Source: RSM US LLP.   


The demands on health care administration are increasing in what is a complex and highly competitive environment. Risks are seemingly around every corner for health care organizations, from legislation and regulatory developments to operational and financial concerns. It is sometimes difficult to be aware of emerging and existing risks while maintaining your focus on your organizational strategy, mission and patient care. And events of the last several months, given the impact of the COVID-19 pandemic, have further complicated the risk environment for many health care systems.

With this in mind, it is important to identify, prioritize and thoroughly evaluate the risks that affect your organization. From pharmacy operations to cybersecurity and evolving telehealth needs, there are a variety of risk considerations for every organization. How can you identify and address these areas? A robust risk assessment and internal audit can be the game changer your organization needs. Let’s examine further how these methods can affect your risk management strategy.

Risk Assessment: A Holistic View

To evaluate and address the risks involved with your organization, undergoing a thorough risk assessment is a very beneficial exercise. Such an assessment takes a holistic view of your organization to understand your goals, objectives, processes and governance structure.

An assessment is the systematic process of identifying all areas in your health care system that could be audited, and the presence of risks in those areas. The goal is to include as much as you possibly can, so that you don’t overlook an area that could be important.

There are numerous risks that could be present within a health care system, and just as many ways to select the ones to be analyzed in the risk assessment process. It would be advisable to choose a smaller number of risks that are easy to quantify, and are relevant for the industry and your health system. Risk factors that fit these qualifications and can be used for the risk assessment at your health care system are operational, compliance, financial, environmental, clinical and reputational.

Once the processes are identified, a risk assessment of the inherent risks and internal control structure should be performed so that a uniform risk rating is applied across the organization. These risks should be presented to management and the board. If the risk assessment has been performed by an internal auditor, the assessment can be transposed to a “heat map” and then transformed into an annual audit plan. Depending on the number of risks identified, risks that are not addressed by audits during the year could remain on the heat map and could be added to a three- to five-year audit plan/focus.

Common Risks: Questions to Consider

As the day-to-day operations of today’s hospitals and health care organizations have become more intricate, so has the nature of the risks they face. With the myriad functions that must be accomplished to be successful, the risks to an organization can be diverse. The following questions can help identify risks within a health care organization; they cover just a sampling of the areas to consider:

Laboratory

Is the laboratory in compliance with Office of Inspector General guidelines? Do reference forms contain all needed diagnostic information? Is there a maximum time limit for standing orders? How does the laboratory charge? On result only?


Charge Description Master

Is the hospital reviewing this area on a regular basis to make sure charges are captured correctly? Is there one person who helps coordinate and makes sure that this is occurring? Coding and charge information can change frequently and if a procedure is recorded incorrectly, a hospital may not receive the correct reimbursement amount.

Pharmacy

What system does the hospital use for medications? How are medications controlled? Who does the ordering for the pharmacy? How are patient accounts charged? Is there a segregation of duties between the pharmacy and receiving inventory functions? How are returned/unused medications credited?


Admitting and Registration of Patients

When a procedure has been scheduled in advance, how does the hospital register the patient? Can this be done over the phone or via fax for insurance information? Does the admitting area ask for identification and insurance information upon arrival at the hospital? Are any co-payments and deductibles discussed prior to the procedure taking place? How are co-payments and deductibles collected? Is there annual training for all department personnel?


Charity Care

Is there a process in place to maintain charity applications? Are logs maintained? Who approves charity write-offs? Who reviews write-off codes for compliance with hospital-level services defined by HCAP and Medicaid covered UB 92 revenue codes? Does anyone monitor collection agency accounts to verify the patient has not qualified for charity at a later date? What is the process for recording charity care expense on the general ledger and the financial statements?


Other risk areas for an organization to be mindful of could include overall brand and industry reputation or shared services areas like human resources, revenue cycle, technology support or supply chain.

It’s important to note that if the health system does not currently have an audit function, then hospital management and the board must decide whether to accept all the risk identified without a call to action, or to bring in outside help to perform the internal audit work and/or develop an internal audit department.

The Role of the Internal Audit Process

An internal audit is an independent appraisal that provides assurance to the organization that its financial and operational controls are sufficient. It compares organizational policies and procedures against the compliance demands the organization must meet. Auditors are not responsible for executing organization activities; however, they advise management and the board of directors on how to execute their operations more efficiently.

Based on a risk assessment of the organization, internal auditors, management and oversight boards establish and agree upon an annual audit plan. Typically this plan will provide a brief overview of the entities to be reviewed and the time frame for the audit to be performed. Before the audit commences, organization management develops and reviews the scope and objectives of the audit.

The internal audit will then proceed into fieldwork, which includes interviews with appropriate management and testing, depending on the specific scope of the audit. The audit evaluates the controls the organization has in place and—taking current risks and compliance demands into consideration—determines if new processes or controls are needed. Upon completion, a report of the audit findings is prepared and shared with the organization where corrective actions are collaboratively developed. After a finalized report is prepared and approved by management, it is presented to the organization’s audit committee.

There are a variety of strategies for executing an internal audit. Our methodology is a four-step process (risk assessment, which we touched on earlier; annual internal audit plan development; audit program development and execution; and findings and recommendations) that takes a holistic look at the organization and its processes. The following expands on key considerations within the process.

Annual Audit Plan Development

After the risk assessment has taken place, an audit plan is built depending on the findings and processes of the organization. This plan identifies the key processes and auditable entities that were found to require regular testing and examination. These processes are ranked according to potential risk and placed in a rotation to allow available resources and the audit schedule to align.

Audit-based Program Development and Execution

Based on the audit plan developed, work plans are developed for each key process and auditable entity. An initial audit plan is developed, addressing the risk and process objectives. This plan normally includes a detailed analysis of the audit objective, scope, period, auditable entity, process owner, audit steps and testing requirement. Other common steps that take place in the development and execution process include:

  • Developing documentation that details prevalent risks, their potential impact and control activities in place to mitigate them
  • Conducting walkthroughs of control activities to ensure that they are performed as described
  • Designing a test plan, including sampling methodology
  • Analyzing exceptions and offering viable recommendations to mitigate the recurrence of problem areas

Findings and Recommendations

A final report is produced and, after being approved by management, is presented to the audit committee for review. The committee has the responsibility to provide oversight and direction to the internal audit function. The internal auditor should continue to hold regular meetings with the audit committee to discuss any issues that have been discovered that could result in a change to the annual audit plan.

The Takeaway

The current business atmosphere among health care organizations is very complex and competitive. There are pervasive risks in all facets of your operations and an increasing amount of regulatory requirements with which your organization must comply. As management sets objectives and identifies processes, a successful risk assessment and internal audit can help to locate high-risk areas within your operations as well as potential opportunities. This process will allow your organization to more efficiently determine where resources should be allocated.


This article was written by Jessika Garis and Ryan Haggerty and originally appeared on 2021-08-12.
© 2021 RSM US LLP. All rights reserved.
