Mock Compliance Audits
What, Why, Who, Where, When, How
Organizations face complex regulatory and legal requirements in today’s highly regulated, ever-changing healthcare environment. They may fall short of what is required to remain in compliance. If deficiencies are not identified and addressed, it can result in potential liabilities. One way to meet the challenges is to have mock audits of compliance high-risk areas to identify and address any weaknesses. The following answers critical questions regarding using mock audits:
- What. A mock audit is an outside review and assessment that replicates the form and substance of a typical regulatory audit or examination to identify and mitigate exposure to potential liabilities. It may involve reviewing existing policies, procedures, internal controls, and practices against regulatory standards and mandates in process or systems review contexts. It may be transactional reviews, such as claims audits, arrangements audits, etc. The scope may vary according to needs but typically reviews operational processes or documents (claims, contracts) against specific standards. The whole point is to simulate closely what will take place during an actual program audit or transactions review.
- Why. Mock audits offer many benefits, including (a) providing an outside review and perspective and identifying weaknesses that can be mitigated; (b) understanding what to expect during an external audit; (c) evidencing continuous ongoing improvement; and (d) increased confidence in compliance program effectiveness. They can also enable pinpointing areas of need for improvement of the compliance program and determine which areas require the most attention first.
- Who. One critical component of a successful mock audit is to have subject matter experts knowledgeable of the audit area. Mock audits can be performed using internal staff but commonly involve engaging qualified third-party consultants with expertise and experience in the area to be reviewed and audit processes being mimicked. Results of reviews by outside experts also generally carry greater weight and credibility to outside authorities.
- Where. The most common mock audits are for (1) HIPAA Privacy/Security, (2) Claims Processing, (3) Physician Arrangements, (4) EMTALA, (5) Conflicts of Interest, (6) Research Compliance, (7) Physicians at Teaching Hospitals (PATH), and (8) Cost Reports. One could add to the mock audits Compliance Program Effectiveness Evaluations.
- When. The decision to have a mock audit is usually triggered by an event, identified program weaknesses, increased focus of regulatory agencies, expectation of audit by outside authority, requests by boards, etc. For the Compliance Program, periodic evaluations (mock audits) by outside experts are called for by the OIG and mandated in numerous CIAs.
- How. To conduct a mock audit, a team of experts will (a) request and review existing process documentation and documentary evidence, (b) examine internal controls, (c) conduct a process review or transactions review, (d) interview program staff, (e) evaluate the evidence, and (f) prepare a report of findings and recommendations.