
December 2, 2025

Importance of Compliance Audits

What Compliance Officers & Lead Auditors Should Know

Written by the AIHC Education Department 

Introduction

Audits Must be Independent, Transparent and Objective - No one enjoys having their department reviewed; however, audits are a necessary and important part of your organization’s compliance program. When a review or audit is conducted, you want to know that the auditors are objective with no hidden agendas, and you want to be confident that the audit is being conducted fairly. This leads us to the next important topic - to whom do the Auditor and Compliance Officer report?

How to Establish Fairness

Bias, whether conscious or unconscious, can lead to improper influence, inaccurate evaluations, and legal repercussions, so auditors must have the ability to recuse themselves to ensure objective decision-making and to maintain the organization’s trust.

The reporting structure is critical to maintain fairness and impartiality. The Lead Auditor, as well as the Compliance Officer, must be outside the line of management to ensure independence and avoid conflicts of interest. This separation allows them to effectively monitor operations, identify risks, and hold the organization accountable without fear of reprisal, which is essential for maintaining an effective compliance program and protecting the organization from legal and financial penalties.

A few key reasons for separation from management are:

Independence and unbiased assessment - Being outside the direct management structure ensures an objective and unbiased evaluation of the organization's operations, free from internal pressures. Lead auditors and Certified Healthcare Auditors know that the best compliment received is that the audit was fair. 

This means auditors must avoid participating in a review where bias can be construed.

  • Auditors must avoid taking a position that isn't objective due to personal convictions, which can impact everything from audit scope to reporting.
  • Auditors never create the audit criteria.
    • Evaluate compliance against objective factors and documented data, such as implemented policies and procedures, using these as the audit criteria.

Avoidance of conflicts of interest - Your organization is wise to follow the Office of Inspector General (OIG) general compliance guidance, which emphasizes that the Compliance Officer should not lead or report to the legal or financial departments, to prevent conflicts of interest. For example, the legal department's role is to defend the organization, which can conflict with the Compliance Officer's role of identifying and reporting risks. This matters because the audit team generally reports to the Compliance Officer or Compliance Department.

Direct reporting structure is necessary - A direct reporting relationship to the CEO or board of directors allows compliance and audit officers to bypass management interference when necessary. This ensures complete transparency and empowers them to raise concerns at all levels of management and act on findings without fear of reprisal.

Enabling effective "checks and balances" - Separation from the reporting structure creates a system of checks and balances, a vision promoted by the OIG, which is crucial for achieving the goals of a compliance program and identifying issues before they become costly problems.

Audit Results Must be Reproducible - Audit results must be reproducible to ensure objectivity, reliability, and transparency. Reproducibility allows independent verification of findings, catching mistakes and biases, and building trust in the results. It is crucial for validating the audit process, supporting long-term research, and meeting professional standards.

Maintaining professional obligations - Keeping the compliance function separate from operational departments upholds the professional obligations of the role, including risk identification and mitigation, which must remain separate from those who may be responsible for operational outcomes.

Exceed OIG Audit & Compliance Objectives

OIG is the acronym for Office of Inspector General, a division within a government agency responsible for oversight, audits, and investigations to prevent waste, fraud, and abuse. These offices conduct independent reviews of an agency's programs and operations to ensure efficiency, effectiveness, and financial health, and they often operate with a degree of independence to better serve their oversight function.

Compliance Officers should have structured training in auditing and monitoring not only to understand and support the Lead Auditor, but also to perform their own essential functions effectively, proactively manage risks, and foster an organization-wide culture of compliance and accountability. Acquiring expertise in auditing and monitoring enhances a compliance officer's professional value and opens up career advancement opportunities within the organization or as an independent consultant.

  • Training equips compliance officers with the skills to identify, assess, and mitigate potential compliance risks and vulnerabilities before they escalate into serious issues or legal violations. This proactive approach helps the organization avoid costly penalties and legal repercussions.

The Compliance Officer is also required to understand the principles of auditing and monitoring to ensure reviews have been conducted according to appropriate, acceptable standards and in compliance with applicable rules and regulations. Specialized training transforms a compliance officer from a simple "rule-checker" into a strategic asset who actively contributes to the organization's resilience and long-term success. Obtaining certification in both compliance and auditing is recommended (choose a non-profit organization which is a licensing/certification partner with CMS, such as the American Institute of Healthcare Compliance).

Ensure All Audits are in Alignment with Organizational Objectives

An effective audit program should assist with the ongoing evaluation of the organization’s compliance program and demonstrate the level of risk for mitigation purposes. Ideally, an organization would regularly complete a risk assessment that helps define the work plan for the audits or monitoring. Without a work plan, an organization might not be able to demonstrate that it is aware of the risks affecting it, and may focus attention on lower-risk areas.

To audit where your organization is on the OIG risk spectrum, you should review your compliance program's effectiveness by auditing its seven core elements and assessing your exposure to risks like fraud, waste, and abuse. The seven elements recommended by the OIG are:

  1. Written Policies and Procedures
  2. Compliance Leadership and Oversight
  3. Training and Education
  4. Effective Lines of Communication
  5. Enforcing Standards: Consequences and Incentives
  6. Risk Assessment, Auditing, and Monitoring
  7. Responding to Detected Offenses and Developing Corrective Action Initiatives

Start by evaluating your internal controls and policies, checking for potential violations, and using risk assessment tools that consider both the likelihood and impact of risks. These audits help identify areas for improvement and ensure you are not on a path that could lead to severe consequences such as OIG exclusion or a Corporate Integrity Agreement.

