Health care providers have some new guidance on adopting a solid internal control framework. The Committee of Sponsoring Organizations (COSO), along with advisory firm Crowe LLP and Common Spirit Health have published an updated version of its COSO Integrated Framework specifically for the health care provider industry.
COSO says the guide, titled “2013 COSO Integrated Framework: An Implementation Guide for the Healthcare Provider Industry,” is in response to increased regulatory scrutiny of health care providers and growing complexity in the industry.
The Securities and Exchange Commission has been more active in its scrutiny of internal control failures and its enforcement of regulations around internal control structures. Health care providers are especially vulnerable. A recent internal audit at health care provider Ventura County Medical Center, unveiled as many as 42 internal control issues.
“Organizations operating in the healthcare sector, regardless of size, maturity, or form of ownership, have unique challenges and opportunities relating to the design and operation of internal control structure,” the report states.
Internal Control Issues
Healthcare organizations experience issues with system access and integrity, clinical documentation, coding, and billing, all of which may result in potential noncompliance with federal and state regulations, and costly mistakes. The guide provides health care organizations with specialized instruction on adopting elements of COSO’s widely used Internal Control–Integrated Framework, and provides a roadmap to implementation to help strengthen their overall governance and internal control structures.
“Effective internal control is vital to successfully weathering the ever-changing health care environment, and it can help mitigate many of the risks associated with the complex pressures healthcare organizations confront today,” said Paul Sobel, COSO chair, in a statement. “Formally adopting the Internal Control Framework facilitates an increased understanding of the internal controls in existence and indicates where improvements should be made, resulting in reduced risk for all stakeholders.”
The Internal Control Framework, which can be implemented by organizations of all sizes and types, focuses on five integrated components of internal control: control environment, risk assessment, control activities, information and communication, and monitoring activities. It does this in a flexible, reliable, and cost-effective approach, says COSO.
Strengthening Health Care Internal Controls
The implementation guide explores how health care organizations can apply the 2013 Framework to conduct the following:
- Evaluate and strengthen their existing internal control structure;
- Implement controls to assist in mitigating significant risks;
- Optimize the effectiveness of their control environments; and
- Improve the efficiency of their governance, compliance, operations, management, and assurance functions.
Focusing on strengthening key controls in an organization’s existing control structure is vital in the rapidly changing health care landscape, says COSO. It recommends that every health care organization evaluate its risks and key controls to determine potential gaps that may require changes to policies and procedures, governance structure, and management oversight. With the implementation of the Internal Control–Integrated Framework, which was updated in 2013,a healthcare organization with effective controls will be able to:
- Manage the organization’s ability to cope with rapid change;
- Provide a strong foundation to accomplish significant goals and objectives; and
- Improve healthcare delivery.
“COSO provides a framework to build a fundamental foundation of internal control to ensure that organizational risks are monitored and mitigated through sound business decisions,” said Bill Watts, a risk consulting partner at Crowe. “Healthcare organizations must review their environment to confirm proper controls are in place. By doing this, the organizations ensure effective and efficient operations, proper financial reporting, and compliance that support their mission and strategy. COSO provides guidance to streamline this process.”
Sobel added, “Implementing the Internal Control Framework enhances the likelihood of achieving an entity’s objectives and ability to adapt to changes in the business and operating environments. It emphasizes the importance of management judgment in designing, implementing, and conducting internal control, as well as in assessing the effectiveness of a system of internal control.” 