While the mission statements of internal audit and corporate compliance functions are similar — focused on operational integrity, efficiency, and effectiveness — organizational structures often put them in separate worlds. In most organizations, the two departments have separate leadership, perform separate risk assessments, develop separate audit and monitoring plans, individually identify and investigate issues and concerns, and recommend appropriate solutions. Rarely does one know what the other is doing. It is unfortunate, because organizations can leverage the work of these two departments, so that working together they can bring value that is greater than the sum of the separate parts.
Twelve years ago, Cleveland Clinic's senior management and the audit committee decided to leverage the work of the offices of Internal Audit and Corporate Compliance by putting them under one umbrella, and calling it the Integrity Office. As the chief audit executive (CAE), I was promoted to a new C-suite position called chief integrity officer to lead the office, and continued to report directly to the audit committee.
Structuring the Office
The first organizational decision was whether to combine the two departments into one staff, or keep them as separate departments under one overall leader. Though their mission statements were similar, there was a key difference in their interpretation and application of the word independent. Consistent with the U.S. Federal Sentencing Guidelines, formal guidance issued by the Office of the Inspector General at the U.S. Department of Health and Human Services (DHHS), and requirements imposed in numerous corporate integrity agreements, corporate compliance must maintain an independent reporting structure to the governing body of the organization. It also must maintain independence and objectivity in all aspects of the organization's compliance and ethics programs. That said, the program cannot effectively be administered or maintained without at least some degree of coordination and collaboration with operational areas. For example, corporate compliance often participates in the development of policies and procedures, internal controls, and systems to mitigate risks. Independence is likewise a necessity for internal audit, but in a different way. The work of internal audit is much more defined than that of corporate compliance and must conform to stringent professional standards of independence. Internal audit must demonstrate independence of mind as well as appearance. Considering that independence and objectivity are core tenets of both professions, we felt it was necessary to preserve a certain degree of independence between them. We accomplished this by organizing them as separate departments within the Integrity Office.
Independence From General Counsel
In many organizations, the compliance function reports to the office of general counsel. Board of directors guidance from the DHHS Office of Inspector General has provided that the compliance officer should not be the general counsel, or subordinate to that position. Corporate compliance independence from the legal department is critical, and the integrity office model provides that independence. Also, while many companies view the compliance department as a legal function, compliance programs should be focused on implementing regulations in the organization's operations and preventing noncompliance, or aiding early identification of issues. Therefore, having a compliance staff that understands the organization's operations and how the regulations can be implemented is most effective.
Just as the missions of internal audit and corporate compliance are similar, so are the skills necessary for their work. Internal auditors need to understand an organization's operations to audit its processes effectively. Due to the complexity of an academic medical center's varied operations, Cleveland Clinic's internal audit staff consists of professionals with different backgrounds in finance, billing, coding, nursing, medical research, IT, and forensics. Similarly, the corporate compliance staff includes professionals with experience in nursing, billing, coding, medical research, and law. Both staffs need excellent investigation skills, and the diversity of professional experience provides a depth of knowledge necessary to audit across the risk population effectively and make appropriate recommendations. A major difference is that while both staffs can identify and report issues and make recommendations, corporate compliance also can be involved in the issue remediation process. Internal audit can subsequently complete a follow-up audit to determine if the recommendations were implemented correctly.
Risk Assessment Benefits
Cleveland Clinic is a complex, $8 billion academic medical center, with multistate regional hospitals and international operations. Like many organizations, it has an enterprise risk management (ERM) process that is focused on monitoring significant risks to the organization and what we are doing to address or mitigate those risks. While ERM focuses on the major enterprise risks, internal audit and corporate compliance have to focus on the related sub-risks at ground level.
Internal audit completes an extensive annual risk assessment as the basis of developing its annual audit plan. The risk assessment is a three-pronged process. First, it incorporates input from approximately 100 interviews each year from people throughout the enterprise. In addition to interviews of senior management and board members, we include mid-level managers, administrators, doctors, and nurses. Internal audit learns a lot about the risks they perceive, which can differ depending on their operation. This information is critical to our risk assessment, and we probably would not be aware of many of these perceived risks if we did not listen to such a broad group of people.
Second, we evaluate whether we may be affected by national health-care issues or concerns currently impacting other organizations. We frequently read or hear about significant issues at peer organizations, and we want to determine if we may have the same exposures. Evaluating the issues during this process helps mitigate the exposure by either determining that it is not an issue for us, or that we have identified it and will resolve it in a more timely manner.
The third part of our risk assessment process is evaluating known risks from prior years. Have they been adequately resolved? Is a follow-up audit warranted? All three parts of the risk assessment process are important to capture and understand the risk population.
