Form CMS-10191 CPE Program Area Audit Process and Data Request

Medicare Parts C and D Program Audit Protocols and Data Requests (CMS-10191)

Attachment I CPEAuditProcessDataRequest

Medicare Parts C and D Program Audit Protocols and Data Requests

OMB: 0938-1000

Document [pdf]
Download: pdf | pdf
OMB Control Number 0938-1000 (Expires: TBD)

Parts C and D
Compliance Program
Effectiveness (CPE)
Program Area
AUDIT PROCESS AND DATA
REQUEST

PRA Disclosure Statement According to the Paperwork Reduction Act of 1995, no persons are required to respond to a collection of
information unless it displays a valid OMB control number. The valid OMB control number for this information collection is 09381000 (Expires: TBD). The time required to complete this information collection is estimated to average 701 hours per response,
including the time to review instructions, search existing data resources, gather the data needed, and complete and review the
information collection. If you have comments concerning the accuracy of the time estimate(s) or suggestions for improving this form,
please write to: CMS, 7500 Security Boulevard, Attn: PRA Reports Clearance Officer, Mail Stop C4-26-05, Baltimore, Maryland
21244-1850. Please do not send applications, claims, payments, medical records or any documents containing sensitive information to
the PRA Reports Clearance Office. Please note that any correspondence not pertaining to the information collection burden approved
under the associated OMB control number listed on this form will not be reviewed, forwarded, or retained. If you have questions or
concerns regarding where to submit your documents, please contact 1-800-MEDICARE.

Table of Contents
Audit Purpose and General Guidelines ............................................................................................................ 3
Universe Preparation & Submission ................................................................................................................ 5
Sample Evaluation ........................................................................................................................................... 7
Audit Elements ................................................................................................................................................ 9
I. Prevention Controls and Activities............................................................................................................... 9
II. Detection Controls and Activities ............................................................................................................. 10
III. Correction Controls and Activities .......................................................................................................... 11
Appendix ....................................................................................................................................................... 12
Appendix A—Compliance Program Effectiveness (CPE) Record Layouts .............................................. 12
Table 1: First-Tier Entity Auditing and Monitoring (FTEAM) Record Layout .................................... 12
Table 2: Employees and Compliance Team (ECT) Record Layout ...................................................... 17
Table 3: Internal Auditing (IA) Record Layout ..................................................................................... 18
Table 4: Internal Monitoring (IM) Record Layouts............................................................................... 22

Page 2 of 26

v. 12-2019

Audit Purpose and General Guidelines
1. Purpose: To evaluate the sponsor’s performance with adopting and implementing an effective
compliance program to prevent, detect and correct Medicare Parts C or D program non-compliance
and fraud, waste and abuse (FWA) in a timely and well-documented manner. The Centers for
Medicare and Medicaid Services (CMS) will perform its audit activities using these instructions
(unless otherwise noted).
2. Review Period: The review period for the Compliance Program Effectiveness (CPE) audits is 1
year preceding and including the date of the audit engagement letter (prior Month, Day, Year
through audit engagement letter Month, Day, and Year).
3. Responding to Documentation Requests: The sponsor is expected to present its
supporting documentation during the audit and take screen shots or otherwise upload the
supporting documentation, as requested, to the secure site using the designated naming
convention and within the timeframe specified by the CMS Audit Team. The screenshots
must be provided to CMS via a Microsoft® Word or PDF document.
4. Sponsor Disclosed Issues: Sponsors will be asked to provide a list of all disclosed issues of noncompliance that are relevant to the program areas being audited and may be detected during the
audit. A disclosed issue is one that has been reported to CMS prior to the receipt of the audit start
notice (which is also known as the “engagement letter”). Issues identified by CMS through ongoing monitoring or other account management/oversight activities during the plan year are not
considered disclosed.
Sponsors must provide a description of each disclosed issue as well as the status of correction and
remediation using the Pre-Audit Issue Summary template. This template is due within 5 business days
after the receipt of the audit start notice. The sponsor’s Account Manager will review the summary to
validate that “disclosed” issues were known to CMS prior to receipt of the audit start notice.
When CMS determines that a disclosed issue was promptly identified, corrected (or is actively
undergoing correction), and the risk to beneficiaries has been mitigated, CMS will not apply the
ICAR condition classification to that condition.
NOTE: For CPE, CMS wants a list of all disclosed issues relating to a sponsor’s compliance
program, not issues discovered during compliance activities (such as routine monitoring or auditing).
For example: the sponsor disclosed an issue to CMS that during the audit review period the SIU
failed to comply with a number of requests for additional information from the MEDIC and
enforcement agencies.
5. Calculation of Score: CMS will determine if each condition cited is an Observation (0 points),
Corrective Action Required (CAR) (1 point) or an Immediate Corrective Action Required
(ICAR) (2 points). Invalid Data Submissions (IDS) conditions will be cited when a sponsor is
not able to produce an accurate universe within 3 attempts. IDS conditions will be worth one
point.
CMS will then add the score for that audit element to the scores for the remainder of the audit
elements in a given protocol and then divide that number (i.e., total score), by the number of audit
elements tested to determine the sponsor’s overall CPE audit score. Some elements and program
areas may not apply to certain sponsors and therefore will not be considered when calculating
program area and overall audit scores. Observations will be recorded in the draft and final reports,
Page 3 of 26

v. 12-2019

but will not be scored and therefore will not be included in the program area and audit scores.
6. Informing Sponsor of Results: CMS will provide daily updates regarding conditions discovered
that day (unless the tracer has been pended for further review). CMS will provide a preliminary
summary of the conditions at the exit conference. The CMS Audit team will do its best to be as
transparent and timely as possible in its communication of audit findings. Sponsors will also receive
a draft audit report which they may formally comment on and then a final report will be issued after
consideration of a sponsor’s comments on the draft.

