
The Power of Internal Audits and Controls

Published
Mar 24, 2025

Join host Tony Davis as he sits down with Cody Loup, an expert in internal audit and control services, to explore their critical role in healthcare organizations. In this episode, Tony and Cody delve into how these services can enhance operational efficiency, improve compliance, and ultimately improve patient care. Whether you're a healthcare professional, administrator, or simply interested in the inner workings of healthcare systems, this insightful discussion will shed light on the invaluable benefits of robust internal audits and controls. Tune in to discover practical strategies and real-world examples that highlight the transformative impact of these essential services.


Transcript

Tony Davis: 

Welcome back everybody to the EisnerAmper podcast for healthcare professionals. This is your host, Tony Davis. Before we get into the podcast today, I'd like to remind everybody to subscribe to the podcast through your traditional podcast venues such as Spotify, Apple. And also like us on our YouTube channel, the EisnerAmper YouTube channel. So, please do that. That'd be great for us. 

So, today I welcome Cody Loup from our Gulf Coast office. Cody works in the internal controls area. I'm excited to get into his expertise today. There's a lot to learn in this space for healthcare professionals. Whether you're in the C-suite, whether you're a provider, whether you're a manager in the organization, internal controls is a major issue that you need to deal with on a daily basis. And so, Cody's going to give us some great insights into that space today. 

Cody Loup: 

Thank you, Tony, for the introduction. 

Tony Davis: 

I'm going to have Cody speak for a little bit around his background, how he got into this area of work, and so how he defines internal controls, especially as it applies to healthcare facilities and health systems. So Cody, why don't you start off with that. What's your background a little bit and how'd you get into this? 

Cody Loup: 

Yeah. So about 15 years ago, I graduated and I kind of did the normal CPA route. I started in assurance, actually at Postlethwaite & Netterville. So, our Gulf Coast region's historical office was Postlethwaite & Netterville. And I did general assurance works, so financial statement audits for external companies. And really got to know the financial statement side of things. But during that time, I got my CPA and I realized I kind of was more interested in operational sides of business. Finances are great, it's important, I didn't mind it by any means. But the operational side and what actually made a business run and how it ran was kind of more of my interest. 

So at that time, about 10 to 11 years ago, I actually left P&N to work on the internal audit side of a large health system here in the Gulf Coast called Ochsner Health System. About 10 hospitals now, so extremely large. And they were growing a lot at the time I was there. And I really got into the control sides of the operations of health systems. And it helped me to see how hospitals run from start to finish, from the supply chain side, from the operations, from the clinical side, and the financial side too as well. But really being an internal audit, it gave me that full picture of how a health system runs and it gave me an idea of how internal controls run. 

So, we did everything there. We touched on supply chain, like I was saying, with vendor management audits. We did clinical safety audits with drug diversion, patient safety, infection control. We did revenue cycle audits of course, because hospitals, obviously that's the important part with claims, denials, and how the money comes in is important for everyone, but it's extremely important for hospitals as we know. And so really, that cut my teeth on really how health systems work. 

And the way hospitals were at Ochsner, they also had a huge physician clinic practice. So, it [inaudible 00:03:04] got me an idea of how that area works. So not just from the hospital setting, but how physician clinics work, how drug pricing works, how physician clinics are trying to start billing more as a hospital system with provider base. So, it really was just a great way to learn healthcare. 

And from there, in the last five years I've been doing the consulting side of healthcare. So I left Ochsner, but still doing mainly healthcare work and focusing on internal controls, and really trying to build that out for our clients here at EA. And that's really ranging from fully outsourced internal audit shops where we are that third line of defense, as well as doing individual projects for hospitals when they need help. 

And in internal audit, Tony, everyone thinks of it, they think of Sarbanes-Oxley, right? The reason internal audit really became huge was for Sarbanes-Oxley in public companies. Healthcare was a little slower to develop that, as they're not usually publicly traded. But in the last 10 years, internal audit, internal controls have really bled its way into healthcare, it's extremely important. It's an extremely regulatory-based environment. Patient safety is important. And they're starting to see the benefits of how internal controls, even though maybe not regulated by Sarbanes-Oxley is still extremely important for them, for both their patients, but for the financial health and the operational health as the hospital itself. Compliance is huge in health systems, but where's that third line to make sure compliance has kind of got its I's dot and its T's cross? So, that's really how we're seeing growth in that area right now. 

Tony Davis: 

Yeah. No, wonderful introduction. And I think you touched on several areas there, which I think we're going to explore a little bit on today's episode. And I think for those listening, whether you are sitting in the C-suite level of a health system or a physician practice, if you're [inaudible 00:04:50] yourself anybody that lives in that space, you understand the regulatory components of what we have to deal with in healthcare every single day. It's very overwhelming and I think sometimes it's just a matter of, where do you start and how do you prioritize? And I'm wondering if you could just maybe touch on that. 

You talked a little bit about operational efficiency, you talked about compliance. Patient care, obviously very important. I think we want to delve into each of those, but when you're looking at it from an in-sourced work that employees that you have within your organization, whether it's outsourced, is there sort of a baseline or foundation that you would recommend folks start thinking about? Maybe start there. And I know also it can run financial, operational, it's also got sort of verticals components to it as well. So I hit on a few things there, but maybe pick through some of that and tell me where you might begin. 

Cody Loup: 

So usually from an in-source perspective, you're so worried about your just daily operations and patient safety, that's where the focus is going to be. You're going to have probably a built out compliance team and they're going to really be hitting HIPAA hard, right? HIPAA is going to be a major source of concern. And so usually when I see an in-source health system, HIPAA and their compliance team, their legal team normally has that very well covered. They're also going to usually have a team working just for claims and denials. You can never have enough people for that. 

But normally a lot of their workforce is going to be working to make sure for, why are they getting denied? How do we get these claims through? Is it pre-auth, is it after the fact? Why are we missing some of these claims and why are they getting denied by these insurance carriers? So I usually will see a lot of risks there, and that's absolutely two of the biggest risk areas for your hospital. So, I'll see a lot of the effort of in-source going there. Also, patient safety, they'll be reviewing clinical documentation. They'll be making sure their doctors are trained, their nurses are trained. That's the three big areas I'll see in-source. 

Because of that and because everyone has not as many people as they'd like working for them, resources are tight. And so, that's going to be the three biggest areas, and that are the three biggest risks. So absolutely, if you are resources constraint, that's where you should be spending your time. 

Where we kind of come into play with outsource is, we can give those boots on the ground to look at everything else that's still largely important. And so from a revenue perspective, that's often going to be your vendors. Vendor management, I know I touched on that earlier, and the reason why that's a huge risk is a hospital is going to have so many vendors, it's going to be absolutely impossible for their supply chain or the logistics team, whoever's monitoring at your hospital, to truly be an expert in each of those individual contract areas. 

Even if the contract properly goes through legal, the terms in that contract and what you as a hospital own, it's extreme risk to your organization and money going out the door. And that can be from an incentive and rebates, right? If you have a thousand contracts, it means a thousand contracts, there's incentives and rebates, it could be millions of dollars you're leaving on the table. We've looked at audits and it's not just that you hit an incentive or rebate and they didn't give it to you, it's, are you at the end of the month? And if you order simply 5,000 more masks or 5,000 more sterile gloves, which you're going to use, now you get a 10% savings, but no one's monitoring that so you miss that. I mean, that happens all the time. 

We've also seen from vendor management when it comes to medical device, the ownership of, what medical devices are you in your hospital that you're paying for, that inventory, that's on you, the hospital. Well, we've done checks where hospitals are paying 15%, 20% on equipment that they don't even have anymore. Or sometimes we'll find it, but it's in a storage closet. It hasn't been used in years. All they simply have to do is send that email to that vendor and say, "Hey, we don't want that anymore." And that's hundreds of thousands of dollars in savings. But it's impossible for the health system to know that those terms are on them to control. Because like I said, their resources are going to those first three risks [inaudible 00:08:57]. 

The other things we see from clinical people don't think of internal auditors, CPAs as people that can get in the clinic space, but it's all a control. And so patient safety is always going to be the number one concern, but people just don't think they can do it with people like us. They think they got to hire nurse auditors. It's simply not true. For example, we've done specimen chain of command audits. We've had a hospital that, as crazy as it sounds, they were having specimen not get logged in time. So, they couldn't do the correct pathology on a specimen that was removed from a patient. 

