NP

New Perspectives
A Publication of the Association of Healthcare Internal Auditors
Vol. 7 No. 2 Winter 2020
on Healthcare Risk Management, Control and Governance

U
h The Value of Internal Audit Pharmacists
U Stress Management in the Workplace
h
U Transform Your Internal Audit Approach
h
U Compliance Policies and Procedures 101
h
Table of
Contents Vol. 7 No. 2 Winter 2020

From the Editor 3

Revisit Basic Risks
By Mike Fabrizius, CHIAP™, CIA, CPA 4
The Value of Internal
Audit Pharmacists
Enhance your focus on care and safety
By Troy Watson, PharmD, Chenette Burks, PharmD, BCPS,
and Nancy Elrod, PharmD, BCPS

7 Transform Your
Internal
11 Audit
Stress Management in the Workplace
Use audit skills to control stress Transform Your Internal
By Cindy Glennon, MPH, CIA, RYT-500 Audit Approach
Cover relevant risks quickly
By Tim Bruhn, CPA, CIA, CISA,
Rebecca M. Welker, CHIAPTM, CIA,
FHFMA, and Daniel T. Yunker

Compliance Policies and Procedures 101

Ensure an effective foundation
By Litany Webster, JD, CHC,
and Meagan R. Parker, MHA, CHC, CMA (AAMA)

NP Digital Insights
Published by AHIA, Inc.
Editor:
Mike Fabrizius, CHIAP , CIA,CPA
TM
15
NP Digital Insights is refereed and peer-reviewed. Our focus is on topics of value and interest to healthcare internal auditors and
compliance professionals involved in risk management, control and governance. NP Digital Insights is published semiannually in June
and December for members of the Association of Healthcare Internal Auditors, Inc. You may send inquiries to: Editor, Association
of Healthcare Internal Auditors, Inc., 4400 College Blvd, Suite 220, Overland Park, KS 66211 USA. Phone: (303) 327-7546

Toll Free: (888) 275-2442 Fax: (720) 881-6101 [email protected].

(410) 707-3274
[email protected] NP Digital Insights, its editors and the Association of Healthcare Internal Auditors, Inc., are not responsible for the opinions and
statements of its contributors and advertisers. The authors do not necessarily reflect the official policies of AHIA, nor does AHIA endorse
any products. AHIA does not attest to the originality of the author’s content.
Editorial Committee and
Board of Directors members’ Reprints of any portion of NP Digital Insights may be used for educational or instructional purposes only, provided the following
names can be found at statement appears on each reprint: “Reprinted with permission from NP Digital Insights, a publication of the Association of Healthcare
AHIA.org. Internal Auditors, Inc., Volume [#], Number [#], [Year], Association of Healthcare Internal Auditors, Inc.”
Copyright 2020, Association of Healthcare Internal Auditors, Inc.

2 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020


Revisit Basic Risks
By Mike Fabrizius, CHIAP™, CIA, CPA
T he pandemic upended internal audit. Our mandate
to stay on top of internal controls and ensure that
risks are adequately addressed has been at least partially
superseded by other pressing needs in our organizations.
Internal auditors have justifiably and admirably pivoted to
assist management in a consulting and supporting role.
For example, internal auditors have temporarily redeployed
to provide assistance to compliance with government
support programs.
Meanwhile, changes in internal controls have occurred
in many organizations. Management was pressed to
respond to dramatic changes in patient care needs
with little preparation and less than optimal resources.
Of course, they prioritized the needs of patients and
quickly implemented workarounds and shortcuts and
in the process may have rationalized compromises of
controls in the interest of expediency.
Control changes may have occurred in areas that
before the pandemic had stabile processes, seasoned
management, onsite staff and highly consistent, excellent
performance over many years. The areas did not score
as being very risky on your previous enterprise risk
assessments and you may not have audited them for
a few years.
Time for a pause. The basic control environment needs a
good shakedown before you move forward with assessing
other identified risks. You need to verify that key processes
and activities are in control and not jeopardizing core
services and supporting functions.
The verification does not have to be deep but should
quickly determine the extent each key area was affected
by the pandemic. Limited time and effort can ascertain
each area’s operational challenges, changed profile,
current performance and control variations.
Operational challenges – What operational challenges have
occurred in this area because of the pandemic? Many
areas have been affected by staffing, space and supply
issues. How have these challenges been met?
Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights
From the
Editor
Do unresolved issues currently exist and do the issues
have the attention of the appropriate level of management?
Changed profile – What adjustments in staffing, systems,
processes, policies and procedures have been made?
Wholesale changes may suggest that the control
environment has changed dramatically. Many new
employees raise concerns about the adequacy of their
skills and training for their positions, and the need for
more training, coaching and oversight. Dramatic
changes in systems and processes may merit post-
implementation assessments.
Current performance – How has area performance
changed? Look for symptoms of problems. Excessive
backlogs of system access requests, performance
reviews, regulatory reports, transaction processing, edit
and reject resolution, approvals and reconciliations are red
flags. Outstanding issues, such as patient and staff safety
matters and system downtime, merit your attention.
Gain an understanding of the effect of staff working from
home. Has performance been at acceptable levels?
Are some tasks better performed onsite and should be
reassigned to onsite staff? Conversely, should more tasks
be assigned to staff that work from home?
Control variations – Ask what exceptions and overrides
to controls and risk acceptance have been made. The
answers combined with your observations and insights
can begin a healthy dialogue on whether the changes are
acceptable. If not, can you facilitate the identification of
solutions to reduce risks to an acceptable level?
Summarize and rank the results of your high-level
assessment. Share the results, especially control gaps,
with management. Decide your next steps, which may
include a deeper dive into areas where risk profiles have
changed significantly.
Your agility and contribution of insight into the overall
control environment in this dynamic and changing
environment will not go unappreciated by your
management and board. DI
3
 Fe a t u r e

THE VALUE OF INTERNAL AUDIT PHARMACISTS

ENHANCE YOUR FOCUS ON CARE AND SAFETY

By Troy Watson, PharmD, Chenette Burks, PharmD, BCPS, and Nancy Elrod, PharmD, BCPS

Patient care requires the availability and integrity of medications, policies and processes for safe
medication practices, and regulatory compliance. Because of the potential for regulatory fines, loss of
accreditation and licenses, and medication-related employee and patient harm, internal auditors need to
regularly evaluate the unique risks posed by pharmacy services. The risks are multiplied for healthcare
systems with numerous hospital pharmacies.

