Annual risk assessments and associated monitoring and auditing work plans are not only required, but also help to ensure your compliance program is efficiently and effectively monitoring and auditing business operational areas and vendors that represent the highest risk level to your organization. BluePeak has helped many clients develop their risk assessments, as well as monitoring and audit work plans, providing the following tips and insights.

Developing the 2018 Risk Assessment

During Compliance Program Effectiveness (CPE) audits, CMS thoroughly reviews a plan’s risk assessment process to determine whether policies and procedures exist to guide the process; what business operational areas are included; whether First Tier, Downstream and Related Entities (FDRs) are included, along with business operational areas, or in a separate risk assessment; what issues are included; and how risks are prioritized.

The risk assessment should be a collaborative effort between the compliance department and operational business owners. A risk assessment survey is one way to drive collaboration. The compliance department considers changes in law, regulations, CMS requirements and operational matters, as well as issues identified through CMS audits and oversight and the plan’s internal monitoring and auditing efforts, to develop a risk assessment survey. The compliance department distributes the risk assessment survey to business owners and asks them to rate the levels of risks specific to the Medicare business operational areas for which they are responsible. Factors that business owners may consider when determining the levels of risk within their operational area include, but are not limited to: the size of the department, complexity of work, amount of training, past compliance issues and budget. Upon receipt of the completed surveys, the compliance department ranks all risk areas as low, medium or high. Known compliance concerns and issues negatively impacting beneficiaries are priority risks.

Developing the 2018 Monitoring and Audit Work Plan

Once the risk assessment is completed, a monitoring and audit plan must be developed using the results of the risk assessment, prioritized from the highest to lowest risk areas. CMS expects plans to audit their operational areas and those of their first tier entities annually. While it may not be possible or necessary to audit all operational areas and first tier entities within a year’s time, CMS recommends plans follow their risk assessment-based work plan to target auditing activities first to high-risk areas and first tier entities. For example, a plan with 50 first tier entities would likely not be able to audit all their first tier entities within a year. Instead, the plan audits the 10 first tier entities with the highest levels of risk and monitors all first tier entities, to whom Medicare administrative and health services functions are delegated, as included in the monitoring and audit work plan.

BluePeak Can Help

BluePeak has helped many clients develop their risk assessments and monitoring and audit work plans. Depending upon your needs, we can assess your compliance program effectiveness, review or develop your plan’s risk assessment and monitoring and audit work plans, and provide best practices and recommendations. Contact us today at or (469) 319-1228 for a free consultation.