Nonprofit Audits

As a Medicaid or Medicare provider, maintaining your status as a federally recognized nonprofit, eligible for funding and reimbursements, requires passing financial and compliance audits. Whether you are a behavioral health program, mental health facility, intellectual and developmental disability support organization, or housing agency, we know that the biggest rewards come from caring for your community. Don’t let the fear of an audit compromise your priorities.

Start by reviewing the differences between the two programs and learning what types of audits they entail. This can help improve your readiness to respond to any external auditor engagement inquiries. As you feel more prepared, you can select enhanced customization options for your EHR and Case Management System. Taking practical steps to digitize your records can reduce the risk of triggering an audit and increase the likelihood of surviving one if you are flagged.

What Is the Difference Between Financial and Compliance Audits?

Many social service providers operate as nonprofit organizations. As such, you are subject to financial audits based on your revenue. These thresholds vary by state but typically include organizations that have annual revenues or assets above $500,000. The federal funding threshold is $750,000 for an OMB A-133 audit, also known as a Single Audit. Not all nonprofits are providers of Medicare and Medicaid Services. But many Medicare and Medicaid service providers are registered nonprofits.

If federal nonprofit status applies to you, ensure that you stay apprised of the possibility of nonprofit financial audits. Since many of these programs rely on taxpayer dollars, oversight is closely related to the potential for fraud. Some of the triggers of a financial audit include:

  • High utilization of services.
  • Late or never filed tax returns.
  • Discrepancies between state and federal taxes or reports.
  • Anonymous complaints or direct fraud allegations.
  • Random selection by the government.
  • Referral from another compliance agency.
  • Threshold-based single audits.

What Triggers Medicare and Medicaid Compliance Audits?

Compliance audits arise from government grants or contracts associated with serving people covered by Medicare and Medicaid. Besides being a source of grant funding, state and federal governments also engage in an insurance reimbursement system. Compliance audits oversee the legal and efficient payout of coded procedures performed by contracted doctors, social workers, and other authorized agents.

Some of the most common triggers of compliance audits include:

  • Missing date and time stamps.
  • Multiple edits on an EHR without signatures.
  • Notes that appear identical.
  • Frequently billing for the same code.
  • Overutilization of specialized, high-payout codes.

What Are the Differences Between a Medicare and Medicaid Audit?

The two main differences between a Medicare and Medicaid audit are who performs the audit and which regulations apply. The Centers for Medicare and Medicaid Services (CMS), the Office of Inspector General (OIG), and the state Medicaid office are the agencies responsible for most auditing and oversight besides the IRS. Here’s a little more detail about how Medicare and Medicaid audits differ:

Medicare Audit

Medicare is a federal program with a uniform set of codes for billing, reimbursement, and coverage, monitored by CMS. Medicare audits may focus more on preventing large sums of billing fraud and ensuring operational compliance. If it is a prepayment audit, they will send a Medicare Administrative Contractor (MAC) to assess claims submission feasibility, detect coding errors, and monitor provider infrastructure. If it is a postpayment audit, they will send a Recovery Audit Contractor (RAC) to review processed claims, discover payment errors, and initiate collections on overpayments.

Medicaid Audit

Medicaid is a joint federal and state program administered by the states. Each state has its own set of policies, procedures, and eligibility requirements, so audits may come from CMS or the state. Medicaid may use audits of nonprofits to eliminate fraud at the level of individual participant eligibility or scams. Managing each of these types of fraud ensures program integrity, monitors administrative and legal compliance, and controls costs.

There are several types of administrative CMS audits for Medicaid:

  • Medicaid RACs.
  • Medicaid Integrity Contractors (MICs).
  • Zone Program Integrity Contractors (ZPICs).
  • State Medicaid Fraud Control Units (MFCUs).
  • Comprehensive Error Rate Testing (CERT).
  • Payment Error Rate Measurement (PERM).

The OIG aims to identify and prevent fraud and abuse in the Medicare and Medicaid programs. This office investigates anonymous reports of fraud or flagged activities which may indicate fraud. Governments may also contract with independent external auditors to conduct the nonprofit audit on their behalf.

What Are the Most Common Types of Medicare and Medicaid Fraud?

As the service volume of your agency increases, billing accurately for every service and procedure may become more challenging. Some organizations set strategic targets for services rendered or annual revenue to boost morale and begin to scale. Our software can help you track how individual practitioners and administrative employees strive to reach these goals while maintaining impeccable transparency. Whether from a customer service representative or a member of the Board, fraudulent reporting or misuse of government-issued funds is illegal.

Some examples of fraud include:

Coding and Billing

Every Medicare and Medicaid billing code is unique to a specific service. It is a form of program abuse to receive higher reimbursement from the government by billing for a higher payout code even if it appears similar. You can’t submit insurance claims for services that were never provided or those that were provided by a different agency, unqualified staff, a doctor who is not registered under the program, or an unlicensed facility.


Providers enrolled in Medicare or Medicaid may never offer or receive money or gifts from either clients or other providers for upcoding, hiring, referrals, or buying medical equipment, especially not with government funds.

