One might think that an auditor is an auditor, whether internal or external to the organization. However, the role played by internal auditors is substantially different from that of their external counterparts.

While external auditors focus on historical financial reporting, internal auditors work proactively with management to ensure reliable internal reporting, now and in the future. Internal auditors also help ensure compliance with federal and state laws and regulations to avoid enforcement actions and possible damage to the entity’s reputation.

Fraud enforcement is for real

Regulatory compliance is critical in the health care industry, as government oversight continues to expand and Health & Human Services’ Office of Inspector General steps up enforcement efforts.

Under the Federal False Claims Act, citizens who know of people or companies that are defrauding the government may sue on the government's behalf and share in the proceeds of the suit. Not surprisingly, the top 10 cases prosecuted under the act have been brought against companies in the health care industry.

Taxpayers Against Fraud (TAF), a nonprofit organization formed to combat fraud against the federal government, reports that each dollar spent by the government on investigation and enforcement generates about $13 in damages, fines, and recovered funds. With that kind of return on “investment,” government enforcers are unlikely to back away; on the contrary, recoveries from investigations are expected to increase 22 percent, to $36 billion, in fiscal year 2006.

Board members need reassurance

The Sarbanes-Oxley Act has prompted board members to reflect on their responsibilities to provide governance, guidance and oversight within their organizations. Effective board members must be objective, capable and inquisitive. They must also spend more time learning the details of the entity's activities and environment.

But even with diligent board members, a dishonest management team can still sometimes override controls and ignore or stifle communications from subordinates, enabling the team to intentionally misrepresent financial results to the board.

A strong, independent internal auditor can provide assurance to the board that internal control systems are in place and functioning properly, that regulatory compliance is being pursued, and that management assertions are complete and correct.

In short, an effective internal audit program can help an organization get to where it wants to go while avoiding pitfalls and surprises along the way.

Key features of effective internal audit programs

The Institute of Internal Auditors defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.” The process adds value “by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

In other words, an effective internal audit process goes beyond compliance to help the organization achieve its profitability and performance targets while at the same time safeguarding valuable resources from loss. And while no two audit programs are exactly alike, the best programs tend to share some common characteristics.

• Clear direction from the top. Internal audit programs are most effective when the tone and direction are set from the top and key leaders are fully behind the process. The internal auditor should report directly to the audit or finance committee, with additional responsibility to the CEO. This does not mean that the CFO and other officers are excluded from active involvement; in fact, the day-to-day activities of auditing require constant coordination with other officers to ensure timely audit completion.
  
  
• A thorough risk assessment. The most effective audit plans are rooted in an integrated risk assessment process -- one that combines the specific knowledge of the internal auditor with management’s broader insights into the business. With a thorough risk assessment in hand, an audit plan can be tailored to the organization based on risks and resources.
  
  
• A flexible audit plan. After the auditor and the management team agree on a plan and the audit/finance committee approves it, any further changes typically require committee approval. However, it’s important to remember that the initial risk assessment represents a snapshot in time, and that rule changes, potentially fraudulent activities, and other situations may arise during the course of the year that require timely changes to the audit plan. Flexibility on the part of the committee is sometimes necessary for the audit program to meet its objectives.
  
  
• A clear review process. After each audit report is completed and approved by the internal audit team, departmental managers should have the opportunity to propose action plans in response to issues raised. To speed up the review and approval process, the report should not be sent up the chain until it has been drafted in its entirety. The approval process should start at the bottom and continue up the ladder until the final report reaches the audit/finance committee.
  
  
• No surprises. A no-surprises environment may be the biggest factor behind an efficient and effective internal audit program. In such an environment, the internal auditor does not make a beeline to executive management whenever an issue is discovered; an effective auditor cannot be perceived as a “bad guy” or management spy. Instead, the auditor should work closely with the department lead to understand issues and agree on action plans. It should be a very rare occasion when disagreements about issues or action plans cannot be resolved.
  
  
• Serious follow-through. Each and every issue identified in the audit report should be followed up, and the results should be submitted to the audit/finance committee. The first follow-up report will probably show lackluster results -- but with such high-level visibility, management will quickly get the message and communicate to the rest of the organization the need to follow through on action plans.

Measuring the results

It’s not uncommon for internal audit programs to reveal revenue-enhancing or cost-saving opportunities, providing a direct boost to the bottom line. Some true-life examples:

• One hospital was able to increase net revenue by $1.2 million per year after its internal audit program revealed that ER facility codes were being assigned improperly.
  
  
• Another hospital realized $750,000 in additional net revenue after an internal audit revealed that surgery case loads were not being balanced efficiently.
  
  
• In another case, an internal audit identified an $840,000 shortfall in reimbursements from managed-care payors.
  
  
• Another internal audit recovered $75,000 for the organization by identifying duplicate payments.

For compliance audits, the savings aren’t so easily illustrated, but they’re real nonetheless. The benefit comes in the avoidance of large settlements and convictions. And by being proactive about compliance lapses, health care organizations can gain the favor of government regulators, who tend to look more favorably on entities that self-disclose rather than cover up or ignore violations.

In today’s regulatory and financial environment, the benefits of having an experienced, independent internal auditor and a strong audit program far outweigh the costs.

Tony Evers directs the internal audit division of Wipfli’s health care services group.