Follow These Audit Planning Steps to Master 340B Internal Audits

Written by Risk Management Team on December 7, 2021

As a 340B covered entity (CE), you are subject to audits to remain in good standing and continue using preferred drug pricing. These 340B audits can differ, so your internal audit plan should be unique to your organization. However, you can use general audit planning steps to prepare a successful strategy.

Internal compliance audits can help reveal unique insights that can better prepare your organization for eventual external audits. This article explains how you can use general audit planning steps to master 340B internal audits. These steps are: 1) Setting up an Objective (going beyond compliance, each audit should focus on transactions, Office of Pharmacy Affairs Information System (OPAIS), Medicare Costs Reports, and more); 2) Showing Data Sources; 3) Developing a Sample; and 4) Collecting Data.

Establishing Audit Objectives

When ensuring compliance, it can be beneficial to break your organization into discrete segments for testing. Segments can include transactions, OPAIS, Medicare costs reports, and other data sources. By creating specific audit goals, rather than a blanket internal audit, you can more quickly find and correct problems. 

Audit goals also help ensure that each segment of your organization is up to date for the eventual external audit. For example, one audit objective could be to review each type of documentation that is likely to be reviewed by an external auditor such as policies, procedures, key personnel, and internal controls.

Policies and procedures include steps your organization takes to ensure it is meeting 340B program requirements. These include: 

  • Updating your organization’s information within OPAIS 
  • Showing eligibility and managing annual recertification
  • Preventing the transfer or sale of 340B drugs to ineligible patients
  • Preventing duplicate discounts from the 340B and Medicaid drug rebate programs. 

For key personnel, your internal audit should mirror the steps that an external auditor would take. The first step would be to name your CE’s Primary Contact and Authoring Official. These individuals handle the organization’s annual recertification and often serve as the point of contact for ensuring compliance across the organization’s various departments. 

Finally, testing internal controls involves reviewing all processes and procedures that are triggered when something goes wrong. Internal controls for a 340B CE can help prevent the sale of drugs with 340B pricing to ineligible patients. And if such a sale does it occur, internal controls can alert key personnel and ensure that accurate reports are generated to rectify the oversight. 

Identifying Data Sources

Most audits involve checking data sources to assess how well the data aligns with the organization’s goals. For instance, a 340B covered entity is required to keep track of all transactions, especially those that use preferred pricing. These data sources should be robust enough to help create systems that prevent duplication and to issue alerts if an oversight event occurs. Developing such a robust system requires multiple data sources, all of which should be assessed rigorously prior to external audits. 

An external auditor will first profile the organization’s data and find the interactions between each data source. Second, they will find the impact of poor data on operations and meeting 340B compliance. Lastly, the auditor will review all data sources, cross referencing the data between each source to find faults. This process, also known as data auditing, is an evaluation of the organization’s information systems and the integrity of its data. 

By naming your data sources ahead of time, you can create a sampling system that aligns with each internal audit’s objectives to better prepare your organization for an external audit. You can use third-party administrator (TPA) software to help manage these systems. 

Developing a Sample

Once you have found all your organization’s data sources, the next step is to create samples of each data source that aligns with each internal audit objective you wish to test. Samples should be discrete, random data sets from each data source filtered to meet each internal audit objective. 

For example, if you want to create an audit objective to list all transactions from a certain supplier, then you should ensure that your transaction sample allows you to filer by supplier name. 

Collecting Data

Of course, real world scenarios can differ due to the sheer scale and complexity of the systems involved. One strategy is to add the ability to inject test, mock data that allow you to evaluate various systems. For example, if you want to create an audit objective to test your system’s ability to issue alerts when a faulty discount is issued then you should create a data sample from your transactions that includes a mock, non-compliant transaction. Your internal audit should see the corresponding alert.

These tests should run on a separate database that mirrors your real-world systems. Creating tests and mock transactions that anticipates real-world mistakes or builds off prior mistakes can help you develop a robust testing suite that covers all your bases. 

Perfect Your Compliance Plan with ComplianceBridge

ComplianceBridge’s auditing software is a more sustainable, affordable way to manage your compliance plan with multiple stakeholders. Use ComplianceBridge to follow proven audit planning steps to help you master 340B internal audits and prepare your organization for external auditing. 

By setting objectives, identifying data sources, developing samples, and collecting data, you can create an effective audit plan that addresses all major 340B regulations. With ComplianceBridge, you can streamline these audit planning steps by creating a source of truth for all your processes and procedures with your internal team and third-party stakeholders. Create question sets easily and weigh each question differently to aid in analysis. Send questions out to precisely who needs them, and watch in real-time as results come in. Reminders will ensure everyone completes their questions on schedule. Once you’ve collected responses, you’re able to analyze them and identify areas for improvement. 

Mastering your 340B audit planning steps doesn’t need to be difficult or time-consuming when you employ the right tools. Request a demo with ComplianceBridge today to see the simplest auditing software on the market for yourself.

Watch a 2 Minute Demo of ComplianceBridge

Find out more about ComplianceBridge’s Policy & Procedure Software, as well as its Risk Management Software by watching a two-minute demo.

Watch Demo Now