Internal Audit Benchmarking Trends in Healthcare

By Jarod Baccus, Austin Otigbuo, Kendalyn Rising and Mike Michalowicz

Internal audit (IA) functions continue to undergo significant change, ranging from the expanded use of emerging technologies, including robust data analytics and artificial intelligence (AI), to choices about where their people work (remote, hybrid or onsite). IA functions within healthcare organisations have continued to evolve and adapt, some faster than others. Keep pace by comparing your function with your peers and continuously improving.

*Reprinted with permission from New Perspectives, Journal of the Association of Healthcare Internal Auditors, Inc. Volume 43 / Number 1, 2024.

Protiviti and the Association of Healthcare Internal Auditors (AHIA) conducted an annual survey on IA functions, covering demographics, structures, processes, innovative initiatives, next-generation auditing progress, personnel experience, and top IA plan priorities for healthcare providers, payers and integrated delivery systems. The 2023 Healthcare Internal Audit Plan Priorities Survey results can be found in the jointly published Healthcare Internal Auditors Prioritise Cybersecurity, Business Performance, and Technology Modernisation. That publication also provides commentary on suggested practices for auditing the top priorities, on many of the changes underway within the industry, and on how those changes are affecting IA functions.

This article provides additional insight into detailed benchmarks around many of the other aspects of an IA function, including size, budgets and certifications.
The insights are drawn from various data points and provide additional context on what the survey data portends for the future of healthcare organisations' IA functions.

Methodology

For the last two years, Protiviti and AHIA have partnered to jointly conduct and publish a benchmarking survey that allows IA leaders to compare the knowledge and skills of their teams, identify areas of opportunity, and add value to their organisations. In the spring of 2023, surveys consisting of 70 questions of varying response types were sent to all AHIA members and many healthcare organisations across the country. The responses provide a snapshot of the current state of healthcare IA functions and professionals.

Completed surveys were received from 56 healthcare organisations: 37 healthcare provider organisations, 17 integrated payer and provider delivery systems, and two healthcare payer organisations.

Survey results

Reporting structure

Most respondents (55%) stated that their IA function reports administratively (on a day-to-day basis) to either the chief financial officer (CFO) or the chief legal officer (CLO), with another 18% reporting to the chief executive officer (CEO). The remaining respondents report to the chief compliance officer (CCO, 9%), the audit and compliance committee (7%), the board of directors (2%), the chief operating officer (COO, 2%) or other (7%).

Although administrative reporting relationships varied, the majority of respondents (91%) report functionally to an audit and compliance committee or another committee of the board, a trend similarly highlighted in the 2022 survey results.
Reporting to a board committee emphasises the importance of closely aligning the relevant board committee with the IA function, allowing the committee to provide oversight and strategic direction.

Relationships with compliance, operations and other areas

Most respondents (77%) have a stand-alone IA function with a separate compliance function, compared with 14% that have a combined IA and compliance function. The remaining 9% have a stand-alone IA function with no compliance function.

Respondents were also asked to characterise their organisation's perception of IA: 95% agreed that their organisation views IA as a value-added service/function aligned with the organisation's strategic objectives. Small numbers of respondents were unsure (3%) or did not believe that their organisation viewed IA as a value-added service/function (2%).

Exhibit 1 lists various functions with which IA might coordinate. For risk assessments, the majority of respondents coordinate with compliance (71%), risk management (57%), information technology (IT, 55%) and security (50%). For coordination on internal controls over financial reporting, IA most commonly coordinates with a public accounting firm (30%) or IT (21%). For enterprise risk management (ERM), IA most commonly coordinates with risk management (43%) and compliance (34%).

The majority of respondents coordinate assurance (audit) work with compliance (68%), IT (64%) and security (50%), followed by public accounting firms (48%).
Finally, respondents coordinate advisory (consulting) work most with legal (50%), compliance (39%) and IT (36%).

Exhibit 1 – Coordination of activities (percentage of respondents whose IA function coordinates with each function on each IA activity; multiple responses allowed)

Coordinating function     Advisory   Assurance   ERM   ICFR (e.g., SOX, MAR)   Risk assessment   No coordination
Compliance                39%        68%         34%   11%                     71%               5%
Privacy                   32%        43%         20%   9%                      46%               21%
IT                        36%        64%         25%   21%                     55%               9%
Security                  34%        50%         18%   13%                     50%               18%
Legal                     50%        36%         23%   7%                      46%               16%
Quality                   25%        38%         18%   4%                      45%               29%
Risk management           32%        38%         43%   9%                      57%               16%
Public accounting firm    20%        48%         4%    30%                     23%               21%

Column abbreviations: Advisory = advisory (consulting); Assurance = assurance (audits); ERM = enterprise risk management; ICFR = internal control over financial reporting.

Professional standards and quality assurance reviews

When asked whether their IA function adheres to The Institute of Internal Auditors (The IIA) professional standards, 52% of respondents indicated that they adhere to all of the Standards, including performing quality assurance reviews (QARs) and establishing and maintaining an IA charter. Fewer respondents (32%) adhere to all of the Standards except QARs. Only 11% adhere to most of the Standards except QARs and establishing and maintaining an IA charter, and 5% answered that their adherence either varied or they were unsure.

Among organisations that perform QARs, the majority (64%) perform them every five years, in line with The IIA's guidance; a further 22% perform QARs more frequently (every one to four years). Only 14% perform QARs less frequently than every five years (every six or more years).

Half of respondents either do not perform formal QARs (43%) or are unsure whether they do (7%). Among those whose organisation does not conduct formal QARs, 42% reported that the reason was that QARs were not required by governance/leadership.
The remaining reasons for not conducting a QAR were not seeing the benefit (21%), cost (16%) and other (21%).

Exhibit 2 summarises the latest type of QAR that respondents obtained. Over half (54%) of respondents had QARs that involved an IA professional services provider.

Exhibit 2 – Latest type of QAR (chart not reproduced)

Fraud risk management

According to The IIA's Three Lines Model, the IA function is the third line, providing "independent and objective assurance and advice on all matters related to the achievement of objectives," which includes fraud risk management efforts. Over half of all respondents (54%) noted that their IA function plays a role in monitoring the organisation's fraud risk management efforts.

Surprisingly, 21% of respondents indicated that their IA function leads the organisation's overall internal fraud risk management efforts. While specific organisational circumstances might explain some variance, under the Three Lines Model ownership of fraud risk management is better aligned with a second-line management function; an IA function that leads the effort cannot then provide independent assurance over it.

Exhibit 3 provides a deeper view into how healthcare organisations rank various areas of the business as potentially susceptible to fraud. The areas most often ranked as the first, second and third most significant fraud risk were revenue integrity (ranked first by 31%), financial accounting and reporting (ranked second by 35%) and regulatory compliance (ranked third by 41%).

Exhibit 3 – Top three fraud risk areas (percentage of respondents ranking each area first, second or third; highest value in each column marked with *)

Risk area                            Risk 1   Risk 2   Risk 3
Business operations                  21%      20%      20%
Financial accounting and reporting   10%      35%*     20%
IT security                          20%      6%       4%
Regulatory compliance                18%      21%      41%*
Revenue integrity                    31%*     18%      15%

Annual internal audit budget/spend

Exhibit 4 summarises the annual IA budget relative to the organisation's annual revenue.
Respondents reported a weighted average annual IA budget/spend of approximately $1,291,822.

Exhibit 4 – Annual IA budget/spend by revenue (columns: annual revenue in billions; rows: annual IA budget in millions; cells show the percentage of respondents in that revenue band; "-" = none)

Annual IA budget        < $0.5     $0.5-0.999   $1-4.999   $5-9.999     $10-19.999   ≥ $20
≥ $3                    -          10%          5%         -            80%          100%
$2 to $2.999            -          -            -          45%          -            -
$1.5 to $1.999          -          -            5%         -            20%          -
$1.25 to $1.499         -          -            10%        33%          -            -
$1 to $1.249            -          10%          20%        22%          -            -
$0.75 to $0.999         25%        -            40%        -            -            -
$0.5 to $0.749          -          10%          10%        -            -            -
$0.25 to $0.499         50%        30%          10%        -            -            -
≤ $0.249                25%        40%          -          -            -            -
Survey respondents      7%         19%          40%        17%          11%          6%
Average budget          $437,125   $636,800     $998,286   $1,816,667   $2,291,667   $3,000,000
Average IA team size    3          5            5          10           16           20

Annual internal audit plan hours and breakouts

Exhibit 5 depicts the total hours budgeted on the annual IA plan relative to the organisation's annual revenue. Respondents reported a weighted average of approximately 7,985 hours on their IA plans.

Exhibit 5 – Annual IA plan hours by revenue (columns: annual revenue in billions; cells show the percentage of respondents in that revenue band; "-" = none)

Annual IA plan hours    < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
≥ 15,000                -        10%          4%         22%        66%          67%
10,000 to 14,999        -        -            9%         45%        17%          -
7,500 to 9,999          -        10%          24%        11%        17%          33%
4,000 to 7,499          50%      10%          43%        11%        -            -
2,000 to 3,999          25%      40%          10%        11%        -            -
1,000 to 1,999          -        10%          10%        -          -            -
< 1,000                 25%      20%          -          -          -            -
Survey respondents      7%       19%          40%        17%        11%          6%
Average hours           3,875    4,500        6,880      10,833     13,542       12,917
Average IA team size    3        5            5          10         16           20

Exhibit 6 shows a breakout of IA plan hours budgeted by top risk category audit areas.
The top four audit areas consume 76% of plan hours.

Exhibit 6 – Annual IA plan hours by top risk categories (chart not reproduced)

Internal audit years of experience

Exhibit 7 shows the average years of experience by staff level, broken out by years of audit experience, healthcare experience and total experience.

Exhibit 7 – Average years of experience by level and experience type

Level                                               Audit*   Healthcare   Total
Executive vice president or senior vice president   22.7     16.0         22.7
Vice president or assistant vice president          24.3     19.2         26.5
Senior director or director                         19.8     16.0         20.3
Senior manager or manager                           13.0     10.4         14.8
Senior                                              9.9      6.4          11.4
Staff                                               3.9      3.9          5.7

Internal audit function size

Exhibit 8 shows the IA function's size relative to the organisation's annual revenue and its co-sourcing status. Approximately 10% of respondents do not co-source any audit work; they normally employ between one and nine IA staff, and most have revenue of less than $5 billion. The majority of respondents (90%) co-source a portion of their IA work.

Exhibit 8 – Co-sourcing by staff count and revenue size (columns: annual revenue in billions; the "Do not outsource" and "Do co-source" rows show the percentage of respondents in each revenue band; the indented staff-count rows show the split within that group; "-" = none)

Number of staff            < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
Do not outsource           50%      0%           11%        0%         17%          0%
  1 to 2                   50%      -            -          -          -            -
  3 to 5                   50%      -            50%        -          -            -
  6 to 9                   -        -            50%        -          100%         -
Do co-source               50%      100%         89%        100%       83%          100%
  0 or fully outsourced    50%      -            16%        11%        -            33%
  1 to 2                   -        30%          21%        -          -            -
  3 to 5                   50%      50%          42%        11%        -            -
  6 to 9                   -        10%          16%        45%        -            -
  10 to 14                 -        -            5%         22%        20%          -
  15 to 19                 -        -            -          -          20%          -
  ≥ 20                     -        10%          -          11%        60%          67%
Survey respondents         7%       19%          40%        17%        11%          6%

Co-sourcing

A co-sourcing arrangement is used by 61% of respondents as a means of obtaining and recruiting different skill sets into their IA function. Remote/hybrid work arrangements (75%), salary increases/bonuses (45%) and other benefits/amenities (20%) were the other methods used to obtain and recruit different skill sets.

Acquiring and retaining IA talent whose skills align with a healthcare organisation's top priorities and internal strategies can be challenging, especially in more specialised and technical areas.
Co-sourcing with a strategic partner or third party allows an IA function to pursue its strategic priorities even where the internal team lacks the capability. When asked which areas their organisation co-sources, respondents most commonly named IT audits (71%), followed by coding (45%), revenue cycle (41%), compliance (32%), clinical (30%), operational (30%), financial and accounting (29%) and third parties/joint ventures (29%).

The areas that are co-sourced align with the top fraud risk areas and top IA plan priorities, highlighting the importance of those areas in the current healthcare environment. Exhibit 8 indicates that most IA functions across all size categories supplement internal resources by co-sourcing.

Anticipated staffing trends

Exhibit 9 summarises anticipated staffing changes. The majority of respondents do not anticipate a change in the size of their IA function within the next 12 months (75%) or within the next 24 months (59%). The responses are consistent with last year's results, pointing to similar outlooks on IA function growth.

