Effective auditing and monitoring for your compliance program

by Marti Arvin

Marti Arvin (marti.arvin@cynergistek.com) is Vice President of Audit Strategy at CynergisTek, in Austin, TX.

What is effective auditing and monitoring in support of an effective compliance program? There is no clear-cut answer, but it is clear that doing nothing will not get you to effectiveness. The key question is how much of something must be done? It is helpful to understand what the two terms mean. They are often used as a single phrase, but the two activities are distinctly different. Understanding what the two activities entail can help determine if what is being done supports an effective compliance program.

Auditing versus monitoring

An audit is usually a formal, structured process with a defined scope of work to evaluate controls and determine if a process is functioning as expected. An independent, objective, and knowledgeable third party should perform it. The scope of work would generally define what controls are being tested, the universe from which a sample is being identified, the method for randomly selecting the sample, and the size of the sample that will be evaluated. It might also include a background regarding why the audit is being performed and the identified references and resources used in support of the audit.

Some organizations refer to activity under this element of the compliance program as “reviews” rather than audits, because they recognize what they are engaged in does not have the structure and formality of a true audit. The important factor is to understand the difference in the terms and use them appropriately.

Monitoring does not have the same requirement for independence and objectivity that auditing does. Monitoring is something that can be performed by the Compliance Office as an independent party, but it can also be a self-assessment performed by the business operations unit. Monitoring is often conducted on a more routine, less formal basis than performing a review or an audit. For example, there may be a requirement that all clinical areas complete a self-assessment of coding and documentation practices by selecting ten claims a month and evaluating the accuracy and completeness of the coding and documentation for those services. Because the business unit that performs the work conducts the monitoring, it cannot be considered an independent and objective assessment. That is not to say that the person performing the monitoring will not do a thorough and complete job — it is simply a recognition of the inherent conflict of interest in having someone involved in the process also evaluate the process.

Now that the terms are defined, what are the next steps? The key to effective auditing and monitoring will encompass a number of factors. Key among those are:

  • Conducting an effective risk assessment and risk prioritization for the organization,

  • Identifying resources to conduct auditing and monitoring activities around the high-risk items, and

  • Actually performing the auditing and monitoring activities.

The risk assessment process and risk prioritization

The buy-in of senior leadership and business unit leaders is critical to conducting an effective risk assessment. The compliance officer will be able to identify a number of risks the organization has and provide input into the priority of those risks, but the ultimate decision regarding the risk tolerance of the organization lives with the senior leadership and governing body. There may be risks the compliance officer is not aware of, and even for the risks known by the compliance officer, there may be compensating controls that would impact the overall priority of addressing such risks.

Compliance may drive the risk assessment process, but the final outcome — a prioritized list of the organization’s risks based on the likelihood of the risk occurring, the consequences if it occurs, and mitigating factors (e.g., compensating controls) — must be determined by the governing body. This final list will be the road map to the auditing and monitoring program. Rarely does a compliance program have the resources to address all risks but, ideally, the organization will provide sufficient resources to address the highest risk. The decision on which risk will be addressed through the auditing and monitoring program should be formalized in the minutes of the oversight body for the compliance program. It should be clear that the governing body was made aware of the risks, made the final decision regarding which risks would be addressed, and how they determined which resources they would use to address them. If the risk assessment identifies ten high-risk items, but the resources are not available to address all ten, it is important that the governing body is clear on the potential consequences of not addressing each risk or providing support to obtain the resources.

A mistake made by some compliance professionals is to attempt to address all the high priority risk items with the resources available, if their governing body is not willing to support additional resources. This approach can have multiple negative consequences. It can lead to staff burnout because of overwork, sloppy work because of the pressure to complete more audits and reviews than feasible, and/or a continued unwillingness for the governing body to provide resources if they perceive the risks are being addressed.

Compliance professionals should be very clear to the governing body that if they choose not to provide sufficient resources to address the highest priority risks, those risks will not be part of the annual auditing and monitoring work plan. Decisions on risk tolerance should be left to the governing body. The compliance professional may have to fight the inherent natural desire to assure all the high-risk items are addressed in the interest of protecting the organization.

The risk assessment process may be a joint effort with other business units, such as Risk and/or Internal Audit. Not only does this get Compliance the input of these business units, but it also means Compliance will not be standing alone in presenting the risks to the governing body. It also allows for the coordination of efforts that may result in a more efficient use of resources to address more risk areas.

When identifying risk, most organizations will take into account a number of resources. The Office of Inspector General (OIG) Annual Work Plan[1] is one such often-used resource — but it should not be the only resource. Looking at other program integrity and enforcement activities of any regulatory body that has oversight for activities performed by the organization will be important. There can be a multitude of these in addition to the OIG. Those of interest to the organization will depend on the nature of the organization and the laws and regulations it is subject to, but they may include the Office for Civil Rights (OCR), the Food and Drug Administration (FDA), the Office for Human Research Protections (OHRP), and the Department of Justice (DOJ), just to name a few.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook X LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings