Making Auditing and Monitoring Practical
Making Auditing and Monitoring Practical: A Step-By-Step Approach to Taking the Pulse of Your Operations and Compliance Program
In prior sections of this Compliance Guidance, we compared designing, building and maintaining a corporate compliance program to designing, building and maintaining a house. We’ve been talking about the compliance program design and building process into two major parts: 1) the mechanical or process parts of the program (like the physical structure of a house) including the compliance officer and committee, employee standards and code of conduct, employee education and training programs and the compliance recordkeeping and retention system; and 2) the substance of the program (which we’ve compared to the furniture and appliances that make a house operate) including the substantive laws and internal company policies and procedures that each provider must abide by to ensure “compliance.”
In this portion of the Compliance Guidance, we will continue talking about the “process” parts of a compliance program (the mechanics of operating the program). We will focus on auditing and monitoring functions as part of a corporate compliance program. These systems are designed to ensure that providers know if they are actually complying with the “furniture” of their house, or the substantive laws and policies that are the heart of the compliance program, to detect failures in that compliance, to allow for corrective action, and to ensure those corrections result in ongoing compliance.
According to the OIG, reliable audit and monitoring systems are a key elements of an effective compliance program. The auditing and monitoring functions include all aspects of facility operations (financial, quality of care, resident safety, and so forth) and your compliance program. There’s nothing magic about “auditing and monitoring.” In fact, nursing facilities do it every day when they check the nurses who arrived at work to make sure they are fully staffed, when the kitchen manager checks the day’s supply of food, when the maintenance man checks the HVAC system, and in a thousand other ways. Some of the auditing and monitoring issues that normally come to mind in the context of a corporate compliance program are financial and business processes including, among others, monitoring your accounts receivable, reconciling resident trust fund accounts, ensuring timely resident refunds, and claims billing that is supported by appropriate documentation. But, they also include the entire array of care delivery and quality of care steps facilities undertake each and every day and the OIG has stressed both types of issues – finance/business operations and quality of care in its 2008 Supplemental Compliance Guidance for Nursing Facilities.
In the context of a formal corporate compliance program, auditing and monitoring just means having in place reliable, periodic systems to “audit” or check up on various aspects of facility and corporate operations which are identified in and are a part of your corporate compliance program. The keys to meaningful auditing and monitoring are 1) a workable system that is not overly complex; 2) a reliable system; 3) designated specifics on how the auditing process will work and who will be responsible for making sure it does; and 4) reviewing your auditing processes periodically to ensure that they, like other parts of your operations and business processes, are doing the job they were designed to do.
If you think about it, a compliance program is itself a monitoring program since it’s all about identifying what issues to focus on, how to accomplish reviews of those systems, how to ensure everyone understands both the issues and the systems used to monitor them, how to report when problems arise in operations or in the systems used to monitor operations, and how to correct those problems. Even so, a facility’s compliance program needs its own monitoring to make sure all those goals are being achieved and maintained over time. So, that’s why we say auditing involves both operations and your compliance program.
While there are many ways to design a system for auditing and monitoring your facility’s operations, and your compliance program, there are certain basic elements inherent in all of them. We think they include at least the following components:
- Specifically target and identify what you are monitoring.
Design the specific steps that will make up the monitoring process for the particular issue you are auditing.
- Given the numerous business and quality processes, and compliance issues, which may be the subject of internal or external auditing and monitoring, an important first step is to specifically target an clearly identify what issue(s) you are auditing in a particular process. If your audit and monitoring team doesn’t have clear direction about what they are looking for and at, the results will reflect that in terms if disorganization, missed issues and ineffective auditing. Also, remember that while you may have an internal audit “team,” auditing tasks are performed across many disciplines and departments in your facility and company. So, understanding which of those “tasks” are the target of a specific auditing or monitoring task, and giving the “team” clear direction is a critical first step.
- For example, in the sample we provide below, we will be designing a system to monitor our imaginary facility’s compliance with a nursing facility's obligations under the Medicare Part D program.
- But, we could apply the same steps described here, and shown in the sample below, to any other operational issue or business process, including both mechanical aspects (i.e., the process parts of compliance like the compliance committee or employee training for example) and substantive aspects (i.e., the laws and policies that much up the substance of your compliance program) of operations and compliance. For example, we could apply the same system components to a semi-annual audit of our facility’s compliance with a policy requiring us to investigate each potential and existing employee’s exclusion status on the OIG’s List of Excluded Individuals and Entities (discussed in detail in the prior section of this Compliance Guidance).
Determining what you will be auditing and monitoring depends upon the specifics of your company’s or facility’s operations. But, there are some basic issues all providers should be monitoring on an ongoing basis. The OIG has identified these issues as “risk areas” in the 2000 Compliance Guidance for Nursing Facilities and in the 2008 Supplemental Compliance Guidance for Nursing Facilities. These publications are a great place to begin when you identify the “what are we going to audit/monitor” aspect of your compliance program. The risk areas identified there, along with issues identified by the OIG in its Fraud Alerts, Advisory Opinions and related publications available at www.oig.hhs.gov/ fraud, are a great place to start identifying the risk areas or audit topics you should consider in designing or updating your compliance program. We’ll be addressing each of the key risk areas identified by the OIG in its Compliance Guidance for Nursing Facilities in later sections of this Compliance Guidance.