That's just a control system, right? Who's in that room? When is it getting logged that it was taken out from the patient? What is the chain of command and the custody of that specimen before it gets logged in pathology lab? We can look at that. We can go out there, we can sit in that patient room, we can sit in that operation room and see, where is that going wrong? Is it on the intake or is it on the outtake? That's just an idea. 

The other huge risk obviously, are regulatory environment, joint commission, OIG. They're always looking at certain areas. One we've seen recently is hospitals, now that they're getting larger, these physician clinics are often on the hospital umbrella. Hospitals want these physician clinics to work as if they're part of the hospital so they can get certain billing reimbursements, like 340B pricing for their drugs. So they make these physician clinics provider-based, as if they're outpatient to the hospital itself. Great for savings, huge in terms of regulatory standards that have to be. Your clinic better look like a part of the hospital, it better bill as part of the hospital. And so, we've helped a lot of hospitals and health systems make sure that they are billing correctly for how CMS wants to see them bill, that their signage is correct to make sure patients know they're holding themselves out as outpatient to the hospital. 

So, it's really every area. We're touching clinical operations with nurses, we're touching the ref cycle team, we're dealing with supply chain. And that's bringing us to the chief revenue officer, the COO. It's bringing us to VPs in supply chain. So it's really your whole hospital environment and your whole leadership team, as well as some of your operational team like clinic, your nurses and your chief medical officers. Everyone's got to work together for your internal controls to really put you where you want to be as a hospital. 

Tony Davis: 

Well said and well articulated. I think what was going through my mind as you were talking and having as audience who's listened to the podcast before, know that I ran a large dermatology practice for a dozen years. And I think about what you just described and I think about, okay, well, I understand A, the complexity of all the pieces that go into what you just described through vendor management, through clinical operations, and into the financial space for sure. 

Maybe the approach to take might be some sort of assessment, some sort of evaluation of how your current system is in place right now. So if you're in a physician practice, whether it be part of a hospital or a standalone, or if you're in a bigger hospital environment, is that something that you guys would come in and then again, give us sort of a game plan? Obviously, trying to tackle that at once. And obviously again, talking about budgetary restrictions or resource restrictions, that's typically where... And time. I think that's the other thing. 

I think when I'm sitting in a management role, you're trying to balance your day as to what priorities to take. Certainly if there's agencies calling, that takes a priority. But you've got staff to deal with, providers to deal with, patients to deal with. That really becomes just, where's the fire? But more broadly, as an approach to really managing your internal controls from either operational, financial, clinical, all the various verticals, is an assessment sort of a good place to start, do you think? 

Cody Loup: 

You have to start there. And there's two ways to do this. There's the risk assessment that everyone's used to, and it's still... People have tried a thousand different ways to make it better than this, but it keeps coming back to the, let's sit down and let's interview the important people within your health system. And log down what keeps them up at night. 15 years ago when I was in school, that's why I always studied [inaudible 00:13:24] risk assessment. I'm sure 30 years ago, and I'm sure 30 years from now, it's going to be the same way. You have to talk to the people on the ground. 

You can look up what the largest risks are in hospitals and healthcare, but until you actually sit down and interview the key people in your hospital or in your areas, you're not really going to know what is truly the risk. That's the general, that's the easiest way to start with. The risk assessment, we log the risks that they give us, we rank the risk based on our conversations and based on our expertise. And then we give you the idea of where we should hit the plan. 

One step further, and what we're starting to do with a lot of clients is a business impact analysis. And then that could lead to a business continuity plan. But that's taking those risk assessment interviews and going one step further. We're mapping the KPIs, or key process indicators, for each of those units. So not only are we taking the risk, we're asking them, "Okay, what are you doing on a daily basis?" And we're taking that information and saying, "These are the key processes that each of the units in your hospital do. These are the systems they rely on, and this is where you have a lot of risk to where you've got only two or three people maybe working this area. And that information knowledge isn't being shared with anyone else in your hospital. So, you better get these controls documented in case these people leave or in case something happens that you have an idea how to fix this." 

