Scenario: Suppose RutRo required its first tier entities to submit an attestation by the 15th
of each month, attesting that they had screened their employees against the OIG/GSA exclusion
lists the previous month.
Example of monitoring FDRs: Monitoring of this requirement might take the form of a monthly
spot check of a varying set of first tier entities to see whether they had submitted the
attestations on time. If the sponsor found from this monitoring that, month after month, a
significant percentage of the entities checked were not submitting the attestation, the sponsor
would have a good early indication of a compliance problem.
Example of auditing FDRs: The outcomes of RutRo's ongoing monitoring trigger a formal
audit of the non-compliant first tier entities. The sponsor's independent audit team uses its
organization's audit tools and CMS audit protocols to perform a detailed review of the entities'
policies and processes to identify the root cause of the noncompliance. Questions that may be
asked during the audit include: Is there a problem with submitting the attestation? Is it too
burdensome to be realistically complied with? If so, what kind of confirmation of screening
would be less burdensome but still provide some assurance that the first tier entity was
screening employees against the OIG/GSA exclusion lists monthly? Is this a result of lax
enforcement by RutRo or of poor communication, such that first tier entities are not aware of
the requirement to submit attestations monthly? Conversely, are first tier entities not
submitting the attestation because they are not doing the screening at all, which would raise a
different set of questions?