How to Prepare Your ACO for a Successful CMS Audit

Receiving notification of a CMS audit can trigger panic across your entire organization. Suddenly, your quality team is scrambling to pull records, your IT department is racing to validate data submissions, and leadership is worried about potential penalties that could cost millions.

But audits don't have to be crises; with the right preparation, they're manageable checkpoints that actually strengthen your operations. CMS requires ACOs to maintain and give auditors access to all books, contracts, records, documents, and other evidence for a period of 10 years from the final date of the agreement period or from the date of completion of any audit.

This guide walks you through exactly how to prepare your ACO for a successful ACO CMS audit, from internal compliance reviews to leveraging the right technology to make the process as painless as possible.

What is a CMS Audit and Why It Matters for ACOs

A CMS audit is a comprehensive review of your ACO's compliance with Medicare Shared Savings Program requirements. CMS employs a range of methods to monitor and assess ACO performance, including analysis of specific financial and quality measurement data, analysis of beneficiary and provider complaints, and audits involving claims analysis, chart review (medical record), beneficiary survey reviews, coding audits, and on-site compliance reviews.

The goal is straightforward: CMS wants to verify that the quality data you're reporting is accurate, that you're meeting program requirements, and that you're not gaming the system to artificially inflate shared savings or avoid at-risk beneficiaries.

Why This Matters Financially

Failed audits have serious consequences. An ACO that does not submit eCQMs/CQMs will not have its performance scored for quality, in effect scoring a zero. The ACO may lose eligibility for shared savings and could be subject to additional CMS review. Beyond losing shared savings eligibility, your participating physicians face additional risks—the ACO's physicians and tax-identification numbers (TINs) that lean on their ACO submission also would fail to meet their Merit-Based Incentive Payment System (MIPS) reporting requirements. The MIPS program has implications for Medicare Part B payment adjustments, which can mean massive financial losses across your entire network.

Your ACO's reputation is also on the line. Audit failures signal to CMS that you can't manage compliance effectively, which affects future program participation, contract negotiations, and your ability to recruit high-quality providers.

Common CMS Audit Challenges for ACOs

Understanding where ACOs typically struggle during audits helps you proactively address vulnerabilities before CMS finds them.

Inconsistent Quality Reporting

One of the biggest audit triggers is inconsistencies between what you report and what's actually in your medical records. CMS auditors conduct chart reviews to validate reported quality measure data, and even small discrepancies raise red flags.

Common issues include:

• Documentation that doesn't support reported measure numerators (e.g., reporting that a patient received diabetes screening when the chart doesn't document it)
• Incorrect patient population identification (including patients who should have been excluded from the denominator)
• Timing problems where services were documented outside the measurement period
• Missing supporting documentation for quality actions reported as complete
  

Incomplete Documentation or Data Validation Issues

Data aggregation is crucial for eCQMs. It involves combining data from diverse sources, often including multiple EHRs, which increases the challenges it poses.

When data lives in multiple systems and needs manual aggregation, errors multiply fast. Missing fields, duplicate records, and data that doesn't sync across systems create submission problems that auditors catch immediately.

Lack of Interdepartmental Coordination

Audit preparation requires coordinated effort across your entire organization—quality teams, IT, clinical staff, billing, and compliance all play critical roles. When these teams operate in silos without clear communication channels, gaps emerge.

For example, your quality team might not know about EHR workflow changes that affect measure capture, or your IT team might not understand which data fields auditors will scrutinize. These disconnects lead to preventable audit failures.

Outdated or Manual Processes

Many ACOs still rely heavily on manual chart abstraction and spreadsheet-based reporting. While this might have worked when the CMS Web Interface allowed sample reporting, the reporting complexity has increased significantly as ACOs are now required to report on their entire patient population, representing a dramatic expansion of reporting applications from about 3,300 patients under the CMS web interface to potentially over 2 million for large health systems.

Manual processes simply can't scale to handle population-level reporting while maintaining the accuracy auditors demand.

Steps to Ensure Your ACO is Audit-Ready

Audit preparation isn't a one-time sprint before CMS sends notification—it's an ongoing process built into your quality reporting operations.

Start with Internal Compliance Reviews

Conduct your own internal audits before CMS does. This means regularly reviewing a sample of charts to verify that your reported quality data matches actual documentation.

What to audit internally:

• Pull random samples of patients included in quality measure numerators and verify documentation supports inclusion
• Check that denominator exclusions are properly documented with appropriate diagnosis codes or clinical criteria
• Validate that data extraction from your EHR accurately captures documented care
• Review edge cases where the measure logic might be ambiguous

Each ACO must have a compliance plan in accordance with 42 CFR § 425.300, including details regarding to whom compliance issues are reported and a description of the policy of non-intimidation and non-retaliation for good faith participation in internal monitoring and reporting processes.

Treat these internal reviews seriously—they're your early warning system for problems that would become costly during actual CMS audits.

Validate Your Reporting Workflows

Map out exactly how data flows from clinical documentation through your EHR and into your quality reporting submissions. Identify every point where data could be lost, misinterpreted, or incorrectly formatted.

Critical workflow validation steps:

• Document data sources: Know exactly which EHR fields feed which quality measures
• Test data extraction: Run trial extracts and compare against manual chart review to catch discrepancies
• Validate measure logic: Ensure your reporting system interprets measure specifications correctly
• Check for common errors: Look for systematic issues like missing timestamps, incorrect value sets, or dropped records

The goal is to catch workflow problems during routine reporting, not when CMS auditors are reviewing your records.