Page 4 of 26

v. 12-2019

Universe Preparation & Submission
1. Responding to Universe Requests: The sponsor is expected to provide accurate and timely
universe submissions within 15 business days of the engagement letter date. CMS may request a
revised universe if data issues are identified. The resubmission request may occur before and/or
after the entrance conference depending on when the issue was identified. Sponsors will have a
maximum of 3 attempts to provide complete and accurate universes, whether these attempts all
occur prior to the entrance conference or they include submissions prior to and after the
entrance conference. However, 3 attempts may not always be feasible depending on when the
data issues are identified and the potential for impact to the audit schedule. When multiple
attempts are made, CMS will only use the last universe submitted.
If the sponsor fails to provide accurate and timely universe submissions twice, CMS will document
this as an observation in the sponsor’s program audit report. After the third failed attempt, or when the
sponsor determines after fewer attempts that they are unable to provide an accurate universe within
the timeframe specified during the audit, the sponsor will be cited an Invalid Data Submission (IDS)
condition relative to each element that cannot be tested, grouped by the type of case.
2. Pull Universes and Submit Documentation: The universes and documentation collected for
this program area test the sponsor’s performance in compliance program effectiveness.
Sponsors will provide universes and supporting documentation that describe the framework
and operation of its compliance program and universes to support the implementation of
compliance activities conducted within the audit period. If the audit review crosses calendar
years, sponsoring organizations must provide the requested documentation (e.g. standards of
conduct/code of conduct documents, audit and monitoring work plans, Corporate
Compliance/Medicare Compliance/Fraud Waste Abuse (FWA) plan, formal risk assessments,
etc.) that covers the entire audit period.
2.1. Documentation: Sponsors should submit the following documentation in either a
Microsoft Word (.docx), Microsoft Excel (.xlsx) or Portable Document File (PDF).
•
•
•
•
•
•
•

•

Page 5 of 26

Completed Compliance Officer Questionnaire (Attachment I-A)
Customized Organizational Structure and Governance PowerPoint Presentation
(Attachment I-B)
Completed First-Tier Downstream and Related Entities (FDR) Operations Questionnaire
(Attachment I-C)
Completed Special Investigation Unit (SIU)/FWA Prevention and Detection Questionnaire
(Attachment I-D)
Standards of Conduct/Code of Conduct document (distributed to employees and
FDRs during the audit review period)
Corporate Compliance/Medicare Compliance/FWA Plan (or similar document in
effect during the audit review period)
Formal Risk Assessments and Compliance Performance Mechanisms that show
the extent to which Medicare Parts C and/or D operational areas and FWA risks
were identified and compliance goals were monitored during the audit review
period
Audit and Monitoring Work Plans (for internal operations and FDRs, in effect at any time
during the audit review period)

v. 12-2019

2.2. Data Universes: Universes should be compiled using the appropriate record layouts as
described in Appendix A. These record layouts include:
•
•
•
•

First-Tier Entity Auditing and Monitoring (FTEAM)
Employee and Compliance Team (ECT)
Internal Auditing (IA)
Internal Monitoring (IM)

NOTE:
• For each respective universe, the sponsor should include all items that match the description
for that universe for all contracts and PBPs in its organization as identified in the audit
engagement letter.
• For each respective universe, the sponsor should include compliance and FWA activities.
• Please refer to Section 40 of the Medicare Parts C and D Compliance Program Guidelines for
definitions, flowcharts and guidance on relationships between sponsor and first-tier entities.
• Please refer to Section 50.6 of the Medicare Parts C and D Compliance Program Guidelines
for definitions and guidance for routine internal auditing and monitoring requirements and
expectations.
• Please refer to Sections 50.6.9 and 50.6.10 for guidance on fraud, waste and abuse monitoring
activities and SIU operations.
3. Submit Universes to CMS: Sponsors should submit each data universe in the Microsoft
Excel (.xlsx) file format with a header row (or Text (.txt) file format without a header row)
following the record layouts shown in Appendix A (Tables 1-4). The sponsor should submit its
universes in whole and not separately for each contract and PBP. The sponsor should submit
all documentation with its universes.

Page 6 of 26

v. 12-2019

Sample Evaluation
1. Tracer Sample Selection: In order to be effective, a sponsor’s compliance program must be
fully implemented and tailored to the sponsor’s unique organization, operations, and
circumstances. CMS will use a tracer method to evaluate implementation of applicable
compliance elements and determine whether the sponsor’s compliance program, as a whole
system, functions in a way that is effective to address compliance and FWA issues in a timely
and well-documented manner. CMS will select a sample of six (6) cases from the universes and
related to the documentation provided to trace the sponsor’s response to compliance issues. It is
not required that each case in the sample will cover all elements of a compliance program.
For example, a case pulled from the Internal Monitoring (IM) universe may involve a quality
monitoring activity performed by a sponsor’s quality improvement (QI) department to review
and analyze untimely grievances. This activity identified compliance issues that involved
additional training and education, communication with involved parties and revisions to
processes, and other actions to correct and prevent the issue from recurring in the future.
However, after a thorough root cause analysis was completed, the QI department and
Compliance Officer determined the issues were isolated with limited beneficiary impact which
required engagement by the Compliance Committee but not escalation to senior management or
the governing body. While this case touched many of the seven elements of an effective
compliance program, due to the detected issues having minimum impact on the Medicare
business it was not necessary for the sponsor to implement all of the core requirements and
actions identified in Compliance Program Elements I, II, and V.
Employee and Compliance Team and First Tier Entity (ECT& FTE) Sample Selection:
In addition to tracer samples, CMS will select twenty samples from the ECT universe, which
will be reviewed for training and accessibility of the Policies & Procedures and Standards of
Conduct. Two FTE samples will be selected from the FTEAM universe, which will be reviewed
for accessibility of the Policies & Procedures and Standards of Conduct. The sample selections
will be uploaded to HPMS the morning of day one of the onsite field work. The review will take
place on day three of the onsite field work.
2. Tracer Case Summary and Documentation Reviews:
2.1. Tracer Case Summary: For each selected case, sponsors should prepare a written document that
provides the specific facts, rationales, and decisions and describe how suspected, detected or
reported compliance issues are investigated and resolved by the sponsor in chronological order.
The sponsor should ensure each tracer summary, at a minimum, addresses the following points:
•
•
•
•
•
•

Overview of the issue(s) or activity
Indicate which compliance and business operations units were involved in detecting and
correcting the issue(s)
Detailed explanation of the issue(s)/ activity (e.g., what the sponsor found, when the sponsor
first learned about the issue, and who or which personnel/operational area(s) were involved.)
Root cause analysis that determined what caused or allowed the compliance issue, problem or
deficiency to occur
Specific actions taken in response to the detected issue(s)/activity
Processes and procedures affected and revised in response to becoming aware of the
issue(s)/activity

Page 7 of 26

v. 12-2019

•
•
•
•

Steps taken to correct the issues/deficiencies at the sponsor or FDR levels, including a timeline
indicating the corrective actions fully implemented or, if not implemented, when the sponsor
expects the corrective action to be completed.
Issue escalation (e.g. senior management, compliance oversight committees, governing body,
etc.)
Communication within the sponsor and with its FDRs
Prevention controls and safeguards implemented in response to the issue(s)/activity

Sponsors must document the facts of each tracer summary using the most effective and efficient
method for their business. While the method used frequently by sponsors for tracer summaries are
PowerPoint presentations (PPTs), sponsors may use other communication tools such as MS Word,
story boards, and/or dashboards. A total of 6 tracer summaries must be submitted to CMS.
2.2. Supporting Documentation: During the onsite portion of the audit, CMS will review the
summaries and supporting documentation during the tracer reviews with the sponsor to
determine if applicable audit elements were effectively met. The sponsor will need access and
provide screenshots only for the documents and data that are relevant to a particular case:
•
•
•
•
•
•

•
•

Policies and procedures (Ps&Ps) reviewed and revised in response to detecting and correcting
compliance issues.
Evidence that compliance issues were communicated to the appropriate compliance
personnel, senior management and oversight entities.
Training provided in response to identifying and correcting compliance issues.
Evidence of communication to the affected or involved business areas regarding the
compliance issues.
Evidence of the monitoring/auditing activities that occurred as a result of the detected issues.
Evidence of appropriate accountability and oversight by the sponsor when issues are detected
at the FDR level, including response and correction procedures, communication, educational
requirements and engagement with compliance department, operational areas and any
oversight entities.
Evidence/explanation of the root cause analysis performed to determine why the issue
occurred.
Description of the beneficiary and/sponsor impact as a result of the detected compliance
issues.

3. Submit Tracer Documentation to CMS: Sponsors should be prepared to provide only the
supporting documentation that is specific for each tracer either by uploading to the Health Plan
Management System (HPMS) or providing onsite.

Page 8 of 26

v. 12-2019

Audit Elements
I. Prevention Controls and Activities
This audit element evaluates the sponsor’s internal controls to reduce the number of potential noncompliance, FWA and regulatory violations from occurring within all Medicare business operational
areas by employees and delegated entities. These compliance controls provide the framework for which
the company and its employees operate, convey compliance expectations, prevent repeated issues from
recurring and deter minor issues from becoming significant problems with adverse impact to the
sponsor’s operations and Medicare beneficiaries.
1. Apply Compliance Standard: CMS will evaluate cases through the tracer and sample review
against the following criteria. CMS may review factors not specifically addressed in these questions
if it is determined that there are other related CPE requirements not being met. Also, since some cases
may not demonstrate all elements of an effective compliance program, it is acceptable if some of the
questions below do not apply. Auditors will note for each question which case demonstrated the
sponsor’s compliance or non-compliance with the standard.
1.1. Did the sponsor update and distribute their Standards of Conduct and Ps&Ps to their
employees/FDRs when appropriate and within required timeframes?
1.2. Did the sponsor’s compliance officer and compliance committee operate in accordance
with CMS requirements?
1.3. Did the sponsor demonstrate appropriate accountability and reporting of Medicare
compliance issues to appropriate senior management/executives and the governing body?
1.4. Did the sponsor have a governing body that exercises reasonable oversight of the Medicare
compliance program?
1.5. Did the sponsor establish and implement effective training and education to ensure its
employees, senior administrators and governing body members were aware of the
Medicare requirements related to the job function, compliance and FWA?
1.6. Did the sponsor implement an effective monitoring system to prevent FWA in the delivery
of Medicare Parts C and D benefits?
2. Sample Case Results: CMS will test each of the 6 cases through the tracer review. CMS will
also conduct interviews and review employee and FTE samples while onsite to provide insight
and additional information on the sponsor’s compliance program. If CMS requirements are not
met, conditions (findings) are cited. If CMS requirements are met, no conditions (findings) are
cited. NOTE: Cases and conditions may have a one-to-one or a one-to-many relationship. For
example, one case may be associated with a single condition or multiple conditions of noncompliance.