P harmacies are a highly specialized area of a hospital

that requires specific knowledge to navigate and assess
complex operations and compliance requirements. Although
pharmacists are uniquely positioned to support internal audit
assessments in this area, few internal audit departments
employ their expertise as team members.
Benefits of internal audit pharmacists
HCA Healthcare is a large healthcare system consisting
of surgery centers, urgent care centers, freestanding
emergency departments, physician clinics, and over
180 hospitals.1 All of HCA’s healthcare facilities provide
pharmaceutical services, although in different capacities
and frameworks. The hospitals have dedicated pharmacy
departments in which pharmacy technicians and
pharmacists provide these services, and they must maintain
compliance with state and federal regulations.
Hospital pharmacists are well versed in relevant laws
because they must pass the Multistate Pharmacy
Jurisprudence Examination, which tests a candidate’s
mastery of pharmacy laws for state licensure.2 The
compliance knowledge required for passing the examination
makes pharmacists logical candidates to serve as subject
matter experts in pharmacy-related audit activities.
Many pharmacy regulations are historical mainstays, but
some were enacted as a result of serious patient harm,
such as the Drug Quality and Security Act (DQSA)3 and
the Compounding Quality Act (CQA) of 2013.4 The federal
regulations resulted from a fungal meningitis outbreak in
2012 that was attributed to contaminated compounded

1
https://hcahealthcare.com/util/forms/press-kit/HCA-presskit-fact-sheet-a.pdf
2
https://nabp.pharmacy/programs/mpje/
3
www.fda.gov/drugs/drug-supply-chain-security-act-dscsa/title-ii-drug-quality-and-security-act.
4
www.fda.gov/drugs/human-drug-compounding/text-compounding-quality-act.

4 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020

 Regulatory compliance is an increased focus by the DEA to minimize medication diversion.
steroid injections.5 The outbreak and the federal acts
focused on the risks associated with compounded
medications. Consequently, the HCA Healthcare Internal
Audit department established an Internal Audit Pharmacy
Compliance (IAPC) team with a staff of pharmacists.
The internal audit department expanded their capability to
positively effect patient care through nontraditional reviews.
The benefit is especially apparent when partnering with
corporate pharmacy leaders in reviewing implementation
of specific, organization-wide pharmacy policies affecting
all hospitals within the organization.
Internal audit pharmacists are a key resource, not only
in pharmacy regulatory compliance, but also in other
clinical spaces. Some of the high-impact pharmacy areas
that pharmacists have been a part of include medication
compounding processes and regulatory requirements,
medication diversion prevention processes, controlled
substance regulatory requirements, and medication
safety practices.
The majority of the IAPC team focus is on medication
diversion prevention processes and medication
compounding requirements. Additionally, internal audit
pharmacists have developed key relationships across the
organization. The relationships have allowed collaborative
auditing efforts in areas such as telehealth, provider
credentialing and licensure, information and technology,
core quality measures, inpatient rehabilitation facilities,
and inpatient psychiatric facilities.
Medication compounding
Medication compounding is defined by the U.S. Federal
Drug Administration (FDA) as “combining, admixing, mixing,
diluting, pooling, reconstituting, or otherwise altering a drug
or bulk drug substance to create a drug.”6 Compounded
medications can be tailored to the needs of an individual
patient or can be prepared in larger batches by outsourcing
to compounding facilities in anticipation of needs for multiple
patients. Drug shortages can make the use of outsourced
compounded medications more likely because a hospital
may only be able to obtain a limited supply of manufactured
products from a wholesaler.7
5
www.cdc.gov/hai/outbreaks/meningitis.html
6
www.fda.gov/drugs/human-drug-compounding/text-compounding-quality-act
7
www.ncbi.nlm.nih.gov/pmc/articles/PMC7489216/
8
www.usp.org/
Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights
Compounded medications play a vital role in the care of
patients, but not without risk. Even with the most stringent
regulations, a chance always exists that the product may
become contaminated, ineffective or made with poor quality
ingredients that have the potential to lead to patient harm.
Compliance with standards and regulations set forth by
the United States Pharmacopeia (USP),8 the FDA and other
regulatory bodies decrease the risk of patient harm.
With their knowledge and experience in medication
compounding practices, standards and requirements,
internal audit pharmacists were able to design and execute
targeted audits and provide valuable, objective feedback for
better, safer care for the patients. Medication compounding
audits include reviews of compounding processes for
medications compounded by hospital pharmacy staff
and medications purchased from third-party pharmacy
compounding vendors.
By reviewing outsourced compounding vendors,
pharmacists can ensure that thorough vetting of the
facilities occurs. They can also verify that the product
being outsourced can be tracked from purchasing by
the pharmacy department to patient administration,
which is important in the event of a recall. Pharmacists
can tour vendor facilities to ensure compliance with
applicable standards.
Medication diversion
Pandemic-related unemployment, depression and isolation
have led to more drug use. Many users have turned toward
hospitals as a source for drugs. Hospitals must securely
store and track medications susceptible to diversion to
protect patients and staff.
Physical security includes the storage of medications, but
also includes the processes around stocking, inventorying,
tracking and documenting chain of custody. Controls should
be implemented to limit access to appropriately licensed
individuals for areas necessary to perform their patient
care role.
Wasting procedures need to comply with both Drug
Enforcement Agency (DEA) standards and state regulations.
The procedures should include where to properly dispose
5
of the medication as well as the necessary documentation
for the waste. Frequent monitoring and reconciliation are
controls that should be implemented to limit and detect
diversion as early as possible.
Because of their familiarity with pharmacy dispensing
processes and operations, internal audit pharmacists can
provide an objective review of hospital controls around
controlled substances and medication diversion surveillance.
They can also evaluate processes for gaps in controls by
benchmarking the processes used by hospitals across your
system. The pharmacists can provide hospital leadership
with objective feedback to strengthen their processes and
minimize the risk of medication diversion.
Regulatory compliance
Hospitals and healthcare systems have seen some of
the highest fines ever from the DEA related to controlled
substance requirements.9 10 Regulatory compliance
has become an increased focus from the DEA to
minimize medication diversion in hopes of curbing the
opioid epidemic.
Compliance focus areas have included:
• DEA and state recordkeeping requirements for the
purchasing and ordering of controlled substances
• Transfer of controlled substances between
DEA registrants
• Return of controlled substances through
a reverse distributor
Internal audit pharmacists can add value by identifying
patterns and trends across a healthcare system to allow
corporate pharmacy leaders to develop more precise
education and tools to assist with compliance.
Conclusion
Not all healthcare systems are large enough to justify
employing full-time pharmacists in internal audit, but
consulting arrangements are possible to periodically
supplement your staff. Consider incorporating pharmacists
into your program to assess medication practices and
regulatory compliance. Pharmacists have a unique skill set
and subject matter expertise that will enhance the value,
depth and credibility of your work in an area that is important
to patient care and safety. DI
Disclaimer: This article was supported in whole or in part by HCA
Healthcare and/or an HCA Healthcare affiliated entity. The views
expressed in this publication represent those of the authors and
do not necessarily represent the official views of HCA Healthcare
or any of its affiliated entities.

