Healthcare Internal Audit – Risk & Controls



Healthcare continues to be a high-growth sector across the globe. There is a continuity of challenges, the emergence of new risks and a host of complicated regulatory compliance requirements. Recent market studies demonstrate that health care reforms have already changed the way business is done, and will have further, perhaps unforeseen, ramifications for the industry. There has been a remarkable change in public perception, along with modifications to health care regulations; consequently, the risks within a healthcare provider must be evaluated more effectively than ever.
Demand for healthcare providers, better doctors, amenities and technology is on the rise. The industry has become highly competitive, and branding plays an important role in attracting more business. Risks are seemingly at every corner for healthcare organizations, from legislation to regulatory developments, and from operational and financial concerns to doctors' pay-out terms and contracts. Not all healthcare partners are able to keep in sync with emerging trends and risks in the industry. The focus of a healthcare partner continues to remain on better patient care services and on organizational mission and strategy.
With this background in mind, it is imperative to identify, prioritize and thoroughly evaluate the risks that impact your organization. The healthcare industry has unique basic risks and challenges that may threaten smooth functioning and may skim margins over a short period of time. As the organization defines new objectives and implements initiatives, and as regulatory requirements change, the risks your organization is exposed to tend to evolve as well. The method through which you assess risk therefore needs to be flexible.

Risk Assessment

Risk assessment is one of the most important foundation processes for evaluating and addressing the risks involved. Conducting a risk assessment gives a holistic view of organizational goals, objectives, processes and the current governance structure from the risk exposure standpoint. Risk assessment is a process that applies to all auditable processes in the healthcare sector. There are various existing risks inherited from all departments and business processes. The key aspect is to identify all key business processes and provide them with a uniform risk rating across the organization. These risks will be presented to management and the Board. The risk assessment is also transposed to a heat map and helps auditors determine the internal audit plan and scope.

Audit Plan Development

After the risk assessment has been completed, an audit plan is built depending on the findings and processes of the organization. This plan identifies the key processes and auditable entities that were found to require regular testing and examination. These processes are ranked according to potential risk and placed in a rotation so that available resources and the audit schedule align.

Key Areas to Consider

The following business cycles in a healthcare service provider could carry greater risk exposure and may qualify as auditable processes:
  • Infrastructure – Equipment, Beds, Devices, Facilities, Real Estate, Expansion etc.
  • Regulatory Compliance – IMA, NABH, NABL, Environmental
  • Patient Health – Retention, Customer Care, Quality and Hygiene
  • IPD / OPD Billing
  • Sales & Marketing
  • Doctor’s Payment and Accounting
  • Database and Documentation Retention
  • Revenue
  • Procurement
  • Data Security
  • Accounts Payables, Accounts Receivables, Finance & Accounts, Inventory and Issuance, HR, Tax etc.

Conducting Internal Audit

Based on the audit plan developed in the previous step, work plans are developed for each key process and auditable entity. An internal audit plan is developed, addressing the risk and process objectives. This plan normally includes a detailed analysis of the audit objective, scope, period, auditable entity, process owner, audit steps and testing requirement.
Other common steps that take place in the development and execution process include:
  • Developing documentation that details prevalent risks, their potential impact and control activities in place to mitigate them
  • Walkthroughs of control activities to ensure that they are performed as described
  • Designing a test plan, including sampling methodology
  • Analysing exceptions and offering viable recommendations to mitigate the recurrence of problem areas

Findings & Recommendations

A final report is prepared and presented to management for approval. It is also presented to the audit committee for review. The management / audit committee (AC) has the responsibility to provide oversight and direction to the internal audit function. The internal auditor should continue to hold regular meetings with the audit committee to discuss any issues that have been discovered that could result in a change to the annual audit plan.



The current healthcare business atmosphere is very competitive and complex. There are pervasive risks in all facets of your operations and an increasing number of regulatory requirements that your healthcare organization must comply with. As management sets objectives and identifies processes, a successful risk assessment and internal audit can help to locate high-risk areas within operations as well as potential opportunities. This process will help the organization to efficiently determine where resources have been productive and where emphasis should be placed going forward.


For more information, you may reach out to:

Nitin Gupta

Practice Lead – Risk Advisory

Outcome Solutions & Services LLP