Page 9 of 26

v. 12-2019

II. Detection Controls and Activities
This audit element evaluates the sponsor’s internal controls to monitors and detect potential and
suspected compliance issues and activities. These compliance controls identify opportunities for the
sponsor to improve the performance of Medicare business operational areas and the compliance
program.
1. Apply Compliance Standard: CMS will evaluate cases through the tracer and sample review against
the following criteria. CMS may review factors not specifically addressed in these questions if it is
determined that there are other related CPE requirements not being met. Also, since some cases may
not demonstrate all elements of an effective compliance program, it is acceptable if some of the
questions below do not apply. Auditors will note for each question which case demonstrated the
sponsor’s compliance or non-compliance with the standard.
1.1. Did the sponsor implement a reporting system to receive, record, respond to, and track
compliance concerns, questions and reports of suspected or detected non-compliance and
FWA that allowed for anonymity and maintains confidentiality (e.g., telephone hotline)?
1.2. Did the sponsor implement a risk assessment that identified areas of concern and major
compliance risks for its Medicare business operational areas and beneficiaries?
1.3. Did the sponsor implement an effective system for monitoring and auditing its internal
Medicare Parts C and/or D operations and compliance program effectiveness?
1.4. Did the sponsor implement an effective monitoring system to detect and control FWA in
the delivery of Medicare Parts C and D benefits?
1.5. Did the sponsor properly monitor and audit its FDRs to ensure compliance with all
applicable laws, regulations and sub-regulatory interpretive guidance with respect to the
Medicare Parts C and/or D delegated functions and responsibilities?
1.6. Did the sponsor implement effective communication, monitoring and auditing controls for
detected issues involving its FDRs’ compliance performance?
2. Sample Case Results: CMS will test each of the 6 cases through the tracer review. CMS will
also conduct interviews and review employee and FTE samples while onsite to provide insight
and additional information on the sponsor’s compliance program. If CMS requirements are not
met, conditions (findings) are cited. If CMS requirements are met, no conditions (findings) are
cited. NOTE: Cases and conditions may have a one-to-one or a one-to-many relationship. For
example, one case may be associated with a single condition or multiple conditions of noncompliance.

Page 10 of 26

v. 12-2019

III. Correction Controls and Activities
This audit element evaluates the sponsor’s escalation processes, timely response and appropriate actions
to correct the underlying problems after compliance issues and deficiencies are identified. These
compliance controls provide immediate and reasonable response to the detection of misconduct and
violations of the Medicare program.
1. Apply Compliance Standard: CMS will evaluate cases through the tracer and sample review
against the following criteria. CMS may review factors not specifically addressed in these questions
if it is determined that there are other related CPE requirements not being met. Also, since some cases
may not demonstrate all elements of an effective compliance program, it is acceptable if some of the
questions below do not apply. Auditors will note for each question which case demonstrated the
sponsor’s compliance or non-compliance with the standard.
1.1. Did the sponsor undertake timely and reasonable corrective action in response to
compliance issues, incidents, investigations, complaints or misconduct involving Medicare
non-compliance or FWA?
1.2. Did the sponsor implement timely corrective actions for detected issues involving its FDRs’
compliance performance?
2. Sample Case Results: CMS will test each of the 6 cases through the tracer review. CMS will
also conduct interviews and review employee and FTE samples while onsite to provide insight
and additional information on the sponsor’s compliance program. If CMS requirements are not
met, conditions (findings) are cited. If CMS requirements are met, no conditions (findings) are
cited. NOTE: Cases and conditions may have a one-to-one or a one-to-many relationship. For
example, one case may be associated with a single condition or multiple conditions of noncompliance.

Page 11 of 26

v. 12-2019

Appendix
Appendix A—Compliance Program Effectiveness (CPE) Record Layouts
The universes for the Parts C & D Compliance Program Effectiveness (CPE) program area must be
submitted as a Microsoft Excel (.xlsx) file with a header row reflecting the field names (or Text (.txt)
file without a header row). Do not include the Column ID variable which is shown in the record layout
as a reference for a field’s column location in an Excel file. Do not include additional information
outside of what is dictated in the record layout. Submissions that do not strictly adhere to the record
layout will be rejected.
Note: There is a maximum of 4000 characters per record row. Therefore, should additional characters be
needed for a variable (e.g., description of deficiencies), enter this information on the next record at the
appropriate start position.
Table 1: First-Tier Entity Auditing and Monitoring (FTEAM) Record Layout
• Include:
o First-tier entities (FTEs) that have entered into a written agreement with a sponsor to
provide administrative or health care services to Medicare enrollees under the Part C
and/or D program (e.g., PBM, claims processors, enrollment processes, fulfillment, call
centers, credentialing, independent provider groups that manage/oversee a network of
physicians).
o Compliance and FWA audit and monitoring activities of first-tier entities that were
conducted by the compliance department, operational areas and SIU to evaluate the
compliance performance of first-tier entities.
o Audit and monitoring activities performed during the audit review period to identify and
address potential or suspected non-compliance and FWA at the FDR level in the delivery
of Medicare Part C and/or D benefits.
o Audit and monitoring activities that reviewed reports from FDRs to detect noncompliance and FWA trends and abnormalities
o Audit and monitoring activities to investigate allegations of non-compliance and
fraudulent , wasteful, abusive or questionable behavior performed by FTEs (e.g.
employee misconduct, fraudulent provider or pharmacy claims, fraudulent FTE invoices,
misuse of Medicare beneficiary information, overpayments, complaints or tips received
through hotlines, referrals, members, MEDIC, law enforcement, etc.)
o Audit and monitoring activities initiated, started, re-opened or completed during the audit
review period. This includes auditing and monitoring activities that may have started
outside the audit review period, but were completed within the audit review period.
o Audit and monitoring activities that are performed on a scheduled basis (e.g., weekly,
monthly, quarterly, annually, ad-hoc), should be included in the universe each time it was
performed.
o Related entities acting as a first-tier entity to provide administrative or health care
services.
o Other audit or monitoring activities of downstream entities performed by the sponsor
during the audit review period.
• Exclude:
o First-tier entities that do not provide an administrative or health care service function
related to the sponsor’s Medicare Parts C and/or D contracts.

