Tina Rolling (rollingtm@alma.edu) is an assistant professor of Business Administration at Alma College in Alma, MI. Tom Ealey (ealey@alma.edu) is a professor of Business Administration at Alma College.
When most people think of auditing, they think of external and sometimes internal auditing, both being focused on financial results and financial internal controls.
A third type of auditing, performance auditing (earlier known as operations auditing)[1] has great promise for improving the compliance function, and also the operations of the provider. Performance auditing can be applied to a wide range of business practices and regulatory compliance targets, because it focuses on effectiveness, efficiency, and compliance.
Performance auditing was pioneered and has been enhanced by the federal General Accountability Office (GAO) as well as private sector internal auditors and consultants. The GAO uses performance auditing to evaluate everything from military procurement efficiency to social service program effectiveness. GAO developed a common set of tools to evaluate the performance of people and hardware across a wide range of government programs.
Performance auditing differs from financial auditing in intent, scope, procedures, and reporting. Performance auditors need not be independent from the company or highly trained audit practitioners.
Defining performance auditing
The General Accountability Office defines performance auditing as:
2.09 Performance audits are defined as engagements that provide findings or conclusions based on an evaluation of sufficient, appropriate evidence against criteria. Performance audits provide objective analysis to assist management and those charged with governance and oversight in using the information to improve program performance and operations, reduce costs, facilitate decision making by parties with responsibility to oversee or initiate corrective action…[2]
Substitute “practice” for “program” and performance auditing instantly becomes relevant to medical practice management.
The GAO goes on to explain, “2.10 Performance audit objectives may vary widely and include assessments of …effectiveness, economy, and efficiency; internal control; compliance; … These overall objectives are not mutually exclusive…”
The emphasis on efficiency and effectiveness distinguishes performance auditing from financial statement audits and compliance procedures. Many of the techniques and procedures are used to do parallel compliance auditing procedures, and some compliance projects lend themselves to performance studies, thus allowing double value from the work.
Lindberg and Cohn's classic definition of performance (operations) auditing[3] highlights the focus of performance auditing:
-
The appraisal is regular and systematic.
-
A comparison is made with industry standards and company policies.
-
The “auditors” are not specialists in every area being audited.
-
Management finds out if its aims and desires are being carried out; and
-
Deficient areas are identified.
A customized approach
Performance auditing is the most flexible of auditing techniques; the audits can be customized by need and by provider.
Many long-term care facilities employ “self-survey” techniques and, whether they know it or not, these surveys are performance audits. The facilities have multiple special regulatory regimens and use self-surveys to improve operations and get ahead of the government surveyors.
Physician groups have a wide range of compliance concerns and often do not have large staff or resources to regularly monitor compliance. The burden of everyday work precludes systematic review, exactly where and when it is needed most.
Hospitals are a huge target for systematic review and audit; the number and diversity of departments, the volume and complexity of billing, the interaction among so many providers―these are all reasons for monitoring and review.
Value added
Performance auditing can provide value within the compliance program by:
-
Identifying failures in critical regulatory compliance areas
-
Identifying quality failures
-
Measuring effectiveness in performance of mission-critical functions
-
Identifying targets for improvements in the revenue cycle
One caveat here: An audit team may find something very unsettling―and that is when work is halted and a phone call is made to legal counsel.
Rationale
There are at least four major reasons for using performance auditing in healthcare compliance:
-
The complexity of the interactions and services provided,
-
The increasingly complex regulatory environment,
-
The usual absence of “deep” specialists (e.g., accounting, legal, medical records) in many facilities (or the experts are there but have little spare time), and
-
The potential high cost of compliance failure and/or inefficient management.
Managers and supervisors are often flooded with data and information, including routine operational and financial reports, budget reports, and statistical summaries. There are informal feedback loops from the daily whirl of observations as nurses, physicians, ancillary clinicians, and other staff interact. In the blizzard of data, there is often little time for thorough examination and evaluation.
Performance auditing requires the focused, systematic collection and analysis of data―an important supplement to the daily stream of quick data and steady anecdotes. Both the cost of this process and its offsetting benefits must be considered. The acid test of any management control system is the cost-versus-benefit relationship: Does the control system or audit pay for itself by improving efficiency, cutting costs, or even by avoiding penalties? So, does performance auditing pay for itself in a compliance program?
We believe yes. Benefits can be measured or estimated for dollars directly saved and/or the avoidance of regulatory legal penalties. Performance auditing can be cost-beneficial when used inside a compliance plan, and it is also useful outside a compliance plan.
Basics of performance auditing
A typical performance auditing project (see Table 1) would flow like this:
-
Select a target topic
-
Determine the scope of the work and the resources available
-
Research and document relevant criteria
-
Develop an audit plan with necessary checklists and work papers
-
Gather and examine evidence, compare with criteria, and document results
-
Form judgments
-
Report findings to the appropriate manager or governing body
The fundamental audit process consists of: (a) planning the audit, (b) gathering data, (c) comparing the data with relevant criteria, (d) forming judgments, and (e) reporting to management. The audits are done systematically, rather than randomly.
Note that the auditors offered no solutions, only findings. Operations auditing is not a solutions process; solutions are always the province of management. Follow-up is assigned separately by senior management.
