Monthly Newsletter

Is Your Organization “Audit-Ready”?

What is “Audit-Ready”?

Audit readiness is the state of being prepared in the event of an external audit or investigation.   This is best achieved by conducting your own internal audits for the purpose of ensuring the organization has all necessary documentation, processes, and internal controls in place to demonstrate compliance with established requirements and standards.

Smaller and mid-sized healthcare organizations may need to contract with a consulting firm to perform internal audits.  Larger organizations may have an audit team and Lead Auditor.  Regardless of your size, internal compliance audits are necessary to be audit-ready for any external force reviewing your organization.

Basic Audit-Readiness Checklist:

  • Employee training: Educating employees on their roles and responsibilities regarding compliance requirements is necessary to foster a culture of integrity and mitigate risks.  The first line of responsibility is on-boarding or new hire compliance training. This is the responsibility of the Compliance Officer or Compliance Department, followed by the Manager, who is accountable for the ongoing compliance of workforce members.
  • Have a Written Communication Plan: Document a plan that addresses who will respond to internal audits, external auditors, or investigative requests.  For investigative requests, the plan should state who is responsible for contacting legal counsel and how evidence may or may not be shared.
    • The purpose is to avoid an inappropriate response to an investigation or external audit. 
    • Another purpose is to have the Compliance Office immediately know when an external audit or investigation is being launched within the organization.  Such requests should immediately “land” on the right desk or in-box.  An important Request for Information should not be “floating” around the organization. 
      • One designated person, such as the Compliance Officer, should receive all requests for record documents, then forward them to the appropriate department. There are typically deadlines to respond to such requests.
  • Documentation and records: This item ensures all financial records, logs, policies, and other supporting documents are accurate, complete, and easily accessible. This includes having a system for prompt document retrieval and keeping logs for system changes and security incidents.
  • Internal controls: Evaluate the effectiveness of internal controls to identify and fix weaknesses before they are discovered during an audit. This includes controls over system access, segregation of duties, and monitoring mechanisms.
  • Compliance and accuracy: Verify that all processes and reports are compliant with the latest regulations and that financial information is accurate and reconciled.
    • Each department should conduct a readiness assessment to monitor compliance and to identify and correct areas of non-conformance with organizational policy and applicable external forces.
  • Risk management: Conduct company Risk Assessments.
    • The primary responsibility of risk management falls on the Board of Directors and Compliance Officer or Compliance Department.
    • Conducting a risk assessment identifies potential issues like fraud or errors, which allows an organization to develop mitigation strategies.
    • Risk assessment may be delegated to the Audit Team which typically reports to the Compliance Department.

Continuous preparedness places you in an advantageous position because it requires your organization to cultivate a culture of compliance so the organization is always prepared, rather than scrambling to get ready right before an external or internal audit, inspection or review.  It also places your organization in a better position in the event of an investigation.

Benefits of being audit-ready

The main benefit is that it mitigates risk.  It reduces the risk of fines, penalties, or loss of funding associated with non-compliance.  Another important benefit is that being ready minimizes delays and disruptions during the audit process, saving time and resources.

  • It requires inter-departmental team work which can improve relationships.
  • It also fosters a more collaborative relationship with internal auditors by allowing them to focus on high-risk areas.

Being audit-ready enhances decision-making. It provides reliable, up-to-date information for strategic and financial decision-making throughout the year. It also builds trust. Compliance demonstrates a commitment to transparency and good governance to stakeholders, your patients and the community you serve.

It Starts with Risk Assessment

Regularly conducting and documenting risk assessments, in addition to performing internal auditing and monitoring, helps healthcare providers remain "audit-ready". As previously mentioned, it demonstrates a commitment to compliance, which can be a mitigating factor if an inadvertent violation occurs.

Integrating risk mitigation procedures, such as risk assessments, not only helps your organization meet Office of Inspector General (OIG) compliance requirements, but also helps to identify vulnerabilities proactively, prevent fraud and abuse, reduce legal and financial penalties, and improve patient safety and care quality.

Risk assessment is also listed in the OIG’s recommended compliance program infrastructure as item 6.

By identifying potential vulnerabilities and misconduct, risk assessments enable providers to implement preventative measures, improve their compliance programs, and allocate resources effectively.

This proactive approach is a key component of an effective compliance program and can help a provider avoid costly penalties and maintain public trust.  A few key reasons for conducting risk assessments are:

To meet regulatory requirements

  • The OIG recommends at least annual compliance risk assessments to ensure compliance with government healthcare program requirements.

To provide documentation of effort to identify and prevent fraud and abuse

  • A primary goal of the OIG is to prevent fraud, waste, and abuse in healthcare programs. Risk assessments help identify potential misconduct in high-risk areas.

To demonstrate effectiveness of your compliance program

  • Assessments allow providers to update their compliance programs to address current and emerging risks, and incorporate lessons learned from internal and external sources.

To improve resource allocation

  • Allocating resources effectively can be a management challenge.  By identifying risks, management and providers can prioritize and allocate resources to the areas of greatest need, leading to better outcomes and more efficient operations.

To enhance patient safety and quality of care

  • Risk assessments can identify vulnerabilities that could impact patient safety and quality of care, allowing providers to take corrective action.
  • The results of risk assessments are a key factor in determining if a compliance program is effective, especially in the eyes of the Department of Justice.  It also helps improve public perception by demonstrating your proactive approach to compliance and safety.

