2. City Hospital
• City Hospital is a leading healthcare services provider in India. It is one of the largest healthcare organisations in the country, with 6 healthcare facilities, 2000 operational beds and over 50 diagnostic centers.
• Core Facilities – Orthopaedics, Neurology, Cardiac Services, Urology, Oncology, Liver Transplant, and Bone Marrow Transplant.
• Operations management includes overseeing the day-to-day practices. These practices are typically broken down into three components: administrative, financial, and legal.
• Administrative tasks include keeping detailed records of medical and office supplies, scheduling employees, responding to questions from staff and customers, and updating patient records.
• Financial responsibilities involve managing claims, medical billing, revenue cycle management, and value-based reimbursement.
• Legal practices revolve around compliance and credentialing.
ARDK Associates 2
3. Objectives & Scope
The objectives of the review were as follows:
• Determine if crucial financial and operational controls exist and are operating effectively.
• Assess the operating efficiency of the process.
• Compare the hospital’s practices to “best practices,” including performance measures.
• Assess compliance with applicable corporate policies and procedures.
• Identify opportunities for internal control and process improvements.
The scope of this audit included a review of the hospital’s financial and business processes, focusing on the following areas:
• Surgery scheduling and pre-registration
• Invoice receipt and approval process
• Payment prioritization and processing
• Insurance claim verification process
• Inventory management
• Vendor management and maintenance of equipment and devices
• Information controls and data privacy
• Medical waste handling
4. Summary of Procedures Performed
• Key management and hospital personnel were interviewed.
• Walkthroughs were performed for existing and newly created business processes.
• Existing documentation of relevant policies and procedures was reviewed.
• An understanding of procedures and internal controls was obtained.
• The effectiveness and efficiency of business processes and the adequacy of information technology general controls were evaluated against best practices.
• Data privacy and security were assessed.
• Observations and management action plans were summarized.
5. Executive Summary
At the request of the Chairman and Managing Director of City Hospital, the internal audit team conducted a review of the financial and business processes (Jan 2021 to Jan 2022).
Overall, the control environment needed improvement. At the time of our review, hospital management had identified weaknesses in controls and had begun to implement plans to improve the control environment as well as the efficiency and business effectiveness of the process. These plans are summarized on pages 7-11.
On the following pages, a summary of potential opportunities for enhancements noted during this review has been compiled. Each opportunity has been prioritized based on its impact on City Hospital.
6. Key Risks Identified
Risk assessed: The risk assessment was focused on critical processes leading to inefficiencies and loss of revenue.

# | Risk Area | Risk Profile
--|-----------|-------------
1 | Unauthorized access to protected data | High
2 | Poor inventory control | High
3 | Irregular functioning of the insurance eligibility software that confirms patient insurance coverage | High
4 | Insurance pre-certification is not consistently performed for high-insurance claims for scheduled outpatient procedures and surgical cases | Medium
5 | Policies and procedures not updated in a timely manner | Low
6 | Inadequate and ineffective maintenance of medical devices and equipment | High
7 | Surgical scheduling and pre-registration get cancelled after patient admission | Low
8 | Inadequate training and upgrading of knowledge and control awareness | Low
9 | Poor waste disposal | Medium
Finding 1: The insurance eligibility software was not always available to confirm patient insurance coverage. (Operating effectiveness)

Observations
The insurance eligibility software, JADU, was not functioning properly to confirm patient insurance coverage. During this review, City Hospital observed that JADU was unavailable in the ERP system at the outpatient admitting booths. JADU is configured to recognize whether the patient is eligible for insurance coverage, including cashless insurance; when it is unavailable, insurance verification is not performed. JADU is also interfaced with the Meditech system used for patient care documentation and billing. City Hospital also reviewed the denial report maintained by the department from January through March 2022. The denial report did indicate significant insurance denials related to insurance eligibility. However, City Hospital noted that 57% of the denials pertained to HMO insurance carriers that require a physician authorization prior to treatment.

Risk
• Inaccurate insurance information leads to denial of insurance coverage, due to which the hospital will lose the patient and the patient will not be able to get insurance coverage even though he was eligible during the registration and admitting process.
• Insurance denials may result when insurance verification is not performed.

Recommendation
• The insurance eligibility software, JADU, should be available 24x7 with the latest upgrade. In the event the JADU upgrade does not improve the software’s availability, another insurance eligibility method will be determined.
• The PAS staff will be trained on the insurance carriers which require a physician’s authorization prior to treatment.
• Surgical cases will be pre-registered for all scheduled procedures at least seven days prior to the surgery date. Insurance eligibility will be performed during the pre-registration process.

Priority level: High
Finding 2: Inefficient Inventory Management

Observations
The Hospital does not have adequate inventory controls over expensive medical devices. Our observation and testing noted the following:
• Access to the stock room and pharmacy is not restricted to specific employees.
• No biometrics are used, and cameras are not installed at critical locations to observe the activities.
• Third-party vendors deliver orders directly to storerooms.
• Medicines and devices issued from the stockroom are manually recorded. The records are not posted onto the inventory software the same day.
• Segregation of duties does not exist, as the stockroom issuer and the data entry operator are the same person.
• Inventory is not reconciled, and physical verification is not carried out periodically.

Risk
• Unauthorized access to the critical areas
• Inaccurate inventory data processed in real time
• Loss of costly medical devices or medicines
• Purchase of stock at higher cost
• Conflict of duties
• Loss of revenue
• Lacklustre profit margins and elevated overhead expenses

Recommendation
• Segregation of duties between the critical roles is maintained.
• Access to the storeroom is monitored. Issuance is authorized and approved.
• Activities are logged, and logs are secured and cannot be modified.
• Ensure that the person who records an issuance on the inventory software is different from the person who issues the devices/equipment. A review of all stock issuance is periodically performed.
• The policy is developed and approved. Adherence to the policy and all issuance is approved and authorized.

Priority level: High
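The periodic review of stock issuance recommended above, written as an added example (not City Hospital's or ARDK Associates' code) over constructed issuance records: it flags records where the issuer and the data entry operator are the same person, and records not posted to the inventory software on the day of issue. Field names, staff names and exception codes are assumptions.

```python
from datetime import date

# Constructed sample stock-issuance records; field names and staff names
# are assumptions, not taken from City Hospital's inventory software.
ISSUANCES = [
    {"id": "ISS-001", "item": "Infusion pump", "issued_by": "anita",
     "posted_by": "ravi", "issued_on": "2022-02-01", "posted_on": "2022-02-01"},
    {"id": "ISS-002", "item": "Stent kit", "issued_by": "ravi",
     "posted_by": "ravi", "issued_on": "2022-02-01", "posted_on": "2022-02-03"},
    {"id": "ISS-003", "item": "Insulin vial", "issued_by": "sunil",
     "posted_by": "anita", "issued_on": "2022-02-02", "posted_on": "2022-02-02"},
    {"id": "ISS-004", "item": "Pacemaker", "issued_by": "anita",
     "posted_by": "sunil", "issued_on": "2022-02-02", "posted_on": None},
]


def review_issuances(records):
    """Return one exception tuple (record id, code, detail) per control gap."""
    exceptions = []
    for rec in records:
        # Segregation of duties: the issuer must not post their own record.
        if rec["issued_by"] == rec["posted_by"]:
            exceptions.append((rec["id"], "SOD_VIOLATION", rec["issued_by"]))
        # Same-day posting: the manual record must reach the software on the day of issue.
        if rec["posted_on"] is None:
            exceptions.append((rec["id"], "NOT_POSTED", "no posting date"))
        else:
            lag = (date.fromisoformat(rec["posted_on"])
                   - date.fromisoformat(rec["issued_on"])).days
            if lag > 0:
                exceptions.append((rec["id"], "LATE_POSTING", f"{lag} day(s) late"))
    return exceptions


def summarise(exceptions):
    """Count exceptions per code for the periodic review report."""
    counts = {}
    for _, code, _ in exceptions:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_issuances(ISSUANCES)
    for rec_id, code, detail in found:
        print(f"{rec_id}: {code} ({detail})")
    print(summarise(found))
```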
Finding 3: Irregular and Ineffective Maintenance of Medical Equipment and Devices

Observations
Our observations in this regard are as follows:
• Preventive maintenance for 30% of the equipment we sighted was not done on time, and yet the un-serviced equipment remained available for use.
• Responsibility is dispersed across health service staff, biomedical engineers, operations managers and heads of clinical service areas. This reduces accountability and efficiency.
• Machines are handled by 15 employees, of which only 5 have received proper direct training from the machine manufacturers.
• The same medical equipment has been rushed to different operation theatres. During transition, no specific care is taken.

Risk
• Possibility of machine failure, risking the life of the patient
• Low life span of costly medical instruments
• Unauthorized use of machines by untrained individuals

Recommendation
• Keep to good maintenance and monitoring schedules that ensure equipment remains in good condition.
• Asset management strategies or plans for addressing gaps between replacement needs and available funding.
• Clear allocation of duties and responsibilities among the staff.
• Arrange adequate training or knowledge regarding the appropriate use of equipment on a periodic basis.

Priority level: High
Finding 4: Poor Waste Management

Observations
Our observations in this regard are:
• Personal protective equipment is not being used as per the recommended safety policies of the hospital.
• The vendor payment system for waste management has flexible terms, leading to control gaps.
• The logbook for the vehicle used for waste handling is kept at the main security gate and is filled in by the driver himself, which may lead to false trip recognition.
• No GPS tracking is available for the outsourced medical waste transportation vehicle.

Risk
• Possibility of infection to waste handling staff.
• Occurrence of financial loss due to false recording of vehicle trips.
• Local public disturbances due to improper waste handling.
• Litigation with the regulatory authorities.
• Eventually, loss of brand and reputation.

Recommendation
• Proper training regarding safety to be provided to the staff engaged in medical waste handling.
• The vendor payment system for waste management should be made rigid, with a proper authorization mechanism.
• The logbook for the vehicle used for waste handling should be filled in by a separate person, with proper authorization to do so, to ensure the correctness of a particular trip, and GPS tracking should be done.
• Periodic physical checks should be done for compliance with the health and safety policy of the Hospital.

Priority level: Medium
Finding 5: Lack of Data Privacy Controls and Weak Cybersecurity Controls

Observations
• Data security and privacy policies were not developed.
• It could not be determined if adequate data security protection such as encryption was required for hospital patient applications. The applications collect personal data related to patients such as credit card numbers, Aadhaar details, etc.
• Hospital management did not complete a privacy assessment, and data classification standards that cover confidential and critical data in storage were not in place.
• City Hospital has not established controls for securing the external network perimeter comparable to other healthcare organizations of similar size.
• The Hospital does not perform internal and external vulnerability scanning of its on-premises and web applications.

Risk
• Private and confidential data related to patients could be misused, altered, destroyed or disclosed without permission, and fraud could be committed.
• Attackers could upload malware, viruses or ransomware to exploit hospital management resources and commit a data breach.

Recommendation
• Develop formal security/privacy policies that meet a global framework.
• Revamp security/privacy processes to ensure that the related issues are detected, controlled and responded to in a timely manner.
• Personal data that are confidential in nature are encrypted in the system.
• Controls such as port security, network segmentation and regular vulnerability scans are implemented.
• Intrusion detection/prevention is actively performed.

Priority level: High
13. Conclusion
• City Hospital management has proactively made a commitment to address all risks identified and work on the recommended actions. The gap analysis indicated possible risks, and the likelihood of these risks occurring was determined. The audit committee played a key role in executing the suggested control design and information security initiatives to mitigate these risks, thus setting the direction for City Hospital management.
• Plans to enhance City Hospital’s approach to developing adequate policies and improving inventory management, revamping waste disposal and augmenting the insurance coverage process will represent a significant effort over the next year and require the appropriate resources to complete them. The implementation of the recommended actions will help the hospital in maintaining customer loyalty.
• Operating at a managed maturity level will allow City Hospital to use resources effectively in ensuring effective vendor management, with compliance with service level agreements, and getting timely and cost-effective maintenance on the devices and equipment. This will help the Hospital in minimizing disruptions to business operations.
• The implementation of the suggested information security initiatives to meet privacy and security compliance goals will lead to a competitive advantage and affect City Hospital positively by protecting its reputation and brand and avoiding fines, penalties and potential litigation.
14. Team Members
NAME
Koel Dutta CMA
Dhananjay Kondhare CMA
Rama Krusha Ragoli CMA
Rajesh Ranjan CMA
Ravi Sharma CMA, CPA, CISA, CISSP
Abhisek Sinha CMA
Devang B. Thaker CMA