A continuing major challenge for Compliance Officers is how to address ongoing auditing and monitoring of high-risk areas. The OIG has repeatedly stressed the importance of auditing and monitoring activities in its various guidance documents, yet there remains considerable confusion as to the difference between auditing and monitoring, as well as to who has responsibility for these functions. Steve Forman, CPA, has over 35 years of experience in health care compliance including time as Director of Management Operations for the Office of Inspector General (OIG) and as Vice President for Audit and Compliance at the New York-Presbyterian Hospital. He is widely published as an expert on this subject and offers his advice and tips in this article.
The Difference Between Auditing and Monitoring
Ongoing monitoring should be a continuous control, serving as both the process and the method for detecting compliance risk issues associated with an organization’s operations. Ongoing monitoring programs are a manager’s responsibility, not the Compliance Officer’s. Such program responsibilities include keeping current with changes in rules, regulations, and applicable laws; developing internal controls, policies, and procedures to comply with them; training staff on these rules; and taking steps to monitor or verify compliance with these new guidelines. Monitoring programs should be designed to test for inconsistencies, duplication, errors, policy violations, missing approvals, incomplete data, dollar or volume limit errors, or other possible breakdowns in internal controls. Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline.
Ongoing auditing entails reviewing the ongoing monitoring process and verifying it is effective in achieving the desired outcome. When it comes to high-risk compliance areas within an operation, audit objectives are to: (1) verify that managers are meeting their obligations for ongoing monitoring; and (2) validate that the process is achieving desired outcomes. This includes confirming that controls are in place and functioning as intended or identifying weaknesses in the program that need to be addressed. An audit must be an independent and objective review, which means it should be done by people external to the program area to be audited. This can be done by the compliance office, internal or audit department, other program managers, or any combination thereof. External reviewers can also be used, such as consultant experts or operational auditors. In any case, the Compliance Officer should ensure that both the monitoring and the auditing are taking place and doing what they should be doing.
Monitoring and Auditing Practices for Effective Compliance: Tips for Compliance Officers
- Work with management to identify and make a list of compliance high-risk areas related to their operational areas, beginning with the OIG work plans, fraud alerts, advisory opinions, audits, and enforcement priorities, along with Medicare contractor activities (e.g., RACs or ZPICs), industry news, PERM reports, PEPPER data, etc.
- Create a compliance audit plan that will evaluate whether ongoing monitoring and auditing are adequately addressing compliance high-risk areas, giving priority to the areas of highest risk.
- Ensure responsible program managers are engaged in assessing high-risk areas within their operations and have ranked them in terms of level of risk, probability of risk exposure, and impact or damage that may result from that risk.
- Ensure that program managers adequately develop and implement monitoring plans to address all risk areas; monitoring plans should detail how compliance risks are being tested and reviewed on an ongoing basis.
- Determine if program managers have calculated the potential damage a risk can cause, including the potential scale of direct and indirect financial consequences (i.e., liability, penalties, etc.), as well as whether they have established the likelihood of a risk event, taking into consideration whether the area is a current enforcement priority (e.g., improper physician arrangements).
- Determine whether ongoing auditing has addressed the adequacy of the internal controls (e.g., policies and procedures) to reduce the likelihood that an unwanted, high-risk event will occur.
- Ensure that corrective action plans have been instituted for all deficiencies found within a risk area and verify that the corrective action works as intended.
- Include results of monitoring and auditing as regular agenda items for both the management-level and board-level compliance committees.
- Engage compliance experts to independently evaluate the effectiveness of a compliance program, inasmuch as it is also a program that should be part of ongoing auditing as called for by the OIG. Further, place special emphasis in the scope of work on reviewing whether high-risk areas are being properly addressed.