What if Your Audit Findings Are Not Favorable?

By Joette Derricks, CPC, CHC, FACMPE, CSSGB
From Compliance Today, a publication for HCCA members

The word “audit,” in the broadest sense, refers to a variety of activities. It may refer to an accounting firm examining the financial statements of a public corporation, or a consultant conducting a medical chart review. Regardless of what activity is being examined, the audit is a systematic attempt to take a closer look at something (e.g., financial statements, a work process, customer service) for the purpose of evaluation and, ultimately, decision making.

The purpose of any audit is to provide useful information so improvements can be made to better the organization.[1] Unfortunately, many people still cast the audit process as auditors on one side and the people being audited on the opposite side. This immediately creates an adversarial relationship that is unproductive to the corporation. When implemented properly, an audit can be one of the most effective means for improvement. From financial institutions, to manufacturers, to hospitals, auditing is an important management, compliance, and quality tool.

Findings
In general, there must be a basis (i.e., specific requirements) for an audit and a systematic method for gathering facts or evidence. An auditor compares the evidence with the requirements and comes up with observations, which can be either positive or negative. The auditor analyzes his/her observations for patterns (also called findings) in order to draw conclusions. The auditor then presents the observations, findings, and conclusions in a report.[2]

Regardless of the industry, the product, or the process, there will be findings. No matter how much preparation and monitoring you do, and how many systems are in place, the fact is, no system or process is perfect. Along with findings, conclusions, and recommendations, there will be emotions. No one, individually or collectively, in an organization wants to hear that he/she has deficiencies or non-conforming processes in place. As hard as it is, try not to take the findings personally. The best approach is to embrace the audit findings and recommendations, and move immediately to corrective action planning. This positive approach does not mean that you embrace each finding and implement a change without due consideration to costs, reportable conditions, or even a realization that the audit team may not have been provided with all the supporting documentation before they reached their conclusions.

Regrettably, when emotions are particularly high and are taken personally, the response to the audit can take a negative twist. In the worst case, there is an attack mentality where the focus is not on the underlying problems, but on discrediting the audit. Often, the attack will be to challenge the methodology, the sample size, or the auditors’ expertise or independence. At times, the process descends into nitpicking details like a mislabeled citation (that is appropriate—but may have been a mere typo). There will be times when these items should be appropriately challenged. However, they should not be employed as a slurring tactic when the audit findings are on point.

In today’s world of heightened scrutiny by governmental regulators, many organizations, including hospitals, view an external audit report as a compliance risk. With emotions running high, the organization often seeks outside legal advice on how to proceed. Most attorneys will review the reason and scope of the audit. If the audit reason, scope, and findings have identified valid underlying problems and the organization was aware of the audit, provided the necessary documentation for the audit to proceed, and actively participated in the audit process, the best approach is to address those problems, rather than plan an all-out attack to try to invalidate them.[3]

Corrective action plans
Generally, counsel will assist in preparing corrective action plans that address all findings, questionable costs, reportable conditions, and material weaknesses cited in the audit report and other recommendations. If these plans are to be approved by the governing board, legal counsel may attend to respond to their questions. Often, the written corrective action plans are appended to the audit report, which provides a better understanding of the organization rather than leaving open the question of how the organization will respond. Following the time required to fully address the findings and implement the appropriate change processes, a follow-up audit may be warranted. The principle goal of the follow-up audit is to support the corporate effort to take corrective action that will result in no repeated findings from the prior report.

There are situations where, either due to out-of-control emotional reactions or (dare we say) bad advice, a different approach is adopted by the organization. Sometimes the organization decides to conduct a re-audit of the original material with the goal that the deficiencies identified will magically go away, based on another auditor’s review. If the initial audit was conducted in an appropriate manner, this wishful thinking may actually backfire and result instead in confirmation of a reportable condition. The liability to disclose and make restitution in a timely manner may fall back to when the corporation or hospital received the first audit report, when it became a known event, rather than from the date of the subsequent verification audit.[4]

Best practices
The best approach is to treat all audits as if the auditor is well versed in the regulations. It is best not to challenge the auditor’s understandings of the regulations during the audit process, including the delivery of the report. If challenges are warranted, then those challenges must be made in writing during the audit report’s resolution responses. If documents were missed, produce them and feel confident of your company’s ability to meet and exceed not only the audit requirements, but the regulatory requirements as well. However, if in fact there are deficiencies in meeting regulatory compliance, any attempt to attack the audit findings will only support that the organization is hiding from the real issues.

What should you do when the audit findings are not favorable?

1. Accept that no one or no organization is perfect.
2. When an audit is conducted, there will be findings.
3. Be positive.
4. Keep the emotions under control.
5. Keep the nitpicking comments off the table.
6. Look at the findings and conclusions honestly.
7. Consider outside legal advice to assist in addressing the deficiencies, not in discrediting the audit. Do consider challenging the findings when there are issues that warrant a challenge, not when the parties involved are merely angry at being cited for genuine regulatory findings.
8. Write a corrective action plan and implement it promptly.
9. Conduct a follow-up audit three to six months later to confirm that the deficiencies have been addressed.
10. Lastly, thank the auditors for their work.

Joette Derricks (jpderricks@gmail.com) is President of Derricks Consulting, LLC in Hunt Valley, MD.

[clickToTweet tweet=”What if Your Audit Findings Are Not Favorable? @theHCCA” quote=”What if Your Audit Findings Are Not Favorable?” theme=”style3″]

[1] For a definition of auditing, see http://www.praxiom.com/iso-19011-definitions.htm
[2] Preparing for a Computer Systems & 21 CFR Part 11 Audit. Available at http://www.auditing.com/PreparingfortheAudit.htm
[3] National Council of Nonprofits: “Step 3: After the Audit” Available at https://www.councilofnonprofits.org/nonprofit-audit-guide/after-the-audit
[4] United States ex. Rel. Kane v. Continuum Health Partners. Southern District of New York, August 3, 2015. Available at http://www.fcaupdate.com/tag/united-states-of-america-ex-rel-kane-v-continuum-health-partners-inc/