The Fourth Quarter is when most Plans work to finalize their risk assessment and their auditing and monitoring plan for the coming year. This is a good time to think about what you have been monitoring and auditing and if you think your plan is effective.
Start with the Risk Assessment
The foundation for the monitoring and auditing plan is the Risk Assessment. The Risk Assessment is driven by Compliance and must include:
- All of the Plan’s Operational areas
- All of the Plan’s First-Tier Entities
- The types of risks being evaluated (beneficiary harm, complexity of services performed, etc.)
- The level of risks (e.g., high, medium, low)
- Ranking of Operational areas/First-Tier Entities from highest risk to lowest risk
The Risk Assessment is a living document and should be updated throughout the year. The Risk Assessment translates into the auditing and monitoring plan. Based on the tenants of an effective compliance program, the Risk Assessment should look for opportunities to detect, correct and prevent non-compliance.
Understand the Difference Between Monitoring and Auditing
It’s easy to get confused between auditing and monitoring.
| Monitoring | Auditing |
|---|---|
| Occurs on a routine basis (Daily, Weekly, Monthly) | Is performed periodically |
| Designed to confirm compliance and | Is a retrospective review with a methodical approach and sampling of cases |
| May be done by the operational area of business unit. | Auditors should be independent of the area or department they are monitoring |
Build the Monitoring and Auditing Plan
Based on the results of the risk assessment an auditing and monitoring plan should be built. Some monitoring should be done of all operational areas and first-tier entities. Audits may be more focused based on risk and resource constraints. Compliance should coordinate all monitoring and auditing efforts with the operational areas.
The auditing and monitoring plan should identify key metrics that will be reviewed. Avoid being complacent and push to monitor metrics that are meaningful. Have ongoing conversations with the operational areas to be sure it is clearly understood what the monitoring is intended to detect and if sample sizes are adequate.
The results of the monitoring and auditing plan should be approved by the Compliance Committee annually and more often if there are changes throughout the year.