Identity Theft

Providers may never use the personal identifying information of program recipients to submit false claims for services that were not provided to them. They also cannot submit the provider number of registered providers to bill for services that were performed by an unregistered or unlicensed individual, even if they are in the same practice or agency.

How Far Back Can an Audit Go?

Both Medicare and Medicaid recovery audits have a standard lookback period of three calendar years. Within this, there are more nuanced regulatory guidelines that may limit a lookback period to six months or one year or may extend the period up to three years. The factors that contribute to how far back an audit can go include which program it is for, whether it is a prepayment or postpayment review, and whether there is evidence of negligent errors or more serious fraud and abuse.

How Much Does an Audit Cost for a Nonprofit?

In most cases, the nonprofit organization hires a government-contracted or independent auditor. The costs can range from a few thousand dollars to $50,000 depending on the size of your organization and the complexity of the audit. If the government has requested the audit, there may be some assistance programs, cost-sharing, or reimbursement options available. You can independently research available grants or loans for audit assistance, contact your state office, or inquire with the auditor about available options.

Best Practices for Nonprofit Audits

If your nonprofit participates in the Medicare or Medicaid programs, here are some best practices to help you prepare for a possible audit:

Conduct a Regulatory Review

Make time to understand the specific regulations and guidelines that apply to your nonprofit organization. This includes understanding the documentation and record-keeping requirements, your state’s laws, and operational compliance requirements for your federal designation as a charity or nonprofit organization (NPO), private foundation, or managed care organization (MCO).

Keep All Your Records

Develop and maintain an organized documentation system. File receipts, invoices, bank statements, and other financial records electronically or store them in a safe location on or off the premises. Having copies of these records is also wise.

Train Staff on the Nonprofit Audit Process

Empower your employees to answer audit questions confidently. Staff who are familiar with the documentation and record-keeping requirements can provide information about the organization’s financial transactions and activities efficiently.

Update Your Compliance Documents

Because these program details often change with each political administration, updating your governance and structure documents is key to maintaining your legal status for operations, your credibility for funding, and your reputation for future referrals. It can also help you maximize the funding and support you receive from the government and other grant-making authorities.

Generate Annual Reports

Identify and address any potential issues before the official audit takes place by implementing an internal audit first. You can keep some of this information private to inform your top-level decisions for the following year. You might also create visual diagrams of the organization’s billing process and records to share with your department leaders. For example, you can create a graph of the codes and charges you bill the most often compared to the doctors who deliver those services. This can help each level of management be accountable to each other.

Some of these reports and graphics may also be useful to the public, to your partners, or to present to the auditor. Boasting regular internal monitoring shows that you value transparency.

Use an EHR System

Maintaining digital records offers some of the best preparation and protection to stand up to an audit. Select a comprehensive EHR system, which can track demographics, provide real-time validation of billing codes and reimbursements, generate trackable insurance claims, automate compliance reminders, and quickly yield data and analytic reports. Assign staff who are confident with the EHR to work closely with the auditors and to be responsive to their requests for information.

If staff can search for and retrieve beneficiary accounts, statistical reports, and proof of compliance quickly, this can impress the auditor and save you time and money. Addressing concerns promptly and completing the audit efficiently will also minimize the impact of the audit on your regular staff and programming.

How Do You Survive an Audit?

If your organization receives an audit engagement from CMS or another entity, take the following steps:

Assign a Lead Staff Member to the Task

Appoint a designated staff member or team to lead the audit preparation and be the point of contact. Cooperation can build trust and rapport with the auditor, which may help you manage any concerns that arise. Choosing a knowledgeable employee who maintains a positive attitude to interface with the government can go a long way in resolving discrepancies during this tedious process.

Prepare for Legal Questions

Gather and prepare all necessary legal paperwork, including contracts, records of lawsuits, grievance reports, compliance documents, bylaws, policies, and procedures to ensure they are readily available for the auditor. You may choose to have a health care lawyer who is familiar with these programs formally respond to the audit engagement and represent you during the official process. Understand the appeals process in case of any disputes arising from the audit. Having a legal representative present from the beginning of the engagement process can benefit you greatly if you need to pursue an appeal later on.

Consider the Scope of the Audit

Review the organization’s compliance with other regulations such as OSHA and HIPAA before beginning the audit. Although these are not the primary focus of Medicare and Medicaid audits, the scope of review for auditing agencies like CMS, OIG, and state administrative agencies changes regularly. Any peripheral suspicious activities noticed during your CMS audit may trigger an internal report to another agency or limit your ability to receive continued government funding for these two programs.

Stay Optimistic and Provide Support to Staff Handling Audits

Nobody knows better than our customers that compromising integrity isn’t an option. Feeling overwhelmed or unsure of your compliance and reporting requirements is normal, especially if you’re just starting out or just starting to accept Medicare and Medicaid insurance coverage. Budgeting for audits is one part of the preparation. The other part is skills development. Our technology works best when its users understand the capabilities.

At Foothold Technology, we won’t let you compromise your capacity to thrive. We pride ourselves on our experience serving a diverse range of health and human services agencies. Whether through our comprehensive EHR system, train-the-trainer support, or organizational consulting, your audit report preparation needs will be taken care of.