9
www.dea.gov/press-releases/2018/05/16/southern-district-georgia-announces-largest-hospital-drug-diversion-civil
10
www.dea.gov/press-releases/2018/08/30/record-settlement-reached-university-michigan-hospital-drug-diversion

Troy Watson, PharmD, is a Compliance Audit Manager on the Pharmacy Compliance

team of Internal Audit at HCA Healthcare. He specializes in health system pharmacy
administration, pharmacy operations, regulatory compliance, medication safety,
medication compounding, and medication diversion. Troy can be reached at
[email protected] and (615) 290-2443.

Chenette Burks, PharmD, BCPS, is a Compliance Audit Manager on the Pharmacy

Compliance team of Internal Audit at HCA Healthcare. She specializes in health system
pharmacy administration, regulatory compliance, medication safety, and medication
diversion with additional expertise in ambulatory surgery pharmacy services. Chenette
can be reached at [email protected] and (615) 568-9126.

Nancy Elrod, PharmD, BCPS, is a Compliance Audit Senior Manager on the

Pharmacy Compliance team of Internal Audit at HCA Healthcare. She is responsible
for leading the team in auditing key pharmacy-related regulatory areas and developing
strategies and processes to support internal audit initiatives. Nancy can be reached
at [email protected] and (615) 344-1733.

6 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020

 Fe a t u r e

Stress Management in the Workplace

Use audit skills to control stress
By Cindy Glennon, MPH, CIA, RYT-500

Everyone in the workplace experiences stress, and the Covid-19 pandemic has introduced new challenges
that contribute to stress. Overwhelming stress can make you reactive, hinder your performance and
productivity, and affect your mental, emotional and physical well-being. Identify and analyze issues to
recognize stressors and manage your reactions to create the best outcomes.

B reak down the components of a moment of acute and

overwhelming stress to empower yourself and get back
to being your best. To effectively manage stress, you must:
an impact in either direction, or you could feel neutral about
the stressor.

Good stress is mobilizing. An example of good stress is an

• Recognize the triggers that are the root causes.
• Determine an immediate corrective action to recenter
in stressful moments.
• Identify preventive and monitoring controls that lessen
the impact of future stressors and triggers.
Understand stress
A stressor is a circumstance or event—something that
happened—like a condition identified in an audit. Stress
comes from your reaction to that circumstance or event.
Stress can be positive and negative. A stressor could have
exciting goal that you are motivated toward that mostly feels
good. Perhaps you are given an opportunity to work on a
new audit topic that will further your career. Your stressor
is the event of taking on the new topic, and the challenge
mobilizes you to learn, hone skills and work toward
completing the project goals.
However, the term stress most often refers to a negative
reaction to a stressor. The reactions can be feelings of being
overwhelmed, irritated, angry, hurt, scared and anxious.
The stressor may seem to be the root cause, but your
reactions determine the amount of stress you feel.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 7

Recognize the root causes of your stress
When you recognize the stress and take a moment to pause,
you shift from reactive mode to response mode in a calmer
and more collected way. Learn to recognize when you are
stressed, so you can do something about it.
Mentally, stress turns all attention toward the threat or
problem. Today, threats can manifest as a big presentation
to the board, too many incoming emails, a massive task list,
constant distractions, and so on.
In the days when humans were at constant risk from animal
predators, being part of a group provided protection from
attacks. Fighting off a predator by yourself is difficult, but if
you have some help, everyone is much more likely to survive.
Conforming to norms and expectations kept people in good
graces with the group, but deviating from those norms could
result in being outcast from the group. Scientists who study
the evolution of behavior believe that this need for inclusion
is at the root of why humans are social creatures. In today’s
workplace, this need shows up as stress in relationships with
other people.
Social stress appears when crossing the line from
collaboration to people-pleasing. Think about how often
you fear that others will think you are dropping the ball or
are not committed if you miss one email or task. Self-critical
thoughts are sneaky, and you are not alone if you have a
sense of not being or doing enough. The good news is that
you can develop skills to rein your mind back in and reduce
this type of stress.
Identify – The first step in managing workplace stress is
early identification. Taking a moment to say to yourself:
I am stressed. Acknowledgement is quite powerful. When
you identify the stress, you are not only owning it, you are
opening a doorway to gain perspective on the situation.
You can then empower yourself to act to recenter yourself.
Analyze – When the severity of a stressful moment has
passed, you can ask yourself: Why am I stressed? Analysis
will help you identify your triggers. Keep in mind that one
single event likely did not trigger you into stress, but a
compilation of many events and circumstances did. You
employ the root cause analysis technique of asking why,
to understand your own stress and the related triggers.
Break down the components of your acute and overwhelming stress to get back to being your best.
8 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020
You are already beginning to be less immersed in your
stress and are starting to step out of your condition to be an
observer. When you have these moments of stepping out of
the stress—moments of clarity and recognition—you have
some space to work with and make a shift to move forward.
Recognizing and then responding thoughtfully rather than
reacting is a skill you can build. Be patient with yourself as
you work to develop this skill over time.
Determine actions to recenter – When you recognize that
a stressor is triggering you, you can empower yourself to
intervene and counteract it. The practice of recognizing
the start of a stressful moment begins by stepping out of
the stress for a higher perspective. You allow yourself to
evaluate and take immediate action to respond thoughtfully.
Relief from acute stress can occur in just seconds.
Respond to immediate stressors
These responses are simple, effective and require less than
a minute.
• Take one deep, slow breath followed by
a slower exhale.
• Turn your phone face down.
• Lock your computer screen.
• Gaze at a favorite object, photograph or an
inspirational quote.
If you have at least one minute, you can work a little more
at allowing the stress sensation to arise and pass by using
these techniques:
• Take several deep breaths.
• Stand up.
• Walk or move around your desk, office or room.
• Focus on each of your physical senses—sight, sound,
touch, smell and taste.
• Stretch at your desk by moving your wrists and ankles
or by leaning to each side.
When a full break is possible, use the time to center yourself.
When stressed, your tendency may be to keep working.
However, frantically doing more tasks keeps you in the same
stressed-out state, which is not optimal for you or your work
relationships or products.
 Your reaction is what determines the amount of stress you feel.

