auditors reviewed the data with where data allows. Automation is not a once-and-done
care management leadership, the leaders realized that the project, but rather an ongoing evolution that must build
modifications at the first hospital did not fix the process and over time to anticipate risks rather than react to risks.
should not be rolled out elsewhere. The leaders recognized
that more work was necessary, and the auditors could
Conclusion
provide an independent perspective through continuous Most healthcare organizations find themselves in increasingly
monitoring that would be helpful in improving the process competitive markets. Internal auditors who adopt the
across the entire system. smartest, most efficient processes can create a competitive
advantage for their organizations, helping to meet their
Invest for better risk coverage missions, thrive within their markets, and satisfy their
The constantly changing healthcare landscape will require patients’ expectations. Healthcare industry complexities will
a new internal audit approach to help organizations attain continue to grow over time, but you can help to close risk
better—and smarter—risk coverage. When healthcare gaps and expand your organization’s ability to mitigate the
organizations can better align their risk coverage with the risks that matter most at a critical time. DI

Tim Bruhn, CPA, CIA, CISA, is a Senior Manager at Crowe Healthcare Risk Consulting
LLC. He specializes in the digital acceleration of the audit model. Tim can be reached
at [email protected] and (314) 802-2821.

Rebecca M. Welker, CHIAPTM, CIA, FHFMA, is a Managing Director at


Crowe Healthcare Risk Consulting LLC. She leads the clinical operations
team of clinical, coding and compliance professionals. Rebecca can be
reached at [email protected] and (314) 802-2055.

Daniel T. Yunker is a Principal at Crowe Healthcare Risk Consulting LLC.


He is responsible for leading strategic direction and the transformation
of healthcare internal audit services. Dan can be reached at
[email protected] and (312) 899-1514.

14 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Fe a t u r e

Compliance Policies and Procedures 101


Ensure an effective foundation
By Litany Webster, JD, CHC, and Meagan R. Parker, MHA, CHC, CMA (AAMA)

The Office of Inspector General (OIG) first issued compliance guidance for organizations over 20 years
ago. Yet many organizations still struggle with a cost-effective, preemptive approach when designing and
maintaining their organization’s compliance program. Make sure your organization has the right policies
and procedures, as well as a code of conduct, to support an effective compliance program.

T he adoption and enhancement of a voluntary,


well-designed compliance program can boost an
organization’s ability to provide quality services and
Policies and procedures listed in OIG and DOJ guidance
are the first element of effective programs, and they serve
as important and valuable resources for organizations and
demonstrate a strong commitment to honest and fair workforce members because they:
dealings to their community. A compliance program with
comprehensive policies and procedures aids in mitigating • Document how the organization conducts business in
the risk of fraud, waste and abuse. compliance with ethical standards and applicable state
If wrongdoing is detected, an effective program may be the and federal laws and regulations
difference between onerous fines/penalties or a corporate • Standardize processes and operations across multiple
integrity agreement with the Department of Justice (DOJ). activities and locations
Accordingly, both the OIG’s and DOJ’s guidance for
• Provide the workforce with clear, concise guidance
compliance programs has highlighted the importance of
well-developed policies, procedures and a code of conduct. • Reduce institutional risk through accountability

