Internal Audit Benchmarking Trends in Healthcare

Know where you stand

By Kendalyn Rising, MHA, and Matt Jackson, CHIAP, PMP

Global Internal Audit Standards require that a charter specify the internal audit function’s organizational position and reporting relationships and describe administrative reporting responsibilities, such as the process for approving human resources administration and budgets. Leaders can use benchmarking comparisons to gauge the alignment of their strategy, structure, responsibilities, and resources.

Reprinted with permission from the Association of Healthcare Internal Auditors, Inc.

Protiviti and the Association of Healthcare Internal Auditors (AHIA) conducted an annual survey on internal audit (IA) functions, demographics, structures, processes and top IA plan priorities for a wide range of healthcare organizations.

The results of the 2024 Healthcare Internal Audit Plan Priorities Survey can be found in the jointly published Navigating Critical Healthcare Areas Through Internal Audit. The publication provides insights into the healthcare industry’s top IA plan priorities, with a view on how IA functions can effectively adapt to a continuously evolving environment.

This article provides insights into benchmarking data points related to healthcare industry IA functions, including aspects such as size, budget and coordination of activities.

For the past three years, Protiviti and AHIA have partnered to conduct a benchmarking survey to help IA leaders evaluate their functions’ capabilities and maturity, identify areas for enhancement to boost unit performance, and contribute more effectively to the success of their organizations. A survey consisting of 55 questions was sent to all AHIA members and a variety of other healthcare organizations across the country. Completed surveys were received from a total of 69 organizations, largely comprised of providers and payers. See Exhibits 1 and 2 for survey respondents’ demographic information.

Exhibit 1 – Total number of employees

| Number of employees | Percentage of respondents |
|---|---|
| Fewer than 5,000 | 25% |
| 5,000 – 9,999 | 17% |
| 10,000 – 24,999 | 30% |
| 25,000 – 49,999 | 15% |
| 50,000 – 74,999 | 9% |
| 75,000 – 99,999 | 1% |
| 100,000 or more | 3% |

Exhibit 2 – Annual revenue

| Annual revenue | Percentage of respondents |
|---|---|
| Less than $500 million | 10% |
| $500 – 999.99 million | 10% |
| $1 – 4.99 billion | 43% |
| $5 – 9.99 billion | 19% |
| $10 – 19.99 billion | 6% |
| $20 billion or more | 6% |
| Unsure | 6% |

Reporting structure and the audit committee

Half of respondents (50%) indicated that their IA function reports administratively to either the chief financial officer (CFO) or chief executive officer (CEO), with another 16% reporting to the chief compliance officer (CCO) and 15% to the chief legal officer (CLO). The remaining respondents (19%) report to other individuals within their organizations, such as the CEO of their university (for academic medical centers), chief operating officer, chief accounting officer, chief administrative officer, chief risk officer, corporate controller, president, etc.

Although variability exists in the administrative reporting structures, most respondents (84%) reported that their IA function reports functionally to the audit committee or another committee of the board. This result continues to reflect the industry’s alignment with what is generally considered to be the optimal reporting structure to help support independence and objectivity, allowing the board to provide direct oversight and help ensure that audit plans target the organization's most significant risk areas.

Additionally, the vast majority of respondents indicated that their audit committee also has responsibility for and/or receives reports from functions other than IA, including compliance (81%), external audit (80%), information security (74%) and enterprise risk management (ERM) (51%). Each of these functions is interconnected and contributes to the organization’s overall risk management and internal control environment.

Overseeing such areas allows the audit committee to have a more comprehensive view of risks across the organization, improves coordination and communication among internal functions, and when the committee is effective, provides assurance that controls in high-risk areas like information security and compliance are functioning effectively.

Institute of Internal Auditors (IIA) charter

In March 2024, the Institute of Internal Auditors (IIA) issued an updated model internal audit charter that aims to enhance organizational governance by facilitating efficient, effective and independent IA departments. While the new IIA Standards recommend organizations update their IA charter accordingly, most respondents (68%) stated that they have not yet adopted the new model.