• Play a mindfulness and meditation application (e.g.,
Insight Timer, Headspace, Calm).
• Go outside and use your physical senses to become
more aware of your surroundings.
• Clear up one pile of clutter.
• Go for a walk and feel your feet with each step.
All these actions provide a moment to turn your attention
away from the stressor and your reaction to it. The activities
lift you out of your overwhelmed state. As you practice these
actions, acknowledge your frustration, stress or anger. Then
slowly release the stress by allowing the action to take up
more of your mind than the stress.
Monitor – You can apply a monitoring technique to check
in with yourself periodically. Measure how you are doing
with your stress level and your intention. Notice how you
start, execute and end your tasks, meetings, emails and
interactions. Set reminders to check in with yourself at
lunchtime and at the end of the day.
If you catch yourself starting to become stressed, use your
intention as an anchor and ask yourself: Am I acting and
thinking from my intention right now? Be nonjudgmental
with yourself and use your repertoire of immediate corrective
actions to get back on course while you remind yourself of
your intention.

Let the moment move through instead of burying or ignoring

it. You may say to yourself: I am stressed right now, but the
stress will pass. When you feel calmer, bring yourself back
to the task, conversation or to-do list, and tackle the activity
with a renewed perspective.

Identify controls
You have learned to identify root causes of stress and take
immediate corrective action to recenter yourself. The next
step is to plan preventive controls to lessen the impact of
future stressors and monitoring controls to check in with
yourself throughout the day.
Prevent – To lessen the impact of future stress, be proactive Exercises
to create a center within yourself for mindfully responding
1. Identify two to five stressors that triggered you
rather than reacting. A simple strategy is to set an intention
in the past at work, home or any other area of
early in your day. Frame your intention in terms of how
your life.
you want to be today. Examples include: patient, focused,
friendly, creative, calm, resilient or light-hearted. Choose just 2. Write down two to five stressors that are themes
one. The intention can change daily, or you may choose to in your life right now.
stick with it for many days, weeks, months or years. 3. Which actions resonate with you? What additional
Form a habit to set your intention for the day. Place a actions might work well for you? Write down these
reminder note that you will see early in your morning routine actions and keep the list in your workspace.
or replace the word alarm on your phone with set intention, 4. Try out your potential actions. Practice them.
or with the intention itself, such as be patient today. One may work in one situation, another in a
Many professionals are adopting a morning meditation different situation.
practice to begin the day from a place of calm. Even one 5. When and where in your early morning routine
minute to focus on breath and set that intention can produce can you set your intention? Set up a reminder to
a meaningful shift in your day. Form an intention just before yourself now so you can start tomorrow.
you open your laptop, taking a brief pause before you launch
into your tasks.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 9

 Employ root cause analysis to understand your stress and the situations that trigger it.

Conclusion You also can help yourself head off stress through
prevention, which is like throwing yourself a lifesaver to climb
Stress is a fact of life and everyone has different triggers to
onto when you need it. Give yourself the gift of setting up
stressors. Take a few moments to follow the suggestions
your day with purpose and intention and come back to these
above to reflect and plan your self-management strategy.
goals throughout your day. If you do, you are already on
Identify your common stressors and triggers so you can
your way to a calmer, happier and more productive state
recognize them when they arise. Choose some immediate
of well-being! DI
actions to take the next time you begin to feel stressed.
Practice relieving the acute stress, which should eventually
help with underlying stress as well.

Cindy Glennon, MPH, CIA, RYT-500, is Director of Internal Audit at Commonwealth Care
Alliance, a nonprofit care delivery system. She is also a certified yoga and meditation teacher
who specializes in stress management skillsets in the workplace. Cindy can be reached at
(617) 426-0600 and [email protected].

10 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020

 Fe a t u r e

Transform Your

Internal Audit
Approach
C OV E R R E L E VA N T R I S K S Q U I C K LY

By Tim Bruhn, CPA, CIA, CISA, Rebecca M. Welker, CHIAPTM, CIA, FHFMA, and Daniel T. Yunker

Healthcare organizations are experiencing an array of new risks emerging out of an increasingly complex
healthcare environment. The coronavirus pandemic has added additional risks and uncertainties.
Consequently, organizations and their internal auditors must be nimbler than ever, quickly evolving to
keep pace with new risks that could permanently change healthcare.

