Blog Post

Compliance Ongoing Monitoring and Auditing

Richard P. Kusserow | September 2022

Join us for an upcoming Webinar! You can register here for a free CEU credited webinar, “Building Blocks for Effective Compliance Programs (,” that will be held on November 10, 2022, at 2 PM Eastern.

Key Points:

Ongoing monitoring and auditing of high-risk areas has been repeatedly stressed by the Department of Health and Human Services Office of Inspector General (OIG). Notwithstanding this emphasis, monitoring and auditing remains an area of some confusion for many compliance officers in terms of definition and assignment of responsibility.

Ongoing Monitoring is a Program Manager, not a Compliance Officer, responsibility.  Program Managers should be responsible for (a) keeping current with changes in rules, regulations, and laws applicable to their operational areas; (b) developing internal controls, policies, and procedures to comply with them; (c) training their staff on the written guidance; and (d) actively monitoring and verifying the guidance is being followed.  Monitoring techniques may include sampling protocols that permit program managers to identify and review variations from an established baseline.  

Ongoing Auditing, by definition, must be performed by parties independent of the operations being reviewed.  This can be done by the compliance office, internal/external auditors, outside consultants or any combination thereof.  These reviews should verify that program managers are properly carrying out their monitoring responsibilities and validate that the process is effective in mitigating levels of compliance risks. 

The Compliance Officer should ensure all this is functioning as it should, as well as verifying that timely corrective actions have be taken to address all weaknesses and problems identified in these processes. It may be worthwhile for Compliance Officers to seek answers to the following questions:

  1. Do Program Managers understand their compliance monitoring responsibilities?
  2. Do Program Managers need assistance in meeting their ongoing monitoring duties?
  3. Have Program Managers designed a plan for monitoring their areas of responsibility?
  4. Are Program Managers assessing their operational high-risk areas?
  5. How do Program Managers ensure identified need corrective actions are implemented?
  6. Does the Compliance Audit Plan include verifying ongoing monitoring is taking place?
  7. Have Program Managers identified their operational compliance high-risk areas?
  8. Are compliance risk areas ranked by level of risk, probability, and impact? 
  9. Have Program Managers calculated potential damage and the likelihood of a risk event?
  10. Have Program Managers developed/implemented monitoring plans for identified risk areas?
  11. Has priority been given to ranking and addressing areas of highest compliance risk?
  12. Are all compliance risks tested and reviewed on an ongoing basis?
  13. Is monitoring evidencing a reduction of the likelihood for unwanted risk events occurring?
  14. Have audits validated ongoing monitoring is effective in mitigating compliance risks?
  15. Have corrective action plans been instituted for all identified risk area deficiencies?
  16. Is there a process by which corrective action measures taken are validated as effective?
  17. Have outside experts independently evaluated monitoring and auditing processes?
  18. Are monitoring and auditing results part of agenda for the compliance committees?
  19. Do compliance oversight committees actively ensure timely corrective actions are taken?

For more information on this topic, contact Richard Kusserow at r[email protected].

Keep up-to-date with Strategic Management Services by following us on LinkedIn

About the Author

Richard P. Kusserow established Strategic Management Services, LLC, after retiring from being the DHHS Inspector General, and has assisted over 3,000 health care organizations and entities in developing, implementing and assessing compliance programs.

Subscribe to blog