The COSO Internal Control-Integrated Framework: An Implementation Guide for the Healthcare Provider Industry was published in 2013 by the Committee of Sponsoring Organizations (COSO) in collaboration with professional services firm Crowe and CommonSpirit Health.
The guide is meant to help healthcare businesses navigate the enormously complicated world of U.S. healthcare. It addresses subjects such as access control, system integrity, clinical documentation, coding, and billing procedures, all to help healthcare businesses comply with the Affordable Care Act of 2010 and to protect patient data now that electronic health records (EHRs) have become the norm. COSO’s guidance provides an outline and best practices for meeting those standards.
“Healthcare organizations experience issues with system access, system integrity, clinical documentation, coding, and billing; all of which may result in potential non-compliance with federal and state regulations—and costly mistakes,” the guide’s executive summary states.
To meet those compliance obligations, the guide says, healthcare organizations “must review their control environment to confirm proper controls are in place to ensure effective and efficient operations, proper financial reporting, and compliance; and that their control environment supports the attainment of the organization’s mission and strategy; and COSO provides the direction to do this.”
What Is COSO?
COSO developed its original internal control framework in 1992 with fraud deterrence in mind. The framework provides an effective internal control structure to ensure that an organization’s financial practices, including financial statements and external financial reporting, are accurate and reliable.
COSO defines internal control as “a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance.”
For a detailed history of COSO’s internal control framework (which had a major overhaul in 2013) and a complete guide on compliance with this important document, check out our Guide to COSO Framework and Compliance.
COSO also helps organizations comply with laws and regulations including the Sarbanes-Oxley Act (SOX), a federal law enacted in 2002 to protect public companies and their shareholders from accounting errors and fraud; and the Foreign Corrupt Practices Act (FCPA).
COSO has also published an enterprise risk management (ERM) framework, and several smaller volumes on specific issues such as corporate compliance and environmental, social, and governance (ESG) reporting.
Components of Internal Control
COSO lists five components of internal control:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
The new guidance, COSO Integrated Framework: An Implementation Guide for the Healthcare Provider Industry, explores how healthcare organizations can use the framework to improve internal control over their specific business environment. COSO offered several ways healthcare providers could use its framework when it published the guidance:
- Evaluate and strengthen the existing internal control structure, including operational functions, procedures, and systems. An example would be hosting a secure Active Directory environment to control access to sensitive systems and information.
- Implement controls to help mitigate significant risks. Risks come in myriad forms. Implementing a system that prevents external access to servers can reduce the risk that a hacker will gain access to systems from outside the environment.
- Optimize the effectiveness of the control environment. Improving the technical environment of healthcare providers can redirect resources from maintaining control environments to allow the administration to focus on its primary objectives.
- Improve the efficiency of governance, compliance, operations, management, and assurance functions. Efficient operations support the effectiveness of controls. Having a simplified scope of what needs to be addressed in an audit or controls remediation plan allows the organization to evolve with the changing technical and regulatory landscape more deftly.