Is Your Organization Ready for a Compliance Audit?

Written By Veronica Melendez

Most CalAIM providers are doing exactly what they set out to do: deliver Enhanced Care Management (ECM) and Community Supports to the people who need them. So when the topic of a fraud, waste, and abuse (FWA) audit comes up, the instinct is understandable — we’re doing the right thing, so we have nothing to worry about.

That instinct is mostly right. The problem is that audits don’t measure intentions. They measure documentation, billing accuracy, and operational controls. And the gap between “we’re doing good work” and “we can prove it under review” is where even well-run organizations get caught off guard.

Why audits happen in the first place

Under the CalAIM framework, Managed Care Plans (MCPs) are responsible for administering ECM and Community Supports in close collaboration with their network of community-based providers, and the Department of Health Care Services (DHCS) monitors MCP and provider implementation and compliance across multiple domains. Federal Medicaid managed care rules require that MCPs — and, where responsibility is delegated, their subcontracted providers — maintain arrangements and procedures designed to detect and prevent fraud, waste, and abuse.

In practice, this means DHCS and MCPs periodically review providers to confirm that the care being billed matches the care being delivered. Sometimes a review is routine. Sometimes it is targeted — prompted by claims that don’t quite add up, documentation that looks incomplete, or billing patterns that stand out. The purpose isn’t to punish good providers; it is to protect members and safeguard public funds. But that distinction offers little comfort if your organization receives a records request and realizes its files aren’t ready to tell a clean, consistent story.

The readiness gap

Here is the pattern we see most often: a provider understands the CalAIM rules conceptually. Leadership can speak to the program’s goals. Staff are committed to the mission. But the operational evidence — the care plans, progress notes, billing reconciliations, staff credentials, and policies — hasn’t been stress-tested against how an auditor actually reviews them.

Knowing the rules is not the same as being ready to demonstrate compliance with them. Readiness is a discipline, not a disposition.

What auditors actually examine

An FWA-focused review reaches well beyond claims. Federal regulation requires that an MCP compliance program include written policies and standards of conduct, a designated compliance officer, effective training, and systems for detecting and responding to compliance issues — expectations that flow down to delegated providers.3 A comprehensive provider audit typically spans multiple domains, including:

  • Program structure and governance — leadership, reporting lines, compliance officer role, and FWA-prevention policies

  • Policies and procedures — alignment with MCP provider manuals, DHCS guidance, and CalAIM standards

  • Clinical documentation — care plans, assessments, and progress notes reviewed for completeness, timeliness, and quality

  • Billing and claims compliance — accurate coding, supporting documentation, and reconciliation between services delivered, documented, and billed

  • Staffing and credentialing — qualifications, training records, and exclusion screening

  • Data quality and reporting — accuracy and timeliness of the data submitted to plans and the state

  • Member rights and cultural competency — language access, accommodations, and person-centered practices

Billing is where many providers expect scrutiny — but documentation, governance, and data quality are just as often where deficiencies surface.

How to prepare: find the gaps before an auditor does

The most effective preparation is a mock audit — a structured, internal review that mirrors how DHCS and MCPs conduct the real thing. Done well, it surfaces problems while you still have time to fix them. A strong preparation effort typically includes:

  1. Documentation review — sampling care plans, assessments, and notes the way an auditor would.

  2. Billing controls testing — checking that what was delivered, documented, and billed all reconcile.

  3. Policy strengthening — closing gaps between written policy and actual practice.

  4. Staff interview rehearsal — preparing your team to answer auditor questions clearly and confidently.

  5. The goal is simple: convert “we think we’re ready” into “we’ve tested it and we know.”

The cost of waiting

Preparation has a cost. But it is almost always lower than the alternative. Federal rules direct MCPs to recover overpayments — including those arising from fraud, waste, or abuse — and to refer potential FWA to state program-integrity authorities. Recoupments, corrective action plans, and the reputational strain of a difficult audit are far more expensive — in dollars, in staff time, and in standing with your managed care partners — than the work of getting ready in advance.

More importantly, readiness protects the two things that matter most: your funding, and the members who depend on your programs continuing without disruption.

Ready to explore how your organization can prepare for an FWA and compliance audit?

BlueRidge Management Solutions helps CalAIM providers get audit-ready — before the request ever arrives. Reach out to start the conversation.

Veronica Melendez
Next

The 2026-27 May Revision: What It Means for CalAIM Providers