Exhibit 9 – Anticipated staffing changes

Answer                   12 months   24 months
No change                75%         59%
Increase                 20%         37%
Unsure or no response    5%          4%

Staff attributes, sources, development and certifications

Experience in auditing, healthcare and data analytics were ranked as the top three attributes that respondents value in their staff. Respondents also indicated that their current staff members were most commonly experienced hires from another industry (40%) or from another healthcare organisation (30%).

Continuing education is essential to remaining up to date on the latest trends and leading practices across the various sectors within IA and the healthcare industry. Certifications and designations are avenues to additional professional education and are often required for advancement within an IA function.
The majority of respondents (63%) require staff at the manager level and above to hold either a certification or an advanced degree.

Additionally, all respondents indicated that at least one of their staff members has a professional designation. Exhibit 10 summarises the prevalence of professional designations: 84% of respondents reported that at least 50% of their staff hold a credential.

Exhibit 10 – Staff with a professional designation

Staff with a professional designation   Respondents
All                                     36%
75 to 99%                               25%
50 to 74%                               23%

Audit projects and hours per project

Exhibits 11, 12 and 13 depict the total number of IA projects across assurance (audit), advisory (consulting) and other types of projects relative to the organisation's annual revenue. Overall, assurance projects make up the majority of respondents' IA plans, with a weighted average of approximately 18.5 assurance projects. Respondents reported a weighted average of approximately 11.5 advisory projects on their IA plans.

Exhibit 11 – Number of assurance projects by revenue (columns: annual revenue in billions; cells show the percentage of respondents in that revenue band; "-" = none)

Number of assurance projects   < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
< 10                           50%      40%          28%        11%        -            -
10 to 19                       25%      40%          43%        33%        17%          -
20 to 25                       25%      10%          24%        23%        -            -
26 to 29                       -        -            -          -          33%          -
≥ 30                           -        10%          5%         33%        50%          100%
Average number                 14       15           16         21         27           30
Respondent percentage          7%       19%          40%        17%        11%          6%

Exhibit 12 – Number of advisory projects by revenue (same layout as Exhibit 11)

Number of advisory projects    < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
< 10                           100%     100%         76%        67%        66%          33%
10 to 19                       -        -            24%        22%        -            67%
20 to 25                       -        -            -          11%        17%          -
26 to 29                       -        -            -          -          17%          -
≥ 30                           -        -            -          -          -            -
Average number                 10       10           11         12         15           13
Respondent percentage          7%       19%          40%        17%        11%          6%

Exhibit 13 – Number of other projects by revenue (same layout as Exhibit 11)

Number of other projects       < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
< 10                           100%     90%          86%        100%       83%          67%
10 to 19                       -        -            9%         -          -            33%
20 to 25                       -        -            -          -          -            -
26 to 29                       -        -            -          -          -            -
≥ 30                           -        10%          5%         -          17%          -
Average number                 10       12           11         10         13           12
Respondent percentage          7%       19%          40%        17%        11%          6%

Exhibits 14, 15 and 16 depict the hours allocated per project split across 
assurance (audit), advisory (consulting) and other types of projects relative to the organisation's annual revenue. Across all respondents, assurance projects were allotted more hours on a weighted average (286.5) than advisory projects (226.3). Organisations with revenue of less than $0.5 billion allotted an average of 175 hours per project across all project types. Respondents with revenue of $1 to $4.999 billion, the largest respondent group, allotted an average of 283 hours per assurance project, and per-project hours rise to 325 and 400 in the two largest revenue bands.

Exhibit 14 – Hours per assurance project by revenue (columns: annual revenue in billions; cells show the percentage of respondents in that revenue band; "-" = none)

Hours per assurance project   < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
≤ 99                          -        10%          4%         -          -            -
100 to 199                    75%      20%          15%        11%        -            -
200 to 299                    25%      20%          33%        33%        50%          -
300 to 399                    -        20%          33%        45%        -            -
≥ 400                         -        30%          15%        11%        50%          100%
Average hours per project     175      280          283        283        325          400
Respondent percentage         7%       19%          40%        17%        11%          6%

Exhibit 15 – Hours per advisory project by revenue (same layout as Exhibit 14)