Step | Activity |
---|---|
Select a target topic | HIPAA compliance |
Determine the scope | Compliance with notices and signatures |
Resources available | Supervisory staff, medical records, IT staff |
Audit plan | Perform a “chart” review, sample some active charts, and develop checklist for each chart |
Review charts | Review sample charts over a one-month period |
Document results |
Determine the percentage of charts in compliance Compile list of errors and omissions |
Reporting | Make judgments, prepare report for management |
Best practices
Performance auditing compares evidence against standards; those standards are derived from regulatory rules, industry norms and best practices, company policies, and professional standards. Performance auditing can only be used when norms, policies, standards, and practices exist and are accepted within the organization.
Best practices are gleaned by constantly scanning the operational and regulatory environment―paying attention to the literature, watching the federal government, consulting with professional advisors, and being an active member of the Health Care Compliance Association.
If our target is the completeness of personnel files, our criteria would be compliance with company policies and government regulations. Our checklists would list the required documentation in each file. Our examination would document the contents of each file. A summary would give us percentages of completeness from which we would form judgments and report to management. This assumes management is current on all human resources policies and regulations.
Sampling
Given the volume of activity in a healthcare facility, 100% audits (or even a high percentage of audits) are rarely feasible, even for a limited period of time, unless the audit is designed to review a very serious problem brought to management’s attention.
Sampling techniques should provide valid feedback on many compliance and operations topics:
-
Random – every 20th patient from June 1st to June 15th, using appointment logs or encounter numbers
-
Stratified – every billing more than $5,000 in the month of July
-
Block – every patient seen on Monday and Wednesday mornings in the month of August
-
Targeted – every patient seen by a new physician in his/her first month to evaluate medical records and coding skills
Sampling techniques can be mixed and matched and customized to fit the project at hand. Consult your CPA if you need help, because sampling is key to your CPA’s audit protocols.
Revenue cycle and the cost/benefit test
The heart of compliance is billing integrity and related regulatory compliance. The heart of revenue cycle management is accuracy, timeliness, and related regulatory compliance. Notice the overlap?
The cost of auditing the revenue cycle can be covered by the resulting discoveries that lead to improvements in the cycle. This does not count penalties avoided by finding and correcting accuracy and integrity problems.
Performance auditing may produce bad news; discovering something toxic (e.g., upcoding problems) can be expensive, but correction sooner is better than correction later.
Cyber security concerns
Twenty years ago cybersecurity meant making a tape backup of the billing system and putting the tape in a secure place. Cyber security has taken on a whole new meaning and has become a massive issue for healthcare supervisors and managers. Some aspects of cybersecurity are best left to technical experts, or really have to be left to technical experts. Other aspects are within the purview of supervisors and managers.
Password compliance, log-off procedures, portable media issues (e.g., the infamous flash drive is a dangerous implement), phishing attacks, bring-your-own-device (BYOD), smartphone concerns, phone cameras, cloud security, mobile laptops—all of these are management concerns subject to constant monitoring and the occasional performance audit.
A comprehensive set of policies and procedures is a start, but policies without compliance have no value. Check, double check, and recheck!
Assembling the team
The audit team members, by definition, are not professional auditors and should be selected to compliment your audit topic. They should be capable of understanding the best practices standards and be able use checklists to collect the required data. The members of the audit team do not all need to be deep content experts, but they must be familiar enough with the organization’s operations to gather data through document or observational review. For example:
-
An audit of HIPAA privacy compliance could include clinical, administrative, and clerical staff.
-
An audit of HIPAA security could include clinical, administrative, and senior management staff.
-
An audit of revenue cycle coding could include clinical and billing staff.
-
An audit of OSHA compliance would include a variety of clinical staffers.
Audits may identify performance weaknesses, possibly including compliance failures and productivity failures, or they could identify opportunities for new and enhanced operational techniques.
The application of performance auditing is illustrated by this example: Human resources is a highly regulated and paperwork-intensive business relationship. An audit to test paperwork completeness and compliance with company policies and government regulations is suggested, management wants to target critical topics, and a targeted approach narrows the first examination to auditing OSHA compliance.
Reporting
Performance auditors are not empowered to fix problems or improve operations; they are directed to report to senior management. Reporting should be concise and focus on good performance and weak performance. Reports should not include the bulk of audit documentation, but the documentation should be available for any affected manager to review.
Team members may well be called to help fix problems or improve operations, if for no other reason than they know the issues so well.
Additional benefits
There are costs to performance auditing, particularly in staff time; therefore, we need to weigh the costs and benefits of this work. Performance auditing can provide benefits both inside and outside the compliance program as well as for other operational concerns related to compliance concerns.
Performance auditing can add value outside the on-going compliance program if it is used to:
-
Identify inefficiency and performance weaknesses
-
Determine cost control opportunities
-
Further productivity improvements
-
Measure effectiveness in performance of mission critical functions
-
Measure compliance with other critical regulations, such as Occupational Safety and Health Act (OSHA), wage-and-hour laws, etc.
-
Measure efficiency in use of resources
In terms of value added, any performance auditing procedures may provide useful information, both for compliance and for operations.
Conclusion
Performance auditing can be a useful and cost-effective tool in health care organizations. The complexities of and risks inherent in providing medical care demand a high level of administrative control and quality performance; performance auditing can provide feedback critical to the organization about control and supervision processes.
Takeaways
-
Performance auditing is a useful tool in monitoring compliance.
-
Performance auditing can be used on a wide range of financial and operational matters.
-
Performance auditing can be cost beneficial, both in avoiding penalties and enhancing operations.
-
Many providers are already using self-audit techniques in their compliance activities.
-
Performance auditing does not require sophisticated staff experts or expensive outside experts.