It also gives you that idea for a business continuity plan that we are extremely reliable on some third-party systems. And if that were to go down, where are we going to be? I'm not going to mention the name here, but we all know the cyber attack that happened a couple of months ago. And hospital systems were down. People had no idea they had that much reliance on this system. And the reason why was because they'd never done that BIN BCP. Normal operations were completely disrupted. 

So your risk assessment, you've got that information, you do just a little bit step more with that assessment into a business impact analysis to a business continuity plan. A lot of times we'll do that work, and the idea was to take that then to do audits, but management will see this and be like, "This is more important than any audit you could have done." I had no idea we had this many areas that we're doing this work, that had this many KPIs. 

A lot of times what we'll get is, health systems started as one hospital. The last 15 years, it's almost no senior [inaudible 00:15:39]. And people realize, I had no idea that we had these three groups doing this. We could consolidate this into more one work unit. Or I had no idea this poor unit over here was doing all this work. I thought it was being supplemented over here. And these leaders, the CEO and the CO see this and that's gold to them. Before we even do an audit, just the information they have on how their process flows go is sometimes bigger than the work we can do in individual audit. 

So, that's a risk assessment. But then the business impact analysis, business continuity plan, part of it we're starting to see become extremely common. And the reason for that is COVID. COVID disrupted people, so they wanted to have a continuity plan on how to go forward. And recently in the last two or three months, or I guess it's been almost six months now, and the cyber attack happened, that put a lot of health systems and then [inaudible 00:16:28]. 

Tony Davis: 

Yeah. I think the cyberspace piece is- 

Cody Loup: 

It's huge. 

Tony Davis: 

... it's very scary for a lot of us. 

Cody Loup: 

Yes, it is. 

Tony Davis: 

I want to touch on a couple of things you hit on. I think that really for me, is a nice summary of maybe a place to start for folks. Is to talk about an assessment and sort what that would cover. And then give you as an organization, a game plan to look at where your strengths are, where your weaknesses are, and go forwards. 

A couple of things, and when I think about the clinical side a little bit is, you tend to have vendor management. We've sort of beat that a couple of times already. But that is a definite win. Anytime you can have someone come and look at your vendor management, whether it's your inventory, as you talked about, and the waste that goes on there, the overbuying or the shortage issues that you don't see coming, which is often an issue as well. And then the pricing part, which is very complicated, not only on the traditional supply side, medical, that sort of thing, but also on the PBM front as we get into that whole... That's a different podcast for a different day. 

But I think having someone with... putting some concerted time and eyeballs on your various GPOs that you might be part of, I think is a great place to go as well. So, I really would encourage folks listening to seek us out to see if there's a way we could assist on that front firstly. That might be a quick and easy way to handle or get started with some of the work that you guys are doing. 

The one I wanted to touch on a little bit there was internal controls from a financial perspective. So nerdy accountant, okay, talking to a nerdy accountant here, I get quite a few calls from clinics particularly saying, "We want to do an audit. We want to do a financial statement audit. We just haven't done one in a while. We just want to make sure that everything's in the right place." And for my assurance folks listening, I'm not bagging the audits, but I think oftentimes an internal control assessment or a greater prompt procedures engagement, which basically just follows the cash for example. Talk a little bit about those sorts of more maybe accessible, more easy to jump into engagements where you can give the groups, give the clinics, give the health system a comfort around segregation of duties. I'll use the F word, fraud, embezzlement, those sorts of things come up quite a bit. Maybe let's spend a few minutes on that. 

Cody Loup: 

Yeah, absolutely. So a lot of times when we see these audits, it's comfort of mine. The CFO, not that they think anything's wrong, but they just start saying, "We've done our external audit for 10 years. We haven't looked from our internal side. All the numbers check out, everything seems to balance, but are our controls there? Is it luck, right? Are our numbers right for luck or is it because our controls are good?" 

And oftentimes, what we'll see is segregation duties can be a little light in the hospital world because like I said, they started smaller. They've got unbelievable experts in their area, so they can do the work that five people would normally do, which is great from what you're spending on expense in your finance department. But from a segregation of duties, if one person is doing the job of five, we now know that leads to, they have forward fraud, potential fraud, I should say. The opportunity is there for fraud. 

