Hospital administrators, physicians, and members of every healthcare office billing department know that if their practice or hospital provides services to Medicare patients, they must be prepared to potentially receive a request to be audited from the Medicare Parts C and D Oversight and Enforcement Group. The Centers for Medicare and Medicaid Services (CMS) is responsible for devising the audit strategy and enforcing it on a year-to-year basis.

While this process may seem overwhelming, becoming familiar with the process will allow your organization to be prepared if an audit does occur. CMS provides documents online to help you further understand the process in more detail.

What are the 4 Phases of the Medicare Audit Process?

The Medicare Audit process is divided into four phases:

  • Phase 1 – Audit Engagement and Universe Submission
  • Phase 2 – Audit Field Work
  • Phase 3 – Audit Reporting
  • Phase 4 – Audit Validation and Close Out

Phase 1: Audit Engagement and Universe Submission

The Audit Engagement and Universe Submission phase involves formally notifying the organization that the audit will take place and includes a request for pertinent materials. This phase occurs six weeks prior to the field work portion and includes the request to submit required data outlined in the respective Program Audit Data Request document. CMS will test the integrity of the organization’s submissions and select sample cases to be tested during the audit fieldwork.

Phase I includes these four steps in the following order:

  1. Engagement Letter: CMS will notify the sponsoring organization of audit selection, identify the scope and logistics, and provide instructions for audit submissions
  2. Universe Submission: Organization will submit requested universes and supplemental documentation to CMS
  3. Universe Integrity Testing: CMS will test the integrity of the sponsoring organization’s submissions
  4. Audit Sample Selection: CMS will select sample cases to be tested during audit field work

Phase 2: Audit Field Work

The Audit Field Work phase is conducted over three weeks and is a review of sample cases and supporting documentation, a CMS documentation analysis, and the organization’s presentation of compliance tracer reviews and supporting documents. Generally, the field work is conducted via webinar with the exception of the CPE review, which may occur onsite during the final week of field work. CMS will issue a preliminary draft report with their observations from the audit.

Phase II includes these five steps in the following order:

  1. Entrance Conference: CMS will provide audit objectives and expectations. The sponsoring organization may give a voluntary presentation on the organization
  2. Webinar Reviews: CMS tests sample cases and reviews supporting documentation with the sponsoring organization systems via webinar
  3. (Onsite) Audit of Compliance Program Effectiveness: Sponsoring organization presents compliance program tracer reviews and submits supporting documentation (screenshots, root cause analyses, impact analyses, etc.); CMS will provide a documentation analysis
  4. Preliminary Draft Audit Report Issuance: CMS will issue a preliminary draft report to the sponsoring organization identifying the preliminary conditions and observations noted during the audit
  5. Exit Conference: CMS will review and discuss the preliminary draft audit report with the sponsoring organization

Phase 3: Audit Reporting

The Audit Reporting phase includes CMS classification of non-compliance and an audit score, a notice of immediate corrective action required (ICAR), a corrective action plan (CAP) from the organization, and draft and final audit reports from CMS. This will occur at the conclusion of audit field work and includes five stages. However, the findings in this preliminary draft report are subject to additional review and evaluation after all supporting documentation has been received and evaluated.

Phase III includes these five steps in the following order:

  1. Condition Classification and Audit Scoring: CMS classification of noncompliance and calculation of sponsoring organization’s audit score
  2. Notification of Immediate Corrective Action Required (ICAR) conditions (as applicable): CMS will notify the sponsoring organization of any conditions requiring immediate corrective action; the sponsoring organization ICAR Corrective Action Plan (CAP) must be submitted within 3 business days
  3. Draft Audit Report Issuance: CMS will issue a draft audit report including a condition classification and audit score to the sponsoring organization approximately 60 calendar days after the exit conference
  4. Draft Audit Report Response: Sponsoring organization must submit comments to the draft audit report within ten business days of the draft audit report receipt
  5. Final Audit Report Issuance: CMS will issue a final audit report with responses to the sponsoring organization’s comments and updated audit score (if applicable) approximately ten business days after receipt of sponsoring organization’s comments to draft audit report 

