Weaknesses in Internal Controls: How to Manage and Mitigate Vulnerabilities

This year has been especially challenging when trying to turn off "work brain" after the day is done. Thoughts and questions keep creeping into off-work time and personal time. Many of these bothersome questions revolve around the pandemic. For example: did I send the updated information related to COVID-19 billing? Are the staff following and appropriately documenting telehealth visits for reimbursement? What should my priorities be on Monday morning? Each of these questions points to a potential weakness in internal controls. Let's explore what can be done to mitigate or decrease those vulnerabilities.

During this stressful time, it is important to have appropriate internal controls supported by open communication between colleagues and forthright reporting to both the compliance and risk departments in an organization. The internal controls must also be communicated to the staff so they can adhere to the organization's expectations and policies.

Top areas of risk to a health care organization include weaknesses or vulnerabilities in security, documentation, operations and staff performance. Let's consider the following:

  • The risk focus for organizational security typically covers both information technology (IT) and the physical building: a cyber incident or an active shooter, for example.
  • Incomplete, non-existent, or fraudulent medical records documentation is another large risk for health care organizations.
  • A lack of clear policies, procedures or protocols (PPPs) presents a huge risk to the organization, because employees without clear guidance may act in a way that is not in compliance with the PPPs the organization expects them to follow.
  • And finally, human error, even when unintentional, can present costly risks to the organization. Both the strongest and the weakest internal control in a health care organization is the staff. The reason is that our staff are the ones who let the "bad guys" into both our computer systems (IT) and our buildings, for example by clicking a link in a phishing email or holding a door open for someone without a badge.

Risk mitigation is an organizational strategy to decrease the impact of mistakes or unanticipated outcomes when they occur. One strategy is to implement organizational controls, such as PPPs along with checklists and tools, to either prevent or decrease organizational risks.

  • A primary and effective way to mitigate risks to the organization is to empower employees with knowledge. Don't just have employees complete compliance and risk education online. Go out and meet the staff and answer their questions in real time! Or encourage them to call or email their questions, and provide timely follow-up.
  • Risk and compliance departments should foster a culture of early reporting by staff whenever there is a mistake, an unanticipated outcome, or a deviation from the PPPs. When a staff member makes a report, it is important to document the facts while remaining objective and non-judgmental.
  • Ensure you have a usable system to track internal control weaknesses so you can manage and mitigate vulnerabilities. Whether this is a manual process or an IT application, make sure you consistently use it to evaluate and mitigate risks, because risks change, and they change frequently.
  • Review your cybersecurity and business continuity plans, or develop them if you don't have them. These plans should be living documents that are used regularly and revised at least every two years, and sooner after any significant incident or change in the environment, to ensure the compliance and risk topics they cover are current and mitigated. These plans should not just be a book on the shelf or a file on a computer. The risk focus for these plans should include tools to monitor both information technology (IT) and physical building risks.
  • Compliance and risk departments must be the leaders in promoting an open culture for reporting weaknesses, or breaks, in internal controls so that early mitigation strategies can be implemented.

One of my favorite sayings is, "it's all good until it isn't." In keeping with that mindset, it is important to implement effective internal controls because mistakes and errors will happen in the organization. While there is no fail-safe way to ensure 100% compliance with internal controls, or that every employee will do the right thing every time, there is comfort in knowing the staff are educated and trained to do the right thing. And in organizations that have an open culture of reporting, both the risk and compliance teams will be aware of internal control weaknesses early enough to implement mitigation strategies.

  1. Select the top two or three compliance or organizational risks for your facility and develop a plan to educate all employees (including allied health professionals and doctors) in 2021. Include the risks, the applicable policies or procedures, and the mitigation strategies. Limit the education to 15 minutes. While in-person education is preferred, virtual education with video may be a good alternative. Conduct compliance and risk mitigation education at least annually.
  2. Use the youCompli regTrain function to assess potential internal control weaknesses and develop remediation plans.