Internal Audit Procedure in Healthcare and Pharmaceutical Sector

Compliance should focus on ensuring that companies are following their policies and regulatory standards while performing an internal audit of the health care field. The audit examines multiple elements of health care, including patient data privacy (HIPAA), accuracy of medical coding (ICD-10), billing practices integrity, clinical protocols adherence, and infection control measures.

Another area for regulatory changes was introduced in 2010 by the Affordable Care Act (ACA), with a focus on both quality of care and financial integrity. Since the 2000's, the health care system has evolved into increased regulatory compliance with a stronger emphasis on enforcement, as well as to provide "transparency" and "accountability," to give patients/consumers the best care and protections possible.

Risk Management

Conducting risk management is the process of measuring/evaluating risks and creating methods to control those risks in accordance with the risk appetite using an orderly and systematic approach. The risk management process involves the identification, evaluation, mitigation, planning, and execution of risks and the establishment of a risk response policy.

Risks associated with Health Sector

The health and pharmaceutical industries are associated with many significant risk types like the following:

• Clinical Risks - Patient safety will be put at risk due to medical errors, including misdiagnosis, wrong treatment, or wrong surgery, and this could be a source of patient harm or death. Inadequate infection control, medication errors, or complications during patient treatment can also create clinical risk.
• Operational Risks - Operational risks from supply chain breakdown, malfunction of equipment, shortage of employees, and facility management are considered operational risks of a health care organization's day-to-day operation.
• Public Health Risks - Public health risks are usually caused by an outbreak of infectious diseases, pandemics, and various other public health emergencies that might occur and place an overwhelming demand on the health care system and put both patients and health care workers in jeopardy.
• Regulatory Risks - There are various regulations and standards that health care organisations must comply with, including, HIPAA for patient data privacy, FDA for regulating drugs and medical devices, and CMS guidelines for billing and reimbursement. If the organisation fails to comply with these regulations and standards, it can face legal consequences and financial penalties.
• Environmental Risks: Environmental risks such as toxic emissions and hazardous pollutants from both people and organizations may incur legal liability or damage to company reputation, or they may incur financial penalties.
• Financial risk: It is created when an entity's financial security is negatively impacted by the change in the healthcare industry's reimbursement system, fluctuation of price for medical supplies, and or other factors, including changing governmental funding.

To protect assets, ensure accurate financial reporting, promote compliance, maintain efficiency, and manage risk, internal controls are a set of processes in the hospital industry. Segregating tasks, approval processes, reconciling, access control, data security, stock management, care standardisation, quality control, billing accuracy, and revenue cycle management are key controls. Patient care is improved, assets are protected, and compliance is promoted through internal controls.

Auditors audit expenses within the health field to confirm that budgets, policies and procedures and efficient operations are being followed for expenditures such as clinical supplies, labour, administrative overheads, services provided to the patient and technology investments.

In addition, auditors also evaluate vendor compliance with contracts and aggregate savings offered. These audits are performed to ensure that there is a financial integrity, optimum use of resources and to improve the delivery of health services while providing for the long-term sustainability of the financial operations of an organisation.

Types of Expenses in Healthcare Sector

In the health industry, multiple types of expenditure are assessed through internal audits to provide assurance of financial accountability, regulatory compliance, and operational efficiencies. The expenditure assessed typically includes:

• Operating expenses: The operating costs of the health care facility consist of those incurred in providing day-to-day operational services to the facility (salaries for staff, utilities and supplies, maintenance costs etc.), required to keep the operations of the facility functioning and support the staff.
• Medical supply & pharmaceutical expenses: Auditors review medical supply, medication and pharmaceutical expenditures as part of the internal audit to ensure appropriate procurement processes are followed, maintain accurate inventory records and assess the cost efficiencies related to these supplies.
• Equipment & capital expenses: All the expenditures related to the acquisition, maintenance and upgrade of medical equipment and facility infrastructure. Auditors will also evaluate whether the capital expenditures made are consistent with the long-term operational goals of the facility and provide value for money.
• Patient care expenses: Further expenditures related to direct patient care provided by the facility (diagnostic testing, treatment, surgical procedures, consultations, etc.) to verify that patient care expenses are properly billed and appropriately reimbursed.
• Labour expenses: The distribution of labour expenses (salary, benefits, overtime and other compensation) is also evaluated to ensure that these expenses comply with Labour Standards and Employment Laws.
• Administrative Costs: These costs include all nonclinical functions, such as billing/coding staff salaries, administrative office supplies, etc., that are subject to an external audit to evaluate their accuracy, efficiency, etc.
• Compliance Costs: Compliance costs (e.g., to ensure compliance with healthcare regulations) are evaluated during an external audit for compliance with applicable privacy laws, regulations, and quality standards. An auditor will examine the costs to ensure compliance with legislative/regulatory requirements.
• Marketing and Promotional Cost: Auditors will review the costs associated with marketing and promotional activities related to the facility (hospital) so that they comply with transparency, proper utilization of resources, and ethical standards.
• Training and Development Costs: Training and professional development expenditures will be assessed during the audit for the purpose of determining whether such expenditures increased the effectiveness of patient care and the effectiveness of the organisation as a whole.
• Emergency Preparedness: An auditor may assess expenditures for emergency preparedness and response to determine whether the facility is sufficiently equipped to provide emergency response to unexpected situations.

The IT assessment process conducted as part of internal audits in the healthcare sector assesses the effectiveness of the information technology systems (IT), infrastructure, and practice within healthcare organizations.

The IT assessment process is generally performed during internal audits within the healthcare sector as follows.

• Scope Definition: Internal auditors collaborate with IT Experts to define the scope of the assessment. This includes identifying the systems, networks, applications, and processes that will be evaluated. The scope may cover electronic health records (EHR) systems, patient data management, network security, software applications, and more.
• Audit for Compliance with Regulations: The auditors perform a review of the organisation's IT operations to ensure compliance with both the applicable regulations and standards within the healthcare Industry. This would include performing compliance testing against specific regulations such as HIPPA, HITECH Act, and General Data Protection Regulation, where applicable.
• Data Security Assessment: The Internal Auditor will review the organisation’s methodologies for securing its sensitive information to protect against unauthorised access, data breaches, and other cyber threats. They will perform a review of the organisations encryption methodologies, methods used for establishing access controls, authentication methods and their vulnerability management processes.
• Electronic Health Records (EHR) Audit - The auditor must evaluate whether the EHR System is being maintained properly (i.e., patient record accuracy, completeness, and security). The auditor needs to ensure that appropriate documentation and data integrity controls are in place to achieve these objectives.
• Network Infrastructure Evaluation - Network infrastructure (including firewalls/routers/servers/ etc.) is evaluated for security and vulnerabilities within the facility using both static and dynamic assessments. Auditors should determine whether proper network segmentation is being maintained to prevent unauthorised entry into the facility via the network.

Hospitals prioritise patient’s safety in internal audits to ensure that the highest standard of care has been provided to the patients. Audits evaluate adherence to clinical protocols, medication management, infection control, patient identification, medical records, communication, emergency preparedness, staff training, patient involvement, informed consent, privacy protection, event reporting, and investigation, etc.

In healthcare, the multitude of expense types means there are many different items to monitor; therefore, it is important to provide ongoing, thorough oversight of these expenses. Internal audits in the healthcare and pharmaceutical sector not only safeguard against financial mismanagement but also an assurance that every dollar spent results in better quality of patient care and safe delivery of medication. Furthermore, the pharmaceutical industry is subject to an equal amount of internal audit scrutiny on all aspects of the organization, including its research and development costs, quality assurance, and regulatory compliance; all of which are critical components in promoting innovation while protecting the health of consumers.

Internal auditing within the pharmaceutical industry is necessary to promote compliance and protect public health while promoting innovation. The primary focus areas of these audits are the research and development-related costs, quality assurance, and regulatory compliance associated with producing medications for commercial distribution.