Approaches to the organization of the internal audit function in a medical organization can be classical, focused on the International Framework for the Professional Practice of Internal Auditing, developed by the Institute of Internal Auditors.
This organization of control activity is based on the concept of Three Lines of Defense.

Internal audit of a medical organization

The control environment of a medical organization can be characterized as intensive. The main bodies controlling the activity of medical organizations are the State Service on Surveillance in Healthcare and the State Service on Surveillance in Consumer and Human Rights Protection, which improve their methods of work, in particular by introducing a risk-oriented approach to planning inspections and standard checklists for conducting them. The main topics of these services’ inspections are the quality of medical care, the safety of the use of medical devices and medicines, compliance with sanitary and epidemiological norms, and the observance of patients’ rights in the treatment facility. Along with public services, private services also audit and monitor compliance with the legal requirements for primary and ancillary medical activities.

First and second line of defense control activities

The first and second lines of defense conduct systematic, coordinated work to ensure the safety of patient care, including regular inspections and internal audits. One example of first-line-of-defense monitoring activities is conducting “short” cross-audits using structured checklists and internal company resources. Senior medical staff of district outpatient departments, after receiving training that includes audit methodology and ethics issues, check other district departments on narrow topics such as medical waste management, cold chain, vaccination, organization of storage of medication corrective actions of the medical organization for subsequent monitoring of their implementation.

Depending on the number and risk level of findings during internal audits, units are assigned a risk rating, which affects the frequency of internal audits the following year. The practical benefit of cross-audits is not only in identifying and correcting discrepancies, but also in developing nursing staff and building a talent pool to support the development needs of the company.

An example of second-line-of-defense control activities could be the quality control of medical care by medical examiners of medical referrals using a checklist and ballot assessment. The results of this work are the improvement of protocols and internal algorithms of medical care, the improvement of the medical information system, the development of individual recommendations for the medical staff of the training plan. Inspections using structured checklists can also be conducted by the quality department, epidemiological service, and operation service. Their results lead to the immediate correction of minor deficiencies and the development of a plan of corrective measures for inconsistencies, and the findings can be used to improve the program for the quality and safety of medical care.

Scheduling Internal Audit Activities

Annual planning of internal audit activities is based on strategic goals. The goal of internal audit is to provide assurance to the board of directors on all material risks, for which internal audit coordinates with the units that have control functions, the first and second lines of defense. For this purpose it is proposed to develop a “Guarantee Scheme”, which is a list of basic and auxiliary medical and non-medical processes in all business units of the company, including new projects and initiatives, with a rating assigned to each of them. The rating is based on the criteria of importance, complexity, degree of change and maturity of the control environment, as well as business process risks. Business processes with the highest rating are included in the annual plan of the Internal Audit Department, while those with medium and low ratings are included in the second and first line of defense control plans.

Specific risks of a medical organization

A medical organization, like any other, is subject to strategic, financial, and compliance risks.

There are no minor details in medicine, and even simple, minimally invasive procedures, such as drawing blood from a vein for laboratory diagnosis, giving an intramuscular injection, or administering a vaccine, can be associated with a number of risks to the patient, such as misidentification of the patient, violation of the preanalytical stage of the laboratory study, or post-vaccination complications. For example, a nurse carried out another patient’s prescription due to an identification error; the patient was not warned about preparing for the blood draw and ate a hearty breakfast instead of fasting and drinking water, so the test results are unreliable and there is a risk of misdiagnosis; the vaccine was delivered to the healthcare facility with a violation of temperature control.

In a large territorially distributed medical organization with several clinics and a branch network, providing primary, specialized and high-tech medical care in outpatient and inpatient settings, there is a risk of loss of continuity between specialists and of distortions in the transfer of information from one specialist to another. With the development of informatization there is an increased focus on the risks to the reliability and availability of medical information systems. For example, if for some reason there is no access to electronic medical records, this can be critical for a patient in the postoperative period.

Risks associated with infrastructure and facility operations are given as much attention as clinical or infection risks. An elevator stopping for 15 minutes is an unpleasant incident in an office or residential building, but in a healthcare facility such a stop can be critical if, for example, a woman in labor is in the elevator.