One element of an effective compliance program is the auditing and monitoring of compliance risks. Corporate compliance functions also have to perform a risk assessment to determine the risks to be included in their audit and monitoring programs. Risk assessments are much more effective when internal audit and compliance staff can work together to determine the risk population, evaluate the level of risk, and decide which risks are to be audited and monitored. It is more effective to have the minds of both departments involved in evaluating risks. It is also more efficient, as it eliminates the duplicate steps of both departments auditing the same areas or processes, and it prevents certain risks from falling through the cracks and not being audited at all. Management also appreciates when employees are interviewed once during the assessment process instead of internal audit interviewing employees the week after corporate compliance asked them the same questions.
A significant part of any U.S.-based health-care organization's compliance program is complying with the U.S. Health Insurance Portability and Accountability Act (HIPAA). HIPAA security regulations require an organization to have a current assessment of information security risks. At Cleveland Clinic, the chief information security officer reports functionally to the chief information officer, but also has an indirect, or dotted line, reporting relationship to the chief integrity officer. This reporting line gives the chief integrity officer the ability to effectively monitor information security control activities, and gives internal audit and corporate compliance the opportunity to make recommendations on information security risks.
While our formal risk assessment process happens annually, the benefits of internal audit and corporate compliance being under the same umbrella are reaped throughout the year. The findings from one of the department's activities may result in a change in plans for the other department. While internal audit and corporate compliance are separate departments, their offices are on the same floor and they can easily talk with each other about questions or concerns.
We continue to have separate monthly department staff meetings. Because I am familiar with the activities and results in both departments, my attendance at both staff meetings provides the opportunity for immediate transfer of helpful information during discussions. There also is a better understanding of and appreciation for the work performed by members of the other department.
Our internal audit staff has a forensic audit group that is charged with looking for financial, privacy, and information security-related anomalies. They also use their talents to provide corporate compliance support during complex compliance investigations. Our IT audit staff and operations audit staff provide support to compliance investigations when their talents are required to add value.
That support goes in both directions. Our compliance staff members consist of professionals from many disciplines, so they can provide internal audit with invaluable objective insight into areas being audited. Having everyone under the same organizational umbrella also eliminates resource politics. As the chief integrity officer, I can decide the best use of resources and not have to work through another executive's agenda. This is a significant benefit for both departments.
The Three Lines of Defense model of internal controls puts corporate compliance in the second line of defense, and internal audit in the third line of defense. The main concern with putting corporate compliance and internal audit under common independent leadership is that internal audit cannot then independently audit the compliance function activities. If internal audit cannot independently audit compliance under one umbrella, then it is an internal audit performance issue rather than an inherent limitation with the structure. In addition to the internal reports we provide management and the audit committee, our external auditors review our compliance activities and results. They attend every audit committee meeting, and the audit committee asks for their opinions about the internal audit and corporate compliance functions during multiple executive sessions throughout the year. If our compliance function were underperforming compared to our peers, our external auditors would inform the audit committee.
Apart from that, management and the board receive other third-party evidence that would reveal whether internal audit is not being above board in its assessment of compliance activities. For example, as a health-care provider to Medicare Advantage programs, insurance plans that provide supplemental coverage to people with government-provided Medicare coverage, our compliance program is subject to annual audits by the Medicare Advantage insurance companies. Numerous insurance companies have completed detailed audits of our compliance program, requiring documentation and audit testing support for compliance program requirements. Each of the external auditors issued audit reports showing no findings or recommendations. These reports are provided to senior management and the audit committee as independent third-party support.
We also have a senior-level enterprisewide corporate compliance committee, chaired by a physician leader. The committee meets twice a month to review compliance program activities and results. The organization's ERM program also has identified regulatory compliance as an area of risk. Compliance risks and current mitigation activities are under the oversight of our ERM Steering Committee. The corporate compliance function has to demonstrate to the steering committee how the organization is addressing and mitigating these risks.
Management and the board also may request to have an external peer review of the compliance program performed. Similar to the process included in The IIA's International Standards for the Professional Practice of Internal Auditing, an external peer review of the compliance program would provide an independent evaluation of compliance program effectiveness.
Umbrella of Benefits
The integrity office model was not a common organizational structure at the time Cleveland Clinic implemented it 12 years ago. Given the success we have experienced and benefits we have realized from having internal audit and corporate compliance under the leadership of an integrity office umbrella, it is easy to see why an increasing number of health-care entities have subsequently adopted it.
In addition to the internal benefits realized, we are pleased that our integrity office model has been an integral part of Cleveland Clinic being recognized as one of the World's Most Ethical Companies by Ethisphere for eight years. It is a recognition that the organization is proud to have received and maintained.