Page 12 of 26

v. 12-2019

o
o
o

Audit and monitoring activities that are performed on a daily basis.
First-tier entities that were not audited or monitored within the audit review period.
Downstream or related entities that were not audited/monitored by the sponsor during the
audit review period.

Column
ID
A

Field Name

Field Type

Name of FTE

B

FTE function and
responsibilities

CHAR Always
Required
CHAR Always
Required

C

Component

CHAR Always
Required

100

D

Activity Type

CHAR Always
Required

10

E

Compliance or FWA?

CHAR Always
Required

10

Enter whether the activity was a
“compliance” or a “FWA” activity.
In situations where the activity can
be both compliance and FWA
related, sponsoring organizations
should list “FWA” in the record
layout and, during the universe
validation process, the sponsoring
organization can explain to the
audit team which issues are related
to both compliance and FWA.

F

Activity Frequency

CHAR
Always
Required

10

G

Activity Rationale

CHAR Always
Required

200

H

Activity Description

CHAR Always
Required

400

Provide the frequency of the audit or
monitoring activity (e.g. weekly,
monthly, quarterly, annually, or adhoc).
Provide the rationale for conducting the
audit or monitoring activity (e.g.,
monitoring activity was implemented
because the function has an immediate
impact on members’ access to
immediate medical care and
prescription drugs).
Provide a description of the audit or
monitoring activity (e.g., operational
area, training requirements, timeliness,
accuracy of organization
determinations and notifications,
messaging errors, contractual
agreements, pharmacy or provider
claims, unannounced or onsite audits,
spot checks, compliance monitoring,
targeted or stratified sampling, audit
protocols).

Page 13 of 26

Field
Length
100
400

Description
Name of the first-tier entity (FTE) that
was audited or monitored.
Brief description of the administrative
or health care service function(s) and
responsibilities the FTE conducts on
behalf of the sponsor.
Name of the sponsor’s component(s),
department(s) and/or operational
area(s) that work in part or whole with
the FTE.
Enter whether the activity was an
“audit” or a “monitoring” activity.

v. 12-2019

Column
ID
I

J

Field Name

Field Type

Activity Start Date

CHAR Always
Required

Activity Completion Date

CHAR
Always
Required

Field
Length
10

10

K

Identified Deficiencies

CHAR Always
Required

3

L

Number of Deficiencies

CHAR Always
Required

3

Description
Date that the specific audit or
monitoring activity was initiated,
started or reopened by the sponsor. For
example, if the sponsor started
monitoring a function of the PBM to
ensure it properly implemented its
transition policy for new beneficiaries
on January 1, 2019, that is the date that
would be used for the date the audit or
monitoring started.
Submit in CCYY/MM/DD format (e.g.,
2019/01/01).
Date that the audit or monitoring
activity ended. For example, if the
sponsor completed monitoring a
function of the PBM to ensure it
properly implemented its transition
policy for new beneficiaries on January
31, 2019, that is the date that would be
used for the date the audit or
monitoring completed.
Submit in CCYY/MM/DD format (e.g.,
2019/01/01). Answer TBD (To Be
Determined) if the audit or monitoring
activity is currently in progress.
Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether any issues,
deficiencies or findings were
discovered during the audit or
monitoring activity. Answer TBD if
deficiencies have yet to be identified
for an ongoing activity.
Provide the number of deficiencies,
findings or issues identified.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.

M

Description of
Deficiencies

CHAR Always
Required

1000

Provide a summary of deficiencies,
findings or issues identified during the
audit or monitoring activity. If the audit
or monitoring activity was identified in
the pre-audit issue summary submitted
to CMS, provide the issue number in
the description.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.

Page 14 of 26

v. 12-2019

Column
ID
N

Field Name

Field Type

Corrective Action
Required

CHAR Always
Required

Field
Length
200

Description
Yes (Y), No (N), or To Be Determined
(TBD) indicator of whether corrective
action was required for each
deficiency/issue identified.
Answer “Y” if every previously
described deficiency identified during
the audit or monitoring activity
required a corrective action. Answer
“N” if none of the previously described
deficiencies required a corrective
action. If some but not all of the
previously described deficiencies from
the audit or monitoring activity
required corrective action, specify
which deficiencies needed a corrective
action and separate by a number as
needed (e.g., 1. Part D coverage
determinations processed incorrectly –
Y, 2. Part D coverage determinations
Timeliness – N).

O

Corrective Action
Description

CHAR Always
Required

1000

Answer TBD if corrective actions have
yet to be determined for an ongoing
activity.
Provide a summary of the corrective
action(s) implemented by the sponsor
and FTE in response to the
noncompliance or potential FWA,
including any root cause, timeframes
for specific achievements and any
ramifications for failing to implement
the corrective action satisfactorily.
For an audit or monitoring activity that
identified multiple issues, separate the
corrective actions implemented for
each issue by a number as needed (e.g.,
1. employee coaching was completed
between 2019/02/01 and 2019/02/15
for the errors identified during the
2019/01/01 pharmacy mail order
monitoring activity, 2. member
remediation was conducted for 50
members that never received their
approved medication).
Answer TBD if corrective measures
have yet to be determine for an ongoing
activity. Answer NA if corrective
action was not taken or determined
necessary by the sponsor for any of the
identified issues.

