Auditing and Monitoring Program: Considerations and Key Elements to Include

Tribal health facilities that provide critical services and high-quality care are also responsible for processing and submitting proper claims for payment.

There’s a reliance on internal staff to be up to date on regulatory requirements and other information in order to submit accurate claims to third-party payers. This includes identifying coverage that’s deemed medically necessary based on Indian Health Services (IHS) requirements. In addition, there’s an assumption that internal staff won’t circumvent controls and alter the coding of services charged by the provider or the fees submitted to payers.

Some Tribal members don’t have alternative resources for health coverage so it’s important that facilities which receive funding from the IHS protect themselves from penalties.

An auditing and monitoring program can help your Tribal health facility:

  • Produce documentation that supports medical necessity and is properly coded and submitted to the payers
  • Demonstrate the effectiveness of your organization’s compliance program with a high level of audit accuracy rates.
  • Train providers and employees on requirements for maintaining integrity and knowing how to prevent, detect, and correct in order to avoid penalties

An overview of key considerations for an auditing and monitoring program follows.


In the late 1990s and early 2000s, the Office of Inspector General (OIG) for the US Department of Health and Human Services developed recommended guidance for compliance programs for health care entities.

The OIG sought to engage the health care community in the combat of fraud, waste, and abuse by providing tools that could assist in prevention, detection, and correction. They released two important sets of guidelines for Tribal health facilities—specifically individual and small group physician practices and third-party medical billing companies—when developing a compliance program.

7 Elements of an Effective Compliance Program

The guidance recommends that an organization implement key elements, also referred to as the seven elements, to demonstrate an effective compliance program.

Program Elements
  1. Implement policies and procedures
  2. Designate a compliance officer and compliance committee
  3. Conduct effective training and education
  4. Develop effective lines of communication
  5. Conduct internal monitoring and auditing
  6. Enforce standards through disciplinary guidelines
  7. Respond to detected problems and undertake corrective action

Element five calls for internal monitoring and auditing, which the OIG recommends be completed periodically. The OIG and other agencies expect an organization to implement a formal audit and monitoring program with oversight by management and the compliance officer. Many smaller organizations may not be able to hire one person for the compliance officer role but the OIG recommends either a person or group of individuals be designated as responsible for compliance and program oversight. This group would be responsible for developing, implementing, and monitoring the audit and monitoring program.

Purpose of an Audit and Monitoring Program

An audit and monitoring program should assist with the ongoing evaluation of the organization’s compliance program and demonstrate effectiveness of internal controls.

This includes:

  • Adherence to policies and procedures
  • Information supporting the services is documented and available
  • Services meet requirements and support medical necessity as expected by IHS and third-party payers
  • Identification of risks
  • Measurement of the compliance program’s effectiveness by tracking improvement over time and
  • Ensures the compliance program does not become stale and outdated.

An organization should also consider if the program provides a mechanism for proactively assessing regulation changes and identifying issues relevant to misconduct. This requires continuous improvement, periodic testing, and review.

Identify Risks in Your Organization

Ideally, an organization would regularly complete a risk assessment that helps define the work plan for the audits or monitoring. Without a work plan, an organization might not demonstrate it’s aware of the risks impacting it and focus attention on lower-risk areas.

The OIG recommends an organization develop a set of monitors or warning indicators to alert it to risks that require mitigation. This may be in the form of data mining or reported concerns from employees or patients. These indicators can assist in identifying a risk when it occurs instead of years after the incident.

If a Tribal health facility uses a third-party billing agency, then management should require access or delivery of a report that details what the agency monitors for risk areas as well as auditing of the records and billing.

It’s important to note that even if an organization doesn’t complete a risk assessment, various government agencies are actively monitoring the data by using internally developed tools to identify areas of risk and providers that are outliers.

How would you know if your organization is being monitored? If your organization frequently receives requests for documentation from state and federal agencies, these requests could be an indicator that those agencies are looking at your organization. These requests can look like an agency is looking for support of a determination of medical necessity of a denied service. But the requests could instead be because data mining flagged an outlier. Many organizations don’t have a formalized process to track or monitor types of documentation or service for these requests. An organization should establish a method for tracking these requests and then review the trends.

