Top risks 2025
Hospital audits identify top 10 risk areas
Dec 3, 2025

Introduction
Brace for impact: 2026 isn’t just another year. It’s shaping up to be a perfect storm for internal auditors. With healthcare organizations facing an unprecedented convergence of regulatory shifts, cybersecurity threats, and financial pressures, the question isn’t if risks will surge, but how fast you can respond.
This annual top risks report from Kodiak identifies the top 10 risk areas for healthcare provider organizations based on audits performed for hospitals, health systems, and medical practices this year by Kodiak’s risk and compliance team. The results point to risk areas that internal auditors will need to focus on in the year ahead to protect their organizations.
The team identified the top 10 risk areas based on audits at provider organizations from Oct. 1, 2024, through Sept. 30, 2025. Those audits uncovered instances of risk that fell into 23 risk areas, or domains. The top 10 risk areas are based on the number of instances of risk uncovered in each domain.
In addition to identifying the top 10 risk areas based on the number of risk instances in each domain, this report also qualifies the objective data with subjective descriptions of the types of specific risks the Kodiak team is seeing and what internal auditors can do to mitigate them in 2026.
Top 10 risk areas
The top 10 risk domains, based on actual audit data collected by Kodiak’s risk and compliance team, are:
- Information systems
- Finance/accounting
- Compliance
- Revenue cycle
- Clinical operations
- Quality/patient safety
- Human resources
- Governance and oversight
- Supply chain/materials management
- Pharmacy
As the chart below illustrates, the number of instances of risk in the top five risk domains represents nearly two-thirds of all the instances of risk identified in Kodiak’s analysis for this report.

Kodiak’s risk and compliance team identified instances of risk in 13 other domains during the study period. In ranked order, the domains and their respective number of risk instances identified are:
Specific risks and audits
Kodiak’s risk and compliance team took a deep dive into the audits that produced the data to identify the most prevalent risks in each of the top 10 risk domains. The team identified a total of 31 specific risk areas within the 10 domains. Here, the team describes what they’re seeing in each of the 31 specific risk areas and what internal auditors can do to mitigate that particular risk.
Risk domain: Information systems
Specific risk: Cybersecurity
What we’re seeing: Cybersecurity is a rapidly growing threat in healthcare, with incidents frequently disrupting patient care delivery and creating significant operational and financial consequences. Many hospitals and health systems still lack mature governance and effective controls to manage these risks. Healthcare organizations are increasingly vulnerable to evolving cyber threats and the complexities of modern IT environments. Without regular updates and validation of cybersecurity controls, they risk data breaches, operational disruptions, and threats to patient safety. It is anticipated that in the future, the Centers for Medicare & Medicaid Services may push the healthcare industry into complying with Cybersecurity Maturity Models, launched as a U.S. Department of Defense program and designed to ensure contractors properly protect sensitive information.
What you can do about it: Align with evolving regulations and proposed revisions to the HIPAA Security Rule. Conduct cybersecurity maturity assessments to benchmark controls against set industry standards. Review third-party risk management for vendors handling sensitive data. Evaluate the effectiveness of response plans, penetration testing, and vulnerability management. Evaluate cybersecurity measures, e.g., patching, access, encryption, incident response, and monitoring, to identify gaps and recommend improvements aligned with industry standards. Validate or establish annual risk analysis, including threat modeling, vulnerability scoring, and mitigation tracking to ensure risks are documented, prioritized, and addressed systematically. Audit data classification and protection, including inventory, policies, access, and retention, to strengthen data security and support compliance. Assess vendor cybersecurity practices and contractual obligations to reduce exposure from third-party breaches. Evaluate backup/restoration capabilities to confirm systems can recover within 72 hours per HIPAA proposals. Verify technology inventories and network diagrams to improve IT visibility and control.
Specific risk: Business continuity
What we’re seeing: Disruptions from outages, disasters, or cyber events can jeopardize patient care and safety. Financial and reputational damage from poor continuity planning is substantial.
What you can do about it: Assess the completeness and testing frequency of business continuity and disaster recovery plans. Verify that critical systems and data backups are protected and recoverable. Identify gaps in resilience planning across departments and recommend improvements.
Specific risk: System access management
What we’re seeing: Poor access controls can lead to data breaches, insider threats, and compliance violations. Risks include excessive privileges, delayed deprovisioning, and unmanaged role changes.
What you can do about it: Review access provisioning and deprovisioning workflows for timeliness and accuracy. Test for least privilege enforcement and segregation of duties. Audit privileged access management and monitor for anomalies. Evaluate the effectiveness of periodic access reviews and real-time alerts for unauthorized access attempts.
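The three access review checks described above (timely deprovisioning, least privilege against a role baseline, and segregation of duties) as an added example, not Kodiak’s code or tooling: it joins a constructed HR roster with a constructed IAM account export and returns one finding per violation. The roster, account export, role baseline, conflict pairs, and the one-day deprovisioning SLA are all assumptions; in practice the inputs would be exports from the HRIS and the identity provider.

```python
"""Access review analytics: HR roster joined to an IAM account export.

Added example, not Kodiak's code. Every dataset below is constructed
for illustration only.
"""
from datetime import date, timedelta

# Constructed HR roster: role and termination date (None = still employed).
HR_ROSTER = {
    "alice": {"role": "nurse", "terminated": None},
    "bob": {"role": "billing", "terminated": date(2025, 9, 1)},
    "carol": {"role": "dba", "terminated": None},
    "dave": {"role": "billing", "terminated": None},
}

# Constructed IAM export: account status and granted entitlements.
IAM_ACCOUNTS = [
    {"user": "alice", "enabled": True, "entitlements": {"ehr_read", "ehr_write"}},
    {"user": "bob", "enabled": True, "entitlements": {"billing_read", "claims_submit"}},
    {"user": "carol", "enabled": True, "entitlements": {"db_admin", "ehr_read", "ehr_write"}},
    {"user": "dave", "enabled": True, "entitlements": {"billing_read", "vendor_create", "payment_approve"}},
    {"user": "erin", "enabled": True, "entitlements": {"ehr_read"}},  # no HR record
]

# Assumed least-privilege baseline: the entitlements each role should hold.
ROLE_BASELINE = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"billing_read", "claims_submit", "vendor_create"},
    "dba": {"db_admin"},
}

# Assumed segregation-of-duties rules: combinations one account must not hold.
SOD_CONFLICTS = [
    ({"vendor_create", "payment_approve"}, "can create a vendor and approve its payment"),
]

# Assumed SLA: an account must be disabled within one day of termination.
DEPROVISION_SLA = timedelta(days=1)


def review_access(roster, accounts, baseline, sod_conflicts, as_of, sla=DEPROVISION_SLA):
    """Return a list of (user, finding_type, detail) tuples for the review date."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        record = roster.get(user)
        if record is None:
            # Account with no owner in HR: orphaned or unmanaged identity.
            findings.append((user, "orphan_account", "no HR record for this account"))
            continue

        term = record["terminated"]
        if term is not None and acct["enabled"] and as_of - term > sla:
            days = (as_of - term).days
            findings.append((user, "late_deprovisioning",
                             f"terminated {term}, still enabled {days} days later"))

        # Entitlements beyond what the role baseline allows.
        excess = acct["entitlements"] - baseline.get(record["role"], set())
        if excess:
            findings.append((user, "excess_privilege",
                             f"beyond {record['role']} baseline: {sorted(excess)}"))

        # Conflicting duties held by a single account.
        for combo, description in sod_conflicts:
            if combo <= acct["entitlements"]:
                findings.append((user, "sod_conflict", description))
    return findings


def summarize(findings):
    """Count findings by type, the figure an audit workpaper would report."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, IAM_ACCOUNTS, ROLE_BASELINE, SOD_CONFLICTS,
                            as_of=date(2025, 9, 30))
    for user, kind, detail in results:
        print(f"{user:6} {kind:20} {detail}")
    print(summarize(results))
```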
Specific risk: AI and emerging technologies governance
What we’re seeing: AI is rapidly being adopted across clinical, financial, and operational areas. These tools require access to massive datasets, increasing exposure to privacy and ethical risks. Governance frameworks for AI are still evolving.
What you can do about it: Assess AI governance structures, including oversight committees and ethical review processes. Evaluate data governance practices for AI training datasets, e.g., consent, bias, and security. Audit AI tool deployment for transparency, accountability, and alignment with strategic goals.
Specific risk: Complex IT environments and legacy systems
What we’re seeing: Healthcare organizations face growing risks due to fragmented IT infrastructure and outdated systems. A mix of legacy platforms and new technologies creates integration challenges, while managing multiple vendors adds complexity and increases potential for errors. Upgrades often introduce unforeseen performance issues, further straining operations. Maintaining these aging systems consumes a disproportionate share of IT budgets, and with limited vendor support, organizations are forced to rely on costly custom fixes and consultants. These factors collectively undermine efficiency, increase costs, and pose risks to the continuity and quality of patient care.
What you can do about it: Evaluate the organization’s mix of legacy and modern systems, focusing on integration challenges, system dependencies, and failure points to identify infrastructure-related risks and recommend modernization priorities to improve resilience and efficiency. Review vendor contracts, service-level agreements, and oversight practices across systems to assess vendor performance, identify duplications or inefficiencies, and recommend governance improvements to mitigate operational risk. Analyze the cost, supportability, and security posture of legacy platforms to highlight systems at risk due to limited vendor support and high maintenance costs and provide a road map for decommissioning or upgrading. Review IT spend allocation, particularly on maintaining outdated systems versus investing in modernization to provide insights into resource drain and suggest reallocation strategies to support strategic IT transformation.

Risk domain: Finance/accounting
Specific risk: Declining reimbursement
What we’re seeing: One of the most pressing issues for healthcare provider organizations is the decline in reimbursement from government and private payors. As reimbursement rates stagnate or decrease, providers are forced to operate with tighter margins. That can lead to reduced services or even closures, particularly among rural and urban safety net hospitals that already face many other challenges.
What you can do about it: Implement comprehensive internal controls to safeguard financial and data integrity and consider seeking guidance from external healthcare financial professionals. Also, use tech-enabled continuous monitoring to measure the effectiveness of controls. Use technology for automating accounts payable, payroll, and general ledger to reduce waste and errors, lower administrative costs, and gain real-time financial insights. Implement a comprehensive internal accounts receivable reserving process and regularly audit claims processing to capture charges, minimize denials, and verify compliance. Deploy advanced analytics tools to identify cost-saving opportunities, improve budget accuracy, and support decision-making by analyzing data from various sources, including EHR and billing systems.
Specific risk: Increased labor costs
What we’re seeing: Inflation and increased demand for healthcare professionals are behind these rising costs.
What you can do about it: Use analytics to match the right staff with the right skills to the actual workload. Reduce reliance on expensive 13-week contracts. Verify pay premiums are managed and are working to provide desired short- and long-term results. Expand scope of practice for qualified staff like advanced practice registered nurses and physician assistants.
Specific risk: Increased supply costs
What we’re seeing: Providers are experiencing 10% to 13% increases in the prices of medical supplies, drugs, and purchased services.
What you can do about it: Avoid relying on one supplier. Establish relationships with multiple sources to reduce dependence and vulnerability to disruptions. Build a surplus of critical inventory and form a buffer against surges in demand to prevent shortages and maintain operational continuity. Deploy technology such as AI-powered dashboards to monitor supply chain processes, gain real-time insights, and identify issues such as contract pricing compliance and on-contract purchasing before they escalate. Leverage machine learning and predictive models to analyze data, forecast trends, and anticipate any changes in supply and demand, enabling faster and more informed decisions. Develop contingency plans and conduct regular drills to simulate disruptions like natural disasters or supply shortages to assess and refine response strategies. Collaborate with other healthcare entities or strategic partners to share financial burdens, resources, and best practices, creating a more resilient and cost-effective supply chain. Build strong, communication-focused relationships with suppliers to improve collaboration, ensure data transparency, and foster a shared commitment to risk mitigation. Form cross-functional teams responsible for supply chain risk management to ensure a comprehensive and coordinated approach to crisis response. Conduct regular training for all staff to enhance their understanding of supply chain risks and best practices, promoting a culture of awareness and vigilance across the entire enterprise. Develop clear and consistent communication plans for various potential crises, ensuring timely and accurate information is cascaded to all stakeholders, including staff and patients.
Risk domain: Compliance
Specific risk: Price transparency
What we’re seeing: Additional changes proposed for calendar year 2026 would require hospitals to post actual prices (not estimates) and provide data in standardized formats that should allow patients to understand what their care will cost. Hospitals that fail to comply could face civil monetary penalties.
What you can do about it: As part of an internal audit that tests whether existing controls and processes align with regulations, use the CMS Hospital Price Transparency Validator Tool to verify publicly posted files comply with requirements.
Specific risk: Physician service arrangements
What we’re seeing: Physician service arrangements (PSAs) remain a top compliance risk each year due to the large and often complex operational expense health systems expend on these contracts, as well as potential penalties if violations of the Anti-Kickback Statute, False Claims Act, or Stark Law occur.
What you can do about it: As part of an internal audit that tests whether existing controls and processes are in place to manage physician service arrangements, use data analytics to evaluate physician compensation models, e.g., relative value units, incentive payments, and administrative services. Additionally, health systems should consider implementing a centrally controlled contract management system if one is not already in use.
Specific risk: Emergency Medical Treatment and Labor Act
What we’re seeing: As with PSAs, EMTALA remains a top compliance risk, as failure to comply with EMTALA requirements can result in civil monetary penalties. Penalties are based on the number of beds.
What you can do about it: As part of an internal audit that tests whether existing controls and processes align with regulations, data analytics can be used to evaluate emergency department visits for compliance with specific components under the EMTALA regulations such as medical screening exams.

Risk domain: Revenue cycle
Specific risk: Denials management
What we’re seeing: Denials directly impact a hospital’s financial performance and operational efficiency. Specifically, denied claims delay or prevent reimbursement for services already provided, leading to cash flow disruptions, time-consuming appeals, claims rework, and potentially lost revenue. The burden of resolving denials can also contribute to employee turnover, leading to more denials because of staffing shortages and/or errors caused by inexperienced personnel.
What you can do about it: Internal auditors can use data analytics to help provide operational insights. By analyzing claims data and associated write-offs, patterns in denial reasons can be identified and addressed. In addition, internal auditors can assist with tracing denials back to the source, e.g., registration errors, department workflow issues, and documentation issues, to provide management with valuable corrective action recommendations.
Specific risk: Payor contracts/expected reimbursement
What we’re seeing: The misinterpretation of a payor’s contract terms can result in inaccurate accounts receivable balances due to errors in the calculation of contractual allowances. Furthermore, the hospital can experience lost revenue associated with undetected payment errors and missed opportunities to dispute reimbursement variances. Hospitals that do not routinely analyze contract modeling are missing opportunities to maximize revenue and can potentially miss opportunities to renegotiate payor contracts for better terms.
What you can do about it: Internal auditors can help validate the contract modeling for the organization’s top payors, using data analytics to compare hospital-calculated reimbursements with actual reimbursements received. Internal audit can also help assess whether the revenue cycle staff is identifying, disputing, and following up on payment variances as management intended.
Risk domain: Clinical operations
Specific risk: Clinical operations and AI
What we’re seeing: Navigating the AI landscape is challenging and evolving, particularly because AI is subject to overlapping regulations from rulemaking and standard-setting bodies like the Food and Drug Administration, Federal Trade Commission, U.S. Department of Health and Human Services, and international agencies. Clinicians may defer too quickly to AI recommendations, even when they conflict with clinical judgment, leading to missed diagnoses and inappropriate treatment. Workflows and algorithms incorporating AI need constant re-evaluation and validation to address accuracy and safety.
What you can do about it: Assess that leadership involvement includes multidisciplinary oversight and governance. Validate that there is clear accountability for decisions, outcomes, and monitoring. Examine policies for AI use, including approval, monitoring, decommissioning, and whether AI tools align with existing workflows and maintain adherence to HIPAA, state, federal, and accreditation regulations. Test that clinicians can override AI decisions and provide feedback to report issues or suggest improvements. Verify that AI-related errors are logged into the incident reporting system and that there is a review, reporting, and root cause analysis process in place. Verify that clinical decisions and patient care are not affected by AI downtime.
Specific risk: Quality assurance, risk management, and compliance functions
What we’re seeing: Poor performance in quality assurance, risk management, and compliance functions can expose organizations to a wide array of serious risks such as legal and regulatory exposure, strategic and operational risks, reputational demise, financial penalties, and patient safety events.
What you can do about it: Perform audits to verify that care standards and protocols are maintained to protect patient safety. Validate that quality data accuracy and reporting mechanisms function for both internal and external measures. Run audits that benchmark and pinpoint risks identified in the EDI datasets and create algorithms for continuous monitoring. Validate the event reporting system for utilization, accuracy of input, and efficacy of the platform. Verify leadership oversight, communication, and integrated structure for QA/risk management, and compliance cross-function. Validate compliance with standards from private, state, and federal agencies.
Specific risk: Patient care coordination and throughput
What we’re seeing: Poor management, inefficient patient throughput, and the inability to identify complex patient needs can negatively affect patient satisfaction, cause operational and financial strain, create staff burnout, and produce care inefficiencies. As patients stay longer in the hospital, their risk for complications and hospital-acquired infections increases.
What you can do about it: Verify that leadership involvement includes multidisciplinary oversight and governance. Validate that there is clear accountability for decisions, outcomes, and monitoring. Validate that data metrics are relevant and incorporated in review processes and that there is a change management system in place to prevent harm. Verify that care coordination and utilization management committees are established, meeting regulatory requirements, and reviewing data with meaningful action plans. Observe discharge workflows for inefficiencies such as delayed orders, missing test results, siloed departmental communication, or other hurdles.

Risk domain: Quality/patient safety
Specific risk: Behavioral health
What we’re seeing: Healthcare organizations face significant risks when proper suicide screening and restraint protocols are not in place. Failure to identify individuals at risk of suicide and/or provide a safe environment of care can lead to preventable deaths. Aggressive behavior and workplace violence can also impact restraint and seclusion use metrics. There are regulatory standards organizations must follow, and there can be legal action if the care provided was negligent.
What you can do about it: Validating bedside practices, maintaining strong policies, establishing interdisciplinary communication, and performing unit-specific staff training can assist with reducing risk. Examine policies and procedures for compliance with organization, industry, and regulatory standards. Validate internal data, e.g., event reports and dashboards, and monitor and communicate data with appropriate committees, including meaningful action plans when necessary. Perform observations to validate that suicide risks are assessed, restraint or seclusion use is compliant with standards, and the environment of care is safe for patients. Perform EHR documentation testing for organizational and regulatory compliance.
Specific risk: Obstetrics
What we’re seeing: Perinatal care is among the most litigated areas in healthcare. There are numerous high-risk scenarios surrounding maternal and neonatal health. Organizations can focus on the following risks to mitigate the chances of poor outcomes: maternal hemorrhage, preeclampsia, intrapartum fetal monitoring, oxytocin management during labor, and newborn complications such as hyperbilirubinemia and sepsis.
What you can do about it: Validating that bedside practices and policies align with industry standards, confirming interdisciplinary communication and escalation protocols are used, and testing that unit-specific education occurred can assist with mitigating organizational risks. Use data to pinpoint where risk is occurring; obstetrics has eight key risk areas that are highly measurable at the procedural and provider levels. Perform observations of staff to validate practice aligns with industry standards and protocols and that required drills are performed. Test medical record documentation for compliance with up-to-date organizational policies and procedures, industry standards, and regulatory requirements. Validate that staff education and training occur and align with industry standards and best practices. Evaluate facility policies and procedures to confirm they are updated regularly and align with industry recommendations for maternal and neonatal care.
Specific risk: Surgical safety, including device sterilization and high-level disinfection
What we’re seeing: Numerous errors made in the perioperative space usually can be prevented. Wrong site surgeries, unplanned retained instruments, lost specimens, and failed sterile trays are unfortunately common risks that plague operating rooms and procedural areas across the country. These mistakes can result in patient infections, delayed treatment, extended stays, or, even worse, death. Organizations face more than just financial consequences. They may also face loss of reputation, poor publicity, and poor patient satisfaction scores.
What you can do about it: Examine policies and training to ensure they align with industry, regulatory, and manufacturer standards. Observe OR safety practices for compliance with universal protocol (pre-procedure verification, time-out, surgical site marking), fire safety, interdisciplinary communication, and escalation pathways. Observe sterilization and HLD steps for compliance from point-of-use throughout reprocessing, including storage. Validate that vendors are compliant with protocols for sign in, tray drop-off and pickup, surgical attire, and personal protective equipment.
Risk domain: Human resources
Specific risk: Recruitment, hiring, and retention
What we’re seeing: Recruiting, hiring, and retaining qualified employees continue to be risk areas for healthcare organizations due to workforce shortages, rising competition, and increasing burnout. The demand for skilled professionals often exceeds supply, especially in rural or underserved areas, making it difficult to fill critical roles. High turnover rates disrupt continuity of care, increase training expenses, and strain existing staff, potentially leading to lower patient satisfaction and safety concerns. Additionally, the time and resources required to recruit and onboard employees can divert attention from core clinical operations. Reliance on travel nurses has increased to relieve staffing burdens. However, this leads to increased turnover of non-travel staff and higher costs and pressure on already tight budgets. Without a stable, qualified workforce, healthcare organizations face operational, financial, and reputational risks.
What you can do about it: Internal audit departments can assist healthcare organizations in evaluating whether their strategic workforce plans align with future staffing needs, including critical department staffing levels, succession planning, and skills gap analysis. Additionally, internal audit departments can review recruiting and retention processes by assessing efficiency and compliance in hiring practices to attract qualified candidates and meet regulatory standards. Internal audit departments can analyze turnover rates, exit interview data, and employee engagement surveys to identify root causes of attrition. Internal audit departments can also evaluate travel nurse contracts for payment compliance and management of the program for compliance with the contracts.
Specific risk: Payroll
What we’re seeing: Payroll presents both financial and reputational risks to healthcare organizations. Inconsistent or noncompliant pay practices can lead to wage disputes, legal penalties, and damage to the organization’s credibility. Errors in timekeeping, overtime calculations, or compensation advances may result in financial losses and compliance issues. These problems can also lower employee morale and retention, especially in unionized settings or where labor regulations are strict. Further, outdated or inadequate payroll systems may struggle to handle complex staffing models, shift differentials, and/or contract labor, leading to inefficiencies and further risk exposure.
What you can do about it: Internal audit departments play a vital role in reducing payroll-related risks by ensuring strong and effective controls and compliance. Audit departments assess payroll processes for accuracy, proper authorization, and segregation of duties to prevent errors and fraud. Audit departments can verify compliance with labor laws, union agreements, and internal policies, helping to avoid legal and reputational consequences. They also should review timekeeping and overtime calculations to ensure employees are paid correctly and fairly. By analyzing payroll data, internal auditors can detect anomalies such as duplicate payments or unauthorized compensation. Additionally, internal auditors can evaluate whether payroll systems can handle complex staffing models, shift differentials, and contract labor.
Specific risk: Physician contracts
What we’re seeing: Physician contracts pose significant operational, financial, and reputational risks to healthcare organizations. Key concerns include noncompliance with federal fraud and abuse laws such as the Stark Law, Anti-Kickback Statute, and False Claims Act. Risks can arise when physicians are paid without a valid contract, receive compensation above fair market value, or are paid more than agreed. Additional issues include physicians using hospital space without proper leases or compensation and recruitment arrangements that fail to meet regulatory standards. A lack of continuous monitoring of contract and recruitment compliance further increases exposure to legal and financial penalties. Proper oversight and documentation are essential to mitigate these risks.
What you can do about it: Internal audit departments can confirm that physician arrangements are properly documented, approved, and aligned with fair market value. Additionally, they can evaluate physician group payments to confirm compliance with compensation agreement terms and that contractual amounts are being met and not exceeded, confirm that terms have been met to receive any eligible incentive payments, and verify that other compliance requirements are being met in accordance with the agreement. Internal auditors can evaluate physician space leases and recruitment agreements to ensure regulatory compliance and proper compensation. Additionally, internal auditors can confirm ongoing monitoring of contract performance and identify gaps in oversight or policy enforcement.

Risk domain: Governance and oversight
Specific risk: Policy changes
What we’re seeing: Policy changes in government healthcare programs continue to create uncertainty across the industry. Reductions in funding for Medicare, Medicaid, and Affordable Care Act subsidies can significantly impact provider reimbursement, leading to increased levels of uncompensated care. These financial pressures often result in patients delaying treatment due to cost concerns, which in turn raises the acuity of their conditions when they finally seek care. Sicker patients require more intensive services, further straining healthcare systems. As reimbursement declines and patient needs grow more complex, organizations may be forced to reduce staffing levels, contributing to workforce shortages and increased burnout among remaining staff. This cycle not only affects the quality of care but also threatens the long-term sustainability of healthcare delivery.
What you can do about it: Internal auditors can assess hospital readiness by evaluating financial models and impact mitigation strategies to ensure the organization is prepared for shifts in reimbursement or regulatory requirements. Analysis of processes used to identify and respond to policy changes, including the effectiveness of action plans and communication strategies, can help confirm timely and informed decision-making. Additionally, internal auditors can evaluate budget and reimbursement forecasting to determine whether projections align with potential policy shifts. This proactive approach strengthens organizational resilience, supports strategic planning, and helps safeguard financial stability during an evolving regulatory environment.
Specific risk: Communication
What we’re seeing: Effective communication is critical, serving as the foundation for strategic alignment and organizational trust. When communication breaks down, it can lead to lack of transparency and poor decision-making, ultimately compromising patient care and system performance. Inconsistent or unclear messaging across departments may result in oversights, misinformed strategies, and delayed responses to emerging risks. In high-risk or emergency situations, timely and accurate communication enables the appropriate teams to act quickly, reduce harm, and improve patient outcomes. It also strengthens trust within the organization and the communities served. Absent strong communication practices, healthcare systems risk fragmentation, increased liability, and diminished quality of care. Clear, consistent, and proactive communication is essential to managing risk effectively and maintaining operational resilience.
What you can do about it: Internal auditors can help mitigate risks related to communication challenges in healthcare by evaluating how effectively information flows across all levels of the organization. Internal auditors can assess the use and consistency of standardized communication tools like Situation, Background, Assessment, and Recommendation protocols, ensuring that critical information is conveyed clearly and reliably. Auditors can also analyze incident reporting and tracking mechanisms to learn whether data is being captured, analyzed, and used in governance and decision-making processes. In both clinical and administrative settings, internal auditors can spot gaps in communication protocols and recommend improvements to enhance coordination, transparency, and responsiveness. By proactively evaluating these systems, internal audit supports safer patient care, stronger organizational alignment, and more effective risk mitigation.
Specific risk: Enterprise resilience
What we’re seeing: Enterprise resilience is essential in healthcare, especially for hospitals that must maintain continuity of care during disasters or emergencies. Resilience should be embedded in the facility’s infrastructure, including robust emergency preparedness plans, staff training, and clear role definitions. When healthcare teams understand their responsibilities and are equipped to act quickly, response times improve and patient safety is preserved. Coordination with local emergency services is also critical to avoid delays in care and recovery efforts. Additionally, resilient logistics systems help prevent supply chain disruptions, ensuring access to essential equipment, pharmaceuticals, and other critical supplies. Without these safeguards, hospitals risk operational breakdowns that can compromise care delivery and community trust. Building enterprise resilience is not just about reacting to crises; it is about proactively preparing for them to protect patients, staff, and the broader health system.
What you can do about it: Internal audits are an essential tool in strengthening enterprise resilience in healthcare. Internal auditors can evaluate hospital preparedness for a range of threats, including natural disasters, pandemics, and cyberattacks. This includes reviewing the effectiveness of emergency response plans, the frequency and quality of drills, and staff readiness across departments. Internal audit can also assess whether contingency plans are up to date and aligned with current risks and whether critical infrastructure, such as backup systems and communication protocols, is fully supported. By identifying gaps in planning, training, and coordination, internal audits help ensure that provider organizations can maintain continuity of care during crises. This proactive approach not only protects patient safety but also supports operational stability and community trust.
Risk domain: Supply chain/materials management
Specific risk: Inefficient inventory management
What we’re seeing: Hospitals may experience financial losses from overstocking, which ties up capital, or from stockouts, which cause procedure delays and force costly expedited orders. Poor inventory control can also lead to the use of expired or obsolete products.
What you can do about it: Implement a real-time, cloud-based inventory management system with automated reordering based on historical usage. Use strategies like First-In, First-Out and First-Expired, First-Out to manage products with expiration dates.
Specific risk: Inaccurate billing and lost charges
What we’re seeing: Lack of integration between the supply chain and financial systems can lead to medical supplies being used on patients but not being accurately recorded and billed. This causes revenue loss and affects financial integrity.
What you can do about it: Integrate inventory management software with the hospital’s EHR and billing systems. Use barcode or RFID scanning at the point of use to automatically capture and charge for all medically necessary supplies.
Specific risk: Procurement and contracting fraud
What we’re seeing: Lack of adequate oversight of procurement processes and vendor contracts can result in “maverick spending,” i.e., out-of-contract purchasing, contract noncompliance, and potential kickbacks or fraud.
What you can do about it: Standardize the procurement process using a centralized e-procurement system and require competitive bidding. Conduct regular audits of vendor contracts to verify adherence to terms, pricing, and service-level agreements.
Specific risk: Cybersecurity threats
What we’re seeing: As healthcare supply chains become more digital, they are increasingly vulnerable to cyberattacks such as ransomware that can disrupt critical operations and compromise sensitive data. Third-party vendor networks also pose a risk.
What you can do about it: Prioritize cyber resilience by vetting critical vendors and ensuring they meet strong security standards. Implement security policies and regular employee training and conduct tabletop exercises to prepare for potential cyber incidents.
Risk domain: Pharmacy
Specific risk: 340B Program compliance
What we’re seeing: Compliance with the 340B Drug Pricing Program has been and continues to be a top concern for healthcare organizations. Under the 340B Program, eligible entities may take advantage of significant discounts in the cost of outpatient drugs, enabling them to stretch limited funds and provide more comprehensive services to low-income patients and their local communities. The 340B regulatory requirements are numerous and complex; they require substantial internal monitoring. Noncompliance can pose significant financial risks ranging from regulatory penalties and manufacturer repayments to total removal from the 340B Program. Beginning in 2020, manufacturers began implementing policies refusing to provide or restricting 340B pricing for drugs dispensed via contract pharmacies. At least 40 pharmaceutical manufacturers have imposed distribution limits on covered outpatient drugs dispensed through the 340B Program, undermining the program. In response to the restrictions, 18 states have passed legislation to prohibit drug companies from restricting access to 340B Program pricing through contract pharmacies.
What you can do about it: Internal audit can complete a comprehensive review of the organization’s 340B program to confirm compliance with 340B regulations and prepare a 340B covered entity for a Health Resources and Services Administration 340B Program integrity audit.
Specific risk: Controlled substance diversion
What we’re seeing: For healthcare provider organizations, Drug Enforcement Administration regulations are not only complex and often difficult to understand, but violating them can lead to multimillion-dollar settlements. A DEA audit or inspection can lead to criminal prosecution and administrative action against your DEA registration if the agency finds violations of the Controlled Substances Act. And if an entity is a member of a larger organization, DEA may inspect other locations within that health system to investigate practices throughout the organization. Strict compliance with complex DEA regulations is a must for healthcare organizations that want to avoid fines, negative publicity, damaged reputation, and loss of licensure for personnel and entities.
What you can do about it: Internal audit can complete an audit to identify compliance areas where a healthcare organization is most at risk and implement action plans for strengthening the organization’s DEA and controlled substance compliance program.

Summary and conclusion
The Kodiak risk and compliance team analyzed data collected from thousands of audits from Oct. 1, 2024, through Sept. 30, 2025, to identify the top 10 risk areas, or domains, confronting hospitals, health systems, and medical practices. The team also captured the number of instances of risk in each of the 10 domains as well as the most common risk areas in each domain. The matrix below summarizes what the team uncovered:

These results provide a road map ahead for the risks that internal audit departments at healthcare provider organizations will face in 2026. In an era of limited or declining resources, this will help internal audit departments focus their audit work plans and workflows on the most target-rich risk areas facing their organizations in the year ahead.
To meet these challenges, successful risk programs can adopt a Risk Intelligence approach that starts with data sources. This data can be incorporated into risk assessments and audit workflows alongside benchmarks, KPI metrics, and the auditor’s organizational and industry knowledge. The significance of this data is that it drives prioritization of the risks faced by the organization and can produce insights, data visualizations, and KPIs that highlight the materiality and likelihood of the risk priorities.
Once a potential risk priority is placed on the audit plan, innovative audit workflow and auditing expertise can validate and identify the root cause of the risks being audited. Once the audit is finalized, the findings can establish baselines of the multidimensional aspects of the risk, so the interventions deployed or implemented can be tracked and sustained via ongoing monitoring with what Kodiak calls Risk Cubes.
Imagine conducting an audit and being able to capture the key aspects of that audit (controls, KPIs, baseline performance metrics, etc.) for ongoing testing and analysis, and putting all of these attributes into a box, or what is better described as a Risk Cube. As audits on the plan are completed using this approach, risk program coverage grows as more Risk Cubes are built from the audits being conducted.
Once a risk is in a Risk Cube, full-scope audits are no longer required, allowing for resources to be focused on new risks and other risk priorities. The organization gains a return on risk from maximized operating performance, greatly expanded risk coverage, and risk management effectiveness.
Learn more
Risk mitigation has never been more challenging in healthcare as the industry itself grows more complex and more complicated with each passing day. Let’s talk about how we can put our Risk Intelligence tools, technologies, services, and solutions to work for you.