Page 15 of 26

v. 12-2019

Column
ID
P

Field Name

Field Type

Activity Results Shared?

CHAR Always
Required

Field
Length
500

Description
Provide a summary that describes how
the results of the audit or monitoring
activity were communicated or shared
with sponsor’s affected components,
compliance department, senior
management, and/or the FTE.
Answer TBD if results have yet to be
determined and shared with others for
an ongoing activity.

Page 16 of 26

v. 12-2019

Table 2: Employees and Compliance Team (ECT) Record Layout
• Include: all current employees of the sponsor (permanent, temporary, full-time, part-time)
including: senior management, volunteers (e.g., unpaid interns) who have job duties related to the
sponsor’s Medicare Advantage (Part C) and/or Prescription Drug (Part D) business, and members
of the governing body (i.e. Board of Directors) responsible for oversight of the Medicare program
who worked/served at any time during the audit review period.
• Exclude: individuals that have left the sponsor, terminated or resigned as of the date of the
audit engagement letter.
Column
ID
A

Field Name

Field Type

Employee ID

B

Employee First Name

C

Employee Last Name

D

Employee’s Title

E

Employee’s
Organizational
Component
Physical Location

CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required

F

G

Date of Hire or
Appointment

H

Employee Type

Page 17 of 26

CHAR
Always
Required

Field
Length
15

Description

50

First name of the employee or governing body
member.

50

Last name of the employee or governing body
member.

50

Position or title of the employee or governing
body member.

50

Component or department in which the
employee works (e.g., appeals, marketing,
customer service)
Geographical or office location of the
employee (e.g., Baltimore, MD. Central
Headquarters)
Enter the employee’s start date with the
sponsor or governing body member
appointment. Submit in CCYY/MM/DD format
(e.g., 1940/01/01).

100

10

20

Internal employee ID assigned by the sponsor.
Answer NA if no employee ID was assigned.

Indicate whether the individual is a governing
body member, full-time employee, part-time
employee, temporary employee, or a volunteer.
If an employee fills multiple roles (e.g., fulltime employee and governing body member),
identify all roles in this field separated by a
forward slash (e.g., full-time/BOD).

v. 12-2019

Table 3: Internal Auditing (IA) Record Layout
• Include:
o Compliance and fraud, waste and abuse (FWA) audit activities (formal review of
compliance with a particular set of standards as base measures) performed by the sponsor
to ensure that its internal business and/or operational areas are in compliance with
Medicare Parts C and D program requirements and to ensure that corrective actions are
undertaken timely and effectively.
o Audit activities performed during the audit review period to identify and address potential
or suspected non-compliance and FWA at the sponsor level in the delivery of Medicare
Part C and/or D benefits.
o Audit activities that reviewed reports from internal operational areas to detect noncompliance and FWA trends and abnormalities.
o Audit activities to investigate allegations of non-compliance and fraudulent ,wasteful,
abusive or questionable behavior performed by employees and board members involved
in administering or overseeing the sponsor’s Medicare Part C and/or D operations (e.g.
employee misconduct, internal operations, fraudulent provider or pharmacy claims,
fraudulent FTE invoices, misuse of Medicare beneficiary information, overpayments,
complaints or tips received through hotlines, referrals, members, MEDIC, law
enforcement, etc.)
o Audit activities initiated, started, re-opened or completed during the audit review period.
This includes audit activities that started prior to the audit review period, but were
completed within the audit period and activities that were started during the audit review
period but not yet completed.
o Audit activities that are performed on a scheduled basis (e.g., monthly, quarterly,
annually, ad-hoc), should be included in the universe each time it was performed.
• Exclude:
o Audit activities for non-Medicare lines of business (e.g., commercial, Medicaid) and
audit activities performed for first-tier entities during the audit review period.
o Audit activities that are performed on a daily basis.

Column
ID

Field Name

Field Type

Field
Length

Description

A

Component

100

B

Component
Responsibilities

C

Auditor Type

CHAR
Always
Required
CHAR
Always
Required
CHAR
Always
Required

Name of the sponsor’s component,
department or operational area that was
audited.
Brief description of what responsibilities
the component, department or operational
area conducts on behalf of the sponsor.
Indicate who was responsible for
conducting the audit activity (e.g.,
compliance officer, internal audit
department, appeals & grievances
staff/manager, external audit firm).
For internal staff, provide the name(s) of
staff/department involved with
conducting the audit activity. For external
audit firms, provide the name(s) of the
firm/company.

Page 18 of 26

400

100

v. 12-2019

Column
ID

Field Name

Field Type

Field
Length

Description

D

Compliance or FWA?

CHAR
Always
Required

10

Enter whether the activity was a
“compliance” or a “FWA” activity.
In situations where the activity can
be both compliance and FWA
related, sponsoring organizations
should list “FWA” in the record
layout and, during the universe
validation process, the sponsoring
organization can explain to the
audit team which issues are related
to both compliance and FWA.

E

Audit Frequency

10

F

Audit Rationale

CHAR
Always
Required
CHAR
Always
Required

G

Audit Description

CHAR
Always
Required

400

H

Audit Start Date

CHAR
Always
Required

10

Provide the frequency of the audit
activity (e.g. weekly, monthly, quarterly,
annually, or ad-hoc).
Provide the rationale for conducting the
audit activity (e.g., audit activity was
implemented because the function has an
immediate impact on members’ access to
immediate medical care and prescription
drugs).
Provide a description of the audit activity
(e.g., operational area, training
requirements, timeliness, accuracy of
organization determinations and
notifications, messaging errors,
contractual agreements, unannounced or
onsite audits, spot checks, compliance
monitoring, targeted or stratified
sampling, audit protocols).
Date that the specific audit activity was
initiated, started or reopened. For
example, if the sponsor started an audit of
the appeals process/function within the
sponsor on January 1, 2019, that is the
date that would be used for the date the
audit started.