H ealthcare internal auditors are ideally positioned to

help their organizations navigate and mitigate new
risks. To do so successfully, internal auditors need to
shift from traditional audit approaches and adopt more
modern processes that leverage professional expertise
and technology.
Cover more with less
The coronavirus pandemic has been eye opening for
healthcare, by exposing vulnerabilities to the effects of
major disasters. Existing risks for many organizations have
been amplified, and new risks have surfaced. As a result,
internal auditors will need to cover more ground in their day-
to-day work, and they will need to do so more effectively
and efficiently.
But how can auditors cover more ground and close risk
gaps when resources and talent are limited and, in some
cases, are being reduced as healthcare organizations face
steep budget shortfalls? To start, organizations and their
internal auditors should focus on those specific risks that
are most likely to impact their organization, rather than
attempting to assess and mitigate a list of generalized
healthcare industry risks.
Reprioritizing risks requires a shift in thinking—from
considering all the things that could go wrong to considering
what is actually going wrong or underperforming in the
organization, and determining what specific risks deserve
attention. The shift also requires a new work approach—
one that uses data analytics, automation and other tools
throughout the entire audit process.

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 11

Traditionally, internal auditors, using mainly manual
processes, have made limited use of data sets throughout
the entire auditing cycle. The manual audit steps—such as
conducting surveys, interviewing management and other
key stakeholders, and reviewing organizational goals and
objectives—were used to make educated guesses about
the state of an organization’s risks.
Auditors then created annual audit plans that required
manually intensive planning and walkthroughs to be
conducted as part of performing individual audits. Once
audit testing took place, many individual audit steps were
performed manually, and analytics were used only as part
of transactional testing.
A more modern internal audit approach uses risk
identification and control testing with data analytics to
analyze full data sets. Using data analytics allows you to
identify and target an organization’s critical risk areas and
opportunities for process improvement.
Utilizing data throughout the entire internal audit process
offers benefits to:
• Streamline the risk identification process, enabling the
organization to focus on, and when possible, quantify
the most important risks
• Facilitate acceleration of manual audit steps
• Create validated risk baselines and benchmarks of the
current state
• Enable continual monitoring of newly implemented
processes designed to mitigate identified risks
Move to automated audits
To embark on a modern approach to internal audit—one
that uses data at every possible point in the process—you
should consider the following steps.
Perform a digital risk assessment
Identify data sources that provide quantifiable, meaningful
performance indicators to measure the risk areas that relate
most closely to overall organizational goals and business
objectives. Using data to identify the risks that have the
biggest potential impact on the organization helps accelerate
closure of risk gaps and allows the organization to avoid
using costly resources—including limited staff time—on
assessing and monitoring low-risk areas.
When you measure your organization’s risk gaps, you can
better determine in the future whether risk exposures are
improving or when identified risks no longer pose a threat.
12 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020
In addition, using full data sets to identify risks allows the
organization to benchmark itself against other organizations
to help inform performance objectives and plans.
You can facilitate meaningful discussions with management
by aligning the intelligence revealed by the risk assessment
with the organization’s business objectives and strategic
goals. These discussions can help foster the development
of smarter audit plans.
For example, while reviewing service line performance,
an auditor at one large healthcare system noticed a sharp
decrease in the distribution of emergency department (ED)
coding levels at one of the system’s hospitals compared to
the others. During continuous risk assessment discussions,
ED leadership indicated that new coding software had been
installed with an expected increase in the distribution, not
a decrease.
ED management found the objective information provided by
the auditor to be extremely valuable and timely as they had
not performed an analysis. The identification of the variation
in coding distribution compared to expectations led to
adding a post-implementation audit to the internal audit plan
to examine ED documentation and coding processes.
Develop a smarter audit plan
Once you have used data to identify the critical risk areas
that should be audited, you have an incredibly valuable
baseline to develop and implement audit plans and monitor
processes. The essential areas to spend time on within each
audit will have been identified by the risk indicator analytics
prior to conducting the audit. You can use this identification
to allocate your valuable time in a more focused manner to
assess those risks, identify specific controls, and design
further analytics to test the controls.
Smarter, more informed audit plans that incorporate
data throughout each step in the audit process also
encourage automation of steps that in the past were manual.
Analysis of the risk indicators can benefit from feedback
from a continual monitoring process. At each iteration, the
analytics become more refined and robust based on the
information gained.
For example, the internal audit team for a multihospital health
system had been performing 340B drug pricing program
audits for several years. Initially, the team took the approach
used by the Health Resources and Services Administration
and selected small samples to test for Medicaid duplicate
discounts and other billing requirements.
 Modern internal audit approaches use data at every possible point in the process.
Because of the high volume of 340B transactions, internal
audit team members wondered how any anomalies could
be identified with such a small sample. The team then spent
time developing automated testing to shift from sampling to
a complete review of the transactions.
The team was amazed to find that while many transactions
were correct, almost as many were incorrect. The insight
led to program improvements that strengthened 340B
compliance. Now the automated tests run continuously
and alert the team to any process breakdowns that can be
addressed quickly and more efficiently.
Conduct a modern audit
You should consider the manual steps in the traditional
audit process that can be completed or benefitted by using
data or information from technology sources. Technology
solutions and information generated from automations
can help you complete audits faster and more efficiently,
ultimately reducing the number of manual audit steps.
For example, improve your performance by using
knowledge-based workflow and report generation software,
in conjunction with data analytics, to:
• Systematize the planning of required audit steps
• Assess risks and control testing in real time with full
data sets
• Generate actionable reports that help organizations
measure performance improvement or rising
risk gaps
• Offer workflow technology to assist with additional
risk monitoring
• Allow audit and risk monitoring activities to be
conducted remotely, if necessary, through cloud-
based solutions
Today, your expertise is needed more than ever to interpret
data, provide insight and guidance to your organization, and
to reduce the time gap between risk identification and audit
coverage. When considering the manual processes that can
be automated, look for routine or repetitive steps that should
not require a human touch or an auditor’s expertise.
Many traditional test steps require auditors to acquire
sample source documents, analyze those documents, and
then manually record their results in workpaper summaries.
The technology in place at many healthcare organizations
Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights
can provide access to transactional data in digital form and
enable many of manual processes to be accelerated or
completed automatically.
Audit automation streamlines testing of full data sets and
identification of anomalies. You can then use your valuable
budgeted time and expertise to assess the anomalies and
identify root causes.
An example of automation combined with auditor expertise
that improved the audit process and outcome occurred in
an oncology charge capture audit at a large hospital system.
Analytics had been developed to identify inappropriate
billing patterns related to intensity-modulated radiation
therapy (IMRT).
An analysis of the IMRT exceptions produced by the
automated testing led the auditor to inquire about other
radiotherapy treatment planning and delivery approaches
such as stereotactic body radiotherapy. The results of this
inquiry led to a discussion with management, which led to
identifying other questionable billing patterns. The auditor’s
knowledge of the process and the data insights led to
identifying additional risks that had not been part of the
original scope of the project.
Internal auditors are uniquely positioned to understand
identified risks in the context of an organization’s overall
goals, business objectives and vision for its future. Health-
care clinicians have long been encouraged to practice at
the top of their licenses, meaning they should work to
the full extent of their education and training. You can
practice at the top of your internal audit credentials by
using leading practices.
By adopting a modern approach to internal audit, you
have an opportunity to elevate and demonstrate the value
proposition you bring to your entire healthcare organization
by identifying and managing risk. Practice at the top of your
credentials to the full extent of your education, training and
experience with a modern approach.
Monitor risks continually
Your auditing process should not stop once risks are
identified and process improvements to manage risks are
implemented. One of the most important components of a
modern internal audit approach is continual monitoring for
sustainability. Using complete data sets can assist you in
continually scanning for and assessing emerging risks.
13
An example of the value of continuous monitoring was
demonstrated by an internal audit team at a multihospital
system when assessing patient observation services.
Compliance was to be evaluated with Medicare guidelines
for assigning patients to observation (outpatient) status
rather than admitting as inpatients.
The team obtained transactional data for a two-year period
and performed an observation status assignment analysis
across all the hospitals. During a meeting to scope the audit,
care management leadership indicated that an observation
process at one hospital had recently been modified and
a plan was in place to apply the same process at the
other hospitals.
However, after the internal auditors reviewed the data with
care management leadership, the leaders realized that the
modifications at the first hospital did not fix the process and
should not be rolled out elsewhere. The leaders recognized
that more work was necessary, and the auditors could
provide an independent perspective through continuous
monitoring that would be helpful in improving the process
across the entire system.
Invest for better risk coverage
The constantly changing healthcare landscape will require
a new internal audit approach to help organizations attain
better—and smarter—risk coverage. When healthcare
organizations can better align their risk coverage with the
specific, unique risks that they are exposed to, they can
achieve better risk management outcomes.
To successfully implement a new internal audit approach,
management must invest in the internal audit function and
recognize its ability to contribute to better risk management
for the organization. Providing internal audit with access
to valuable data sets is an important first step. With real-
time access to available data, internal audit can implement
automations throughout the entire internal audit process to
create efficiencies that will translate into covering more risk
areas with the same resources.
The internal audit area also must invest in their function by
committing time to implement new automations in areas
where data allows. Automation is not a once-and-done
project, but rather an ongoing evolution that must build
over time to anticipate risks rather than react to risks.
Conclusion
Most healthcare organizations find themselves in increasingly
competitive markets. Internal auditors who adopt the
smartest, most efficient processes can create a competitive
advantage for their organizations, helping to meet their
missions, thrive within their markets, and satisfy their
patients’ expectations. Healthcare industry complexities will
continue to grow over time, but you can help to close risk
gaps and expand your organization’s ability to mitigate the
risks that matter most at a critical time. DI

