Best Practices in Healthcare Finance and Accounting
By Caitlin Prete, Manager, Assurance Services
In the healthcare industry, there are a multitude of best practices with respect to the day-to-day operations performed by the nursing staff, doctors, finance department, and management of healthcare facilities. No matter the role, there is no such thing as too high of quality when it comes to ensuring patients receive the appropriate care. From the audit perspective, best practices include proper checks and balances performed by not only the finance department but also employees working with confidential patient information. If steps are taken to implement appropriately designed internal controls from the start, the risks of potential negative findings from an audit will be reduced. Here are a few ways organizations can prepare for an audit:
Internal Audit (Review of Information)
This could be performed in various ways depending on the size and complexity of the organization. See below for a few examples:
- Engage an internal audit team to perform quarterly checks. The internal audit team can feature professionals hired internally or externally. The internal audit team should perform testing to ensure management is following controls designed and implemented by the organization, as well as testing balances for accuracy.
- Ensure there are proper checks and balances being performed routinely, ideally on a monthly basis. These checks can include testing to ensure the internal financial statements prepared by one staff member are reviewed by another, with a final review by management or governance. Documenting such review ensures that controls are followed by management. For example, monthly internal financials should contain a preparer and reviewer signature, and the date of each action. Note that this process can also be implemented for reconciliations imperative to the operations.
- Management review of Service Organization Controls (SOC) reports. Many healthcare facilities utilize service organizations to host data for patient activity, including Electronic Health Records (EHR) and Electronic Medical Records (EMR). In using these service organizations, management relies on the service organizations to follow the controls in place on their end in order to guarantee that confidential data remains secure. It is vital that management reviews relevant SOC reports so they are aware of internal controls and can assess whether or not the controls are properly implemented.
- Review of user access controls on relevant financial reporting systems including the general ledger system, the EHR/EMR system, and security systems. Only personnel qualified to use these systems should have access to them for the purpose of conducting reviews. Providing access to unqualified personnel can lead to management override of controls, misappropriation of assets, or misrepresented financial statements.
In addition, a couple other best practices contribute to a smooth audit experience follow:
Our job as auditors is to help organizations confirm that they are in line with Generally Accepted Accounting Principles (GAAP), as well as any other regulatory requirements, and to ensure to the best of our knowledge that there is no fraud occurring within the organization. See below for a few helpful tips:
- If there are matters that arise prior to the audit, communicate with your auditors to ensure that they are aware of the situation and can help you address the matter. Even if the matter does not seem significant, it is a best practice to communicate so the auditors can determine how best to proceed with testing. If any matters arise during the audit, communicate with your auditors as soon as feasible to not interfere with any deadline dates.
- If timelines change due to staffing constraints, changes in regulatory due dates, etc., communicate with your auditors so expectations can be established on both ends to enable a smooth audit process.
Choose the Setting that Works Best for You
COVID-19 has significantly changed corporate America and the way it operates. As a result, there are various ways that audits can be performed to work best for both the client and audit team. Communication and flexibility are key to establishing a successful relationship:
- On-site. If it is feasible, on-site options for the audit team can help move the process along more quickly. This provides the audit team with the opportunity to have face-to-face discussions in real time. If the client team has the availability to work with the audit team during an on-site period, this method can provide many benefits to ensuring a successful audit.
- Fully Remote. This option allows for flexibility in case there are changes to timing. In addition, if the client themselves have alternative work arrangements where key personnel are hybrid/fully remote and may not be in an office setting but are very responsive to emails/phone calls and audit requests, this could be the best option for both the client and audit team.
- Hybrid. A mix of the two scenarios above can offer the best of both worlds.
Our goal as auditors is to meet client expectations. Working together and following best practices can help to provide a great experience for both parties involved.