Exhibit 3 – Coordination of activities

Frequency of coordination between IA activities and other assurance functions:

| IA activities | Compliance and privacy | Information technology (IT)/security | Legal | Quality | Risk management | Public accounting firm |
|---|---|---|---|---|---|---|
| Audits | 62% | 68% | 34% | 11% | 71% | 5% |
| Risk assessment | 55% | 49% | 35% | 30% | 48% | 16% |
| Advisory | 45% | 41% | 32% | 26% | 38% | 13% |
| Enterprise risk management | 36% | 23% | 20% | 14% | 46% | 4% |
| Internal controls over financial reporting (e.g., SOX, MAR, etc.) | 7% | 16% | 3% | 4% | 6% | 32% |
| None | 25% | 19% | 32% | 43% | 26% | 33% |

Relationship with other functions

Respondents were asked to characterize the degree of perceived value that their organization places on IA. Most respondents (61%) reported that their organization has a high degree of perceived value in IA. Remaining respondents had a medium (33%), low (4%) or unknown (2%) level of perceived value in IA.

IA is expected to provide objective assurance with an independent reporting line to governance. But IA’s value can be enhanced via coordination with other organizational assurance functions such as compliance and privacy, information technology security, legal, quality, risk management, and the organization’s public accounting firm(s) (firms may provide external audit and other services).

Most respondents (58%) indicated that their IA function does not perform audits on behalf of compliance while 42% noted that IA does perform audits on compliance’s behalf. In addition to performing audits, IA also coordinates more broadly with compliance and other functions in the organizations. Exhibit 3 shows the frequency of coordination between IA and other assurance functions by typical IA activity.

Co-sourcing

Co-sourcing with a third-party partner allows IA functions to leverage specialized knowledge or skill sets that are often unavailable internally. It can also facilitate knowledge transfer, enabling internal staff members to learn new methodologies and best practices, thereby enhancing their capabilities and/or the overall maturity of the IA function.

Exhibit 4 highlights areas of reported co-sourced IA coverage. Most frequently, respondents co-source to conduct information technology (IT) audits (57%). Other common areas for co-sourcing include financial and accounting audits (35%), revenue cycle audits (32%), coding audits (30%) and compliance audits (30%).

Exhibit 4 – Co-sourcing with a strategic partner/third-party vendor

| Area of co-sourced coverage | 2025 |
|---|---|
| Information technology (IT) audits | 57% |
| Financial & accounting audits | 35% |
| Revenue cycle audits | 32% |
| Coding audits | 30% |
| Compliance audits | 30% |
| Operational audits | 26% |
| Clinical audits | 19% |
| Third-party/joint-venture audits | 17% |
| Do not co-source any audits | 29% |
| Unsure | 3% |

Exhibit 5 – Annual IA budget/spend by revenue

Columns are annual revenue (billions); rows are annual IA budget (millions). Empty cells indicate no respondents.

| Annual IA budget (millions) | $0.499 or less | $0.5 – $0.999 | $1 – $4.999 | $5 – $9.999 | $10 – $19.999 | $20 or more | Unsure |
|---|---|---|---|---|---|---|---|
| Greater than $3 | | | 3% | 15% | 50% | 75% | |
| $2 – $2.999 | | | 10% | 15% | | | |
| $1.5 – $1.999 | | 14% | 7% | 15% | 25% | | |
| $1.25 – $1.499 | | | 7% | 8% | | | |
| $1 – $1.249 | | | 13% | 15% | | | |
| $0.75 – $0.999 | | | 30% | 8% | | | |
| $0.5 – $0.749 | 14% | 29% | 20% | | | | |
| $0.25 – $0.499 | 57% | 43% | 7% | 8% | 25% | | |
| Less than $0.25 | 29% | 14% | | | | | |
| Unsure | | | 3% | 15% | | 25% | 50% |
| Survey respondents % | 10% | 10% | 43% | 19% | 6% | 6% | 6% |

Annual internal audit budget/spend

Exhibit 5 shows the respondents’ annual IA budgets relative to their organization’s annual revenue.