So oftentimes when we'll do that, there'll be a lot of segregation of duties findings, just like, "Hey, we know you're light on people. But because of this, let's just divvy out the work to who you have in order just to make sure that the same people that in the accounts payable or in the AR don't have all those responsibilities. Or we can..." Yeah. 

Tony Davis: 

And there's eyeballs on it. 

Cody Loup: 

And there's eyeballs on it. And the big one we're seeing from a control environment right now from a financial statement that people want to look at, because there are some kind of big cases in the news in the last few years, is their foundations. Hospitals were huge on foundations. You're having millions, millions, hundreds of millions in some cases, come through the foundation. Oftentimes, that's completely handled outside of your normal finance department. 

So the external audit will come, and they'll look at the foundation a little bit to do their due diligence there. But overall, it's not really getting looked at nearly as much as the actual money coming into the hospital. And those people kind of in the foundation are kind of off on their own. Most of the time, they're on a different platform. So, they're using a foundation software just getting managed differently. 

So people say, "Okay, look, I do have good strong internal controls over our finance department. I've looked at it, I've documented. I haven't looked at the foundation at all. I haven't looked at where that a hundred millions are going. I haven't looked at our funds. Is our funds even accounted for correctly?" The same person that's taking in the fund cash is also dispersing the funds. Whoa. I see that all the time. And it's not fraud when I'm looking at it normally. But the fact that the same person that takes in a hundred thousand dollars has the responsibility to send that a hundred thousand dollars out, I mean, you see where I'm going there. I mean, the potential there is massive. And it's a great sum of money. 

So, I've done multiple foundation audits recently. I'm speaking actually on foundation audit in Oklahoma City on Wednesday for universities. But university foundations, hospital foundations, it's all the same type of accounting and processes. So, that's a big one. When we're talking about the financial control world. That's an easy way in as well because it's usually a pretty quick audit. It's a lot of money, but it's usually not a lot of steps to look at it. So, that's one that we've looked at often as well. 

Tony Davis: 

And I think folks listening, I would say if you haven't had some sort of internal control review audit assessment in recent times, I think it is worth the conversation. And you don't want to wait until it's too late or something happens. 

Cody Loup: 

And that's the thing, Tony. It's like your house has not been broken into, but you found out when your kid leaves for school, he's not locking the door. 

Tony Davis: 

Yeah. 

Cody Loup: 

Yeah. Your house hasn't been broken into, but if you keep on locking the door, leaving the door unlocked for long enough, that's the easiest way to teach someone to understand the internal controls. Well, nothing's going wrong yet. Yet, right? Yet, yet. If you don't have that process there to protect yourself, yet, is the word I like to use. 

Tony Davis: 

Yeah. Well said. Well, we've touched on a lot of the reasons why we think internal controls assessments and reviews and audits are important. On the operational side, certainly, clinically as well, and on the financial side, absolutely. So as we finish up today, Cody, maybe some thoughts about, we've touched on common challenges. I think resource limitation becomes kind of a big one for a lot of executives. And if there's any others you can think of, maybe a tip or two for the audience to think about. And then maybe finish up with sort of what you see trend-wise. Where we're at in this space as we wrap up the podcast today. 

Cody Loup: 

And I think that's the toughest part, is resources, right? Hospitals live in that margin of being in the red, right? 

Tony Davis: 

Yep. 

Cody Loup: 

So, hiring more people and just throwing people at the problem. Which is the easiest way to do it, is not maybe possible for a lot of the hospitals out there that we're going to be talking to. But the best way that they can manage it themselves is do an internal risk assessment themselves, if they can. Try to just figure out where your people see the risk. If we're not going to come in there and do it for you, maybe build it out as big as our BIA or BCP. You can still log internally what your risks are. Just talk to your people. That's the biggest thing I can say, is talk to them. Ask them, where is your concerns? What keeps you up at night in terms of where do you see in your area? Because oftentimes the COO or CO, they understand where the hospital's risk is, but that's so big picture, that's so out of the weeds. Get in the weeds every now and then with the people under you. Get in there and understand. 