Tim Bruhn, CPA, CIA, CISA, is a Senior Manager at Crowe Healthcare Risk Consulting
LLC. He specializes in the digital acceleration of the audit model. Tim can be reached
at [email protected] and (314) 802-2821.

Rebecca M. Welker, CHIAPTM, CIA, FHFMA, is a Managing Director at

Crowe Healthcare Risk Consulting LLC. She leads the clinical operations
team of clinical, coding and compliance professionals. Rebecca can be
reached at [email protected] and (314) 802-2055.

Daniel T. Yunker is a Principal at Crowe Healthcare Risk Consulting LLC.

He is responsible for leading strategic direction and the transformation
of healthcare internal audit services. Dan can be reached at
[email protected] and (312) 899-1514.

14 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020

 Fe a t u r e

Compliance Policies and Procedures 101

Ensure an effective foundation
By Litany Webster, JD, CHC, and Meagan R. Parker, MHA, CHC, CMA (AAMA)

The Office of Inspector General (OIG) first issued compliance guidance for organizations over 20 years
ago. Yet many organizations still struggle with a cost-effective, preemptive approach when designing and
maintaining their organization’s compliance program. Make sure your organization has the right policies
and procedures, as well as a code of conduct, to support an effective compliance program.

T he adoption and enhancement of a voluntary,

well-designed compliance program can boost an
organization’s ability to provide quality services and
demonstrate a strong commitment to honest and fair
dealings to their community. A compliance program with
comprehensive policies and procedures aids in mitigating
the risk of fraud, waste and abuse.
If wrongdoing is detected, an effective program may be the
difference between onerous fines/penalties or a corporate
integrity agreement with the Department of Justice (DOJ).
Accordingly, both the OIG’s and DOJ’s guidance for
compliance programs has highlighted the importance of
well-developed policies, procedures and a code of conduct.
Policies and procedures listed in OIG and DOJ guidance
are the first element of effective programs, and they serve
as important and valuable resources for organizations and
workforce members because they:
• Document how the organization conducts business in
compliance with ethical standards and applicable state
and federal laws and regulations
• Standardize processes and operations across multiple
activities and locations
• Provide the workforce with clear, concise guidance
• Reduce institutional risk through accountability

