CSA Sentinel - The Institute Of Internal Auditors  


Volume 9 • No. 1 • February 2005

A New Approach to Health Care Auditing

Successful use of CSA has helped Mayo Clinic effectively assess risk in today's changing environment.

Douglas Hildebrandt, CPA, CISA, IT Audit Coordinator
  Mayo Clinic Internal Audit Services
Randolph Just, CIA, CPA, CCSA, Vice President Audit Services
Allina Hospitals and Clinics
David Moertel, Manager Electronic Commerce
  Mayo Clinic Foundation Finance
Hugh Pforsich, PhD, Accounting Professor
California State University at Sacramento

Many forward-thinking organizations are assessing their risk management processes to ensure they have effective procedures in place to identify and mitigate risk within their risk appetite. Mayo Clinic, a not-for-profit medical research and education organization based in Rochester, Minn., uses control self-assessment as one of its risk assessment tools to stay on top of the unique risks in health care management.

Mayo Clinic conducted its first CSA facilitated workshop in 2002 to help ensure that its risk appetite and control processes were aligned with the organization's values and mission. Because of its success, other workshops were performed subsequently, which facilitated collaboration between employees and management, and helped to identify obstacles and develop action plans to enhance the prospect of achieving the organization's mission and objectives. 


Recent changes in the health care industry have introduced new risks — such as the myriad variables in the increasing number of patient health plans — for self-insured organizations, health insurance companies, payment clearinghouses, and payer organizations. The complex nature of these plans has made the claims management process difficult to manage. A further complication is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires standardized electronic data interchange with the goals of improving health care delivery efficiency, protection of patient confidentiality, and security of health data through enforced standards. In such a dynamic environment, all of the complex components of changing risks must be identified, assessed, and managed.

Through internal auditing's risk assessment process, management selected the electronic commerce business unit's Mayo claims management system (MCMS) operations as the first CSA workshop participant. Ultimately, if claims management risks are not managed and controlled, cash flow problems caused by inefficient or inaccurate claims processing could threaten the organization's viability and its ability to invest in the education and research programs that support its clinical practice. Therefore, management deemed that a continuous process of risk and control assessment was necessary to ensure MCMS business objectives were achieved.

Management had acknowledged previously some preliminary MCMS risks, and developed in-house software designed to increase claim submission efficiency and accuracy, including coding, testing, documenting, and maintaining the software — referred to as "hard" tasks. From an end user perspective, however, this process also involves many "soft," people-related functions, such as training and support, communication within and among work groups, implementing control procedures and protocols, establishing roles and priorities, and developing effective relationships with payer organizations. 

The most elusive and difficult obstacles threatening the achievement of the MCMS unit's objectives related to interaction and collaboration among MCMS employees. Because traditional internal controls and audit procedures may be insufficient to remove or mitigate such soft risks, the CSA process was put in place to draw from the experience and expertise of the operating employees who are affected directly by these risks. Internal audit services believed this approach would result in developing an appropriate and effective set of controls.


CSA serves several purposes at Mayo Clinic. One goal is to perform a detailed risk and control assessment and to identify risks that traditional audits have found elusive. It also serves as a management tool to administer a corporate governance internal control program.

The MCMS CSA process used a systematic approach to risk assessment that focused on people-related aspects of the organization, such as communication, understanding information, role definition, reengineering and streamlining business processes, and increasing control consciousness. This approach followed the risk assessment process outlined by The Committee of Sponsoring Organizations of the Treadway Commission's (COSO) Internal Control – Integrated Framework. The original 1992 framework — a tool to help organizations provide reasonable assurance that their business objectives will be achieved — identified five critical components that are necessary for an effective internal control program: control environment, risk assessment, control activities, information and communication, and monitoring.

In conjunction with the COSO framework concepts, CSA is used within Mayo Clinic to document and evaluate soft controls — such as corporate culture, control consciousness, and tone at the top — to help ensure compliance with the U.S. Sarbanes-Oxley Act of 2002.


One of the fundamental beliefs and assumptions of CSA is that the knowledge and expertise of operating employees are needed to innovate and improve business processes and to achieve the organization's business objectives. Internal auditors who are trained in CSA techniques often lead a facilitated workshop, a common form of CSA. The workshop is designed to capitalize on this first-hand knowledge and expertise, especially in developing specific action plans that address business unit risks. These action plans include both hard controls (e.g., separation of duties and asset security procedures) and soft controls (e.g., the development of communication channels and maintenance of customer relationships).

To evaluate the risks and controls of MCMS operations, the electronic commerce business unit used an objective-based facilitated CSA workshop to enable frontline employees to identify past successes and obstacles, participate in the internal controls assessment, evaluate risks, develop potential action plans, and estimate the likelihood of achieving specific business objectives. The workshops' mission was to be a dynamic, interactive audit process involving management, internal auditors, and operating employees that complements and augments, but does not replace, the traditional internal audit function.