I had no idea that potential drug diversion is such a concern for our nurses and the pain management clinic. Get in there and understand that. Understand that they feel like they don't have enough PIXIS machines to lock the controlled substances in. Take that concern down and then think, okay, well, we can get another PIXIS machine. It doesn't necessarily have to be people. Or we can give them security at night when they're in that area because they feel like their personal safety isn't great when they're closing up on a shift there. 

So just talking to the people, they're going to tell you what the problems are in your system. So, that's the number one thing I always tell management, if they can, if they feel light on resources, if they feel light on budget, talk. Just listen, listen to what your people are telling you. 

Tony Davis: 

Great advice. 

Cody Loup: 

That's where you're going to find your risks are. And more importantly, that's where you're going to find where your controls are weak. Because if they're not telling you it's a risk, it's not because it's not a risk, it's 'cause they have good controls in that area. Their risks are going to be the ones in the back of their head they know their controls are light. 

Tony Davis: 

Yeah. One thought on that is if you get pushback or if you get very defensive responses- 

Cody Loup: 

That's where controls are weak. 

Tony Davis: 

... you want to be listening in that sense. Right? I think that's a great point you make. Yeah, yeah. 

Cody Loup: 

You'll know when you touch a button. You'll know, you'll know. Know either they'll start talking a lot or they'll stop talking. That's kind of the two indicators. 

Tony Davis: 

Great little tip for everyone listening out there. And just finishing up on how you see the work you're doing going forwards. Obviously the environment we're living in today, there's a lot of talk around accountability and waste and those sorts of things. But it's also often case just a failure of internal controls, is really what's happening there. So, are there tools out there? Are there things that are just sort of evolving in the space that you're seeing as we finish up today? 

Cody Loup: 

Yeah, I'm not sure if there's been too much involvement in tools outside of just doing the work. I think that there's no hiding internal control work that you've got to do the work. There's no real shortness there. You've got to take time. There's no magical on. And unfortunately, from an insourcing perspective, there's a lot of times, not the time or the power. And that's why we're seeing so much internal control work outsourced now. People are starting to understand importance of it, but they understand they don't have the people to do it, but they say it can't wait anymore. 

Tony Davis: 

And I think [inaudible 00:26:49] case it's nice to have an outsider sometimes. 

Cody Loup: 

It is. And look, it's a third line of defense. So if you're going to do it in source, which is perfectly legal, you better make sure they have an independent reporting structure. And they feel like they're almost a whistleblower inside, if they need to be. So, that's why it's just a natural feeling sometimes to outsource it 'cause you know those people aren't going to be related to the people they may have [inaudible 00:27:09]. And from a healthcare perspective, there's never been more eyes on healthcare from the public. The public has in the last five years, obviously COVID kickstarted that, the public's eye is on healthcare. So, they're kind of scrutinizing it. And the media is going to follow where the public's concern is. So if you have a hiccup either from a cyber leak or you have a hiccup from billing or something like that, the news is going to be more than happy to report on that. 

Tony Davis: 

Yeah. And healthcare is so important to the community, so it is going to get on the radar very quickly. So, none of us want to be on the front page of the local news [inaudible 00:27:51]. 

Cody Loup: 

That's right. Yep, yep. I know a lot of my clients, I know the reporters names in the area. And in the meetings we say we just want to avoid X. That's our biggest concern, is avoiding X. And everyone knows who they are. And it's just true because your public perception as a healthcare provider is massive. Because when the public loses confidence in you, it's hard to get it back. 

Tony Davis: 

Well, I think on that note, I want to say thanks to Cody Loup today for his time. And I dare say, we'll get a chance to visit again and maybe deep dive into a few of these things. Cody is available, all his information is in the footnotes of our podcast here today. So I just wanted to, again, thank you, Cody, for your time and expertise. And I think you can add a lot of value to healthcare organizations. So, thanks again for today's talk. 

Cody Loup: 

Yep. Thank you, Tony. Thank you for having me. 

Tony Davis: 

Yeah, appreciate it. Well, thanks for listening for today's episode. You can find it in all the good podcast venues, Spotify, YouTube. So please hit us up, and like us and subscribe so you can get future content as well. So with that, thanks, Cody, and we'll catch you next time. 

Transcribed by Rev.com
