Weaknesses in Internal Controls: How to Manage and Mitigate Vulnerabilities

weaknesses internal controls

Revised September 2022

Risk in US Healthcare

It is incredibly difficult to turn off “work brain” after the day is done.  Thoughts and questions keep creeping in during off work time, personal time.   

For example, did I send the new state law privacy requirements to our IT security team to review? Are the staff following and appropriately documenting for telehealth reimbursement?  Or what should be my priorities on Monday morning? These questions all represent potential weaknesses in internal controls.  Let’s explore what can be done to mitigate or decrease any vulnerabilities. 

It is important to have appropriate internal controls supported by open communication between colleagues, and forthright reporting to both compliance and risk departments in an organization. 

Since organizations are still run by humans, there remains the potential that one human sets up a call to discuss a topic (like a regulatory change), and inadvertently forgets to invite all the other humans affected by the change. Having a process in place where an employee discusses a need to meet with his or her supervisor can help ensure you’ve got the right humans at the table.  

Internal controls must also be communicated to the staff so they can adhere to the organization’s expectations and policies. This is where education, early and often, that includes the why behind the internal control, can provide the best results to reducing any vulnerabilities. 

Top Areas of Risk

Top areas of risk to a healthcare organization include weaknesses or vulnerabilities in security, documentation, operations, and staff performance.  Let’s consider the following: 

  • The risk focus for organizational security typically includes areas like information technology (IT) and physical buildings. Cybersecurity data leaks or active shooters are examples of each.  
  • Incomplete, non-existent, or fraudulent medical record documentation is another large risk for health care organizations. 
  • Lack of clear policies, procedures, or protocols (PPPs) present huge risks to the organization as employees may act in a way which is not in compliance with PPPs. 
  • And finally, human error, even if unintentional, can present costly risks to the organization, such as a Stark law violation. Both the strongest and the weakest internal control for health care organizations involves the staff.  Take cybersecurity: many data leaks come from staff clicking on the wrong link or attachment and letting the “bad guys in” to the network. The same is true when an employee lets someone in the building on their badge scan rather than making them badge in themselves.  

Mitigate Risks

Risk mitigation is an organizational strategy to prevent or decrease the impact of mistakes or unanticipated outcomes when they occur.  One strategy is to implement organizational controls, such as PPPs along with checklists and tools, to either prevent or decrease organizational risks. 

  • A primary and effective way to mitigate risks to the organization is to empower the employees with knowledge. Don’t just have employees complete compliance and risk education online.  Go out and meet the staff and answer their questions in real time!  Or encourage them to call or email their questions and provide timely follow up. 
  • Risk and compliance departments should foster a culture of early reporting by staff when there is a mistake or unanticipated outcome or a deviation from the PPPs. When a staff member makes a report, it is important to document the facts while remaining objective and non-judgmental. (Related: Read Brian Kozik’s story of changing the consequence structure to support a safe to speak up culture) 
  • Ensure you have a usable system to track internal control weaknesses to manage and mitigate vulnerabilities. Whether this is a manual process or is done through an IT application, make sure you consistently use the internal controls to evaluate and mitigate risks because they change – frequently. 
  • Review, or if you don’t have them, develop cybersecurity and business continuity plans. These plans should be living documents that are used regularly and revised at least every two years, to ensure compliance and risk topics are current and mitigated.  These plans should not just be a book on the shelf or a file on a computer. The risk focus for these plans should include tools to monitor both IT and the physical building risks. 
  • Commit to being a leader when it comes to promoting an open culture for reporting weaknesses, or breaks, in internal controls so early mitigation strategies can be implemented. 

Proactively setting internal controls helps you and your colleagues address mistakes and errors when they inevitably do happen.  While there is no failsafe way to ensure 100% compliance with internal controls, or that all employees will do the right thing every time, you’ll be better positioned when staff are educated and equipped to comply with regulations and do the right thing.  And in organizations that have an open culture of reporting, both the risk and compliance teams will be aware of the internal control weaknesses so they can implement mitigation strategies early on. 

Strong internal controls are critical to effective regulatory change management. YouCompli can enable your collaboration with compliance champions and free your time to focus on relationships and communications. Take a look at our regulatory change management solution today.  


Jerry Shafran is the founder and CEO of YouCompli. He is a serial entrepreneur who builds on a solid foundation of information technology and network solutions. Jerry launches, manages, and sells software and content solutions that simplify complex work. His innovations enable professionals to focus on their core business priorities.


Never Miss a Compliance Related Article

Get a 15-minute strategic overview of YouCompli

Emergency Preparedness Revisited

Emergency preparedness has always been one of the top concerns of hospital administrators and medical staff, but never has it been more critical. As the the coronavirus pandemic continues to impact the United States, and facilities are struggling to maintain levels of personal protective equipment (PPE) and ventilators, administrators and compliance professionals should also review the updated federal emergency preparedness requirements, published by the Centers for Medicare and Medicaid Services (CMS) in the Federal Register on September 30, 2019.

