Navigating CMS Audits: Understanding the CMS Audit Phases

At Informa’s recent Transparency, Aggregate Spend & HCP Engagement conference, compliance professionals focused heavily on the CMS audits that began in early 2023. Since data collection began in 2013, the CMS’s decision to perform random audits marks a pivotal shift, signaling a new phase in Sunshine Act reporting. Throughout the conference, valuable insights were shared on the audit process and how best to prepare should your company be selected.

Legal Disclaimer: The information provided in this blog is for educational purposes only. The opinions and recommendations expressed are those of the author and do not constitute legal or other professional advice.

Understanding the CMS Audit Phases

CMS initiates the random audit process through a notice of inquiry, sent to the email and mailing addresses listed in the company’s CMS registration. Ensuring this information is complete and accurate is critical. While the audits appear to be random and there’s no specific information on the companies selected so far, it’s wise to review your historical data trends on the CMS Open Payments website for any anomalies.

Following the notice of inquiry, the auditor schedules an initial kick-off meeting with the company. During this phase, the auditor outlines the scope of the audit, objectives, criteria and process. Companies have the opportunity to present an overview of the types of transfers of value provided to covered recipients and the systems used for tracking and reporting payments. It’s important to carefully select the team for this meeting, leveraging advice from general and/or outside counsel as needed.

Post kick-off meeting, the auditor provides three questionnaires: internal controls, Open Payments program processes and fraud risks. Additionally, the auditor will request documentation such as past submissions during the lookback period, the Company Code of Conduct, written policies and procedures and a chart of accounts and general ledger. During this phase, the auditor is establishing baseline evidence of the company’s program. Companies should be strategic about the documents they provide, ensuring they reflect an appropriate scope while not withholding any relevant information. Consider offering additional documents that demonstrate the seriousness of your response and participation.

Fieldwork is conducted in two parts: reviewing sample transactions and searching for missing transactions. The auditor will request a specific number of transactions and supporting documentation from the lookback period, usually covering three years, which could include data reported from third-party vendors. In the search for missing transactions, the auditor may request a full general ledger to identify any unreported transactions. Given the auditor’s relative lack of familiarity with how life sciences companies operate, this phase is an opportunity to educate them on your data requests (e.g. no-shows, de minimis transactions). Companies should scrutinize all auditor requests, especially those that are outside the audit’s scope or may compromise your business operations.

After the fieldwork is completed, the CMS auditor issues preliminary findings. It’s essential to scrutinize these findings from every angle, as the report sent to CMS could implicate fraud and abuse in other areas. During this phase, companies should emphasize to auditors that while errors can occur, they are committed to making a good-faith effort to accurately report all transfers of value. Given the vast amount of data, spread across multiple systems and reported by various entities, this commitment is critical.

The final phases involve the management representation letter and post-audit company updates. After resolving draft findings, the auditor sends a draft management representation letter, where the company affirms compliance with Open Payments requirements and discloses any known instances of non-compliance during the audited period. Companies should carefully consider any concerns with executive management signing this letter. After the audit, the auditor will send a final report to CMS, and companies should evaluate what corrective actions are needed to prevent future audit findings.

Are you ready to elevate your transparency program to help ensure your organization is audit-ready? Don’t wait for compliance issues to arise—proactively manage your transparency risks and drive informed decision-making through a single repository for all your transparency data. To learn more, contact us.

Stay tuned for Part 2 of this blog series, where we’ll highlight key strategies and best practices for effectively preparing for a CMS audit.

Jay Ward
Director, Life Science Solutions

August 28, 2024

Cookie	Description
cookielawinfo-checkbox-advertisement	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Advertisement'.
cookielawinfo-checkbox-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Necessary'.
cookielawinfo-checkbox-non-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Non-Necessary'.
cookielawinfo-checkbox-preferences	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Preferences'.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Description
GPS	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gid	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.

Cookie	Description
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
Marketo	This allows a website to track visitor behaviour on the sites on which the cookie is installed and to link a visitor to the recipient of an email marketing campaign, to measure campaign effectiveness. Tracking is performed anonymously until a user identifies himself by submitting a form.
test_cookie	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
VISITOR_INFO1_LIVE	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	This cookies is set by Youtube and is used to track the views of embedded videos.

Understanding the CMS Audit Phases

Stay tuned for Part 2 of this blog series, where we’ll highlight key strategies and best practices for effectively preparing for a CMS audit.

Share This Story, Choose Your Platform!