Internal audit key in gauging Affordable Care Act risks

With the regulatory requirements of the US Affordable Care Act taking effect, health care will likely be an area of increased focus for all companies’ internal audit departments in the coming year.

As awareness of multiple business risks confronting companies expands, there is a growing trend toward internal auditors directing their attention to areas beyond financial controls, according to results of the latest Pulse of the Profession survey by the Institute of Internal Auditors’ Audit Executive Center.

‘Any time you have a new major piece of legislation that translates into new regulatory requirements, that’s an opportunity for internal audit,’ says Richard Chambers, president and CEO of the Institute. ‘We see it as an opportunity for internal audit to get in and help assess overall adequacy of the way risks are assessed around this, the way controls are designed and implemented and overall compliance efforts within the company around conformity with the ACA.’

Chambers says the legislation is challenging internal audit to become a visionary, proactive function of an organization.

The IIA’s report, ‘Defining our role in a changing landscape,’ notes a potential expectation gap concerning internal audit's ability to help companies understand the risks associated with implementation of the Affordable Care Act and how prepared their organization is to minimize those risks. Twenty-two percent of respondents said they’re unsure whether the 2014 requirements of the law will affect their organization and 18 percent are uncertain of the impact on their internal audit department. Among those who note the Act would apply to their organization, 38 percent consider themselves not very knowledgeable of the Act.

Among those to whom the law applies, 17 percent said that their organization will probably minimize its risks by reducing or dropping health care benefits over the next one to three years. 

Operational audits account for the most prevalent kind of audit coverage for 2014 (27 percent), with compliance audits the second most likely (15 percent) to be seen, according to survey respondents. General financial, Sarbanes-Oxley and information technology audits each represent 11 percent of audit coverage. The survey results also show that compliance is among the top five risks for both the audit committee and the C-suite.

Respondents in general said they feel much better prepared for implementation of the COSO 2013 Internal Control Framework in the coming year. The revised guidelines by the Committee of Sponsoring Organizations of the Treadway Commission take into consideration the many changes in business and technology over the past 20 years and are expected to help companies establish more effective internal controls at lower costs.

The 17 principles in the updated framework place greater emphasis on individual competence and holding individuals accountable for their role in accomplishing the goals of internal controls. One key change recognizes the unique nature of fraud and says it must be gauged as part of internal controls and included in compliance and operations risk assessments in addition to assessments of financial statements.        

Resource levels for internal audit in 2014 are stabilizing near pre-recession levels, the report said. Budgets are expected to increase for 36 percent of respondents, while 54 percent of those polled expect their stated budgets to remain stable next year. Staff increases are projected by 25 percent of survey participants, with another 72 percent expecting staff levels to remain the same, and just 4 percent anticipating them to drop next year. That’s a more optimistic outlook than the forecast for this year, the report said.

‘The traditional view of internal audit as bean counters has been far eclipsed by the kind of risks it is being asked to look at,’ says Chambers. ‘Strategic and business risks are most important. No one is advocating internal audit should be second guessing strategic risks that a company is taking on, but should provide assurance that management itself has assessed these risks, communicated to the board and has a plan to manage these risks.’