Features of internal auditing in a medical organization

The main focus of internal auditing is the interests and safety of patients, including compliance with the requirements for the protection of patients’ personal data, including medical confidentiality. Particular attention is paid to compliance with regulatory requirements and applicable standards of care. However, due to the complexity and uniqueness of the human body, justified deviations from medical standards and variations in the application of clinical guidelines are possible, and the internal auditor must be prepared for this.

The healthcare industry has entered an era of digital transformation: a law and bylaws regulating telemedicine have been adopted, a Unified State Health Information System is being formed, and artificial intelligence, robotics, decision support systems for doctors, predictive analytics, etc. are being introduced into medicine. To respond to today’s challenges, internal audit must acquire competencies in IT auditing, the application of analytics, and the implementation of continuous audits and embedded controls.

That said, as long as people continue to treat people, the key to internal audit’s success is advanced communication skills: the ability to listen and ask open-ended questions using “doctor language” or “patient language,” to maintain ongoing communication and build relationships with department and function leaders.

The increasing speed of change in healthcare necessitates approaches such as Agile-format project management in internal audit. One possible type of internal audit is a comprehensive audit by a multifunctional team, with employees from other departments involved as experts. Such audits make it possible to quickly obtain systematic information about the state of affairs in the division and a snapshot of its strengths and weaknesses, and to develop comprehensive recommendations for the development and improvement of the unit.

Benchmarking is an effective tool for internal audit of a medical organization. The use of this tool facilitates the exchange of specialists’ experience and dissemination of best practices.

Let’s do an internal audit

To summarize, I suggest we do an internal audit using elements of the individual patient tracer methodology applied by JCI (Joint Commission International), which deals with the accreditation of medical organizations. Suppose patient “X”, with symptoms of pneumonia and a history of heart failure, goes to a therapist for an outpatient appointment, as a result of which he is admitted to a therapeutic hospital, treated as an inpatient, and discharged for further rehabilitation in outpatient conditions.

Patient identification

At least two identifiers must be used for identification. For example, last name, first name, patronymic and date of birth. Identification is made at the time of the appointment, at the beginning of the appointment, before invasive and other procedures are performed, and before medications are dispensed to the patient. It is prohibited to use only one identifier or to use only the patient’s last name and room number as identifiers, due to the risk that there are complete namesakes among the patients of the medical organization, or that namesakes from neighboring rooms have been moved to other rooms.

Condition Assessment/Patient Reassessment/Pain Management

When a patient is admitted to the hospital, an assessment of the patient’s condition is made. Based on the condition assessment, the emergency room physician should prioritize the patient for admission. Based on the results of diagnostic tests, the condition should be reevaluated and the treatment plan revised. Attention should be given to the patient’s pain syndrome, and based on the results of the assessment using a standardized scale, appropriate therapy should be prescribed. During hospitalization, the patient’s risk of falling is assessed, and steps are taken to reduce it.

Interaction of Specialists/Continuity

When laboratory results are obtained that indicate a patient has a life-threatening condition, there is a legal obligation to inform the treating physician and/or patient. When conducting internal audits, it is important to ensure that such a patient is not only informed, but also hospitalized in a timely manner. When transferring information between the outpatient clinic -> inpatient clinic -> outpatient clinic, all necessary medical records must be made in the patient’s electronic card.
When referring a patient for diagnostic examinations (e.g. a scan), the attending physician must make a corresponding note of the purpose of the upcoming examination.

Medication Provision

Medication management must be systematic and focus on proper storage and safe use.

Increased adherence to physician orders/Family Involvement

Patients should be familiarized with the treatment plan, trained in procedures and medication administration during both outpatient and inpatient stays. During the inpatient stay, it is the responsibility of the medical staff of the institution to supervise the implementation of prescriptions, but it is difficult to overestimate the role of the family in increasing adherence to the physician’s recommendations. For example, relatives living alone may overestimate an older person’s capabilities after surgery. Therefore, training in the use of assistive devices after trauma surgery is advisable for both the elderly patient and their relatives.