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 15


incorporate the culture of compliance into its day-to-
day operations.”3
Elements of an effective
compliance program The program’s ability to meet these standards may affect the
ultimate form of resolution to an investigation, including the
An effective compliance program must be a amount of monetary penalties and the scope of compliance
continual process that consists of the following obligations in a corporate integrity agreement.
elements as set forth by the OIG*:
1. Written policies, procedures and standards Code of conduct, policies and procedures
of conduct As a starting point, a code of conduct should set forth
2. Compliance officer and compliance committee the organization’s expectation that staff members are
3. Effective training and education committed to ethical business practices and compliance
4. Effective lines of communication with applicable laws and regulations.4 The code should
incorporate the following:
5. Internal monitoring and auditing
• The organization’s missions, vision and values
6. Enforced standards through well-publicized
disciplinary guidelines • Clear and concise language about how and to
whom to report actual or suspected misconduct or
7. Prompt responses to detected offenses and
noncompliance with organizational expectations
prompt corrective action
*https://oig.hhs.gov/compliance/provider-compliance-training/files/
• A prohibition of retaliation for good faith reporting
Compliance101tips508.pdf
• An annual requirement that each staff member will
attest and document receipt and acknowledgement
of the code of conduct
DOJ compliance program evaluations
Compliance policies and procedures should give “both
Policies and procedures are so vital to a compliance
content and effect to ethical norms” and “address and
program that the DOJ’s Evaluation of Corporate Compliance
aim to reduce risks identified by the company as part of
Programs guidance states that “prosecutors should
its risk assessment process”5 Therefore, most compliance
examine the ‘comprehensiveness of the compliance
programs include policies and procedures that fall into
program’… ensuring that there is not only a clear message
two categories: compliance program operations and
that misconduct is not tolerated, but also policies and
compliance risks.
procedures—from appropriate assignments of responsibility,
to training programs, to systems of incentives and Program operations
discipline—that ensure the compliance program is well Policies and procedures relating to the operation of the
integrated into the company’s operations and workforce.”1 compliance program will usually:
1. Provide information regarding the compliance program,
Furthermore, prosecutors should determine the existence of
including the structure
“a code of conduct that sets forth, among other things, the
company’s commitment to full compliance with applicable 2. Define noncompliance, fraud, waste and abuse
federal laws that is accessible and applicable to all 3. Identify mechanisms for reporting noncompliance
company employees.”2 4. Prohibit retaliation for good faith reporting
The DOJ guidance assists prosecutors in determining the 5. Spell out expectations regarding employee conduct
effectiveness of a compliance program at the time of an
6. Require risk assessments
alleged offense, and at the conclusion of the investigation.
Accordingly, the focus is on assessing “whether the 7. Set expectations for training and education
company has established policies and procedures that 8. Require auditing and monitoring
1
Page 2, www.justice.gov/criminal-fraud/page/file/937501/download
2
Page 4, Ibid
3
Page 4, Ibid
4
Page 4, Ibid
5
Page 4, Ibid

16 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Policies should define the scope of disciplinary actions for noncompliance.

9. Specify corrective and disciplinary actions for a group of rules or directives. In contrast, procedures put
policy violations the policies into action. Procedures essentially provide the
10. Define the self-disclosure process for violations who, what, when and where of applying policy statements
of laws and regulations in daily operations.
11. Govern responses to regulatory examinations and Your organization should strive to standardize the policies
accreditation surveys and procedures across its enterprise to help facilitate
workforce members’ understanding and ease in using these
Compliance risks
resources. Uniform policy and procedure templates should
Policies and procedures should address the organization’s
be adopted that standardize key elements.
significant compliance related risks, which may vary
based on type of organization. Examples of policies and Document headings and subheadings – Standardize
procedures for compliance risks include: categories and sections such as titles, policy numbers,
1. Advanced beneficiary notices purpose, responsibilities, definitions, scope/applicability,
review and effective dates, sanctions for violations and
2. Charity care
noncompliance, and related policies and procedures.
3. Coding
Identification system – A numbering scheme can facilitate
4. Conflict of interest
policy organization by location/department (e.g., ambula-
5. Credentialing and privileging tory, inpatient, pharmacy, site/state) or purpose/ownership
6. Discounting services (e.g., compliance, health information management,
7. Documentation of medical necessity privacy, security).
8. Gifts, gratuities and business courtesies Definitions – Definitions of key phrases or terms should be
9. Health Insurance Privacy and Accountability Act developed and standardized across all policies to help your
compliance readers understand the content.

