One of the seven critical elements of a compliance program is ongoing auditing and monitoring. The U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) calls for auditing and monitoring as “an ongoing evaluation process (that) is critical to a successful compliance program.” The OIG does not define the differences between the two terms, and many compliance officers and program managers continue to be confused about that, as well as the respective roles in addressing them. What the OIG does say in its Compliance Program Guidance for Hospitals is that auditing and monitoring should be:
- an ongoing process;
- thorough with regular reporting on it to senior officials, including the board;
- regular, periodic audits by qualified people focusing on programs with substantive exposure to government enforcement actions; and
- ensuring compliance with specific federal, state, and internal rules and policies.
For purposes of this article, it may be useful to define the difference between these two ongoing functions. First, ongoing monitoring is the program managers’ responsibility. They are the ones most familiar with their own operations and should be charged with identifying risk areas of their responsibility; developing appropriate internal controls, policies, and procedures; and monitoring them to verify they are being followed. Whereas monitoring should be done by program managers, the ongoing auditing of those operations needs to be performed by parties independent of those operations. This is to ensure objectivity in performing the audit reviews. The objectives of these reviews are also different from monitoring. Whereas monitoring is to ensure that policies and procedures are in place and are being followed, auditing is to determine whether the monitoring program is operating as it should and that policies, procedures, and controls adopted are adequate and their effectiveness is validated in reducing errors and risks. Regardless of how an organization goes about its ongoing monitoring and auditing, the major challenge everyone faces is how to get it done properly.
The universe of compliance risks is considerable and getting bigger. All you have to do to be convinced of this is to look at the OIG compliance guidance documents, which highlight some key high-risk areas, then add risk areas identified in the annual work plan and other advisory letters. If that is not enough, you also need to consider risks identified by the Centers for Medicare & Medicaid Services (CMS) and its contractors, recovery audit contractors (RACs), zone program integrity contractors (ZPICs), et cetera. Needless to say, the mountain of risks begins to resemble Mount Everest and, like the mountain, continues to grow. The compliance officer should not be directly involved in ongoing monitoring other than to identify potential areas of risk or concern and to track that appropriate follow-up was made in response to weaknesses or problems; however, the compliance officer should be involved in the ongoing auditing activities. This does not mean being the only one doing the auditing work. That can be done by any party competent to conduct independent review of the program managers’ monitoring programs. This may include the compliance officer, internal or external auditors, consultants, or any combination thereof. The problem for most organizations is having sufficient resources to carry out what is needed in meeting the ongoing auditing burden. Even if you have your own internal audit staff, the likelihood is they will have other priorities in addition to compliance-related reviews. However, there are always experts out there to help with either conducting risk analyses in support of ongoing monitoring or conducting ongoing auditing of selected high risk areas. If it is decided that outside assistance is needed, the questions then are:
- How much outside assistance is affordable?
- What are the high-risk areas that have the highest priority?
- How soon do we have to have results to mitigate risks?
- Does any of the work warrant being performed under direction of legal counsel?
- Are there mechanisms in place to verify that corrective action was effective and sustainable?