Stepping into continuous audit: a health-care audit shop shares its strategy for making real-time auditing a success

Internal Auditor, April, 2004 by Lee Nelson

In addition, the test must provide clear results to management. In the earnings manipulation example, differing balances between the two accounts tested would represent an objective, unambiguous result. Exceptions would merely require internal auditing to request documentation for the variance and perform steps to determine what caused it.

Developing these criteria gave us the ability to select the tests that would be most valuable and effective if performed on a continuous basis.

AUTOMATE TESTS

Once we decided which tests were best suited for CA treatment, we then needed to find a way to automate the testing process. We investigated several "off the shelf" software products that enable event-driven scheduling and determined that purchasing one of these products was much more cost-effective than attempting to develop software in-house. Many of the products we considered cost US $100 or less and provide tremendous functionality. The software can initiate processes at specific dates or times or when it detects the presence of a file in a specific directory. The HCA audit team selected the product that best met our needs and deployed this technology to trigger exception-based CA tests.

COMMUNICATE TEST RESULTS

To ensure the CA process would be useful to audit clients, we needed to find an effective means of communicating reporting exceptions across the organization. Specifically, we had to determine whom to contact at each business unit and how to deliver the necessary information in a timely manner.

The audit team first considered basing its CA notification system on a centralized e-mail address list of key division, market, and facility management personnel. Because HCA is composed of hundreds of entities and thousands of employees across diverse locations, however, this approach was deemed impractical. In light of employee turnover, transfers, and promotions, the task of maintaining an accurate database would have been impossible. We would have found ourselves spending too much time performing maintenance on the communication database and not enough time performing tests.

Instead, we decided to employ the company's existing centralized security software, which manages security for core business applications, as a means of identifying users needing access to exception reports. The process is facilitated through local security coordinators (LSCs) at each of HCA's entities. Each LSC administers security for his or her respective organization and coordinates report access to members of management based on our specified parameters.

The HCA audit team set up security for its CA system based on several job roles, including positions within the finance, human resources/payroll, compliance, and security departments. Patient privacy is an essential consideration in the health-care industry, and any tests involving patient-identifiable data must be limited to appropriate individuals. The security roles are designed so that each individual has rights to only one area of access.
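The sketch below is an added illustration, not HCA's software. It runs the two-account balance comparison as an exception-based test and routes each exception only to users at that entity whose single area of access matches the test. The entity names, user IDs, area labels, and the one-entity-per-user rule are assumptions made for the example.

```python
from decimal import Decimal

# Constructed sample data; entity names, user IDs and areas are hypothetical.
ASSIGNMENTS = [                      # (user, entity, area) as an LSC might grant them
    ("akim", "facility-002", "finance"),
    ("bross", "facility-002", "payroll"),
    ("cdiaz", "facility-001", "finance"),
]
BALANCES = [                         # (entity, account A balance, account B balance)
    ("facility-001", "100.00", "100.00"),
    ("facility-002", "250.10", "249.10"),
    ("facility-003", "5.00", "7.00"),
]

def build_access(assignments):
    """Map user -> (entity, area). Assumption: one grant per user, so a second
    grant naming a different area (or entity) is rejected, not merged."""
    access = {}
    for user, entity, area in assignments:
        if access.setdefault(user, (entity, area)) != (entity, area):
            raise ValueError(f"{user} would hold more than one area of access")
    return access

def balance_exceptions(rows):
    """Exception-based test: keep only entities whose two balances differ."""
    found = []
    for entity, a, b in rows:
        variance = Decimal(a) - Decimal(b)   # Decimal avoids float rounding noise
        if variance != 0:
            found.append((entity, variance))
    return found

def route(test_area, rows, assignments):
    """Return (deliveries, unrouted). An exception with no authorized reader
    is reported as unrouted rather than sent to a wider audience."""
    access = build_access(assignments)
    deliveries, unrouted = {}, []
    for entity, variance in balance_exceptions(rows):
        readers = sorted(u for u, (e, area) in access.items()
                         if e == entity and area == test_area)
        if readers:
            deliveries[entity] = (variance, readers)
        else:
            unrouted.append(entity)
    return deliveries, unrouted

if __name__ == "__main__":
    print(route("finance", BALANCES, ASSIGNMENTS))
```

Entities that land in the unrouted list are those where no one has been granted the matching role yet, which is a gap for the local security coordinator to close.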



Content provided in partnership with Thompson Gale