Exhibit 6 – Annual IA plan hours by revenue

Columns are annual revenue (billions); rows are annual IA plan hours. Empty cells indicate no respondents.

| Annual IA plan hours | $0.499 or less | $0.5 – $0.999 | $1 – $4.999 | $5 – $9.999 | $10 – $19.999 | $20 or more | Unsure |
|---|---|---|---|---|---|---|---|
| 15,000 or more | | | 10% | 22% | 75% | 50% | |
| 10,000 – 14,999 | 14% | | 13% | 31% | | 50% | 25% |
| 7,500 – 9,999 | | 14% | 17% | | | | |
| 4,000 – 7,499 | 29% | | 40% | 31% | | | |
| 2,000 – 3,999 | 29% | 43% | 17% | 8% | 25% | | |
| 1,000 – 1,999 | 14% | 43% | 3% | 8% | | | 75% |
| Fewer than 1,000 | 14% | | | | | | |
| Survey respondents % | 10% | 10% | 43% | 19% | 6% | 6% | 6% |

Annual internal audit plan hours and breakouts

Exhibit 6 shows the respondents’ annual IA plan hours relative to their organizations' annual revenue.

Annual IA hours by category

Exhibit 7 shows the percentage of annual non-administrative IA time budgeted across a variety of categories compared to last year. The percentages of time budgeted per category were allocated similarly across 2023 and 2024.

Exhibit 7 – Annual IA hours by category

Mean percentages of annual non-administrative IA time budgeted per category:

| Category | 2024 | 2025 |
|---|---|---|
| Operational audits | 20% | 22% |
| Financial & accounting audits | 15% | 13% |
| Information technology (IT) audits | 15% | 16% |
| Revenue cycle audits | 11% | 10% |
| Compliance audits | 10% | 11% |
| Consulting/advisory | 7% | 6% |
| Special projects (reserve hours) | 6% | 6% |
| Clinical audits | 4% | 4% |
| Third party/joint venture audits | 4% | 3% |
| Investigations | 3% | 2% |
| Coding audits | 2% | 3% |
| Other | 3% | 3% |

Internal audit function size

Exhibit 8 shows the average IA staff size relative to the organization’s annual revenue.

Exhibit 8 – IA staff size by revenue

Columns are annual revenue (billions); rows are IA staff size. Empty cells indicate no respondents.

| Staff size | $0.499 or less | $0.5 – $0.999 | $1 – $4.999 | $5 – $9.999 | $10 – $19.999 | $20 or more | Unsure |
|---|---|---|---|---|---|---|---|
| 20 or more | | | 3% | 15% | 50% | 75% | |
| 15 – 19 | 14% | | 3% | 8% | 25% | | 25% |
| 10 – 14 | 14% | 14% | 7% | 15% | | 25% | |
| 6 – 9 | | | 24% | 31% | | | 50% |
| 3 – 5 | 14% | 14% | 50% | 23% | | | |
| 1 – 2 | 58% | 72% | 3% | | | | |
| 0 or fully outsourced | | | 10% | 8% | 25% | | |
| Survey respondents % | 10% | 10% | 43% | 19% | 6% | 6% | 6% |

Staff development and certification

Staying informed about the latest trends and best practices in IA and the healthcare industry is more important than ever, with certifications and designations serving as pathways for ongoing professional education. Organizations often find that providing (or funding) staff members with training or educational opportunities can lead to increased efficiency and productivity, improved adherence to ever-changing compliance and risk management practices, and better employee retention.

On average, respondents indicated they provide or fund each staff member with 9 hours per year of internal training, 11 hours of external AHIA training and 14 hours of training from other external organizations.