I

Audit Completion Date

CHAR
Always
Required

200

10

Submit in CCYY/MM/DD format (e.g.,
2019/01/01).
Date that the specific audit activity ended.
For example, if the sponsor ended an
audit of the appeals process/function
within the sponsor on January 31, 2019,
that is the date that would be used for the
date the audit ended.

Submit in CCYY/MM/DD format (e.g.,
2019/01/01). Answer TBD (To Be
Determined) if the audit activity is
currently in progress.

Page 19 of 26

v. 12-2019

Column
ID

Field Name

Field Type

Field
Length

Description

J

Identified Deficiencies

CHAR
Always
Required

3

Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether any issues,
deficiencies or findings were discovered
during the audit activity. Answer TBD if
deficiencies have yet to be identified for an
ongoing activity.

K

Number of Deficiencies

CHAR
Always
Required

3

Provide the number of deficiencies,
findings or issues identified.

L

M

Description of
Deficiencies

Corrective Action
Required

CHAR
Always
Required

CHAR

1000

200

Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
Provide a summary of all deficiencies,
findings or issues identified during the
audit activity. If the audit was identified
in the pre-audit issue summary submitted
to CMS, please include the issue number.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether corrective
action is required for each
deficiency/issue identified.
Answer “Y” if every previously described
deficiency identified during the audit
activity required a corrective action.
Answer “N” if none of the previously
described deficiencies required a
corrective action. If some but not all of
the previously described deficiencies
from the audit activity required corrective
action, specify which deficiencies needed
a corrective action and separate by a
number as needed (e.g., 1. Part D
coverage determinations processed
incorrectly – Y, 2. Part D coverage
determinations Timeliness – N).
Answer TBD if corrective actions have
yet to be determined for an ongoing
activity.

Page 20 of 26

v. 12-2019

Column
ID

Field Name

Field Type

Field
Length

Description

N

Corrective Action
Description

CHAR
Always
Required

1000

Provide a summary of the corrective
action(s) implemented by the sponsor in
response to the noncompliance or
potential FWA, including any root cause
analysis, timeframes for specific
achievements and any ramifications for
failing to implement the corrective action
satisfactorily.
For an audit activity that identifies
multiple issues, separate the corrective
actions implemented for each issue by a
number as needed (e.g., 1. employee
coaching was completed between
2019/02/01 and 2019/02/15 for the errors
identified during the 2019/01/01
pharmacy mail order audit activity, 2.
member remediation was conducted for
50 members that never received their
approved medication).

O

Audit Results Shared?

CHAR
Always
Required

500

Answer TBD if corrective measures have
yet to be determine for an ongoing
activity. Answer NA if corrective action
was not taken or determined necessary by
the sponsor for any of the identified
issues.
Provide a summary that describes how
the results of the audit activity were
communicated or shared with sponsor’s
affected components, compliance
department, senior management, and/or
the FTE.

Answer TBD if results have yet to be
determined and shared with others for an
ongoing activity.

Page 21 of 26

v. 12-2019

Table 4: Internal Monitoring (IM) Record Layouts
• Include:
o Compliance and fraud, waste and abuse (FWA) monitoring activities (routine, scheduled
and ad-hoc reviews as part of normal operations) performed by the sponsor to test and
confirm internal business and/or operational areas are in compliance with Medicare Parts
C and/or Part D program requirements and to ensure that corrective actions are
undertaken timely and effectively.
o Monitoring activities performed during the audit review period to identify and address
potential or suspected non-compliance and FWA at the sponsor level in the delivery of
Medicare Part C and/or D benefits.
o Monitoring activities that reviewed reports from internal operational areas to detect noncompliance and FWA trends and abnormalities.
o Monitoring activities to investigate allegations of non-compliance and fraudulent,
wasteful, abusive or questionable behavior performed by employees and board members
involved in administering or overseeing the sponsor’s Medicare Part C and/or D
operations (e.g. employee misconduct, internal operations, fraudulent provider or
pharmacy claims, fraudulent FTE invoices, misuse of Medicare beneficiary information,
overpayments, complaints or tips received through hotlines, referrals, members, MEDIC,
law enforcement, etc.)
o All monitoring activities initiated, started, re-opened or completed during the audit
review period. This includes monitoring activities that started prior to the audit review
period, but were completed within the audit review period and activities that were started
during the audit review period but not yet completed.
o For monitoring activities that are performed on a scheduled basis (e.g., weekly monthly,
quarterly, annually, ad-hoc), it should be included in the universe each time it was
performed.
•

Exclude:
o Monitoring activities for non-Medicare lines of business (e.g., commercial,
Medicaid).and monitoring activities performed for first-tier entities during the audit
review period.
o Monitoring activities that are performed on a daily basis.

Column ID

Field Name

A

Component

B

Component
Responsibilities

Page 22 of 26

Field
Type
CHAR
Always
Required
CHAR
Always
Required

Field
Length
100

400

Description
Name of the sponsor’s component,
department or operational area that was
monitored.
Brief description of what responsibilities
the component, department or
operational area conducts on behalf of
the sponsor.

v. 12-2019

Column ID

Field Name

C

Monitor Type

D

Field
Type
CHAR
Always
Required

Field
Length
100

Compliance or FWA?