10. Identification of overpayment and repayment obligations Document owners should be directed to use these
11. Internal investigations standardized templates, and should be educated on how to
use simple language when drafting the content. Consider the
12. Language services
audience when determining the appropriate language to use
13. Patient rights in a policy or procedure. Since your organization likely has a
14. Patient transfers between facilities broad scope of workforce members, the best practice is to
15. Policies addressing regulatory requirements use simple language that is no more than an eighth-grade
(i.e. false claims, Emergency Medical Treatment and level of comprehension.
Labor Act, labor laws, etc.) Additional best practices include:
16. Records management and retention • Define acronyms
17. Third party relationships and contracts
• Provide examples when the content is complex
18. Vendor management
• Avoid policy provisions that cannot be implemented or
Policy and procedure development executed

Knowledge of the importance of policies and written • Verify the appropriate use of must, may, should
standards must be combined with an effective plan and shall
for development and implementation. Begin with an Policies should include statements that define the scope of
understanding of the difference between a policy and a disciplinary actions for noncompliance, including termination
procedure. Policies are largely static documents that define if applicable.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 17


Review and approval Accordingly, the compliance program should develop an
implementation plan that addresses policy and procedure
A review schedule must be established and adhered to for communication, education, dissemination and effectiveness.
all policies, procedures and the code of conduct to ensure
these resources remain relevant and up to date with industry Communication, education and dissemination
standards, laws and regulations. A review every two years Communication, education and dissemination should be
or when a substantial change is needed is usually sufficient. coordinated to occur in a limited timeframe. Consider the
following factors when generating the plan:
However, certain accreditations, laws and regulations may
require more frequent review. • Is the policy or procedure new, or an update to an
existing document?
The roles and responsibilities for reviewing and revising each
• Are operational changes required?
policy and procedure as well as the formal approval process
should be clearly defined. Responsibility generally falls in • Who are the relevant stakeholders and employees?
three areas: • What is the scope of entities involved, organization
• Drafting and revising based on subject matter expertise types, number of employees affected, and number
of locations involved?
• Organizational review oversight
• Does new-hire education or orientation need to
• Approval
be updated?
Implementation of a formal approval process is important to
If the policy or procedure requires operational changes,
prevent inaccurate or conflicting policies and procedures.
communicate with the relevant stakeholders as early as
Based on your organization’s size, consider whether a
possible. Ideally, if operational changes are required, these
policy coordinator, policy and procedure committee, and/ stakeholders will have been involved in the development.
or department-specific oversight plans are appropriate.
The formal approval process should be designed to make Based on the factors identified above, determine the
appropriate communication plan for the relevant policy
certain that the proper responsibilities are defined, and that
or procedure. Delivery methods may include an article
review and approval procedures are followed.
in an employee newsletter, email blast, message on the
To ensure compliance, internal auditors and compliance organization’s intranet site, organization- and/or location-
professionals should monitor and periodically audit the specific training, messaging posted in employee workspaces,
review and approval processes. and discussions at meetings with relevant stakeholders.

Implementation If the policy or procedure is new, requires a significant


operational change, and/or addresses a significant risk
Once developed, a policy or procedure can move through area for the organization, extra steps and resources may
an appropriate implementation plan. While implementation be needed. Consider providing educational resources and
may at times seem burdensome, an effective process will training, and obtaining workforce member attestations as a
be taken into consideration should the organization ever find component of the implementation plan.
itself under investigation.
Once the policy or procedure communication and education
The DOJ’s Evaluation of Corporate Compliance Programs plan has been implemented, ensure that the policy and
guidance directs prosecutors to “assess the steps taken by procedure resource is continuously accessible to staff
the company to ensure that policies and procedures have members. Policies and procedures should be maintained
been integrated into the organization, including through in a defined location that is readily accessible to the
periodic training and certification for all directors, officers, relevant stakeholders and staff members. Additionally, the
relevant employees, and, where appropriate, agents and organization should consider and address the following
business partners.”6 as appropriate:

Verify mechanisms that assess whether policies and procedures are understood by staff members.

6
Page 5, Ibid

18 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Determine if policies and procedures are relevant and up to date with laws and regulations.