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 15

 incorporate the culture of compliance into its day-to-
day operations.”3
Elements of an effective
compliance program The program’s ability to meet these standards may affect the
ultimate form of resolution to an investigation, including the
An effective compliance program must be a amount of monetary penalties and the scope of compliance
continual process that consists of the following obligations in a corporate integrity agreement.
elements as set forth by the OIG*:
1. Written policies, procedures and standards Code of conduct, policies and procedures
of conduct As a starting point, a code of conduct should set forth
2. Compliance officer and compliance committee the organization’s expectation that staff members are
3. Effective training and education committed to ethical business practices and compliance
4. Effective lines of communication with applicable laws and regulations.4 The code should
incorporate the following:
5. Internal monitoring and auditing
• The organization’s missions, vision and values
6. Enforced standards through well-publicized
disciplinary guidelines • Clear and concise language about how and to
whom to report actual or suspected misconduct or
7. Prompt responses to detected offenses and
noncompliance with organizational expectations
prompt corrective action
*https://oig.hhs.gov/compliance/provider-compliance-training/files/
• A prohibition of retaliation for good faith reporting
Compliance101tips508.pdf
• An annual requirement that each staff member will
attest and document receipt and acknowledgement
of the code of conduct
DOJ compliance program evaluations
Compliance policies and procedures should give “both
Policies and procedures are so vital to a compliance
content and effect to ethical norms” and “address and
program that the DOJ’s Evaluation of Corporate Compliance
aim to reduce risks identified by the company as part of
Programs guidance states that “prosecutors should
its risk assessment process”5 Therefore, most compliance
examine the ‘comprehensiveness of the compliance
programs include policies and procedures that fall into
program’… ensuring that there is not only a clear message
two categories: compliance program operations and
that misconduct is not tolerated, but also policies and
compliance risks.
procedures—from appropriate assignments of responsibility,
to training programs, to systems of incentives and Program operations
discipline—that ensure the compliance program is well Policies and procedures relating to the operation of the
integrated into the company’s operations and workforce.”1 compliance program will usually:
1. Provide information regarding the compliance program,
Furthermore, prosecutors should determine the existence of
including the structure
“a code of conduct that sets forth, among other things, the
company’s commitment to full compliance with applicable 2. Define noncompliance, fraud, waste and abuse
federal laws that is accessible and applicable to all 3. Identify mechanisms for reporting noncompliance
company employees.”2 4. Prohibit retaliation for good faith reporting
The DOJ guidance assists prosecutors in determining the 5. Spell out expectations regarding employee conduct
effectiveness of a compliance program at the time of an
6. Require risk assessments
alleged offense, and at the conclusion of the investigation.
Accordingly, the focus is on assessing “whether the 7. Set expectations for training and education
company has established policies and procedures that 8. Require auditing and monitoring
1
Page 2, www.justice.gov/criminal-fraud/page/file/937501/download
2
Page 4, Ibid
3
Page 4, Ibid
4
Page 4, Ibid
5
Page 4, Ibid

16 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020

 Policies should define the scope of disciplinary actions for noncompliance.
9. Specify corrective and disciplinary actions for
policy violations
10. Define the self-disclosure process for violations
of laws and regulations
11. Govern responses to regulatory examinations and
accreditation surveys
Compliance risks
Policies and procedures should address the organization’s
significant compliance related risks, which may vary
based on type of organization. Examples of policies and
procedures for compliance risks include:
1. Advanced beneficiary notices
2. Charity care
3. Coding
4. Conflict of interest
5. Credentialing and privileging
6. Discounting services
7. Documentation of medical necessity
8. Gifts, gratuities and business courtesies
9. Health Insurance Privacy and Accountability Act
compliance
10. Identification of overpayment and repayment obligations
11. Internal investigations
12. Language services
13. Patient rights
14. Patient transfers between facilities
15. Policies addressing regulatory requirements
(i.e. false claims, Emergency Medical Treatment and
Labor Act, labor laws, etc.)
16. Records management and retention
17. Third party relationships and contracts
18. Vendor management
Policy and procedure development
Knowledge of the importance of policies and written
standards must be combined with an effective plan
for development and implementation. Begin with an
understanding of the difference between a policy and a
procedure. Policies are largely static documents that define
Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights
a group of rules or directives. In contrast, procedures put
the policies into action. Procedures essentially provide the
who, what, when and where of applying policy statements
in daily operations.
Your organization should strive to standardize the policies
and procedures across its enterprise to help facilitate
workforce members’ understanding and ease in using these
resources. Uniform policy and procedure templates should
be adopted that standardize key elements.
Document headings and subheadings – Standardize
categories and sections such as titles, policy numbers,
purpose, responsibilities, definitions, scope/applicability,
review and effective dates, sanctions for violations and
noncompliance, and related policies and procedures.
Identification system – A numbering scheme can facilitate
policy organization by location/department (e.g., ambula-
tory, inpatient, pharmacy, site/state) or purpose/ownership
(e.g., compliance, health information management,
privacy, security).
Definitions – Definitions of key phrases or terms should be
developed and standardized across all policies to help your
readers understand the content.
Document owners should be directed to use these
standardized templates, and should be educated on how to
use simple language when drafting the content. Consider the
audience when determining the appropriate language to use
in a policy or procedure. Since your organization likely has a
broad scope of workforce members, the best practice is to
use simple language that is no more than an eighth-grade
level of comprehension.
Additional best practices include:
• Define acronyms
• Provide examples when the content is complex
• Avoid policy provisions that cannot be implemented or
executed
• Verify the appropriate use of must, may, should
and shall
Policies should include statements that define the scope of
disciplinary actions for noncompliance, including termination
if applicable.
17
Review and approval
A review schedule must be established and adhered to for
all policies, procedures and the code of conduct to ensure
these resources remain relevant and up to date with industry
standards, laws and regulations. A review every two years
or when a substantial change is needed is usually sufficient.
However, certain accreditations, laws and regulations may
require more frequent review.
The roles and responsibilities for reviewing and revising each
policy and procedure as well as the formal approval process
should be clearly defined. Responsibility generally falls in
three areas:
• Drafting and revising based on subject matter expertise
• Organizational review oversight
• Approval
Implementation of a formal approval process is important to
prevent inaccurate or conflicting policies and procedures.
Based on your organization’s size, consider whether a
policy coordinator, policy and procedure committee, and/
or department-specific oversight plans are appropriate.
The formal approval process should be designed to make
certain that the proper responsibilities are defined, and that
review and approval procedures are followed.
To ensure compliance, internal auditors and compliance
professionals should monitor and periodically audit the
review and approval processes.
Implementation
Once developed, a policy or procedure can move through
an appropriate implementation plan. While implementation
may at times seem burdensome, an effective process will
be taken into consideration should the organization ever find
itself under investigation.
The DOJ’s Evaluation of Corporate Compliance Programs
guidance directs prosecutors to “assess the steps taken by
the company to ensure that policies and procedures have
been integrated into the organization, including through
periodic training and certification for all directors, officers,
relevant employees, and, where appropriate, agents and
business partners.”6
Verify mechanisms that assess whether policies and procedures are understood by staff members.
6
Page 5, Ibid
18 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020
Accordingly, the compliance program should develop an
implementation plan that addresses policy and procedure
communication, education, dissemination and effectiveness.
Communication, education and dissemination
Communication, education and dissemination should be
coordinated to occur in a limited timeframe. Consider the
following factors when generating the plan:
• Is the policy or procedure new, or an update to an
existing document?
• Are operational changes required?
• Who are the relevant stakeholders and employees?
• What is the scope of entities involved, organization
types, number of employees affected, and number
of locations involved?
• Does new-hire education or orientation need to
be updated?
If the policy or procedure requires operational changes,
communicate with the relevant stakeholders as early as
possible. Ideally, if operational changes are required, these
stakeholders will have been involved in the development.
Based on the factors identified above, determine the
appropriate communication plan for the relevant policy
or procedure. Delivery methods may include an article
in an employee newsletter, email blast, message on the
organization’s intranet site, organization- and/or location-
specific training, messaging posted in employee workspaces,
and discussions at meetings with relevant stakeholders.
If the policy or procedure is new, requires a significant
operational change, and/or addresses a significant risk
area for the organization, extra steps and resources may
be needed. Consider providing educational resources and
training, and obtaining workforce member attestations as a
component of the implementation plan.
Once the policy or procedure communication and education
plan has been implemented, ensure that the policy and
procedure resource is continuously accessible to staff
members. Policies and procedures should be maintained
in a defined location that is readily accessible to the
relevant stakeholders and staff members. Additionally, the
organization should consider and address the following
as appropriate:
 Determine if policies and procedures are relevant and up to date with laws and regulations.

