Research Updates

Internal auditing in healthcare: current and future status

The questions

Internal auditing, according to the current definition established by the Institute of Internal Auditors, is an “independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”



For Italian public healthcare organizations, internal auditing is a relatively new function. Starting in the 2000s, early experiences initially focused on managing operational risks associated with clinical practice, aimed at assessing the organizational causes of adverse patient events. Then, in 2012, with the introduction of certification requirements for financial reports, additional areas for internal audits emerged, centering around the financial risk dimension. As recently as 2015, some Italian regions began to regulate the internal audit function specifically for healthcare.



Building on an initial study carried out in 2013, my colleagues Camilla Falivena, Francesca Lecci, Elisabetta Notarnicola and Valeria Rappini and I dug deeper in 2023 into the topic of internal auditing in public healthcare organizations. The goal was to explore the most common approaches to the techniques and focus of this function across different regions, and to determine if and to what extent internal auditing was perceived as an effective means of strengthening the broader system of corporate governance.



While all Italian regions have internal audit legislation for the public sector, our analysis revealed that only five out of 21 regions have enacted specific audit legislation for healthcare organizations (i.e., Veneto, Lombardy, Emilia-Romagna, Abruzzo, and Sardinia).



To explore the implementation of internal audit in healthcare organizations, we conducted 11 semi-structured interviews with key players at the regional and organizational levels. We found that the leading driver for internal auditing implementation was the introduction of mandatory financial report certification. Hence, audit practices have frequently been adopted within administrative departments, focusing primarily on financial and compliance risks, akin to the role of clinical risk managers reporting to chief medical officers.



To ensure independence, the internal auditor should, by the nature of the role, report to general management; this would also secure a closer connection between internal auditing and planning and strategic control. Nevertheless, even when the internal audit function reports to the CEO, strategic and operational (i.e., clinical) risks are largely neglected.



Consequently, the current understanding of internal auditing within healthcare organizations is vague and lacks a systemic and strategic vision. To bridge this gap, we call for an investment in education to foster a more comprehensive risk management culture. And this requires more than just technical training for internal auditors.

Looking Ahead

Nowadays, to fully express its potential, internal auditing in healthcare organizations should gain greater legitimacy by investing in the following areas:


  • Promoting a systemic vision of organizational risk management.
  • Integrating internal auditing into the organization’s overall control system.
  • Developing approaches and tools for corporate risk governance.