Phase 4: Audit Validation and Close Out

The final phase of the audit process is the Audit Validation and Close Out phase and includes the organization’s submission of non-ICAR CAPs, CAP review and acceptance by CMS, a validation audit in which the organization demonstrates the correction of audit conditions, and the audit closeout when CMS evaluates whether conditions have been substantially corrected. This is the longest phase as it occurs over a period of approximately six months.

Phase IV includes these four steps in the following order:

  1. Non-ICAR CAP Submission: Sponsoring organization must submit non-ICAR CAPs within 30 calendar days of final audit report issuance
  2. CAP Review and Acceptance: CMS performs CAP reasonableness review and notification to sponsoring organization of acceptance or need for revision
  3. Validation Audit: Sponsoring organization must demonstrate correction of audit conditions cited in the final audit report via validation audit. This must be completed within 180 calendar days of CAP acceptance
  4. Audit Close Out: CMS will evaluate the validation audit report to determine whether conditions have been substantially corrected and notify the sponsoring organization of next steps or audit closure. If CMS determines that the audit can be closed, any isolated issues of noncompliance that remain will be referred to the CMS Account Manager for follow-up with the sponsoring organization. If CMS determines that the audit conditions have not been substantially corrected, the audit will remain open, and the sponsoring organization must submit new CAPs and undergo another validation audit for the remaining uncorrected conditions. In addition, any uncorrected conditions that require another validation audit may be referred to DCE to determine if enforcement action is warranted.

In order to pass a Medicare audit, medical administrators and/or physicians should outsource their medical credentialing to professionals who are familiar with the process. By doing so, they will better position themselves to avoid the numerous and common errors that cause practices and hospitals to fail their Medicare audits.

How to Prepare for a Medicare Audit

  1. Comply with deadlines.  Most CMS notifications arrive by mail, so make sure your front office knows what to do with these letters when they’re received. CMS only allows a window of 45 days to respond, so time is of the essence and unpaid claims may be the result of missing the deadline.
  2. Educate your office staff. A Medicare audit is not something to take lightly and everyone must understand how important it is to comply accordingly.
  3. Gather all requested information and documents. CMS will notify your organization of submissions under review and which supporting documents are needed. Select team members to run point on this to streamline communication within the office and with the Medicare contractor.
  4. If you’ve been audited by CMS previously, review those audits. Make sure your staff took the proper steps to rectify the problems that triggered the previous audits. Medicare can look at claims as old as four years, so review as many claims as possible and look for mistakes. If you have a plan in place to correct the mistakes you discovered, it will save time during the audit.
  5. Who will meet with the auditor? Your point person is critical in the auditing process – he or she must be knowledgeable and well-informed on Medicare billing practices and your own internal billing systems.

A Medicare audit is not something that should be taken lightly, but it can be prepared for ahead of time by instituting best practices. By knowing what errors are most common, you and your staff can determine which areas you are already proficient in and which areas may need improvement. When it comes to a Medicare audit, being prepared and ahead of the curve is always the best course of action.

Verisys is one of the most trusted credentialing and network management sources to ensure ongoing compliance for your organization. By implementing processes that follow CMS regulatory guidelines for Medicare, your healthcare organization can be confident in your ability to weather an audit. Contact us today to learn more.


Verisys Written by Verisys
Verisys transforms provider data, workforce data, and relationship management. Healthcare, life science, and background screening organizations rely on our comprehensive solutions to discover their true potential. Visit to learn how we turn problems into power.

  • Secure, configurable, and proven solutions
  • Accurate, compliant, and complete information
  • NCQA, URAC, and ISO accreditations/certifications

Follow us on LinkedIn