Evolving Risk Landscape Refocuses Healthcare Audit Priorities Key findings from the latest survey conducted by Protiviti and AHIA on internal audit plan priorities for provider and payer organizations At a glance 6 min read As the healthcare industry adapts to the lasting effects of digital transformation, regulatory shifts and emerging cyber threats, organizations are encountering increasingly complex and unpredictable risks. Al-driven fraud, data privacy challenges, and escalating ransomware attacks are reshaping the priorities for healthcare internal auditors. Their role remains critical in safeguarding operations, helping to ensure compliance, strengthening financial and IT controls, and addressing evolving vulnerabilities in an environment that demands resilience and strategic foresight.The 2025 Healthcare Internal Audit Plan Priorities Study, conducted by Protiviti and the Association of Healthcare Internal Auditors (AHIA) reveals key areas of focus for internal auditors. This report reveals key cross-segment priority focus areas for internal auditors, along with as payer- and provider- specific resuIts. Download Report Download the full report for detailed findings and actionable guidance Key findings Each priority here connects to specific audit actions. Download the full report to access the full context, audit areas to consider, and segment-specific guidance for both providers and payers. Top 5 cross segment priorities Cybersecurity Employee time and expense reporting and payroll User access management Joint venture and third-party risk management Employee eligibility and credentialing/privileging Top 5 cross segment priorities Top 5 cross segment priorities “In today’s rapidly evolving healthcare landscape, internal audit plays an essential role in protecting organizational integrity and ensuring compliance while also validating, enhancing and leveraging innovation. From cybersecurity and user access management to fraud prevention, provider relationships, and the integration of advanced technology and AI, a proactive and strategic audit function enables healthcare organizations to anticipate emerging risks, strengthen resilience, and deliver optimal consumer experience in the face of unprecedented challenges.” – Richard WilliamsGlobal Healthcare Practice Leader, Protiviti Cybersecurity Cybersecurity Cybersecurity remains the top priority for internal audit in healthcare for the third consecutive year, driven by a relentless wave of cyberattacks targeting the industry. These attacks have caused prolonged system outages and network outages – sometimes lasting a month or longer – resulting in severe patient safety risks, revenue losses, operational disruptions, workforce strain, reputational damage and financial instability. Healthcare organizations must act decisively to safeguard their systems and data against these threats. Employee time and expense reporting and payroll Employee time and expense reporting and payroll In today's healthcare landscape, payroll and timekeeping processes carry significant compliance, financial and reputational risks. With regulations changing frequently amid mounting pressure on labor costs, healthcare organizations must be vigilant in how they manage employee compensation, time tracking and workforce documentation. Internal audit plays a vital role in spotting gaps, reinforcing controls, and ensuring compliance with both federal and state labor laws. User access management User access management Managing user access in healthcare is a complex challenge due to the diverse and dynamic population of users and systems that must be secured. The presence of outdated technologies, which often struggle to integrate with modern Identity and Access Management (IAM) solutions, exacerbates this issue. Such fragmentation can lead to inconsistent access control practices and increased risk. Notably, compromised user credentials are involved in a majority of cybersecurity breaches, making robust user access management essential for protecting sensitive information. Joint venture and third-party risk management Joint venture and third-party risk management Healthcare organizations increasingly depend on external vendors and partners. High-profile incidents demonstrate that third-party failures can cripple operations, jeopardize patient safety, expose the organization to compliance risk, threaten financial stability and damage reputations. With many organizations adding or changing vendors, robust third-party risk oversight is essential. Employee eligibility and credentialing/privileging Employee eligibility and credentialing/privileging Verifying employment eligibility and provider credentials is more than a routine compliance task – it is essential for mitigating legal, financial and patient safety risks. With increasing scrutiny from regulators and stakeholders, healthcare organizations must prioritize thorough verification and credentialing practices to avoid costly oversights. As regulations evolve and technology advances, internal audit teams need to confirm that hiring, credentialing and ongoing monitoring processes are robust and up to date. Top 5 priorities for providers and payers Image Image In closing While the absence of artificial intelligence from the top internal audit priorities may raise eyebrows, it’s not an oversight — it’s a reflection of reality. Despite 90% of respondents reporting AI usage, only 11% claim high proficiency, signaling a wide maturity gap across healthcare provider and payer organizations. Internal audit teams are beginning to explore AI use cases for their own operations, but few have yet placed it firmly on their internal audit plans. This moment presents both a challenge and an opportunity. As AI adoption accelerates, so too must internal audit’s role in ensuring responsible use. It’s time to shift from passive observation to active governance. Internal auditors must not only harness AI to enhance their own capabilities but also scrutinize how their organizations are managing the risks and ethics of this transformative technology. Furthermore, according to Protiviti’s recent AI Pulse Survey, most companies interested in AI are in the exploration or testing stage. Fewer than 11% of organizations have achieved full transformation. However, the momentum is only going to continue to grow, and the pace of that growth is rapidly increasing. The future of internal audit in healthcare will be shaped not just by what we examine, but also the manner in which we are able to keep pace with our organization’s transformative initiatives. Matt Jackson Related resource Infographic December 12, 2024 1 min read Infographic | Navigating critical healthcare areas through internal audit Coming off several years of a pandemic and the associated public health emergency, the healthcare industry continues to face complex and unpredictable risks that could have long-lasting impacts across several critical areas. Healthcare internal auditors play an important role in helping their organizations manage potential risks, stay on top of regulatory compliance,... View infographic View past survey reports: 2024 2023 2022 2021 2024 2023 2022 2021 Leadership Richard Williams Richard is a founding member and Protiviti’s Global Healthcare Practice Leader. He has extensive experience providing operational, financial, and regulatory consulting and internal audit services to the healthcare industry. In addition to leading numerous business ... Learn More Matthew Jackson Matt is a founding member of Protiviti and serves as Protiviti’s Healthcare Internal Audit and Digital Solutions leader. He has more than 24 years of experience providing operational, technology and regulatory consulting and internal audit services to a wide range of ... Learn More Topics Internal Audit and Corporate Governance Industries Healthcare
