Tips for Ongoing Monitoring and Auditing of Compliance Risk Areas
Defining Roles for Managing Compliance Risk Areas
The Department of Health and Human Services Office of Inspector General has repeatedly stressed the importance of ongoing healthcare auditing and monitoring of high-risk areas. However, many compliance officers remain confused about the definitions of auditing and monitoring and how related tasks and roles are assigned. Ongoing monitoring is the responsibility of the program manager. The program manager must remain current with regulatory and legal changes; develop internal controls, policies, and procedures; train staff on these policies and procedures; and take active steps to monitor or verify compliance with new guidelines. Monitoring techniques may include the use of sampling protocols that permit program managers to identify and review variations from an established baseline. Ongoing auditing is the independent review of the ongoing monitoring process. Such audits have the objective of verifying that program managers are properly carrying out their monitoring responsibilities and confirming that controls are functioning as intended. Ongoing audits should also verify that corrective actions taken as a result of audits are timely, effective, and sustainable. Compliance officers, internal or external auditors, outside consultants, other program managers, or any combination of these actors, can perform such auditing tasks.
Compliance officers may consider the following questions regarding ongoing monitoring and auditing of compliance risk areas within their organization:
- Does a compliance audit plan exist to verify that ongoing monitoring and auditing address compliance high-risk areas?
- Have program managers identified and listed all compliance high-risk areas related to their operational areas?
- Have all program managers assessed high-risk areas within their operations?
- Have high-risk areas been ranked in terms of level of risk, probability of risk exposure, and impact or damage from a risk incident?
- Is consideration given to high impact, low probability risks?
- Have program managers calculated potential damage from risk failures, including direct and indirect financial consequences, and the likelihood of risk events?
- Have program managers developed/implemented monitoring plans for identified risk areas?
- Do program managers place priority on addressing areas of highest risk?
- Are all compliance risk areas tested and reviewed on an ongoing basis?
- Does ongoing auditing verify that program managers are actively monitoring their operational areas to address the adequacy of internal controls and reduce the likelihood of an unwanted event in a high risk area?
- Has ongoing auditing validated that the program manager’s ongoing monitoring is effective in achieving the desired objectives?
- Have program managers instituted corrective action plans for all risk area deficiencies identified by ongoing monitoring or auditing?
- Does a process exist to verify that corrective action measures are operating as intended?
- Has the organization engaged compliance experts to independently evaluate the effectiveness of their compliance program?
- Has the organization recently evaluated the effectiveness of the risk assessment program?
- Are results of monitoring and auditing included as regular agenda items for management and board level compliance committees?