Hours per advisory project    < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
≤ 99                          -        30%          14%        22%        -            -
100 to 199                    75%      30%          24%        11%        33%          34%
200 to 299                    25%      30%          33%        56%        50%          -
300 to 399                    -        -            10%        -          17%          33%
≥ 400                         -        10%          19%        11%        -            33%
Average hours per project     175      189          242        222        233          300
Respondent percentage         7%       19%          40%        17%        11%          6%

Exhibit 16 – Hours per other project by revenue (same layout as Exhibit 14)

Hours per other project       < $0.5   $0.5-0.999   $1-4.999   $5-9.999   $10-19.999   ≥ $20
≤ 99                          50%      60%          57%        56%        50%          -
100 to 199                    25%      10%          10%        33%        50%          34%
200 to 299                    25%      20%          19%        11%        -            -
300 to 399                    -        -            10%        -          -            33%
≥ 400                         -        10%          4%         -          -            33%
Average hours per project     149      164          171        133        124          300
Respondent percentage         7%       19%          40%        17%        11%          6%

Exhibit 17 – IA findings follow-up frequency (chart not reproduced)

Next-generation methodology maturity level

Survey respondents were asked to consider the maturity level of each of their next-generation methodology components: dynamic risk assessment, agile audit approach, high-impact reporting and continuous monitoring.
Most respondents (57%) indicated that their IA function has (or has access to) the talent and skills needed to perform or integrate all of the methodology components.

When asked to rank the maturity level of each component, most respondents reported an advanced level of maturity in high-impact reporting (70%), agile audit approach (57%) and dynamic risk assessment (55%).

However, most respondents (54%) reported a low level of maturity in continuous monitoring, even though 80% of those same respondents believe they have the skills and talent needed to conduct it. The disparity indicates an opportunity for organisations to better leverage the talent and skills already within their IA functions and co-sourcing partners to raise the maturity of their continuous monitoring efforts. IA functions should also reassess whether their available staff time and co-source budgets can actually support an increase in maturity in this area.

Findings follow-up frequency

Timely follow-up and validation of management's remedial actions on IA findings is a critical activity performed by IA as part of its control-environment monitoring role. Exhibit 17 shows how frequently respondents perform audit findings follow-up.

Most respondents (48%) follow up on individual findings based on each finding's due date. Following up on an individual basis risks spreading already limited IA resources thin, resulting in less-than-optimal efficiency.

IA functions should consider adopting a standardised periodic follow-up frequency (e.g., monthly or quarterly) or aligning follow-up intervals with the meetings of their assigned board committees.
In a periodic follow-up process, management action owners are sent reminders of upcoming finding due dates by email or through workflow tooling, and IA then follows up on the set schedule.

Periodic follow-up helps process owners better manage their workload and commitments to IA, builds goodwill and fosters cooperation, and enables a more structured reporting cycle to management and the functional reporting committee.

Risk assessments

Risk assessments are essential to regularly identifying the organisation's top risks, prioritising them and developing plans to mitigate them. Most respondents (61%) reported that they perform a risk assessment annually, while 21% conduct continuous risk assessments. Risk assessments were conducted quarterly by 7% of respondents, and two or three times a year by another 7%. Surprisingly, 4% continue to perform risk assessments less than once a year (e.g., audit plans spanning two or three years). No respondent to the previous year's survey indicated that they conduct risk assessments less than once a year.

Many respondents (59%) stated that they perform engagement- or process-level risk assessments for each project, both during the annual risk assessment and prior to project kick-off. Another 32% stated that this assessment is completed only prior to project kick-off.

Responsibility for compliance audits

Compliance and IA often work together to perform certain compliance-based audits across an organisation. Each function's involvement depends on a variety of factors, including the specific skills needed to perform the audit and the capability and capacity of each function.

Exhibit 18 identifies the function (compliance, IA or another function) responsible for each compliance audit area.
Survey results indicate that compliance alone is responsible for conducting the majority of compliance audits, but it often collaborates with IA in several areas, including 340B pharmacy drugs and billing price transparency/No Surprises Act audits.