We previously blogged about these requirements in 2017, but the requirements have changed in the past few years. Here are the four core elements of a hospital’s emergency preparedness plan to handle natural and man-made disasters — and a look at how they are impacted by last year’s final rule revision by CMS:

Risk Assessment and Planning

Commonly referred to as the emergency plan, CMS requires such a strategy to be developed and then updated at least once a year. It is based on certain risk assessments and uses an “all-hazards” approach that focuses on hospital capacities and capabilities, care-related emergencies, equipment and power failures, communication interruptions (including cyberattacks), and interruptions to water, food, and medication supply chains.

A major change to this element involves hospital climate control and power. Facilities are no longer required to heat and cool the building evenly. However, safe temperatures are to be maintained in areas deemed necessary to protect patients, other people in the facility, and provisions stored in the facility during the course of an emergency, as determined by a risk assessment. If a hospital is unable to maintain safe temperatures, it should follow an established plan for a timely relocation/evacuation that avoids patient exposure to harmful conditions. Additionally, hospitals are required to have an essential electric system with a generator that complies with the NFPA 99 – Health Care Facilities Code.

Like before, the plan must include strategies for addressing emergency events and include a process to work in conjunction with local, tribal, regional, state, and federal emergency preparedness officials. But the key change to the all-hazards approach — and this is crucial in light of recent events — is that all participating hospitals must be prepared for emerging infectious disease (EID) threats, such as the coronavirus. EIDs may require modification to standard facility protocols to protect the health and safety of patients and personnel, such as isolation and PPE usage.

Communication Plan

This element received additional fine-tuning. Participating hospitals still must develop a communication plan that complies with local, state, and federal laws and the plan must be reviewed and updated annually. It should now also include the names and contact information of key hospital personnel for local, tribal, regional, state, and federal emergency preparedness officials. And, it should detail how patient care is coordinated within the facility, across healthcare providers, and with local and state public health departments and emergency management systems.

Policies and Procedures

Hospital policies and procedures still must be based on the emergency plan, risk assessment, and the communication plan, and must be reviewed and updated at least once a year. They should address a broad range of topics and situations, including subsistence needs (water, food, medical supplies) of patients and staff, emergency staffing strategies, tracking the location of on-duty staff and patients during emergencies, sheltering-in-place plans, and patient relocation/evacuation plans.

Training and Testing Program

This revised element the result of an additive process. Program development is based on the emergency plan, the risk assessment, the communication plan, and the policies and procedures. As before, the final rule states the program must detail who needs to be trained, describe the frequency of training, how knowledge is assessed, and document how the training was conducted.

During the course of normal events, hospitals are required to annually conduct a mock disaster drill that is either a full-scale, community-based or individual facility-based exercise. In addition, hospitals must also hold a discussion-based tabletop exercise with its senior staff to discuss hypothetical emergency scenarios and reassess policies and procedures. But recent years have not been normal.

Along with the coronavirus outbreak, many parts of the country have suffered from an increase in natural disasters or mass shootings. The final rule revision acknowledges this wide spectrum of emergencies. If there is an event that activates a hospital’s emergency plan, that facility is exempt from holding its annual mock disaster drill for one year following the incident, provided it has written documentation. If a hospital activates its emergency plan twice in one year, it is exempt from both the mock disaster drill and tabletop exercise for one year following the actual events. Again, written documentation of these events and procedures is required.

Maintain Compliance with CMS

Being compliant with the September 30, 2019 final rule is a requirement for your facility’s Condition of Participation (CoP) / Condition for Certification (CfC) with CMS. Failure to comply, even during a pandemic, could thus have significant impact on your organization. The youCompli compliance management software is a powerful tool to help mitigate risk and enable your hospital to effectively implement these, and many other, regulatory requirements. The software is easy to use and quick to deploy, and can be a powerful means to drive efficiencies through your compliance department.

See YouCompli in Action

Easier, faster, more effective compliance is possible

youCompli Team Heads to Compliance Institute

  The youCompli team is looking forward to heading to Boston for the HCAA’s Compliance Institute from April 7-10. The HCAA calls this event the single most comprehensive healthcare compliance conference. That’s why we think it’s a terrific chance to learn more from our colleagues in specialties such as Healthcare Reform, Hospital Physician Alignment, and […]

Continue reading

78 Pages. 1 Regulation. Analyzed by Experts in Days.

Final rule 42 CFR Part 59 is 78 pages long. Have you read it yet? How about your team? How long will it take? And then, will you feel confident in what actions you may take? Or is there another process you’ll undertake to make sure? At youCompli, it took us just a few days to […]

Continue reading

How I Became a Confident Compliance Officer

As the sole compliance professional in my hospital, my role preceded me. When clinicians saw me rounding a corner, they seemed to avert their eyes and look at the floor. Department heads? The same. I understood why. I brought extra work: go to websites, read regulations and print things off; re-invent policies; re-evaluate codes, and […]

Continue reading

Do You Have the 4 Core Elements of an Emergency Preparedness Program?

four core elements of emergency preparedness

Revised February 2023 Emergency Preparedness Requirements for Medicare and Medicaid Participating Providers and Suppliers Final Rule  (Check out our latest update on emergency preparedness, based on the 2019 final rule.) The motto of the Boy Scouts is Be Prepared. As of 2016, that motto applies to healthcare emergency preparedness, too.  Hurricanes Katrina and Sandy wreaked havoc […]

Continue reading