Beyond those issues, each provider should identify issues unique to its operations. How do you find those issues? Through your own operations experience as reflected in resident or family complaints, staff complaints or suggestions, survey results (standard and complaint), internal Quality Assurance Committee findings, quality measure scores, customer satisfaction surveys, the findings of outside auditors such as accountants, billing consultants, compliance hotline reports and so forth.
Decide how your company or facility will use the information obtained as a result of auditing and monitoring.
- What source information and/or processes will we be looking at as part of the audit to get at the issue we are monitoring?
- For example, are we checking up on whether medication carts on the hall are always locked when left unattended (a quality of care/survey issue)?
- Are we reviewing a sample of payment claims submitted to the Medicare program (a financial/operations/potential fraud and abuse issue)?
- Are we reviewing all facility contracts with vendors to ensure they comply with applicable federal statutes such as the Anti-Kickback Statute, the False Claims Act and physician self-referral laws (all three of these topics be discussed in detail later in this Compliance Guidance)?
- Specifically, how will we review or “audit” that information or those processes? In other words, ask what mechanism or processes are we going to use to get at the issues we are trying to audit and monitor?
- Will we be pulling and reviewing resident charts or billed claims, for example, for review and, if so, how many (what’s a reliable sample)?
- Will we be interviewing nursing staff about a specific care issue we’ve spotted from complaints, observations by management, survey results, quality indicator scores, or other sources? If so, which staff and how many will we interview?
- Will we be observing staff who explain residents’ rights under the Medicare Part D program and our obligations to provide them with information and ensure their freedom of choice in pharmacy providers to ensure we are not improperly influencing residents’ choice of Part D Plans and/or pharmacies (see our sample below on this topic)?
- Will we be reviewing our Board of Directors training materials or monitoring our management staff’s interaction with Board members on corporate compliance issues and related Board training and reporting materials on quality of care in nursing facilities?
- How will we gather and report our findings and to whom?
- Are we preparing written reports, compiling sample charts marked for certain issues, compiling findings in a table format, or making oral reports to management, for example?
- To whom do we submit our findings? Remember this may include both internal reporting to company officials and external reporting if required under applicable state and federal reporting requirements.
- How frequently will we undertake the audit or monitoring process for the particular issue we’re examining?
- Are we talking about an annual audit of our facility or company financial records?
- Are we talking about a quarterly review of our pharmacy program (the federally-mandated monthly and quarterly drug regimen review is a good example of a process already used by nursing facilities which is also a compliance auditing process – a good reminder of a point we’ve made repeatedly in this Guidance which is that many “compliance” functions already exist in nursing facilities, perhaps just not recognized by providers as “compliance”).
- Are we talking about a time-limited review of medication error rates in our facility because our error rates have spiked? For this type of issue, maybe we need to have a time-limited, focused review of medication processes, followed by a less frequent, but periodic, review to make sure any corrections we’ve implemented are working.
- The results of your auditing and monitoring will normally suggest the appropriate frequency for auditing specific issues, based on which, if any, are determined to be noncompliance with facility/company policies and/or applicable law. This will be driven in part by the frequency of error rates your audits identify and the magnitude of noncompliance.
- Who (by title or name) will be responsible for the periodic auditing of the issue(s) you’ve identified, using the processes you’ve decided to implement, on the schedule you designed. Determine and designate the specific individual(s) responsible for a designated auditing/monitoring task to avoid the “it wasn’t my job to look at that” risk. Also, determine and designate the person(s) who will be responsible for periodic reporting on resolution steps (where noncompliance id identified) and prevention efforts to your Board of Directors, owners and/or senior management.
- Put someone in charge, even if you have multiple participants in the auditing/monitoring process.
- Maybe you’ll use outside “auditors” who can be experts in finance, clinical issues, life safety code/physical plant issues, or any other issue you are auditing and monitoring.
- If so, designate someone in the company or facility to work directly with and “mini-monitor” the work of the outside consultant. Providers remain responsible for the functions of their outside consultants, so it’s important to remain as “hands on” as possible.
- This will vary greatly by provider and based on the particular issue you are monitoring or auditing.
- For example, an external financial audit by your accountant will probably be shared with your company’s or facility’s chief financial officer and other senior management. Those individuals will decide how to use the information, whether it requires any action, and so forth.
- By contrast, an audit of resident care plans, whether handled by your own staff or by external consultants, will probably be shared with your administrator, director of nursing and/or MDS coordinator and they will decide what the audit reveals, what if any changes are needed to care planning procedures, and other actions that may need to be implemented and communicated to all staff.
Let’s look at a sample of an Auditing/Monitoring Plan for Part D.
Content by Ken Burgess