Tips for Addressing Compliance High-Risk Areas.

Compliance Officers have the significant challenge of addressing the numerous compliance high-risk areas through ongoing monitoring and independent auditing.  For example, the OIG Compliance Guidance for hospitals identifies over 40 high-risk areas and continues to expand the list each year. Program managers have the responsibility of conducting ongoing monitoring.  They must be informed of current rules and regulations, ensure changes are incorporated into policies and procedures, train staff about these changes, and verify staff adherence to new policies.  Parties outside of the operational areas under review have the responsibility of independent auditing.  External reviewers can be consultant experts or operational auditors.  Internal and external resources, including the Compliance Office and Internal Audit, can also conduct auditing.  Operational high-risk auditing has two primary objectives, including verifying that managers meet their obligations, and validating that the process achieves the desired outcomes.

Best practice tips for addressing compliance high-risk areas include the following:

1. Work with management to identify operational high-risk compliance areas as set forth in the OIG Work Plans, Fraud Alerts, Advisory Opinions, audits, and enforcement priorities and in Medicare contractor activities, industry news, PERM reports, and PEPPER data;
2. Assess each high-risk area in terms of degree of risk, probability of risk exposure, and potential compliance impact from the risk area;
3. Develop and implement a monitoring plan addressing all risk areas and details how compliance risks can be tested and continuously reviewed;
4. Determine the potential damage from a compliance risk failure, including the magnitude of direct and indirect financial consequences;
5. Evaluate program manager effectiveness with regards to ongoing monitoring;
6. Determine the likelihood of a compliance risk event by considering whether the area is a current enforcement priority;
7. Ensure that current internal controls adequately mitigate risk and reduce the chance of an unwanted risk event;
8. Create a compliance audit plan based on risk assessment results, giving highest priority to the highest risk areas.
9. Implement specialized training programs based on risk assessment results;
10. Institute a corrective action plan for all risk area deficiencies;
11. Include monitoring and auditing results as regular agenda items for both management and Board level compliance committees; and
12. Engage compliance experts to independently evaluate the effectiveness of a compliance program by specifically focusing on high-risk areas.