Exhibit 9 depicts the average number of staff members with graduate degrees, professional designations, or certifications.

Exhibit 9 – Staff members with a professional accreditation

| Accreditation | Average # of staff members |
|---|---|
| Graduate degree | 1.99 |
| CPA, CFE, CMA, etc. | 1.96 |
| CIA | 1.95 |
| CISA, CCSA, CISSP, etc. | 1.31 |
| No accreditation | 1.11 |
| CHIAP | 0.71 |
| CHC, CHPC, CHRC, etc. | 0.52 |
| RN, CPC, CCS, CMC, etc. | 0.49 |
| CRCR, CHFP, FHFMA, etc. | 0.43 |
| CRMA | 0.27 |
| Other | 0.12 |

Notes:
  • CIA - Certified Internal Auditor; CHIAP - Certified Healthcare Internal Audit Professional; CRMA - Certification in Risk Management Assurance
  • Financial/Accounting/Fraud certifications: CPA - Certified Public Accountant; CFE - Certified Fraud Examiner; CMA - Certified Management Accountant
  • IT certifications: CISA - Certified Information Systems Auditor; CCSA - Check Point Certified Security Administrator; CISSP - Certified Information Systems Security Professional
  • Compliance certifications: CHC - Certified in Healthcare Compliance; CHPC - Certified in Healthcare Privacy Compliance; CHRC - Certified in Healthcare Research Compliance
  • Clinical certifications (including licensing): RN - Registered Nurse; CPC - Certified Professional Coder; CCS - Certified Coding Specialist; CMC - Cardiac Medicine Certification
  • Healthcare revenue cycle certifications: CRCR - Certified Revenue Cycle Representative; CHFP - Certified Healthcare Financial Professional; FHFMA - Fellow of the Healthcare Financial Management Association

Audit projects and hours per project

Exhibits 10 and 11 depict the total number of IA projects across assurance (audit) and advisory (consulting) projects relative to the organization’s annual revenue. Similar to last year’s results, respondents reported that most projects were assurance (audit) focused.

Exhibit 10 – Number of assurance projects by revenue

Columns are annual revenue (billions); rows are the number of assurance projects. Empty cells indicate no respondents.

| Number of assurance projects | $0.499 or less | $0.5 – $0.999 | $1 – $4.999 | $5 – $9.999 | $10 – $19.999 | $20 or more |
|---|---|---|---|---|---|---|
| Fewer than 10 | 57% | 71% | 40% | 15% | 25% | |
| 10 – 14 | 29% | 14% | 20% | 31% | | |
| 15 – 19 | | | 17% | 15% | | |
| 20 – 24 | | | 7% | 23% | 25% | |
| 25 – 29 | | | 7% | 8% | | 25% |
| 30 – 34 | 14% | | 10% | | 25% | 25% |
| 35 or more | | 14% | | 8% | 25% | 50% |
| Respondents % | 11% | 11% | 46% | 20% | 6% | 6% |

Exhibit 11 – Number of advisory projects by revenue

Columns are annual revenue (billions); rows are the number of advisory projects. Empty cells indicate no respondents.

| Number of advisory projects | $0.499 or less | $0.5 – $0.999 | $1 – $4.999 | $5 – $9.999 | $10 – $19.999 | $20 or more |
|---|---|---|---|---|---|---|
| Fewer than 10 | 100% | 100% | 83% | 77% | 50% | 75% |
| 10 – 14 | | | 10% | 8% | 25% | |
| 15 – 19 | | | 3% | 8% | 25% | |
| 20 – 24 | | | 3% | | | |
| 35 or more | | | | 8% | | 25% |
| Respondents % | 11% | 11% | 46% | 20% | 6% | 6% |

Exhibits 12 and 13 depict the hours allocated per assurance (audit) and advisory (consulting) project relative to the organization’s annual revenue.

