
When Tom Boyle, district audit officer at Palomar Pomerado Healthcare (PPH), updated his board of directors on the progress of his company's fledgling continuous GRC monitoring program in September, he chose an analogy that hit close to home.
"Continuous controls monitoring is just like monitoring a patient's vital signs," says Boyle, a 30-year veteran of healthcare internal auditing. "You have a constant record of that patient's health and you are notified immediately if something goes wrong. You can also use trend data to compare the patient's health to that of other patients you have treated. Continuously monitoring your patients is much, much better than making crucial treatment decisions based only on the information contained in an annual physical."
Connecting monitoring wires to a complex healthcare organization is no small feat. Palomar Pomerado Health represents the largest healthcare district in the United States. It serves communities in a densely populated, 800-square-mile swath of southern California. In addition to operating two hospitals, PPH offers home healthcare, surgery, skilled nursing, ambulatory care, behavioral health services, and community health education programs.
Like other healthcare providers, PPH operates with slim profit margins and a dizzying array of billing processes that involve two parties (patients and insurance companies) as well as many different managed care plans. A significant portion of internal controls in any healthcare provider must help to ensure that the payment terms within each of these managed care plans have been executed accurately.
"We have thousands of different managed care plans," Boyle notes, "and no two are alike. The opportunity for errors, inconsistencies, and lack of information is extreme, and the amount of information that is generated each day is significant."
Because it would be "essentially meaningless" to manually monitor the controls supporting billing processes during annual audits (the yearly physical issue), Boyle and PPH opted to use a technology tool, ACL AuditExchange 2.0, to enable business owners to continuously monitor the controls within their areas of responsibility. In addition to its risk-management benefits, the tool can help PPH managers to validate bills and charges according to the terms of a patient's managed care plan -- before the patient is discharged from a medical facility. Missing charges and other errors are corrected before the bill is finalized. Plus, the tool provides PPH with performance information that strengthens its hand when it comes time to renegotiate managed care plan structures with insurance companies.
The technology is nifty, Boyle acknowledges, but he identifies several people- and process-related issues that must be addressed for the technology to succeed, including:
A recent survey of 800-plus members of The Institute of Internal Auditors (IIA) indicates that 23 percent of all internal audit activities were affected by staff reductions this year. While IIA president and CEO Richard Chambers emphasizes that these results are disproportionate to the overall corporate staffing reductions brought on by the recession, many internal audit departments were small before the financial crisis struck. This was certainly the situation among most IA shops within the healthcare industry, where traditionally slim profit margins necessitated lean and mean internal audit staffs.
Staffing constraints motivated Boyle to introduce continuous monitoring to the organization, in part because the approach helps to "make everyone an internal auditor." He's exaggerating slightly, but only to underscore one of the prime values -- and also a success requirement -- of continuous monitoring: business ownership.
ACL vice president John Verver reports that internal audit often introduces continuous monitoring to the business, stepping back once it has helped to hand off ownership of the program to business process owners. If this sounds familiar, it should. This dynamic echoes the handoff of internal controls monitoring and management that has taken place (and, at a number of GRC-challenged companies, continues to take place) as Sarbanes-Oxley compliance efforts have matured.
"In practice, we are finding that audit is driving continuous monitoring," Verver reports. "The concept of continuous monitoring tends to come naturally to an internal auditor. The business side usually gets it and says, 'OK, I see the value proposition.' But the business still needs internal audit to demonstrate for them the value of this approach."
Once internal audit does so, it can turn over continuous monitoring to the controller, accounts payable (A/P) manager, payroll director, and dozens to hundreds of other process owners throughout the organization.
Successfully executing this handoff requires support from on high. This is why Boyle chose his words -- and analogies -- carefully when making his case for continuous monitoring to his board of directors.
"It is vital to remain very positive and cooperative while working with the business as a team on a continuous monitoring program introduction," says Boyle. "Just as important, you need support from senior leadership and management."
In Boyle's case, this means helping his enterprise's president/CEO, board of directors, and board audit and compliance committee understand what continuous monitoring is and what benefits it will deliver. "In any company, there may be an old-school board member or two who wants a 30-page report from internal audit," he explains. "But the information in that report is months old by the time they get it. Sometimes you may need to go through an education process so that board members realize the benefits of a much more timely and exhaustive validation of compliance and risk controls."
Using a healthcare analogy to define the benefits of continuous monitoring helped; so did a picture. Boyle shared a slide with the board that efficiently illustrates how continuous monitoring can counteract the Hawthorne Effect (see illustration).
The Hawthorne Effect describes the improvements in behavior that occur when people know that their behavior is being studied. By studying, or monitoring, compliance and risk controls constantly as opposed to once a year or once every two years (via an annual review conducted by internal auditors), business process owners can ensure that the effectiveness of their controls does not diminish due to lack of attention.
In other words, Boyle notes, continuous monitoring helps to cure short-term memory syndrome.
To finalize the case for continuous monitoring (to both the board and to managers throughout the organization), Boyle pointed to another valuable business process, a "daily census," that delivers a similar capability. Rather than monitoring controls and risks, the daily census monitors the exact number of patients and types of patients (inpatient, outpatient, etc.) in each PPH facility.
These census e-mails are distributed every morning and help managers to calibrate staffing to meet patient needs in an effective and cost-efficient manner. The comparison further emphasized the value of timely information, Boyle adds.
Once support from senior management and the board and a strong case to the business for the adoption of continuous monitoring have been established, internal auditors face the task of helping their business process colleagues to take ownership.
At PPH, Boyle describes the ownership of continuous monitoring by the organization's managed care analysts -- among the first process owners to use the technology -- as the "underlying objective" of the program.
"We turn the ACL application over to them to allow them to be their own auditors," he explains. "They are responsible for their own destiny, and they should be identifying what the key controls are and be adjusting those controls as needed. We're giving them the ability to have what is essentially a daily audit. They control the process."
Bringing this scenario to fruition requires addressing an issue that crops up in many, but not all, GRC technology implementations: exception management.
Gary Dickhart, vice president, customer advisory office, for SAP's Governance Risk & Compliance area, describes exception management as a "key to sustainable compliance." When companies encounter difficulty in getting business process owners engaged in a GRC technology project, Dickhart says that the reason often boils down to the technology's implementers (usually IT or internal auditors with IT expertise) focusing too much on getting their business-process colleagues "to understand how their new watch works rather than on asking them what time they want to know -- on helping them to define what their exceptions should be."
OpenPages vice president Gordon Burnes points out that exception management tends to be more of a challenge with GRC systems that churn out large volumes of information. The key to getting exception management right, he continues, is to avoid loose definitions of which exceptions are important and which are not. "It gets down to the definition of what you elevate to a threshold -- something that you have to pay attention to," says Burnes. "And this comes down to risk appetite and tolerance." He also emphasizes that thresholds can and do change over time. As a result, exception management requires ongoing calibration.
The appeal of continuous monitoring, like continuous auditing, is that the technology tools can rifle through hundreds of thousands of transactions, spot anomalies, and then alert business process owners that these anomalies exist.
At PPH, for example, analysts use the tool to determine whether the terms in different managed care contracts have been properly adhered to during a patient's visit. Since the contracts are so voluminous and complex, "there are thousands of things we could monitor," says Boyle. "So, we have to carefully select what we monitor based on what is most important to the business. What are the 5 or 10 primary things we need to track? If we're getting way more exceptions than we should, this is an indication that our range for what qualifies as an anomaly is too large."
In other words, one of the risks of rifling through hundreds of thousands of transactions is that thousands of anomalies -- including inaccurate exceptions and "mediocre" exceptions -- may be identified. "Mediocre" results, says Boyle, are issues that "are a little bit off, but not urgent. These issues would be nice to fix, but since they don't have a significant impact, it is not urgent to fix them right away."
This "too much information" challenge will sound familiar to GRC professionals who performed segregation of duties (SoD) work in the first couple of years of Sarbanes-Oxley compliance. At that time, it was not uncommon for large, multinational companies using GRC tools to identify thousands of potential SoD violations -- figures on slides that would scare the pants off of audit committee members. On closer inspection, the bulk of these SoD "violations" turned out to be mediocre results rather than material internal controls risks.
The key to properly harnessing powerful continuous monitoring technology, Boyle says, is to master exception management -- and this means working closely on process with the ultimate end users of the technology in the business.
"A strong rapport with the business is critical because we want the users to have involvement and buy-in," says Boyle. "They are the operational experts in these areas. We may know more about the control area or how to use the tool, but I always let them know that they are in the driver's seat and that we are there as internal control consultants. We are there to assist them."
To help cultivate this buy-in early, Boyle invited one of the managed care analysts to join the team that was customizing parts of the ACL tool to meet PPH-specific needs. "He showed us what was crucial for him to do his job from an information perspective and also what he ideally wanted to see in terms of results that the tool produced. Based on this input, we customized the solution together. Without this input, there would have been some guesswork involved."
Eliminating guesswork helped PPH to create a continuous monitoring capability that managed care analysts now use to detect errors in real time -- and that other business process owners will soon use to do the same.
"One area where we will be doing a lot of continuous monitoring is in accounts payable," Boyle says. "We might have 50 to 100 different controls of varying levels of importance related to purchasing. So, our corporate controller might be interested in knowing if one of her staff members made an excessive number of general ledger adjustments during a month. She might get a list of all of the people who have access to make those changes and of how many did so." For example, if a staff member makes 10 times as many GL adjustments as other staffers (or makes an adjustment that exceeds a specified threshold), the controller will be notified immediately.
The corporate controller will also receive a trend report that tracks exceptions over time. "This helps us to prevent somebody from getting too much information," Boyle notes. "Continuous monitoring can be set up so that you have dial-up sensitivity. If you're getting too much water from the faucet, you can crank it down by adjusting the threshold."
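The GL adjustment check Boyle describes, with its two "dials" (a volume ratio against peers and an amount threshold), can be expressed in a few dozen lines. The following is an added illustration written for this article, not code from PPH or from ACL AuditExchange. It assumes a constructed posting log (user, posting date, amount), compares each user's monthly count to the median of the other users' counts, and sweeps the thresholds to show how cranking the sensitivity down changes the number of exceptions raised.

```python
from collections import Counter
from statistics import median


def build_sample_log():
    """Constructed sample of GL adjustment postings: (user, posting date, amount).

    Invented for illustration; not PPH data.
    """
    rows = [
        ("jsmith", "2009-09-01", 1200.00),
        ("jsmith", "2009-09-02", 300.00),
        ("jsmith", "2009-09-03", 450.00),
        ("mlee", "2009-09-01", 250.00),
        ("mlee", "2009-09-15", 27500.00),  # one unusually large adjustment
    ]
    # rkhan posts 35 small adjustments in the month, far more than peers
    rows += [("rkhan", "2009-09-%02d" % (i % 30 + 1), 100.00 + i) for i in range(35)]
    return rows


def find_exceptions(rows, month, volume_ratio=10.0, amount_threshold=25000.0):
    """Return exceptions for postings in `month` (YYYY-MM) as (kind, user, value) tuples.

    volume_ratio: flag a user whose count is at least this multiple of the
                  median count of the other users (assumed peer baseline).
    amount_threshold: flag any single adjustment larger than this amount.
    """
    in_month = [r for r in rows if r[1].startswith(month)]
    counts = Counter(user for user, _, _ in in_month)
    exceptions = []
    # Volume check: "10 times as many GL adjustments as other staffers"
    for user, n in sorted(counts.items()):
        peers = [c for u, c in counts.items() if u != user]
        if peers and n >= volume_ratio * median(peers):
            exceptions.append(("volume", user, n))
    # Amount check: a single adjustment above the specified threshold
    for user, posted, amount in in_month:
        if amount > amount_threshold:
            exceptions.append(("amount", user, amount))
    return exceptions


def sensitivity_sweep(rows, month, settings):
    """Count exceptions under each named threshold setting (the 'faucet' dial)."""
    return {name: len(find_exceptions(rows, month, **kw)) for name, kw in settings.items()}


if __name__ == "__main__":
    log = build_sample_log()
    for exc in find_exceptions(log, "2009-09"):
        print(exc)
    print(sensitivity_sweep(log, "2009-09", {
        "loose": {"volume_ratio": 5.0, "amount_threshold": 1000.0},
        "default": {"volume_ratio": 10.0, "amount_threshold": 25000.0},
        "tight": {"volume_ratio": 15.0, "amount_threshold": 50000.0},
    }))
```

With the default dials the sample log yields two exceptions (rkhan on volume, mlee on amount); the "loose" setting adds jsmith's routine 1,200 posting as noise, and the "tight" setting raises nothing at all, which is the calibration trade-off Boyle and Burnes describe.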
The trend reports that the managed care analysts currently receive also serve an additional purpose -- one that helps to improve razor-thin profit margins.
"Right now, the primary objective is for managed care analysts to identify any errors," Boyle asserts. "The secondary objective -- and one where great value exists -- is in leveraging the performance information the analytic tool generates about a managed care plan."
Few healthcare providers have the ability to generate a highly detailed readout of where a particular managed care plan generated revenue and losses. Most rely on estimates and guesswork. Boyle says that the continuous monitoring tool generates information that lets PPH's managed care analysts see exactly which terms within the plan are hurting PPH and which are helping the organization. When it is time to renegotiate these plans with insurers, the analysts are now equipped with plenty of factual information for strengthening their negotiating position.
At PPH, this output helps to nudge continuous monitoring beyond the Hawthorne Effect and into first-rate care for the bottom line.
When it comes to exception management advice, ACL vice president John Verver errs on the side of efficiency: "You don't want to scream 'fire,'" he emphasizes.
Exception management is the process through which red flags churned out by continuous auditing, continuous monitoring, and other types of governance, risk management, and compliance (GRC) software are identified, relayed, and addressed.
If too many red flags turn out to be false positives, genuine red flags can eventually fall on deaf ears among business process owners who feel that the tool too often cries "Wolf!" If genuine red flags are relayed to business process owners who fail to address the issue, the tool can also suffer from underutilization, while exposing the organization to more serious risks.
Properly managing exceptions represents a crucial process in the success of a GRC technology initiative such as continuous monitoring. Verver identifies several steps to helping this process succeed:
ACL's tool includes exception management functionality. At one multinational client company, for example, the divisional CFO is e-mailed if an unresolved exception lingers for too long. If the divisional CFO fails to address the issue in a timely manner, the corporate CFO is alerted. The recipient of this exception-tracking information does not need to possess any systems expertise, notes Tom Boyle, district audit officer at Palomar Pomerado Healthcare.
"They receive an e-mail," Boyle explains, "and they log on. They can see what happened, what action has been taken, and any action that they need to take."
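The age-based escalation described above (process owner first, then the divisional CFO, then the corporate CFO) can be modelled as a small ladder over open exceptions. This is an added example written for this article, not ACL's implementation: the day thresholds in the ladder, the role names, and the exception records are all constructed, and the "view" a recipient sees is limited to the three things Boyle lists (what happened, what action has been taken, what action is needed).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Hypothetical escalation ladder: (minimum age in days, role notified).
# Ages and roles are assumptions for illustration.
ESCALATION_LADDER = [(0, "process_owner"), (7, "divisional_cfo"), (14, "corporate_cfo")]


@dataclass
class ExceptionRecord:
    ref: str                 # exception identifier (constructed)
    owner: str               # process owner responsible for the first response
    what_happened: str       # the finding the monitoring tool raised
    opened: date
    resolved: Optional[date] = None
    actions: List[str] = field(default_factory=list)  # actions already taken


def escalation_level(rec, today, ladder=ESCALATION_LADDER):
    """Role that should be notified for `rec` on `today`, or None if resolved."""
    if rec.resolved is not None:
        return None
    age = (today - rec.opened).days
    level = ladder[0][1]
    for min_age, role in ladder:
        if age >= min_age:
            level = role  # ladder is ordered, so the last match is the highest reached
    return level


def notifications(records, today, roster):
    """Build (recipient, ref, age_days) e-mail notices for every open exception.

    roster maps escalation roles other than the process owner to a person.
    """
    notices = []
    for rec in records:
        role = escalation_level(rec, today)
        if role is None:
            continue
        recipient = rec.owner if role == "process_owner" else roster[role]
        notices.append((recipient, rec.ref, (today - rec.opened).days))
    return notices


def status_view(rec, today):
    """What a recipient sees after logging on: what happened, action taken, action needed."""
    return {
        "what_happened": rec.what_happened,
        "action_taken": rec.actions[-1] if rec.actions else "none yet",
        "action_needed": "none (resolved)" if rec.resolved else
                         "resolve or document reason; open %d days" % (today - rec.opened).days,
    }


def sample_records():
    """Constructed exception records for illustration."""
    return [
        ExceptionRecord("EX-1", "analyst_a", "contract rate mismatch on claim", date(2009, 9, 28)),
        ExceptionRecord("EX-2", "analyst_b", "missing room charge", date(2009, 9, 20),
                        actions=["queried billing office"]),
        ExceptionRecord("EX-3", "analyst_a", "duplicate GL adjustment", date(2009, 9, 10)),
        ExceptionRecord("EX-4", "analyst_c", "late posting", date(2009, 9, 1),
                        resolved=date(2009, 9, 5), actions=["reposted"]),
    ]


if __name__ == "__main__":
    today = date(2009, 9, 30)
    roster = {"divisional_cfo": "div_cfo", "corporate_cfo": "corp_cfo"}
    for notice in notifications(sample_records(), today, roster):
        print(notice)
```

Running it on the constructed records sends EX-1 (2 days old) to its owner, EX-2 (10 days) to the divisional CFO, and EX-3 (20 days) to the corporate CFO, while the resolved EX-4 generates nothing; the ladder's day thresholds are exactly the kind of setting Burnes says must be recalibrated as risk tolerance changes.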