Healthcare IA Benchmarking
By Jarod Baccus, Austin Otigbuo, Kendalyn Rising and Mike Michalowicz
Internal audit (IA) functions continue to undergo significant change, from the expanded use of emerging technologies, including robust data analytics and artificial intelligence (AI), to new options on where their people work (remote, hybrid or onsite). IA functions within healthcare organisations have continued to evolve and adapt, some faster than others. Keep pace by comparing your function with your peers and using the gaps you find to drive continuous improvement.
*Reprinted with permission from New Perspectives, Journal of the Association of Healthcare Internal Auditors, Inc. Volume 43/ Number 1, 2024.
Protiviti and the Association of Healthcare Internal Auditors (AHIA) conducted an annual survey on IA functions, demographics, structures, processes, innovative initiatives, next-generation auditing progress, personnel experience, and top IA plan priorities for healthcare providers, payers and integrated delivery systems.
The 2023 Healthcare Internal Audit Plan Priorities Survey results can be found in the jointly published Healthcare Internal Auditors Prioritise Cybersecurity, Business Performance, and Technology Modernisation. The publication also provides commentary on suggested practices to improve auditing of top priorities, many of the changes underway within the industry, and how the changes are affecting IA functions.
This article provides additional insight into detailed benchmarks around many of the other aspects of an IA function including size, budgets and certifications. The insights are explored from various data points and provide additional context on what the survey data portends for the future of healthcare organisations’ IA functions.
Methodology
For the last two years, Protiviti and AHIA have partnered to jointly conduct and publish a benchmarking survey to allow IA leaders to compare the knowledge and skills of their teams, identify areas of opportunity, and add value to their organisations. In the spring of 2023, surveys consisting of 70 questions of varying response types were sent to all AHIA members and many healthcare organisations across the country. The survey responses provide a snapshot of the current state of healthcare IA functions and professionals.
Completed surveys were received from 56 healthcare organisations. The responses represent 37 healthcare provider organisations, 17 integrated payer and provider delivery systems, and two healthcare payer organisations.
Survey results
Reporting structure
Most respondents (55%) stated that their IA function reports administratively (on a day-to-day basis) to either the chief financial officer (CFO) or the chief legal officer (CLO), with another 18% reporting to the chief executive officer (CEO). The remaining respondents report to the chief compliance officer (CCO, 9%), audit and compliance committee (7%), board of directors (2%), chief operating officer (COO, 2%), or other (7%).
Although administrative reporting relationships varied, the majority of respondents (91%) report functionally to an audit and compliance committee or other committee of the board, a trend that was similarly highlighted in the 2022 survey results. The reporting structure to a board committee emphasises the importance of closely aligning the relevant board committee with the IA function, allowing the committee to provide oversight and strategic direction.
Relationships with compliance, operations and other areas
Most (77%) of respondents have a stand-alone IA function with a separate compliance function, compared to 14% of respondents that have a combined IA and compliance function. The remaining 9% of respondents have a standalone IA function with no compliance function.
Respondents were also asked to characterise their organisation’s perception of IA, with 95% of respondents agreeing that their organisation views IA as a value-added service/function that is aligned with the organisation’s strategic objectives. Small numbers of respondents were unsure (3%) or did not believe that their organisation viewed their IA function as a value-added service/function (2%).
Exhibit 1 lists various functions with which IA might coordinate. For risk assessments, the majority of respondents coordinate with compliance (71%), risk management (57%), information technology (IT, 55%) and security (50%). For coordination on internal controls over financial reporting, IA most commonly coordinates with a public accounting firm (30%) or IT (21%). For enterprise risk management (ERM), IA most commonly coordinates with risk management (43%) and compliance (34%).
The majority of respondents coordinate assurance (audit) work with compliance (68%), IT (64%) and security (50%), followed by public accounting firms (48%). Finally, respondents coordinate advisory (consulting) work the most with legal (50%), compliance (39%) and IT (36%).
Exhibit 1 – Coordination of activities
Coordinating function | Advisory (consulting) | Assurance (audits) | Enterprise risk management | Internal control over financial reporting (e.g., SOX, MAR, etc.) | Risk assessment | No coordination |
Compliance | 39% | 68% | 34% | 11% | 71% | 5% |
Privacy | 32% | 43% | 20% | 9% | 46% | 21% |
IT | 36% | 64% | 25% | 21% | 55% | 9% |
Security | 34% | 50% | 18% | 13% | 50% | 18% |
Legal | 50% | 36% | 23% | 7% | 46% | 16% |
Quality | 25% | 38% | 18% | 4% | 45% | 29% |
Risk management | 32% | 38% | 43% | 9% | 57% | 16% |
Public accounting firm | 20% | 48% | 4% | 30% | 23% | 21% |
Note: This question allowed multiple responses. |
Professional standards and quality assurance reviews
When asked if their IA function adheres to The Institute of Internal Auditors (The IIA) professional standards, 52% of respondents indicated that they adhere to all of the Standards, including quality assurance reviews (QARs) and establishing and maintaining an IA charter. Fewer respondents (32%) adhere to all of the Standards except QARs. Only 11% of respondents adhere to most of the Standards except QARs and establishing and maintaining an IA charter, and 5% of respondents answered that their adherence either varied or they were unsure.
Among those organisations that perform QARs, the majority (64%) perform them every five years, in line with The IIA's guidance; a further 22% perform QARs more frequently (every one to four years). Only 14% perform QARs less frequently than every five years (every six or more years).
Half of respondents either do not perform formal QARs (43%) or are unsure whether they conduct formal QARs (7%). Among those who stated that their organisation does not conduct formal QARs, 42% reported the reason was because QARs were not required by governance/leadership. The remaining reasons for not conducting a QAR include not seeing the benefit (21%), cost (16%), or other (21%).
Exhibit 2 summarises the latest types of QARs that respondents obtained. Over half (54%) of respondents had QARs that involved an IA professional services provider.
Exhibit 2 – Latest type of QAR

Fraud risk management
According to The IIA's Three Lines Model, IA functions serve as the third line and provide "independent and objective assurance and advice on all matters related to the achievement of objectives," which includes the organisation's fraud risk management efforts. Over half of all respondents (54%) noted that their IA function plays a role in monitoring the organisation's fraud risk management efforts.
Surprisingly, 21% of respondents indicated that their IA function leads the organisation's overall internal fraud risk management efforts. While specific organisational circumstances might justify exceptions, under the Three Lines Model ownership of fraud risk management sits with management's second-line functions, not with IA; an IA function that owns the programme cannot provide independent assurance over it.
Exhibit 3 provides a deeper view into how healthcare organisations rank various areas of the business as potentially susceptible to fraud risk. Revenue integrity was the most frequently cited top fraud risk (31% of respondents ranked it first), financial accounting and reporting was the most frequent second-ranked risk (35%), and regulatory compliance was the most frequent third-ranked risk (41%).
Exhibit 3 – Top three fraud risk areas (percentage of respondents ranking each area first, second or third)
Risk area | Ranked 1st | Ranked 2nd | Ranked 3rd |
Business operations | 21% | 20% | 20% |
Financial accounting and reporting | 10% | 35% | 20% |
IT security | 20% | 6% | 4% |
Regulatory compliance | 18% | 21% | 41% |
Revenue integrity | 31% | 18% | 15% |
Annual internal audit budget/spend
Exhibit 4 summarises the responses for the annual IA budget relative to the organisation’s annual revenue. Respondents reported a weighted average of approximately $1,291,822 of annual IA budget/spend.
Exhibit 4 – Annual IA budget/spend by revenue
Annual IA budget (millions) | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
≥ $3 | | 10% | 5% | | 80% | 100% |
$2 to $2.999 | | | | 45% | | |
$1.5 to $1.999 | | | 5% | | 20% | |
$1.25 to $1.499 | | | 10% | 33% | | |
$1 to $1.249 | | 10% | 20% | 22% | | |
$0.75 to $0.999 | 25% | | 40% | | | |
$0.5 to $0.749 | | 10% | 10% | | | |
$0.25 to $0.499 | 50% | 30% | 10% | | | |
≤ $0.249 | 25% | 40% | | | | |
Survey respondents | 7% | 19% | 40% | 17% | 11% | 6% |
Average budget | $437,125 | $636,800 | $998,286 | $1,816,667 | $2,291,667 | $3,000,000 |
Average IA team size | 3 | 5 | 5 | 10 | 16 | 20 |
Note: Budget-range percentages are the share of respondents within each revenue band, so each column sums to 100%.
Annual internal audit plan hours and breakouts
Exhibit 5 depicts the total hours budgeted on an annual IA plan relative to the organisation’s annual revenue. Respondents reported a weighted average of approximately 7,985 hours on their IA plans.
Exhibit 5 – Annual IA plan hours by revenue
Annual IA plan hours | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
≥ 15,000 | | 10% | 4% | 22% | 66% | 67% |
10,000 to 14,999 | | | 9% | 45% | 17% | |
7,500 to 9,999 | | 10% | 24% | 11% | 17% | 33% |
4,000 to 7,499 | 50% | 10% | 43% | 11% | | |
2,000 to 3,999 | 25% | 40% | 10% | 11% | | |
1,000 to 1,999 | | 10% | 10% | | | |
< 1,000 | 25% | 20% | | | | |
Survey respondents | 7% | 19% | 40% | 17% | 11% | 6% |
Average hours | 3,875 | 4,500 | 6,880 | 10,833 | 13,542 | 12,917 |
Average IA team size | 3 | 5 | 5 | 10 | 16 | 20 |
Note: Hour-range percentages are the share of respondents within each revenue band.
Exhibit 6 shows a breakout of IA plan hours budgeted by top risk category audit areas. The top four audit areas consume 76% of plan hours.
Exhibit 6 – Annual IA plan hours by top risk categories

Internal audit years of experience
Exhibit 7 shows the average years of experience by staff level, broken out by years of audit experience, healthcare experience and total experience.
Exhibit 7 – Average years of experience by level and experience type
Level | Audit experience (years) | Healthcare experience (years) | Total experience (years) |
Executive vice president or senior vice president | 22.7 | 16 | 22.7 |
Vice president or assistant vice president | 24.3 | 19.2 | 26.5 |
Senior director or director | 19.8 | 16 | 20.3 |
Senior manager or manager | 13 | 10.4 | 14.8 |
Senior | 9.9 | 6.4 | 11.4 |
Staff | 3.9 | 3.9 | 5.7 |
Internal audit function size
Exhibit 8 highlights the IA function's size relative to the organisation's annual revenue and its co-sourcing status. Approximately 10% of respondents do not co-source any audit work; they typically employ between one and nine IA staff, and most have revenue of less than $5 billion. The majority of respondents (90%) co-source a portion of their IA work.
Exhibit 8 – Co-sourcing by staff count and revenue size
Number of staff | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
Do not co-source | 50% | 0% | 11% | 0% | 17% | 0% |
1 to 2 | 50% | | | | | |
3 to 5 | 50% | | 50% | | | |
6 to 9 | | | 50% | | 100% | |
Do co-source | 50% | 100% | 89% | 100% | 83% | 100% |
0 or fully outsourced | 50% | | 16% | 11% | | 33% |
1 to 2 | | 30% | 21% | | | |
3 to 5 | 50% | 50% | 42% | 11% | | |
6 to 9 | | 10% | 16% | 45% | | |
10 to 14 | | | 5% | 22% | 20% | |
15 to 19 | | | | | 20% | |
≥ 20 | | 10% | | 11% | 60% | 67% |
Survey respondents | 7% | 19% | 40% | 17% | 11% | 6% |
Note: The "Do not co-source" and "Do co-source" rows are the share of respondents in each revenue band; the staff-count rows beneath each are the share of that group (non-co-sourcing or co-sourcing respondents) in the band.
Co-sourcing
A co-sourcing arrangement is used by 61% of respondents as a means to obtain and recruit different skillsets into their IA function. Remote/hybrid work arrangements (75%), salary increases/bonuses (45%) and other benefits/amenities (20%) were other methods used to obtain and recruit different skillsets into the IA function.
Acquiring and retaining IA talent whose skills align with a healthcare organisation's top priorities and internal strategies can be challenging, especially in more specialised and technical areas. Co-sourcing with a strategic partner or third party lets an IA function pursue its strategic priorities even where it lacks the internal capability. When asked which areas their organisation co-sources, respondents most commonly cited IT audits (71%), followed by coding (45%), revenue cycle (41%), compliance (32%), clinical (30%), operational (30%), financial and accounting (29%) and third parties/joint ventures (29%).
The areas that are co-sourced also align with the top fraud risk areas and top IA plan priorities, highlighting the importance of the areas in the current healthcare environment. Exhibit 8 indicates that most IA functions across all size categories supplement internal resources by co-sourcing.
Anticipated staffing trends
Exhibit 9 summarises anticipated staffing changes. The majority of respondents do not anticipate a change in the size of their IA function within the next 12 months (75%) or within the next 24 months (59%). The responses are consistent with last year's results, pointing to similar outlooks on IA function growth.
Exhibit 9 – Anticipated staffing changes
Answer | Next 12 months | Next 24 months |
No change | 75% | 59% |
Increase | 20% | 37% |
Unsure or no response | 5% | 4% |
Staff attributes, sources, development and certifications
Experience in auditing, healthcare and data analytics were ranked as the top three most important attributes that respondents valued on their staff. Furthermore, respondents indicated that their current staff members were experienced hires from another industry (40%) or from another healthcare organisation (30%).
Continuing education is essential in remaining up to date on the latest trends and best practices across the various sectors within IA and the healthcare industry. Certifications and designations are avenues to obtaining additional professional education and often are required for advancement within an IA function. The majority of respondents (63%) at the manager level and above are required to possess either a certification or an advanced degree.
Additionally, all respondents indicated that at least one of their staff members has a professional designation. Exhibit 10 summarises the prevalence of professional designations with 84% of respondents reporting at least 50% of staff having a credential.
Exhibit 10 – Staff with a professional designation
Staff with a professional designation | Respondents |
All | 36% |
75 to 99% | 25% |
50 to 74% | 23% |
Audit projects and hours per project
Exhibits 11, 12 and 13 depict the total number of IA projects across assurance (audit), advisory (consulting), and other types of projects relative to the organisation’s annual revenue. Overall, the respondents reported a majority of assurance projects on their IA plans, with a weighted average of approximately 18.5 assurance projects. Respondents reported a weighted average of approximately 11.5 advisory projects on their IA plans.
Exhibit 11 – Number of assurance projects by revenue
Number of assurance projects | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
< 10 | 50% | 40% | 28% | 11% | | |
10 to 19 | 25% | 40% | 43% | 33% | 17% | |
20 to 25 | 25% | 10% | 24% | 23% | | |
26 to 29 | | | | | 33% | |
≥ 30 | | 10% | 5% | 33% | 50% | 100% |
Average number | 14 | 15 | 16 | 21 | 27 | 30 |
Respondent percentage | 7% | 19% | 40% | 17% | 11% | 6% |
Note: Percentages in Exhibits 11 to 16 are the share of respondents within each revenue band.
Exhibit 12 – Number of advisory projects by revenue
Number of advisory projects | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
< 10 | 100% | 100% | 76% | 67% | 66% | 33% |
10 to 19 | | | 24% | 22% | | 67% |
20 to 25 | | | | 11% | 17% | |
26 to 29 | | | | | 17% | |
≥ 30 | | | | | | |
Average number | 10 | 10 | 11 | 12 | 15 | 13 |
Respondent percentage | 7% | 19% | 40% | 17% | 11% | 6% |
Exhibit 13 – Number of other projects by revenue
Number of other projects | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
< 10 | 100% | 90% | 86% | 100% | 83% | 67% |
10 to 19 | | | 9% | | | 33% |
20 to 25 | | | | | | |
26 to 29 | | | | | | |
≥ 30 | | 10% | 5% | | 17% | |
Average number | 10 | 12 | 11 | 10 | 13 | 12 |
Respondent percentage | 7% | 19% | 40% | 17% | 11% | 6% |
Exhibits 14, 15 and 16 depict the hours allocated per project, split across assurance (audit), advisory (consulting) and other types of projects, relative to the organisation's annual revenue. Across all respondents, assurance projects were allotted more hours on a weighted average (286.5) than advisory projects (226.3). Organisations with revenue of less than $0.5 billion allotted an average of 175 hours to both assurance and advisory projects (and 149 hours to other projects). The $1 to $4.999 billion band, the largest respondent group, averaged 283 hours per assurance project, the same as the $5 to $9.999 billion band; average assurance hours then rise with revenue, reaching 400 in the ≥ $20 billion band.
Exhibit 14 – Hours per assurance project by revenue
Hours per assurance project | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
≤ 99 | | 10% | 4% | | | |
100 to 199 | 75% | 20% | 15% | 11% | | |
200 to 299 | 25% | 20% | 33% | 33% | 50% | |
300 to 399 | | 20% | 33% | 45% | | |
≥ 400 | | 30% | 15% | 11% | 50% | 100% |
Average hours per project | 175 | 280 | 283 | 283 | 325 | 400 |
Respondent percentage | 7% | 19% | 40% | 17% | 11% | 6% |
Exhibit 15 – Hours per advisory project by revenue
Hours per advisory project | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
≤ 99 | | 30% | 14% | 22% | | |
100 to 199 | 75% | 30% | 24% | 11% | 33% | 34% |
200 to 299 | 25% | 30% | 33% | 56% | 50% | |
300 to 399 | | | 10% | | 17% | 33% |
≥ 400 | | 10% | 19% | 11% | | 33% |
Average hours per project | 175 | 189 | 242 | 222 | 233 | 300 |
Respondent percentage | 7% | 19% | 40% | 17% | 11% | 6% |
Exhibit 16 – Hours for other types of projects by revenue
Hours per other project | Annual revenue (billions) |
| < $0.5 | $0.5 to $0.999 | $1 to $4.999 | $5 to $9.999 | $10 to $19.999 | ≥ $20 |
≤ 99 | 50% | 60% | 57% | 56% | 50% | |
100 to 199 | 25% | 10% | 10% | 33% | 50% | 34% |
200 to 299 | 25% | 20% | 19% | 11% | | |
300 to 399 | | | 10% | | | 33% |
≥ 400 | | 10% | 4% | | | 33% |
Average hours per project | 149 | 164 | 171 | 133 | 124 | 300 |
Respondent percentage | 7% | 19% | 40% | 17% | 11% | 6% |
Next-generation methodology maturity level
Survey respondents were asked to consider the maturity level of each of their next-generation methodology components: dynamic risk assessment, agile audit approach, high-impact reporting and continuous monitoring. Most respondents (57%) indicated that their IA function has the necessary talent and skills (or has access to the necessary talent and skills) to perform or integrate all methodology components.
When asked to rank the maturity level of each component, most respondents reported that their functions had an advanced level of maturity in high-impact reporting (70%), agile audit approach (57%) and dynamic risk assessment (55%).
However, most respondents (54%) reported a low level of maturity in the continuous monitoring component, highlighting a potential disconnect: 80% of the same respondents also believe they have the necessary skills and talent to conduct continuous monitoring. The disparity indicates an opportunity for organisations to better leverage existing talent and skills within their IA functions and co-sourcing partners to raise the maturity of their continuous monitoring efforts. IA functions should reassess whether available staff time and co-source budgets are actually being directed at raising maturity in this area.
Findings follow-up frequency
Timely follow-up and validation of management's remedial actions on IA findings is a critical activity performed by IA as part of its control environment monitoring role. Exhibit 17 shows how frequently respondents perform audit findings follow-up.
Exhibit 17 – IA findings follow-up frequency
Most respondents (48%) follow up on individual findings according to each finding's own due date. Following up finding by finding has the potential to spread already limited IA resources thin, resulting in less-than-optimal efficiency.
IA functions should consider adopting a standardised periodic follow-up frequency (e.g., monthly or quarterly) or aligning follow-up intervals with the meetings of their assigned board committee. In a periodic follow-up process, management action owners are sent reminders of upcoming finding due dates by email or through workflow tooling, and IA then validates remediation in batches according to the set frequency.
Periodic follow-up helps process owners better manage their workload and commitments to IA, builds goodwill and fosters cooperation, and enables a more structured reporting cycle to management and the functional reporting committee.
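The periodic, committee-aligned follow-up cadence described above, as an added example that is not part of the original article or the survey: given a list of open findings with agreed remediation dates and the board committee's meeting calendar, it assigns each finding to the first committee meeting on or after its due date (so IA validates one batch per cycle rather than one finding at a time), generates the owner reminders that precede each due date, and flags findings that fall beyond the known calendar. The finding IDs, owners, dates and the 14-day reminder lead time are constructed assumptions for illustration.

```python
"""Findings follow-up: per-finding cadence vs committee-aligned periodic cadence."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    finding_id: str
    owner: str   # management action owner who receives reminders
    due: date    # remediation date agreed with management


# Constructed sample data (hypothetical IDs, owners and dates, not survey data).
COMMITTEE_MEETINGS = [
    date(2024, 3, 15), date(2024, 6, 14), date(2024, 9, 13), date(2024, 12, 13),
]
SAMPLE_FINDINGS = [
    Finding("F-001", "revenue-cycle", date(2024, 1, 31)),
    Finding("F-002", "it-security", date(2024, 2, 28)),
    Finding("F-003", "compliance", date(2024, 4, 30)),
    Finding("F-004", "it-security", date(2024, 5, 31)),
    Finding("F-005", "finance", date(2024, 6, 14)),
    Finding("F-006", "pharmacy", date(2024, 10, 15)),
]


def per_finding_touchpoints(findings):
    """Individual-due-date follow-up: IA validates each finding on its own
    due date, so there are as many validation touchpoints as findings."""
    return sorted(f.due for f in findings)


def periodic_schedule(findings, meetings, reminder_days=14):
    """Committee-aligned follow-up.

    Each finding is validated at the first committee meeting on or after its
    due date, so everything falling due within one cycle is worked as a batch.
    Owners still receive an individual reminder `reminder_days` before the due
    date. Returns (batches, reminders, unschedulable):
      batches       -> {meeting ISO date: [finding ids validated at that meeting]}
      reminders     -> [(reminder ISO date, owner, finding id)] sorted by date
      unschedulable -> finding ids due after the last known meeting
    """
    meetings = sorted(meetings)
    batches, reminders, unschedulable = {}, [], []
    for f in findings:
        cycle = next((m for m in meetings if m >= f.due), None)
        if cycle is None:
            unschedulable.append(f.finding_id)  # committee calendar must be extended
            continue
        batches.setdefault(cycle.isoformat(), []).append(f.finding_id)
        reminder = f.due - timedelta(days=reminder_days)
        reminders.append((reminder.isoformat(), f.owner, f.finding_id))
    return ({k: sorted(v) for k, v in sorted(batches.items())},
            sorted(reminders), unschedulable)


def touchpoint_comparison(findings, meetings):
    """(validation touchpoints per finding, validation touchpoints per cycle)."""
    batches, _, _ = periodic_schedule(findings, meetings)
    return len(per_finding_touchpoints(findings)), len(batches)


if __name__ == "__main__":
    batches, reminders, missing = periodic_schedule(SAMPLE_FINDINGS, COMMITTEE_MEETINGS)
    for meeting, ids in batches.items():
        print(meeting, "validate", ids)
    for when, owner, fid in reminders:
        print(when, "remind", owner, "about", fid)
    print("unschedulable:", missing)
    print("touchpoints (per finding, periodic):",
          touchpoint_comparison(SAMPLE_FINDINGS, COMMITTEE_MEETINGS))
```

With the sample data, six individually dated findings collapse into three validation cycles (March, June and December), while every owner still receives a reminder two weeks before their own due date; a finding due after the last scheduled meeting is reported rather than silently dropped, which is the failure mode a per-finding tracker never has but a batched one must handle.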
Risk assessments
Risk assessments are essential to regularly identifying the organisation’s top risks, prioritising risks and developing strategic plans to mitigate the risks. Most respondents (61%) reported that they perform a risk assessment annually, while 21% of respondents indicated that they conduct continuous risk assessments. Risk assessments were conducted quarterly by 7%, with another 7% conducted two or three times a year. Surprisingly, 4% continue to perform risk assessments less than once a year (e.g., audit plans spanning two years, three years, etc.). No respondents from the previous year’s survey indicated that they conduct risk assessments less than once a year.
Many respondents (59%) stated that they perform engagement or process-level risk assessments for each project, both during the annual risk assessment and prior to project kick-off. Another 32% stated that this assessment is only completed prior to the project kickoff.
Responsibility for compliance audits
Compliance and IA often work together to perform certain compliance-based audits across an organisation. Each function’s involvement depends on a variety of factors, including the specific skills needed to perform the audit and the capability and capacity of each function.
Exhibit 18 identifies which function (compliance, IA or another function) is responsible for each compliance audit area. Survey results indicate that compliance alone is responsible for conducting the majority of compliance audits, but it collaborates with IA often in several areas, most notably 340B pharmacy drugs and pricing transparency/No Surprises Act audits.
Exhibit 18 – Responsibility for performing compliance audits
Compliance area | IA | Compliance | Combined (IA and compliance) | Audited outside of IA or compliance | Not audited |
1135 Waivers | 2% | 43% | 9% | 18% | 28% |
340B pharmacy drugs | 27% | 18% | 18% | 21% | 16% |
Advanced Beneficiary Notices | 6% | 46% | 13% | 14% | 21% |
Clinical trial billing | 11% | 25% | 25% | 16% | 23% |
Coding and billing | 9% | 45% | 18% | 20% | 8% |
Health equity | 2% | 21% | 4% | 20% | 53% |
Medicaid disenrollment | 2% | 39% | 2% | 18% | 39% |
Medicare Conditions of Participation | 11% | 45% | 12% | 21% | 11% |
Medicare quality measures | 13% | 32% | 4% | 31% | 20% |
National Coverage Determinations | 2% | 50% | 5% | 18% | 25% |
Physician evaluation and management coding and billing | 7% | 60% | 13% | 7% | 13% |
Physician procedural-based coding and billing | 9% | 50% | 16% | 14% | 11% |
Pricing transparency/No Surprises Act | 22% | 27% | 32% | 5% | 14% |
Privacy access audits | 5% | 64% | 9% | 13% | 9% |
Provider based clinics/hospital outpatient departments | 16% | 36% | 23% | 4% | 21% |
Two-midnight rule | 5% | 53% | 11% | 11% | 20% |
Implementation of Sarbanes-Oxley
A majority of healthcare respondents (70%) reported that their organisations, mostly not-for-profit, are not required to be Sarbanes-Oxley Act (SOX)-compliant and have not implemented its requirements. However, some healthcare organisations (23% of respondents) see the benefit of SOX-style controls and have implemented a robust but cost-effective system of internal controls over financial reporting. Exhibit 19 summarises the extent of SOX implementation.
Exhibit 19 – SOX Implementation
Level of SOX implementation | Percentage of respondents |
Implemented all aspects | 7% |
Reviewed SOX and implemented as much as possible | 9% |
Implemented SOX except Sections 302 and 404 | 5% |
Implemented only sections required by a third-party | 2% |
Total | 23% |
Enterprise risk management
ERM processes help to identify and assess risks pertaining to specific segments of an organisation. In addition to looking at current risks, ERM is forward-looking and attempts to identify potential risks to the organisation.
Among the 84% of respondents whose organisation has an ERM process, the process is led by the chief audit executive (36%), chief compliance officer (30%), chief risk officer (28%), others (17%), general counsel (15%) or the chief executive officer (6%); respondents could name more than one leader, so the percentages exceed 100%.
Exhibit 20 identifies the role that IA plays in the respondents’ ERM process. Most respondents see IA as a facilitator to help identify and evaluate risks (45%), reviewer of key risk management (43%), champion of the establishment of ERM (41%), and evaluator of the ERM process (41%). Only 2% of respondents see IA’s role as implementing risk responses on management’s behalf.
Among the respondents who indicated that their organisation does not have an ERM process (16%), the majority (67%) cited a lack of executive support as the primary reason they do not. The remaining respondents cited a lack of perceived benefit (11%), lack of necessity (11%) and other (11%) as reasons for not implementing an ERM process.
Exhibit 20 – Internal audit role in ERM


Survey respondent demographic information
Exhibits 21, 22 and 23 provide additional respondent demographic information: primary industry, total number of employees and the organisation's annual revenue.
Exhibit 21 – Primary industry
Primary industry | Respondents |
Healthcare provider | 37 |
Integrated payer and provider delivery system | 17 |
Healthcare payer | 2 |
Exhibit 22 – Total number of employees
Number of employees | Respondent percentage |
< 5,000 | 16% |
5,000 to 9,999 | 14% |
10,000 to 24,999 | 34% |
25,000 to 49,999 | 18% |
≥ 50,000 | 14% |
Unsure | 4% |
Exhibit 23 – Annual revenue (billions)
As healthcare organisations continue to evolve their operating strategies in response to a rapidly changing industry risk profile, IA functions need to be vigilant and adaptable to remain relevant and effective. Ensure that your IA function has the staffing, financial resources and other support necessary to advance your capabilities. Build a highly skilled and engaged team, while maintaining focus on meeting stakeholder expectations and complying with professional standards.
Use this data to measure your function’s metrics against your industry counterparts. Close identified gaps, improve your performance and contribute more value to your organisation. Garner support from responsible committees for the IA function.
The Association of Healthcare Internal Auditors (AHIA.org) is an international organisation dedicated to the advancement of the healthcare internal auditing profession, which includes disciplines such as operational, compliance, clinical/medical, financial and information technology. AHIA provides leadership and advocacy to advance the healthcare internal audit profession by facilitating relevant education, certification, resources and networking opportunities.