Exhibit 12 – Hours per assurance project by revenue

Columns are annual revenue (billions); rows are hours per assurance project. Empty cells indicate no respondents.

| Hours per assurance project | $0.499 or less | $0.5 – $0.999 | $1 – $4.999 | $5 – $9.999 | $10 – $19.999 | $20 or more |
|---|---|---|---|---|---|---|
| Fewer than 99 | 14% | 14% | 3% | 15% | | |
| 100 – 199 | 29% | 29% | 7% | 15% | | |
| 200 – 249 | 14% | 14% | 27% | 8% | | |
| 250 – 299 | | 29% | 10% | 8% | 50% | 25% |
| 300 – 349 | 29% | | 7% | 8% | | 25% |
| 350 – 399 | | 14% | 13% | 8% | | |
| 400 or more | 14% | | 20% | 23% | 25% | 50% |
| Respondents % | 11% | 11% | 46% | 20% | 6% | 6% |

Exhibit 13 – Hours per advisory project by revenue

Columns are annual revenue (billions); rows are hours per advisory project. Empty cells indicate no respondents.

| Hours per advisory project | $0.499 or less | $0.5 – $0.999 | $1 – $4.999 | $5 – $9.999 | $10 – $19.999 | $20 or more |
|---|---|---|---|---|---|---|
| Fewer than 99 | 29% | 43% | 20% | 23% | | 25% |
| 100 – 199 | 14% | 43% | 30% | 23% | 25% | |
| 200 – 249 | 29% | | 7% | 38% | 50% | 50% |
| 250 – 299 | 29% | | 17% | 8% | | |
| 300 – 349 | | | 10% | | | |
| 350 – 399 | | 14% | 10% | | | |
| 400 or more | | | 7% | 8% | 25% | 25% |
| Respondents % | 11% | 11% | 46% | 20% | 6% | 6% |

Exhibit 14 – Findings follow-up frequency (chart not reproduced in this text; the figures are summarized in the paragraph that follows)

Findings follow-up frequency

Exhibit 14 illustrates respondents’ approach to audit follow-ups over the last two years. The data shows a year-over-year decrease in the percentage of respondents who addressed findings individually as they occur (44%) or on a quarterly basis (29%). There is an increase in the percentage of respondents who reviewed all report findings upon their remediation (7% vs. 2%), monthly (12% vs. 11%), and annually (4% vs. 2%). Surprisingly, respondents without a formal IA follow-up process increased, up two percentage points from last year (3% vs. 1%).

Establishing a standardized and regular follow-up process (such as monthly or quarterly) for audit findings is advantageous for stakeholders and process owners, as it assists with process owner buy-in to the process, enhances rapport and trust with the IA function, and simplifies managerial tasks. Such a process can help ensure that risks are mitigated efficiently and completely.

Fraud risk management

The IIA notes that IA activity is responsible for assessing the organization’s risk management processes and their effectiveness, including the evaluation of fraud risks and how they are managed by the organization (Standard 9.4 Internal Audit Plan and Standard 13.2 Engagement Risk Assessment). IA’s role is to provide independent and objective assurance by helping to detect, prevent and monitor fraud risks through audit plans and risk assessments that address the organization’s internal control environment.

When asked what role IA plays in their organization’s fraud risk management process, half of the respondents (52%) noted that IA incorporates a component of fraud risk management in all audits. Other respondents indicated that IA performs only specific fraud audits (38%), assists other departments' efforts (30%), or monitors the organization’s efforts (16%). Additionally, 12% of respondents indicated that IA leads the organization’s fraud risk management efforts, down nine percentage points from last year’s 21%.

Risk assessments

Conducting regular risk assessments helps organizations identify existing and emerging risks, subsequently improving their risk management strategies and related decision making.

