Avoid these common missteps with a risk-based auditing plan

From external benchmarking to internal incident tracking, myriad pieces go into the development of a healthcare organization’s monitoring, auditing, and internal reporting systems – and it’s easy to make a misstep. 

According to the compliance experts at SimiTree, who help clients set up internal reporting systems, two common compliance issues are a lack of procedures to monitor adherence to policies and inadequate follow-up to compliance concerns. 

It isn’t unusual for our consultants to find policies at odds with current organizational processes, especially in organizations where there are no regular policy reviews and updates. 

Common follow-up missteps include a lack of supporting documentation when a work plan or timetable changes. Governing board minutes, for example, may not reflect discussion or additional actions when resolution attempts go off-track.

Some organizations also struggle to use auditing methodologies that are objective and independent, relying on inconsistent sampling methodology.


How to set up an effective internal auditing and reporting system

According to the Office of Inspector General (OIG), conducting a full organizational risk assessment is the first and most important step in creating an effective internal auditing and monitoring system.

The OIG issued updated healthcare compliance guidance in November 2023. The guidance emphasized the importance of a comprehensive organizational risk assessment and recommended that organizations make it the foundation for a compliance work plan and reporting system. 

Ongoing auditing and monitoring should be based on risk areas identified in the comprehensive risk assessment. 

Other key steps outlined in OIG compliance guidance include tracking and analysis, ensuring risk reporting is regularly provided to business leadership, and monitoring management’s implementation of corrective plans. 

Questions from the OIG

If you’re wondering whether your organization is on the right track with its internal auditing and monitoring, it’s worth reviewing this handful of questions raised by the OIG in its guidance: 
  • Is your organization using a full risk assessment to create a risk-based annual audit plan? 
  • Who participates in the risk assessment? 
  • How are topics prioritized?
  • Are audit results analyzed, tracked, trended, and reported? 
  • How often are you providing staff education and making policy and procedure changes?
  • Is management (not compliance) responsible for corrective action plans? 
  • How are mitigation steps determined? Is education provided?
  • How are results reported?
  • Is risk reporting regularly provided to leadership?
  • Do compliance committee and governing board level minutes reflect regular risk reporting and discussion, including any risk resolution that does not follow earlier timetables?
  • Do you have an inventory of all audits conducted by internal staff or external consultants?
  • Are there routine interactions between compliance and internal audit staff? 
  • How many internal audit hours are designated for compliance-related work? 
  • Is your organization maintaining a reporting system(s) to enable employees to report any noncompliance (e.g., hotline)?
  • How are you assuring that a timely response is made to any reported compliance concerns?
  • Is there a monitoring process in place to ensure that no retaliation has occurred for reporting compliance concerns?
For additional questions and detailed guidance, read the full resource guide put together by the OIG.

Auditing the auditors 

OIG guidance offers several explicit reminders that it is important to consider who is auditing the auditors in any internal auditing program. The use of outside expertise is not only allowed but encouraged under OIG guidance.

If your organization relies solely on internal review, it may be time to hire a knowledgeable and experienced third party to audit the auditors and validate audit results. 

SimiTree can help 

When your organization needs help implementing an effective internal auditing program, auditing its own auditors, or understanding the complexities of compliance, let SimiTree help. 

Our certified healthcare compliance experts work with healthcare organizations to ensure they use objective and independent methodologies and determine sampling methodologies consistent with the circumstances. We also optimize EHRs for ideal monitoring, flagging, and reporting.

SimiTree’s full risk assessments include reviews of billing practices and clinical documentation, as well as organizational processes. 


Reach out to us today, and let’s work together to establish the internal tracking and monitoring required for an effective, compliant, and risk-based audit program throughout your organization. 

Your questions matter!

Tell us what you want to read about.  

Rapidly changing regulations are impacting all behavioral health providers, creating many areas of uncertainty for providers. We want to address the questions that matter most to you in this weekly space.  

Ask your compliance questions – or request the specific topic you’d like more information about – by writing to me at jgriffin@simitreehc.com to tell me what you’d like to read about in a future Compliance Report.  

Make sure you’re subscribed. 

It's more important than ever to stay abreast of compliance issues in 2024 -- and I don’t want you to miss any of my Weekly Compliance Reports. Be sure to add your name to the subscription list here. 

Why not invite the compliance officers you know to sign up as well?


J’non Griffin serves as Senior Vice President for the Compliance and Coding divisions at SimiTree. With a healthcare career that spans three decades, she has a track record of helping many provider types implement effective compliance programs. She has worked with organizations nationwide to develop compliant emergency preparedness and operation plans, implement fully compliant plans of care, and meet regulatory demands. As an AHIMA ambassador, Griffin was instrumental in preparing the coding community for the launch of ICD-10.