• E-mail
• Print
• RSS

Tip: Follow these ten steps to identify vulnerabilities before a risk-based audit

Healthcare Auditing Weekly, February 10, 2009

1. Determine the objective by identifying what management wants or should want accomplished (e.g., Objective: The capture and entry of surgery charges is complete and accurate).
2. Identify risks. There are two ways to identify risks:
   1. State the negative of your objective
   2. List what could go wrong during the process
3. Assess inherent risks based on criteria that are meaningful to your organization and/or to the category of objective. Criteria could include significance and likelihood, volume/materiality, and complexity.
4. Identify optimal controls you think should be in place. This step, which is usually only done for high risks, provides a basis for evaluating the adequacy of actual control design.
5. Identify actual controls that are in place by process walk-throughs, department observations, internal control questionnaires, and employee interviews.
6. Perform a gap analysis of the controls for high-risk areas. When you compare the optimal controls with the controls already in place, consider whether the existing controls are doing their job—even if they differ from your suggestions.
7. Test key controls to determine whether they work as intended. You don’t have to test every control—just the ones on which the department relies to mitigate the risk.
8. Record your test results, and determine whether controls are working as intended and are effective.
9. Work with the department through the process to provide education, get information, and share identified risks, controls, test results, and evaluations.
10. Present your organizations management with an executive summary that describes the objective and scope of the audit and summarizes control issues and action plans.

• E-mail to a Colleague
• Print
• RSS
• Archive