After the Risk Assessment

Performing the risk assessment demonstrates that the organization has identified non-conformance or weaknesses which need to be improved.  Failing to take action after identifying such facts can lead to more severe treatment and penalties in the event of an external audit or investigation.

Don't wait for an external audit to start being compliant. Make adherence to regulations a part of everyday tasks.  This can best be achieved by conducting internal audits and establishing a culture of compliance within the organization to identify and fix issues before they become major problems.

Continuously assess your organization's vulnerabilities to address potential risks before they escalate. And, if a situation has gone undetected and escalates, have a response plan.  This means creating a clear plan addressing what to do when an audit occurs, including who is responsible for what tasks.

Maintain thorough and organized documentation

Keep all records, including patient data, financial records and claims, accurate and complete.

  • Document all processes. Keep clear policies, procedures, and records of controls. Document any protocol deviations and the corrective actions taken.
  • Archive previous compliance documents and audit findings.  Never destroy historical records.
    • Investigations and external audits may require retrieval of records from years prior.

Invest in continuous training

The saying “an ounce of prevention is worth a pound of cure,” coined by Benjamin Franklin, holds true for compliance. It means that it is more efficient to prevent a problem from happening in the first place than it is to fix it after it has occurred. Invest in meaningful, effective workforce training.

  • Make training a consistent part of the employee lifecycle, not just an onboarding step.

Promote open communication

Create an environment where staff feel comfortable raising questions and reporting concerns without fear. Clearly define the role of each staff member or department in the audit process to avoid confusion.

Leverage technology

Automate where possible.  Utilize electronic systems, Artificial Intelligence (AI) and automated compliance platforms with built-in audit trails, access logs, and permission controls.  Use technology to automate data collection and analysis to improve efficiency and accuracy.  Ensure you have secure file storage systems that support version control and timestamped documentation.

In summary, to become audit-ready, your healthcare organization should build compliance into daily operations by ensuring accurate documentation and data integrity, implementing a culture of continuous training, and proactively performing internal audits and risk assessments. Using technology to support compliance and establishing a clear audit response plan are important; however, you’ll need a Lead Auditor to guide the organization’s efforts.

Role of the Lead Auditor 

Lead auditors are responsible for creating the audit framework, selecting and managing the audit team, and guiding the process to ensure a high-quality, effective assessment.  This person may be a consultant or an internal expert assigned as the Lead Auditor. This requires significant judgment, and research shows that the cognitive abilities of the lead auditor directly impact the accuracy and quality of the audit findings.

Creating the audit team for a specific risk assessment or evaluation requires the lead auditor to have broad expertise in healthcare compliance.  An auditor assigned to a project must be specifically qualified to ensure a competent and objective audit. Qualification includes having the necessary knowledge, skills, and experience relevant to the project's subject matter. The audit team should be independent and free from conflicts of interest, and their competence should be maintained through ongoing education and training to meet professional and legal standards.

The lead auditor ensures that the company's operations align with regulations and standards, a process that identifies and helps mitigate risks before they become costly problems. Instead of just checking for compliance, a lead auditor encourages a proactive approach.

  • They help an organization see audits as an opportunity to improve performance, efficiency, and output.

Becoming a lead auditor requires more than just on-the-job training.  Key responsibilities of a healthcare organization’s lead auditor encompass the following (or more):

  • Audit planning: Develop detailed audit plans, including defining objectives, scope, sample size and audit criteria, as well as assigning roles to the audit team.
  • Conducting audits: Lead the audit process by conducting on-site reviews, interviewing staff, observing processes, and reviewing documentation and records.
  • Compliance verification: Ensure the healthcare facility complies with all relevant laws, regulations, and standards, such as fraud and abuse laws, coding and documentation accuracy, and adherence to patient quality and safety standards.
  • Identifying issues: Identify and document non-conformities, root cause analysis (RCA), and opportunities for improvement.
  • Draft Reports: Prepare and present comprehensive audit reports that include findings, non-conformities, and recommendations for management.
  • Follow-up: Oversee the implementation of corrective actions and follow up on previous findings to ensure resolution.
  • Communication: Manage all communication with the auditee before, during, and after the audit and chair meetings, such as the opening and closing meetings with the auditee.

Recommended qualifications from organizations seeking to hire a lead auditor might be any or all of the following (or more):

  • College Degree
  • Training and/or certification in quality, coding, documentation, billing, reimbursement and HIPAA
  • Audit Certification
    • To become a lead auditor, many organizations will require you to complete a training course that covers auditing principles, management systems, and leadership skills, followed by passing an exam and gaining auditing experience, such as offered by the American Institute of Healthcare Compliance (AIHC), recognized as a Licensing/Certifying partner with the Centers for Medicare & Medicaid Services (CMS).

Resources to Stay Informed

Lead Auditors and Compliance Officers need to stay informed.  Subscribing to government notifications is one way.  You may also want to review current educational articles (free) published by the American Institute of Healthcare Compliance (AIHC), in the Auditing category or in additional categories.

Videos can be a helpful way to stay informed.  We recommend the following which may be of interest for you or members of your audit and compliance team!

  • Risk Management Playlist
  • Corporate Compliance Playlist
  • HIPAA Playlist
  • Individual Videos

DECEMBER 16, 2025, 1pm ET / 12pm CT / 11am MT / 10am PT: The Spectrum of Improper Payments - Auditing for Fraud, Waste and Abuse


How to Earn .25 Continuing Education Unit by reading the Monthly Newsletter

  • Login as a Member
  • Click on My Renewals from your DashBoard
  • Click on FREE CEUs for your next credential renewal!