• Are these resources made available to persons 3. Surveys

with disabilities?
• Do communication barriers exist that need to be
addressed? Communication considerations are
especially relevant if your organization has foreign
subsidiaries.
• Are the policies and procedures only available internally
or are they also publicly available? If policies are
confidential or for internal use only, make sure the
stakeholders and staff members are aware of the scope
of accessibility.
Operational effectiveness reviews
As a best practice, organizations should implement
mechanisms to assess whether policies, procedures
and codes of conduct are understood by workforce
members. Methods that may be utilized to evaluate
effectiveness include:
1. Interviews
2. Observations
4. Audits
5. Questionnaires
6. Test scores and passage rates from training
The goal of an effectiveness review is to seek feedback on
whether any gaps exist in policies and procedures. If gaps
are discovered, consider whether job aids or cognitive aids
can be used in conjunction with the policy and procedure
to improve adherence. If the gaps represent a problem
that cannot be addressed through the implementation
of additional resources, the policy or procedure should
be revised to address the gaps and streamline the
operational issues.
Process reviews
Internal auditors and compliance professionals should
periodically evaluate the overall organizational process for
developing, implementing and maintaining policies and
procedures. Determine whether your organization’s policies
and procedures are relevant and up to date with laws and
regulations. Consider the questions listed below.

Questions for process reviews

1. Is the policy manual comprehensive?
2. Does the manual include policies and procedures that incorporate a culture of compliance in day-to-day operations?
3. Are the policies and procedures aimed at reducing risk to the organization through well-defined and easily
understandable content?
4. Are the policies and procedures aligned with industry standards?
5. Do the policies and procedures address accreditation, certification and attestation requirements for regulatory
agencies and payers?
6. Are gaps addressed that were identified in the compliance risk assessment?
7. Are the appropriate policy owners designated and are they aware of their responsibilities as policy owners?
8. Are the individuals or groups that approve the policies, procedures and the code of conduct properly identified?
Is a policy and procedure committee necessary?
9. What is the communication plan to ensure workforce members are aware of policy, procedure and code of
conduct updates?
10. Has an appropriate review schedule been established? When was the last time the review schedule was evaluated?
Is the review schedule being followed?
11. Are staff members aware of how to access policies?
12. Are staff members or relevant stakeholders able to demonstrate an understanding of the policies, procedures and
code of conduct?

Winter 2020 Association of Healthcare Internal Auditors NP Digital Insights 19

Conclusion
Organizational policies, procedures and a code of conduct
are foundational pillars of a successful compliance
program. Your organization’s commitment to compliance
can be evaluated by the active application of compliance
principles and written standards, and demonstrated in
day-to-day operations. Conduct consistent, regular
reviews of policies and procedures to ensure that the
documents are updated with the latest laws and regula-
tions to continually aid in mitigating regulatory and other
organizational risks. DI

Litany Webster, JD, CHC, is the Manager of Regulatory Compliance and Government
Relations for The Kroger Company’s Health and Wellness division. Litany can be
reached at [email protected].

Meagan R. Parker, MHA, CHC, CMA (AAMA), is the Business Office Director
for the Women First of Louisville medical practice. Meagan can be
reached at [email protected].

We want to know...
who’s the sharpest crayon in the box?
Share your best work with us.

AHIA New Perspectives is looking for your most interesting

4400 College Blvd, Suite 220 audits. Check our writer’s guidelines on the AHIA
Overland Park, KS 66211 USA
800-ASK-AHIA www.ahia.org
website or contact the editor at:
[email protected]

20 NP Digital Insights Association of Healthcare Internal Auditors Winter 2020

A LEADER IN CONSTRUCTION AUDIT, CONSULTING, AND PROJECT MANAGEMENT

Ensuring accountability and transparency throughout the

duration of a healthcare capital program while enabling
the completion of projects on time and within budget

“Talson has been a long time valued

partner with Main Line Health and has helped
establish the framework for success between
our health system and our contractors.
Talson is a perfect extension of our internal
audit function”.....Mary Jane Schroeder,
Director Internal Audit Main Line Health

Serving public & private healthcare clients since 2001

Atlanta, GA | Los Angeles, CA | New York, NY | Philadelphia, PA

215-592-9634
www.talsonsolutions.com