Exhibit 18 – Responsibility for performing compliance audits (percentage of respondents)

Compliance area                                            IA    Compliance   Combined (IA & Compliance)   Audited outside of IA or Compliance   Not audited
1135 Waivers                                               2%    43%          9%                           18%                                   28%
340B pharmacy drugs                                        27%   18%          18%                          21%                                   16%
Advance Beneficiary Notices                                6%    46%          13%                          14%                                   21%
Clinical trial billing                                     11%   25%          25%                          16%                                   23%
Coding and billing                                         9%    45%          18%                          20%                                   8%
Health equity                                              2%    21%          4%                           20%                                   53%
Medicaid disenrollment                                     2%    39%          2%                           18%                                   39%
Medicare Conditions of Participation                       11%   45%          12%                          21%                                   11%
Medicare quality measures                                  13%   32%          4%                           31%                                   20%
National Coverage Determinations                           2%    50%          5%                           18%                                   25%
Physician evaluation and management coding and billing     7%    60%          13%                          7%                                    13%
Physician procedural-based coding and billing              9%    50%          16%                          14%                                   11%
Pricing transparency/No Surprises Act                      22%   27%          32%                          5%                                    14%
Privacy access audits                                      5%    64%          9%                           13%                                   9%
Provider-based clinics/hospital outpatient departments     16%   36%          23%                          4%                                    21%
Two-midnight rule                                          5%    53%          11%                          11%                                   20%

Implementation of Sarbanes-Oxley

A majority of healthcare respondents (70%) reported that their organisations, mostly not-for-profit, are not required to comply with the Sarbanes-Oxley Act (SOX) and have not implemented its requirements. However, many healthcare organisations see the benefit of maintaining compliance and have therefore implemented a robust but cost-effective system of internal controls over financial reporting.
Exhibit 19 summarises the implementation of SOX.

Exhibit 19 – SOX implementation

Level of SOX implementation                              Percentage of respondents
Implemented all aspects                                  7%
Reviewed SOX and implemented as much as possible         9%
Implemented SOX except Sections 302 and 404              5%
Implemented only sections required by a third party      2%
Total                                                    23%

Notes: Section 302 covers management certification of financial reports; Section 404 covers management's assessment of internal controls.

Enterprise risk management

ERM processes help to identify and assess risks pertaining to specific segments of an organisation. In addition to looking at current risks, ERM is forward-looking and attempts to identify potential risks to the organisation.

Of the 84% of respondents whose organisation has an ERM process, the process is led by the chief audit executive (36%), chief compliance officer (30%), chief risk officer (28%), others (17%), general counsel (15%) or the chief executive officer (6%), or some combination of these (respondents could name more than one leader).

Exhibit 20 identifies the role that IA plays in respondents' ERM processes. Most respondents see IA as a facilitator that helps identify and evaluate risks (45%), a reviewer of key risk management activities (43%), a champion of the establishment of ERM (41%) and an evaluator of the ERM process (41%). Only 2% see IA's role as implementing risk responses on management's behalf.

Among the respondents whose organisation does not have an ERM process (16%), the majority (67%) cited a lack of executive support as the primary reason.
The remaining respondents cited a lack of perceived benefit (11%), lack of necessity (11%) and other reasons (11%) for not implementing an ERM process.

Exhibit 20 – Internal audit role in ERM (chart not reproduced)

Survey respondent demographic information

Exhibits 21, 22 and 23 provide additional respondent demographic information, including primary industry, total number of employees and annual revenue.

Exhibit 21 – Primary industry (chart not reproduced)

Exhibit 22 – Total number of employees

Number of employees   Respondent percentage
< 5,000               16%
5,000 to 9,999        14%
10,000 to 24,999      34%
25,000 to 49,999      18%
≥ 50,000              14%
Unsure                4%

Exhibit 23 – Annual revenue (billions) (chart not reproduced)

Conclusion

As healthcare organisations continue to evolve their operating strategies in response to a rapidly changing industry risk profile, IA functions need to be vigilant and adaptable to remain relevant and effective. Ensure that your IA function has the staffing, financial resources and other support necessary to advance its capabilities. Build a highly skilled and engaged team while maintaining focus on meeting stakeholder expectations and complying with professional standards.

Use this data to measure your function's metrics against those of your industry counterparts. Close identified gaps, improve your performance and contribute more value to your organisation. Garner support from the responsible committees for the IA function.

The Association of Healthcare Internal Auditors (AHIA.org) is an international organisation dedicated to the advancement of the healthcare internal auditing profession, which includes disciplines such as operational, compliance, clinical/medical, financial and information technology auditing. AHIA provides leadership and advocacy to advance the healthcare internal audit profession by facilitating relevant education, certification, resources and networking opportunities.