CHAR
Always
Required

10

E

Monitoring Frequency

10

F

Monitoring Rationale

CHAR
Always
Required
CHAR
Always
Required

G

Monitoring Description

CHAR
Always
Required

400

H

Monitoring Start Date

CHAR
Always
Required

10

200

Description
Indicate who was responsible for
conducting the monitoring activity (e.g.,
compliance officer, internal audit
department, appeals & grievances
staff/manager, external audit firm).
For internal staff, provide the name(s) of
staff/department involved with
conducting the monitoring activity. For
external firms, provide the name(s) of
the firm/company.
Enter whether the activity was a
“compliance” or a “FWA” activity.
In situations where the activity can
be both compliance and FWA
related, sponsoring organizations
should list “FWA” in the record
layout and, during the universe
validation process, the sponsoring
organization can explain to the
audit team which issues are related
to both compliance and FWA.
Provide the frequency of the monitoring
activity (e.g. weekly, monthly, quarterly,
annually, or ad-hoc).
Provide the rationale for conducting the
monitoring activity (e.g., monitoring
activity was implemented because the
function has an immediate impact on
members’ access to immediate medical
care and prescription drugs).
Provide a description of the monitoring
activity (e.g., operational area, training
requirements, timeliness, accuracy of
organization determinations and
notifications, messaging errors,
contractual agreements, unannounced or
onsite audits, spot checks, compliance
monitoring, targeted or stratified
sampling, audit protocols).
Date that the specific monitoring
activity was initiated, started or
reopened. For example, if the sponsor
started monitoring of the appeals
process/function within the sponsor on
January 1, 2019
, that is the date that would be used for
the date the monitoring started.
Submit in CCYY/MM/DD format (e.g.,
2019/01/01).

Page 23 of 26

v. 12-2019

Column ID

Field Name

Field Type Field
Length

Description

I

Monitoring Completion
Date

CHAR
Always
Required

10

J

Identified Deficiencies

CHAR
Always
Required

3

K

Number of Deficiencies

CHAR
Always
Required

3

Date that the specific monitoring
activity ended. For example, if the
sponsor ended monitoring of the appeals
process/function within the sponsor on
January 31, 2019, that is the date that
would be used for the date the
monitoring ended.
Submit in CCYY/MM/DD format
(e.g., 2019/01/01). Answer TBD (To
Be Determined) if the monitoring
activity is currently in progress.
Yes(Y), No (N) or To Be Determined
(TBD) indicator of whether any issues,
deficiencies or findings were discovered
during the monitoring activity. Answer
TBD if deficiencies have yet to be
identified for an ongoing activity.
Provide the number of deficiencies,
findings or issues identified.

L

Description of
Deficiencies

CHAR
Always
Required

1000

Answer TBD if deficiencies have yet to
be identified for an ongoing activity.
Provide a summary of all deficiencies,
findings or issues identified during the
monitoring activity. If the monitoring
activity is identified in the pre-audit
issue summary submitted to CMS,
please include the issue number.
Answer TBD if deficiencies have yet to
be identified for an ongoing activity.

Page 24 of 26

v. 12-2019

Column ID

Field Name

Field Type Field
Length

Description

M

Corrective Action
Required

CHAR
Always
Required

Yes (Y), No (N) or To Be Determined
(TBD) indicator of whether corrective
action is required for each
deficiency/issue identified. Answer
TBD if corrective actions have yet to be
determined for an ongoing activity.

200

Answer “Y” if every previously
described deficiency identified during
the monitoring activity required a
corrective action. Answer “N” if none of
the previously described deficiencies
required a corrective action. If some but
not all of the previously described
deficiencies from the monitoring
activity required corrective action,
specify which deficiencies needed a
corrective action and separate by a
number as needed (e.g., 1. Part D
coverage determinations processed
incorrectly – Y, 2. Part D coverage
determinations Timeliness – N).
Answer TBD if corrective actions have
yet to be identified for an ongoing
activity.

Page 25 of 26

v. 12-2019

Column ID

Field Name

N

Corrective Action
Description

Field
Type
CHAR
Always
Required

Field
Length
1000

Description
Provide a summary of the corrective
action(s) implemented by the sponsor in
response to the noncompliance or
potential FWA, including any root cause
analysis, timeframes for specific
achievements and any ramifications for
failing to implement the corrective
action satisfactorily.
For a monitoring activity that identifies
multiple issues, separate the corrective
actions implemented for each issue by a
number as needed (e.g., 1. employee
coaching was completed between
2019/02/01 and 2019/02/15 for the
errors identified during the 2019/01/01,
pharmacy mail order monitoring
activity, 2. member remediation was
conducted for 50 members that never
received their approved medication).
Answer TBD if corrective measures
have yet to be determine for an ongoing
activity.

O

Monitoring Results
Shared?

CHAR
Always
Required

500

Answer NA if corrective action was not
taken or determined necessary by the
sponsor for any of the identified issues.
Provide a summary that describes how
the results of the monitoring activity
were communicated or shared with
sponsor’s affected components,
compliance department, senior
management and/or the FTE.
Answer TBD if results have yet to be
determined and shared with others for
an ongoing activity.

Page 26 of 26

v. 12-2019


File Typeapplication/pdf
File TitlePart C and D Compliance Program Effectiveness (CPE) Program Area
SubjectCompliance Program Effectiveness Protocols, Audit Protocols, Audit Process and Data Request
AuthorCenters for Medicare and Medicaid Services
File Modified2019-12-12
File Created2019-12-09

© 2024 OMB.report | Privacy Policy