Your Internal Audit's Vital Signs

When Tom Boyle, district audit officer at Palomar Pomerado Healthcare (PPH), updated his board of directors on the progress of his company's fledgling continuous GRC monitoring program in September, he chose an analogy that hit close to home.

"Continuous controls monitoring is just like monitoring a patient's vital signs," says Boyle, a 30-year veteran of healthcare internal auditing. "You have a constant record of that patient's health and you are notified immediately if something goes wrong. You can also use trend data to compare the patient's health to that of other patients you have treated. Continuously monitoring your patients is much, much better than making crucial treatment decisions based only on the information contained in an annual physical."

Connecting monitoring wires to a complex healthcare organization is no small feat. Palomar Pomerado Health represents the largest healthcare district in the United States. It serves communities in a densely populated, 800-square-mile swath of southern California. In addition to operating two hospitals, PPH offers home healthcare, surgery, skilled nursing, ambulatory care, behavioral health services, and community health education programs.

Like other healthcare providers, PPH operates with slim profit margins and a dizzying array of billing processes that involve two parties (patients and insurance companies) as well as many different managed care plans. A significant portion of internal controls in any healthcare provider must help to ensure that the payment terms within each of these managed care plans has been executed accurately.

"We have thousands of different of managed care plans," Boyle notes, "and no two are alike. The opportunity for errors, inconsistencies, and lack of information is extreme, and the amount of information that is generated each day is significant."

Because it would be "essentially meaningless" to manually monitor the controls supporting billing processes during annual audits (the yearly physical issue), Boyle and PPH opted to use a technology tool, ACL AuditExchange 2.0, to enable business owners to continuously monitor the controls within their areas of responsibility. In addition to its risk-management benefits, the tool can help PPH managers to validate bills and charges according to the terms of a patient's managed care plan -- before the patient is discharged from a medical facility. Missing charges and other errors are corrected before the bill is finalized. Plus, the tool provides PPH with performance information that strengthens its hand when it comes time to renegotiate managed care plan structures with insurance companies.

The technology is nifty, Boyle acknowledges, and he identifies several people and process-related issues that must be addressed for the technology to succeed, including:

• Internal audit resource and budget constraints;
• Board of directors' understanding, approval, and support;
• Business ownership of continuous monitoring; and
• Exception management

Selling the Board

A recent survey of 800-plus members of The Institute of Internal Auditors (IIA) indicates that 23 percent of all internal audit activities were affected by staff reductions this year. While IIA president and CEO Richard Chambers emphasizes that these results are disproportionate to the overall corporate staffing reductions brought on by the recession, many internal audit departments were small before the financial crisis struck. This was certainly the situation among most IA shops within the healthcare industry, where traditionally slim profit margins necessitated lean and mean internal audit staffs.

Staffing constraints motivated Boyle to introduce continuous monitoring to the organization, in part because the approach helps to "make everyone an internal auditor." He's exaggerating slightly, but only to underscore one of the prime values -- and also a success requirement -- of continuous monitoring: business ownership.

ACL vice president John Verver reports that internal audit often introduces continuous monitoring to the business, stepping back once it has helped to hand off ownership of the program to business process owners. If this sounds familiar, it should. This dynamic echoes the handoff of internal controls monitoring and management that has taken place (and, at a number of GRC-challenged companies, continues to take place) as Sarbanes-Oxley compliance efforts have matured.

"In practice, we are finding that audit is driving continuous monitoring," Verver reports. "The concept of continuous monitoring tends to comes naturally to an internal auditor. The business side usually gets it and says, 'OK, I see value proposition.' But the business still needs internal audit to demonstrate for them the value of this approach."