Risk Areas

The OIG identified four potential risk areas within recommended guidance:

  1. Coding and billing
  2. Reasonable and necessary services
  3. Documentation
  4. Improper inducements

Consider establishing an audit and monitoring program that regularly reviews and identifies your organization’s greatest risks.

Questions to Consider
  • What are the most common services provided in your organization?
  • Do you routinely receive denials for a particular service?
  • What are high-risk issues specific to your organization?
  • When should annual OIG work plan reviews take place to identify high-risk areas?

Auditing Versus Monitoring

An organization should be aware of the differences between auditing and monitoring.

Definition of Auditing

Auditing consists of reviewing documentation retrospectively to determine if the organization followed procedure and performed and documented a service correctly. A component of an auditing and monitoring program is helping an organization spend resources on proactive steps to mitigate risk instead of correcting an error by refunding money.

  • Is based on risk areas identified in a risk assessment or prior audits
  • Checks whether a service was provided and documented correctly
  • Evaluates and improves the effectiveness of processes and controls
  • Uses sampling techniques and considers key attributes when auditing the risk area

Definition of Monitoring

Monitoring is meant to set up a mechanism to prevent transmitting inaccurate information or data to payers or agencies.

  • Involves ongoing checking and measuring
  • Continuously checks whether processes work as intended
  • Includes internal data integrity checks or monitoring of staff
  • Uses system edits or work queues to validate risk areas

Design Your Audit and Monitoring Program

An audit and monitoring program will vary between organizations due to size, type of entity, and complexity of the organization.

Keep in mind that the design of the audit and methods for sample selection can impact the audit results. The audit should be designed in a manner that will drill down to the risk.

Based on results, action plans can be formulated related to special investigations, operational changes, and overpayment refunds. Corrective action plans may include discussion of how to score or evaluate the results.

Audit and Monitoring Program Elements

An audit and monitoring program will vary between organizations due to size, type of entity, and complexity of the organization. But an effective audit and monitoring program includes follow-up, completion of training of employees, accountability, and monitoring of corrective action plans.

A continuous audit and monitoring program should include planning or a work plan, tools for sample selection, a review of charts or documents, and delivery of concise audit results that provides training and also corrective action monitoring.

Key Elements
Circle flow chart - Design a work plan > plan > sample selection > review > deliver and educate > monitor corrective action

Design a Work Plan

Create a work plan around areas of risk with a risk assessment, but be sure to include the actions to be completed related to monitoring, including:

  • Regular audits of each provider in order to train and educate
  • Audits related to billing and documentation of internal controls as defined by policy and procedure
  • Monitoring already established or requiring review by a compliance team or officer


For each audit, develop an audit work plan that establishes guidance related to the risk, scoring of audit results, and background materials. Identify tools needed for audits, including an approach to selecting a sample that focuses on the risk and how to document the testing.

Sample Selection

Each audit may vary in how a sample is selected based upon the data, allegations, or type of concern. For example, if there is concern that a provider is copying and pasting their notes from one visit to the next, then an audit of a random set of claims might not uncover this issue. Instead, consider selecting a sample of patients and review all visits during a designated period.


Once the sample is selected, the team must track the results of the testing of key attributes. Ideally an organization has audit software to assist in the testing. Prior to the review and in the planning stage, there should be development of attributes to test related to the risk, concern, or allegation.

For example, if the concern is the presence of an order for a test, then attributes should include presence of order, date of order as compared to date of test, and authentication by the provider of the order or intent documented in the progress note.

Deliver and Educate

Audit and monitoring program effectiveness is often measured by the results as well as the demonstrated improvement. Track results of the audit centrally and monitor follow-up actions until complete. Conduct regular audits of each provider for training and education.

Monitor Corrective Action

Effectiveness can be measured by the corrective action plan (CAP) follow-up, completion, and prevention of repeated problems. We have seen organizations implement metrics that measure the number of CAPs and the average length of time to finalize a CAP.

We’re Here to Help

For guidance in creating or implementing an auditing and monitoring program for your organization, contact your Moss Adams professional.

You can also visit our Tribal & Gaming Practice for additional resources.

Contact Us with Questions

Enter security code:
 Security code