How to Create an Annual Audit Plan

Traditionally, as the calendar year approaches its end, many compliance programs evaluate their annual audit plan to assess its effectiveness and revise the plan as needed for the following year. Some compliance programs may do this at other times of the year. When it happens is not as essential as doing so on an annual basis. 

In providing compliance guidance, the U.S. Department of Health and Human Services Office of Inspector General (OIG) asks the question, “Is the audit plan re-evaluated annually, and does it address the proper areas of concern, considering, for example, findings from previous years’ audits, risk areas identified as part of the annual risk assessment…”1 

What is an Annual Audit Plan? 

Compliance programs should have an annual audit plan. An audit plan is a written document that is often approved by a compliance committee, executive leadership, and/or a board of directors or subcommittee. Such a plan demonstrates an intentional commitment to dedicating time and resources to compliance risk areas. Some years, the plan might not change significantly from the previous year, but the assessment should be done to make sure the highest risk areas are still being audited.  

For example, if a hospital opened a new clinical service line it had not provided previously, scheduling a coding and billing audit of those new services might be something to consider adding to the annual audit plan. On the other hand, standard routine audits of all providers might be a mainstay of a compliance program’s auditing and monitoring plans. Such an activity might continue each year if it is still determined to be a significant enough risk to require auditing resources.

Again, the important aspect is a thoughtful review, as opposed to an annual rubber-stamp approval given without serious thought. When providing guidance about auditing and monitoring, the OIG writes, “An ongoing evaluation process is critical to a successful compliance program.”2

What should be audited?

The answer to this question will be different for each organization, for several reasons. The first is that organizations differ significantly in the type of services they provide. A physician practice will likely have significantly different areas to audit than a pharmacy, laboratory, or hospital. The second is that even similar organizations may differ in the risks they’ve identified.

For example, two hospitals in the same geographic location may provide very similar services and have the same third-party payor mix. But one hospital may have received a number of recent hotline calls demonstrating concern for a lack of medical necessity with certain imaging studies while the other hospital has been fined three times in the last two years for Emergency Medical Treatment and Labor Act (EMTALA) violations. One hospital should consider a medical necessity audit on their audit plan while the other would likely consider EMTALA audits. 

For these reasons, an annual audit plan should be drafted with heavy consideration of the organization’s annual risk assessment. It is difficult to separate the two. To this point, the U.S. Department of Justice (DOJ) in their document “Evaluation of Corporate Compliance Programs (Updated March 2023)” states a starting point to understand the “…evaluation of whether a company has a well-designed compliance program is to understand the company’s business from a commercial perspective, how the company has identified, assessed, and defined its risk profile, and the degree to which the program devotes appropriate scrutiny and resources to the spectrum of risks.”3

Auditing resources are included in the resources referred to by the DOJ. 

Even though each organization will have specific differences in regard to what it will audit, most of the areas to be audited typically fall into some of the following broader categories of healthcare compliance risk. This list is not all-inclusive. 

  1. Medical coding, billing, and claims (including medical necessity) 
  2. HIPAA privacy and security 
  3. Anti-kickback statute and Stark law 
  4. Conflicts of interest 
  5. Joint ventures and other financial arrangements 
  6. Clinical research 

Beyond these broad categories and an organization’s specific risk assessment, the following may be resources for specific areas to audit. This list is also not all-inclusive. 

  1. HHS OIG Work Plan 
  2. Local Medicare Administrative Contractor (MAC) 
  3. Target, Probe and Educate (TPE) initiatives 
  4. Bulletins and newsletters  
  5. Recovery Audit Contractor (RAC) approved audit items 
  6. DOJ settlements and press releases 
  7. State agencies such as state Medicaid inspectors general and/or state departments of health and human services 
  8. Office for Civil Rights (OCR) settlements and press releases 
  9. Professional societies, webinars, conferences, consultants and thought-leaders  

Annual Audit of the Compliance Program

In addition to the specific audit areas outside the compliance program, enforcement agencies also expect compliance programs themselves to be reviewed annually.  

Some organizations separate this activity from their annual audit plan while others include it because it requires the consumption of auditing resources. These reviews might also be called compliance program effectiveness reviews. They can be performed internally by compliance professionals, but usually are performed by an internal audit department, a colleague or peer outside the organization, or by an external consultant. 

The importance of these reviews is regularly emphasized by the OIG. In one compliance guidance document, the OIG writes, “An effective compliance program should also incorporate periodic (at least annual) reviews of whether the program’s compliance elements have been satisfied, e.g., whether there has been appropriate dissemination of the program’s standards, training, ongoing educational programs and disciplinary actions, among others. This process will verify actual conformance by all departments with the compliance program. Such reviews could support a determination that appropriate records have been created and maintained to document the implementation of an effective program.”4 

As part of this review process, the OIG suggests consideration of the following techniques: 

  • On-site visits
  • Interviews with personnel involved in management, operations, coding, claim development and submission, patient care, and other related activities
  • Questionnaires developed to solicit impressions of a broad cross-section of the hospital’s employees and staff
  • Reviews of medical and financial records and other source documents that support claims for reimbursement 
  • Trend analysis, or longitudinal studies, that seek deviations, positive or negative, in specific areas over a given period

The OIG also suggests those who perform these reviews should: 

  • Be independent of physicians and line management
  • Have access to existing audit and health care resources, relevant personnel, and all relevant areas of operation
  • Present written evaluative reports on compliance activities to the CEO, governing body, and members of the compliance committee on a regular basis, but no less than annually; and
  • Specifically identify areas where corrective actions are needed 

In addition to the OIG, the DOJ has shared similar thoughts on the importance of reviewing and improving an organization’s compliance program on a regular basis.  

Their guidance is given in the context of their own prosecutors assessing compliance programs during an investigation by the DOJ. So, it is written in a way that suggests an issue has arisen and the DOJ is involved in investigating. Even so, understanding what the DOJ is looking for is very instructive.  

They write, “Prosecutors may reward efforts to promote improvement and sustainability. In evaluating whether a particular compliance program works in practice, prosecutors should consider revisions to corporate compliance programs in light of lessons learned (looking to the auditing of the compliance program to assure its effectiveness). Prosecutors should likewise look to whether a company has taken reasonable steps to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct, and evaluate periodically the effectiveness of the organization’s program. Proactive efforts like these may not only be rewarded in connection with the form of any resolution or prosecution (such as through remediation credit or a lower applicable fine range under the Sentencing Guidelines), but more importantly, may avert problems down the line.”5 


One of the seven elements of an effective compliance program is auditing and monitoring. With scarce resources, and oftentimes more areas to audit than time and money allow, establishing an annual audit plan is one way to transparently address the highest compliance risk areas an organization faces.

With this in mind, an annual audit plan must be designed in light of the results of the organization’s annual risk assessment. In addition to auditing specific risks the organization may face, it is also recommended to annually audit or review the effectiveness of the compliance program itself. Doing so demonstrates a commitment to continuous improvement and can fill gaps in the program. Consequently, the compliance program is better positioned to prevent, detect, and correct non-compliance.

1 Federal Register, Vol. 70, No. 19, pp. 4875-4876

2 Federal Register, Vol. 63, No. 35, p. 8996

3 U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs (Updated March 2023)

4 Federal Register, Vol. 63, No. 35, p. 8996

5 U.S. Department of Justice Criminal Division, Evaluation of Corporate Compliance Programs (Updated March 2023)