Adopt a Centralized Audit Checklist

Create a standardized checklist that covers every aspect of audit preparation. This ensures nothing falls through the cracks when audit notification arrives.

Your audit checklist should include:

• Compliance documentation: Evidence of your ACO compliance plan, policies, and training records
• Quality measure specifications: Current year's measure specs and documentation showing how you implemented them
• Data validation reports: Internal audit results showing you've verified data accuracy
• Beneficiary assignment documentation: Records showing how beneficiaries were assigned to your ACO
• Financial records: Supporting documentation for shared savings calculations
• Provider participation records: Current participant lists and signed participation agreements
• Training documentation: Records showing staff received appropriate quality reporting training

Keep this checklist updated throughout the year so you're always audit-ready, not scrambling when notification arrives.

Conduct Staff Training and Mock Audits

Your staff needs to understand not just how to document care but why specific documentation elements matter for quality reporting and audits.

Training should cover:

• How clinical documentation affects quality measure capture
• Common documentation gaps that trigger audit findings
• Proper use of diagnosis codes that affect measure denominators and exclusions
• Documentation timing requirements (e.g., services must be documented within the measurement period)
• How to respond to requests for additional information during audits

Mock audits simulate the actual CMS audit process. Pull records as if you were CMS, review them with the same scrutiny auditors would use, and document findings. Then work with clinical staff to address identified problems.

Leverage Technology for Documentation

The financial burden of the complexity inherent in CMS's intensified quality reporting requirements for ACOs is threefold: The cost of infrastructure upgrades such as integrating data sources across multiple electronic health records (EHRs), ongoing operational costs related to data management, staff training and quality improvement, and training and operationalization of digital workflows.

Despite these upfront costs, technology investment is non-negotiable for audit readiness. Automated systems reduce human error, provide audit trails, and make it possible to validate data at scale.

Technology solutions that support audit readiness:

• Automated data aggregation that pulls from multiple EHRs into a single reporting platform
• Real-time validation that flags potential issues before submission
• Audit trail systems that document who entered or modified data and when
• Dashboard reporting that shows measure performance and identifies documentation gaps
• Automated documentation reminders that prompt clinicians for missing data elements
  

How CMS Audits Impact APP and eCQM Reporting

CMS audits don't happen in isolation—they tie directly to your performance under the Alternative Payment Model (APM) Performance Pathway (APP) and your eCQM reporting obligations.

CMS implemented a multi-year transition from 2021 to 2024 for MSSP ACOs to move from reporting quality data through the CMS Web Interface to using eCQMs under the Alternative Payment Model (APM) Performance Pathway (APP). This transition means audit expectations have fundamentally changed.

Under the new APP Plus quality measure set, reporting requirements for MSSP ACOs will progressively grow to 11 total measures in PY 2028 under APP Plus. Each additional measure represents another area where auditors will scrutinize your documentation and data accuracy.

APP reporting adds audit complexity because:

• You're reporting on your entire patient population, not samples
• eCQM specifications are technical and change annually
• Data must meet completeness thresholds to count
• Documentation requirements differ from traditional claims-based reporting

Key audit focus areas for APP/eCQM reporting:

• Data completeness: Do you have required data elements for enough patients to meet submission thresholds?
• Measure logic accuracy: Did your system correctly apply measure specifications?
• Population identification: Did you correctly identify numerator, denominator, and exclusion populations?
• Documentation support: Does clinical documentation in the medical record support what your eCQM data shows?
  
  

Building a Culture of Compliance and Continuous Improvement

Audit readiness isn't just about having the right systems—it's about creating an organizational culture where quality and compliance are everyone's responsibility.

Make Compliance Part of Daily Operations

Rather than treating compliance as an annual scramble, integrate it into routine workflows. Quality data review should happen monthly, not just before submission deadlines. Clinical staff should receive regular feedback on documentation quality. IT should proactively monitor data integrity rather than reacting to problems.

Foster Open Communication About Audit Risks

ACO compliance plans must include a description of the policy of non-intimidation and non-retaliation for good faith participation in internal monitoring and reporting processes. Staff need to feel safe raising concerns about potential compliance issues without fear of punishment.

Create channels for frontline staff to report problems they notice—they're often the first to spot workflow issues, documentation gaps, or system errors that could trigger audit findings.

Use Audit Findings to Drive Improvement

When internal or external audits identify problems, treat them as learning opportunities. Conduct root cause analysis to understand why the problem occurred, implement corrective actions, and monitor to ensure problems don't recur.

Share audit findings across the organization so everyone understands common pitfalls and how to avoid them. Over time, this creates institutional knowledge that makes your ACO naturally more audit-resistant.

Conclusion: Build Audit Readiness into Your Operations

CMS audits are inevitable for ACOs participating in the Medicare Shared Savings Program—the question isn't whether you'll be audited, but whether you'll be ready when it happens. The organizations that succeed treat audit preparation as an ongoing operational priority, not a crisis response when notification arrives.

By conducting regular internal reviews, validating your reporting workflows, training staff properly, and leveraging technology to automate data management, you can transform audits from existential threats into routine checkpoints. The investment in audit readiness pays for itself by protecting shared savings eligibility, avoiding MIPS penalties, and building the operational excellence that drives long-term ACO success.

Medisolv has helped hundreds of ACOs navigate complex CMS audits and build sustainable compliance processes. Our combination of automated reporting, data validation, and expert advisory support gives you the infrastructure and expertise needed to stay audit-ready year-round.

Ready to strengthen your ACO's audit readiness?