Audit for Quality Assurance to Improve Patient Care

The Centers for Medicare & Medicaid Services (CMS) Quality Assurance and Performance Improvement (QAPI) is a data-driven, proactive approach that combines Quality Assurance (QA) and Performance Improvement (PI) to maintain and improve care standards in healthcare facilities like nursing homes.

QA ensures that care meets established standards, while PI focuses on continuously enhancing processes to prevent issues and improve outcomes and resident quality of life. A key framework for QAPI includes five core elements: Design and Scope, Governance and Leadership, Feedback/Data Systems/Monitoring, Performance Improvement Projects, and Systematic Analysis and Action.

Element 1: Design and Scope

A QAPI program must be ongoing and comprehensive, dealing with the full range of services offered by the facility, including the full range of departments. When fully implemented, the QAPI program should address all systems of care and management practices, and should always include clinical care, quality of life, and resident choice. It aims for safety and high quality with all clinical interventions while emphasizing autonomy and choice in daily life for residents (or resident’s agents). It utilizes the best available evidence to define and measure goals. Nursing homes will have in place a written QAPI plan adhering to these principles.

Element 2: Governance and Leadership

The governing body and/or administration of the nursing home develops a culture that involves leadership seeking input from facility staff, residents, and their families and/or representatives. The governing body assures adequate resources exist to conduct QAPI efforts. This includes designating one or more people to be accountable for QAPI; developing leadership and facility-wide training on QAPI; and ensuring staff time, equipment, and technical training as needed.

The Governing Body should foster a culture where QAPI is a priority by ensuring that policies are developed to sustain QAPI despite changes in personnel and turnover. Their responsibilities include setting expectations around safety, quality, rights, choice, and respect by balancing safety with resident-centered rights and choice. The governing body ensures staff accountability, while creating an atmosphere where staff are comfortable identifying and reporting quality problems as well as opportunities for improvement.

Element 3: Feedback, Data Systems and Monitoring

The facility puts systems in place to monitor care and services, drawing data from multiple sources. Feedback systems actively incorporate input from staff, residents, families, and others as appropriate. This element includes using Performance Indicators to monitor a wide range of care processes and outcomes and reviewing findings against benchmarks and/or targets the facility has established for performance. It also includes tracking, investigating, and monitoring Adverse Events, which must be investigated every time they occur, with action plans implemented to prevent recurrence.

Element 4: Performance Improvement Projects (PIPs)

A Performance Improvement Project (PIP) is a concentrated effort on a particular problem in one area of the facility or facility-wide; it involves gathering information systematically to clarify issues or problems and intervening for improvements. The facility conducts PIPs to examine and improve care or services in areas that the facility identifies as needing attention. Areas that need attention will vary depending on the type of facility and the unique scope of services it provides.

Element 5: Systematic Analysis and Systemic Action

The facility uses a systematic approach to determine when in-depth analysis is needed to fully understand the problem, its causes, and implications of a change. The facility uses a thorough and highly organized/structured approach to determine whether and how identified problems may be caused or exacerbated by the way care and services are organized or delivered.

  • Additionally, facilities will be expected to develop policies and procedures and demonstrate proficiency in the use of Root Cause Analysis.
  • Systemic Actions look comprehensively across all involved systems to prevent future events and promote sustained improvement. This element includes a focus on continual learning and continuous improvement.

QAPI amounts to much more than a provision in Federal statute or regulation; it represents an ongoing, organized method of doing business to achieve optimum results, involving all levels of an organization.

Conclusion

The OIG recommends an organization develop a set of monitors or warning indicators to alert it to risks that require mitigation. This may be in the form of data mining or reported concerns from employees or patients. These indicators can assist in identifying a risk when it occurs instead of years after the incident.

Adherence to OIG guidance is considered a basic best practice. An effective compliance program, which includes risk assessments and audits, helps meet the requirements of the Federal Sentencing Guidelines and is viewed favorably by enforcement authorities such as the Department of Justice (DOJ).

About the AIHC Education Department

The American Institute of Healthcare Compliance (AIHC) Education Department provides classroom and web-based training and certification for healthcare administrators and professionals. It includes an enrollment department that processes registrations, and a research and development arm focused on creating new educational products. Learn more about short course and certification offerings, as well as free and low-priced Continuing Education Unit (CEU) certification renewal single short courses or CEU packages, on our website: https://aihc-assn.org/

References

  • Auditing for Compliance certification course with the American Institute of Healthcare Compliance
  • Exclusions Program with the Office of Inspector General
  • Fraud Risk and Heightened Scrutiny with the Office of Inspector General
  • Quality Assurance and Performance Improvement (QAPI) with the Centers for Medicare & Medicaid Services

Copyright © 2025 American Institute of Healthcare Compliance All Rights Reserved