As a management governance tool, facilitated workshops can have a significant impact on an organization's control environment. CSA proponents believe that operating employees are best positioned to assess their own business unit's current state of control, provide constructive feedback to management, and implement the controls that they propose. Testing and obtaining evidence related to soft controls through traditional audit procedures is sometimes unfeasible. Furthermore, soft controls are difficult to codify in a traditional policy and procedures handbook. When employees volunteer to take responsibility for carrying out the corrective actions pertaining to these undocumented and informal controls, the soft side of the organization's control environment can be improved. The interaction and collaboration fostered by CSA workshops motivate participants to assume this responsibility voluntarily and contribute significantly to the corporate governance of the organization. 

As an audit enhancement, the MCMS CSA workshop focused on specific high-risk areas that were somewhat elusive. For example, the internal auditors were aware of problems in the business unit caused by poor communication within and among work groups. However, when specific controls were imposed, such as formal notification procedures, communication weaknesses continued to appear in other areas of the business unit's operations. The problem was difficult to pinpoint, trace, and rectify using traditional audit processes. The CSA workshop enlisted frontline employees to help identify "soft" risks and to brainstorm action plans to mitigate these risks effectively. Feedback from frontline employees helped management and the internal auditors focus business unit activities to increase the probability of success. 


To initiate the MCMS CSA, the audit team conducted individual interviews with key personnel in the 11 business units involved. The interviews helped internal audit services and management compile a list of business objectives to assess past successes and obstacles, as well as to consider future action plans for improvement. The team focused on communication, controls, security, functional priorities, implementation activities, reporting, and relationships with payers, which were later discussed in detail in the workshop. For example, interview respondents indicated that although communication had improved in the prior two years, there was not a consistent and proactive communication process to make MCMS users aware of system changes and problems. Discussion of this problem in the workshop yielded more specific obstacles related to this issue.

During the workshop, each participant was given a list of eight MCMS objectives and an electronic voting keypad. Voting took place before and after the discussion of each objective using a seven-point scale. Participant votes were tallied to determine the mean score assigned to MCMS for each objective at the present time, as well as the expected achievability score if the proposed action plans were implemented.

Suggestions from the interactive workshop brought to light inconsistencies in communication caused by the lack of an established and broadly understood communication process. Weaknesses included:

  • MCMS software end users did not receive timely notification that their claims were received, accepted, or paid by the payers.
  • End users did not receive timely notification of MCMS software changes that would affect their system use.
  • The process used to prioritize decisions regarding software installation and system upgrades was not documented adequately or communicated to end users.

Because the CSA workshop used the combined experience of grassroots MCMS users, specific communication obstacles were highlighted — more than could be expected from the individual user interviews or through top-down policy pronouncements. As a result, the following proactive communication approach was proposed:

  • Establish a rapid broadcast communication strategy with a three-prong protocol — e-mail, telephone, and a Web site log. When payer reports are not sent as scheduled, MCMS users will be notified using all three communication methods within four hours from the scheduled payer report deadline.
  • Use a three-prong protocol to alert end users of system changes. The Web log, rather than e-mail or telephone, will be the first point of contact for information technology personnel to document system changes.
  • Form a committee to develop and maintain a list of MCMS-related priorities. This task will include consolidating priorities established by each business unit, documenting the criteria used to develop these priorities, and publishing a single updated list on the intranet. The intranet would include hyperlinks to other Mayo Web pages that document the particular work that has been completed as a result of each prioritized decision.

Before the workshop participants discussed the communication objective, MCMS communication received a mean score of 4.3 on a seven-point scale. After the discussion of the successes, obstacles, and proposed action plans for this objective, participants assigned an achievability score of 6.0. Through the CSA focus, key MCMS personnel indicated that the proposed action plans from the CSA workshop, once implemented, would improve the communication within and among the MCMS user groups.


Mayo Clinic has since used CSA workshops and techniques in several areas. It has also used CSA to help develop an approach to Sarbanes-Oxley control documentation and evaluation for private, not-for-profit companies.

Because of the organization's CSA efforts, clinical, business, and technology changes that could impact patients are discussed thoroughly, prioritized, and planned before implementation. As a result, change does not happen quickly, but it is also not haphazard or indiscriminate. The decision-making process is controlled purposely to limit negative impact on patients and to optimize their care. Mayo Clinic's primary value, "The patient comes first," is expressed in every aspect of the organization's functional operation. These values drive the corporate culture, which is embedded in every decision made throughout the organization.

A version of this article was published in the Fall 2004 and Winter 2005 issues of New Perspectives Journal, published by the Association of Health Insurance Advisors. Reprinted with permission.