Most respondents (61%) perform risk assessments annually, while the rest perform risk assessments continuously (22%), two or three times per year (11%), quarterly (3%), or less than once per year (3%). Half of those who reported that they perform risk assessments continuously (53%) said that they perform mini-risk assessment interviews throughout the year; most of the other half (40%) indicated they perform periodic data monitoring and follow-up based on data results throughout the year.

ERM process

A well-functioning ERM program equips healthcare organizations with the tools needed to anticipate potential threats, minimize adverse impacts, ensure regulatory compliance, protect financial health, enhance operational efficiency, secure data integrity, maintain their reputation, and support strategic decision-making processes.

The IIA defines enterprise-wide risk management as a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of the enterprise’s objectives. In addition, the most recent Enterprise Risk Management—Integrated Framework from COSO highlights the importance of considering risk in both the strategy-setting process and in driving performance.

When asked about IA’s role in their ERM program, most respondents (57%) noted that IA helps to facilitate the ERM program, but it is owned by another function. Another 23% reported that IA owns the ERM program; 16% do not have an ERM program; and 4% indicated that IA is not involved in the ERM program. Among those who do not have an ERM program, most cited either a lack of board/executive support (37%) or a lack of an established ERM program or structure (36%) as the primary reason for not having an ERM program. The remaining respondents pointed to a lack of budget/funding (9%) or other reasons (18%) for not having an ERM process. Interestingly, no respondents mentioned a lack of subject matter expertise as a reason for not having an ERM process.

Most respondents (61%) indicated that either the chief risk officer (CRO) or the chief audit executive (CAE) is responsible for leading the ERM process. The remaining respondents said that this responsibility lies with the CCO (21%), general counsel (10%), CEO (9%), CFO (7%) or others (12%).

Implementation of Sarbanes-Oxley

Complying with Sarbanes-Oxley (SOX) is not mandatory for many healthcare organizations, but adopting a SOX framework can provide several advantages by fostering transparency and accountability and enhancing internal controls and financial reporting mechanisms. Although the majority of respondents (76%) indicated that SOX is neither required nor adopted within their institutions, some have taken steps toward its adoption: 8% review SOX implications and adopt what they can, 5% fully implement all of its provisions, 1% adopt specific sections at the behest of third parties, and 10% have other reasons for considering a SOX framework.

Next-generation enabling technology

Exhibit 15 illustrates respondents’ ratings of their organization’s current level of proficiency with the next-generation enabling-technology categories (advanced analytics, automation, artificial intelligence [AI], and process mining) compared to last year. Respondents reported having the lowest level of maturity for automation, process mining and AI.

Exhibit 15 – Next-generation enabling technology (charts for advanced analytics, automation, artificial intelligence and process mining not reproduced in this text)

Related to automation, process mining and AI, a larger percentage of respondents placed themselves in the “lowest level of maturity” category. While this isn’t necessarily surprising as a current state, many healthcare organizations are beginning to look more intently at adopting these enabling technologies in a more widespread capacity while recognizing the vast range of risks that they may introduce. We anticipate this level of maturity will continue to increase over the coming years.

The landscape of the healthcare industry continues to rapidly evolve, resulting in a myriad of challenges for the industry’s participants. It is critical that IA functions remain alert and flexible in order to respond to these challenges effectively.

Cybersecurity threats grow increasingly complex, emerging technologies introduce never-before-seen risks, and the pressures of consumerism create the need for new models within our industry. As a result, it is important to ensure that your IA function is adequately equipped in terms of staff, financial resources and skills necessary to support your organization’s strategies.

Leverage the data-driven insights from our survey to compare your function to your peers, help identify areas for improvement and elevate your performance to deliver greater value to your organization.

The Association of Healthcare Internal Auditors (AHIA.org) is an international organization dedicated to the advancement of the healthcare internal auditing profession, which includes disciplines such as operational, compliance, clinical/medical, financial and information technology. AHIA provides leadership and advocacy to advance the healthcare internal audit profession by facilitating relevant education, certification, resources and networking opportunities.