• Are these resources made available to persons 3. Surveys


with disabilities? 4. Audits
• Do communication barriers exist that need to be 5. Questionnaires
addressed? Communication considerations are 6. Test scores and passage rates from training
especially relevant if your organization has foreign The goal of an effectiveness review is to seek feedback on
subsidiaries. whether any gaps exist in policies and procedures. If gaps
are discovered, consider whether job aids or cognitive aids
• Are the policies and procedures only available internally
can be used in conjunction with the policy and procedure
or are they also publicly available? If policies are
to improve adherence. If the gaps represent a problem
confidential or for internal use only, make sure the
that cannot be addressed through the implementation
stakeholders and staff members are aware of the scope
of additional resources, the policy or procedure should
of accessibility. be revised to address the gaps and streamline the
Operational effectiveness reviews operational issues.
As a best practice, organizations should implement
Process reviews
mechanisms to assess whether policies, procedures
Internal auditors and compliance professionals should
and codes of conduct are understood by workforce
periodically evaluate the overall organizational process for
members. Methods that may be utilized to evaluate
developing, implementing and maintaining policies and
effectiveness include:
procedures. Determine whether your organization’s policies
1. Interviews and procedures are relevant and up to date with laws and
2. Observations regulations. Consider the questions listed below.

Questions for process reviews


1. Is the policy manual comprehensive?
2. Does the manual include policies and procedures that incorporate a culture of compliance in day-to-day operations?
3. Are the policies and procedures aimed at reducing risk to the organization through well-defined and easily
understandable content?
4. Are the policies and procedures aligned with industry standards?
5. Do the policies and procedures address accreditation, certification and attestation requirements for regulatory
agencies and payers?
6. Are gaps addressed that were identified in the compliance risk assessment?
7. Are the appropriate policy owners designated and are they aware of their responsibilities as policy owners?
8. Are the individuals or groups that approve the policies, procedures and the code of conduct properly identified?
Is a policy and procedure committee necessary?
9. What is the communication plan to ensure workforce members are aware of policy, procedure and code of
conduct updates?
10. Has an appropriate review schedule been established? When was the last time the review schedule was evaluated?
Is the review schedule being followed?
11. Are staff members aware of how to access policies?
12. Are staff members or relevant stakeholders able to demonstrate an understanding of the policies, procedures and
code of conduct?

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 19


Conclusion principles and written standards, and demonstrated in
day-to-day operations. Conduct consistent, regular
Organizational policies, procedures and a code of conduct reviews of policies and procedures to ensure that the
are foundational pillars of a successful compliance documents are updated with the latest laws and regula-
program. Your organization’s commitment to compliance tions to continually aid in mitigating regulatory and other
can be evaluated by the active application of compliance organizational risks. DI

Litany Webster, JD, CHC, is the Manager of Regulatory Compliance and Government
Relations for The Kroger Company’s Health and Wellness division. Litany can be
reached at [email protected].

Meagan R. Parker, MHA, CHC, CMA (AAMA), is the Business Office Director
for the Women First of Louisville medical practice. Meagan can be
reached at [email protected].

We want to know...
who’s the sharpest crayon in the box?
Share your best work with us.

AHIA New Perspectives is looking for your most interesting


4400 College Blvd, Suite 220 audits. Check our writer’s guidelines on the AHIA
Overland Park, KS 66211 USA
800-ASK-AHIA www.ahia.org
website or contact the editor at:
[email protected]

20 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


A LEADER IN CONSTRUCTION AUDIT, CONSULTING, AND PROJECT MANAGEMENT

Ensuring accountability and transparency throughout the


duration of a healthcare capital program while enabling
the completion of projects on time and within budget

“Talson has been a long time valued


partner with Main Line Health and has helped
establish the framework for success between
our health system and our contractors.
Talson is a perfect extension of our internal
audit function”.....Mary Jane Schroeder,
Director Internal Audit Main Line Health

Serving public & private healthcare clients since 2001

Atlanta, GA | Los Angeles, CA | New York, NY | Philadelphia, PA


215-592-9634
www.talsonsolutions.com

You might also like