Are You Really Ready for a CMS Open Payments Audit?

CMS Open Payments audits are now a real and growing part of the transparency landscape, designed to confirm that reported data is accurate, complete, and submitted on time. For life sciences companies, this reality underscores the importance of understanding how audits truly work—and of building a robust, audit-ready compliance program well before an audit notification ever arrives.

How CMS Open Payments Audits Start

CMS (or its designee) initiates an Open Payments audit with a formal audit notice or notice of inquiry, sent by mail and email using the contact information in your Open Payments registration. Keeping those contacts current—and periodically reviewing your historical data on the Open Payments website for anomalies—are basic but critical readiness steps.

After the notice, the auditor typically schedules a kick‑off meeting to outline the scope, objectives, criteria, and anticipated timeline, and to learn how your organization tracks and reports payments and transfers of value. This meeting is your chance to present a clear, organized view of your transparency program and to ensure the right internal stakeholders and outside counsel are at the table from day one.

Planning, Questionnaires, and Documentation

Following the kick‑off, auditors generally move into a planning phase that includes detailed questionnaires focused on internal controls, Open Payments processes, and fraud and abuse risks. In parallel, they request core documentation such as past Open Payments submissions within the lookback period, the company Code of Conduct, written policies and procedures, and key financial records like the chart of accounts and general ledger.

At this stage, auditors are building baseline evidence of how your program operates, and companies must balance responsiveness and transparency with careful control of scope. Being intentional about which supporting documents you provide—while not withholding relevant information—helps demonstrate both strong governance and cooperative engagement.

Fieldwork and Transaction Testing

The fieldwork phase usually centers on transaction testing over a multi‑year lookback period, often three to five years, depending on the audit’s scope and rationale. Auditors select specific transactions and request underlying records—such as invoices, contracts, receipts, calendars, and third-party vendor data—to reconcile reported Open Payments entries back to source systems. Companies should scrutinize all auditor requests, especially those that are outside the audit’s scope or may compromise your business operations.

Auditors may also ask for broader datasets, including portions of the general ledger or certain spend categories, to look for potentially missing, misallocated, or misclassified payments that should have been reported. Because external auditors may not fully understand life sciences operations, this is a key opportunity to explain operational nuance (for example, how you handle no‑shows, de minimis items, and internal allocation rules) so that valid non‑reportable activity is not misinterpreted as non‑compliance.

Findings, Representation Letter, and Follow‑Up

After fieldwork concludes, CMS auditors issue draft or preliminary findings for company review. This stage is critical and warrants a thorough, strategic evaluation, as the findings ultimately reported to CMS may raise broader fraud and abuse concerns beyond Open Payments. Companies should use this opportunity to carefully challenge inaccurate assumptions, clarify data nuances, and document remediation efforts for any legitimate issues identified. Equally important is reinforcing to auditors the organization’s good-faith commitment to accurate and complete reporting—particularly given the volume of data involved, the number of systems it spans, and the multiple entities responsible for reporting transfers of value.

The process typically concludes with a management representation letter in which executives attest to compliance with Open Payments requirements and disclose known instances of non‑compliance during the audited period. After the final audit report is submitted to CMS, companies should translate lessons learned into concrete corrective actions—updating policies, strengthening controls, improving data quality, and enhancing training to reduce the likelihood and severity of future findings.

CMS has authority to impose civil monetary penalties of up to a statutory cap (adjusted annually) for failures to report in a timely, accurate, or complete manner, underscoring why responsive remediation is essential.

Turning the Audit Process into a Readiness Blueprint

The same phases auditors follow—planning, fieldwork, and close‑out—can form the backbone of your Open Payments audit readiness plan. Leading organizations treat readiness as an ongoing discipline, not a one‑time exercise triggered by an audit letter.

Key elements include:

  • Document everything and keep it accessible. Maintain up‑to‑date, accurate policies, procedures, process maps, and governance documents that reflect how your Open Payments program actually works. CMS requires reporting entities to keep all records related to financial transactions with covered recipients and ownership or investment interests for at least five years after the data is published on the Open Payments website. Store these materials in a central, searchable repository so you can respond quickly when a notice arrives. Additionally, build an audit readiness policy and procedure, using the phases of the audit as the foundation, and make sure it includes processes for the kick-off meeting, fieldwork, and audit close-out phases.
  • Assemble the right cross‑functional team. Establish a working group spanning Internal Audit, Finance, Legal, Compliance, Medical/Clinical, R&D, and Commercial to oversee transparency operations and audit readiness on an ongoing basis. Use recurring meetings to review metrics and trends, address emerging issues, and align on playbooks for responding to auditor requests and questions.
  • Inventory and map all data sources. Identify every system and source that contributes to Open Payments reporting—such as CRM, grants and HCP engagement platforms, event management, consulting, investigator‑initiated research, samples, expense management, and vendor feeds. Document how data flows from each source into your aggregate spend and reporting environment, highlighting where missing, duplicate, or misrouted transactions are most likely to occur—the same pressure points auditors will probe.
  • Manage third‑party and vendor data. Clarify ownership of data, processes, and controls where third‑party vendors capture or process transfers of value on your behalf. Many companies are now adding contractual and procedural requirements for vendors to certify that data they submit is complete, accurate, timely, and supported by documentation that can withstand audit scrutiny.
  • Test your audit plan with mock audits. Run internal “mock audits” that mirror CMS audit requests and timelines, including transaction samples, supporting records, governance documentation, and management representation considerations. Use the results to refine workflows, close process gaps, remediate data issues, and ensure teams and vendors can respond consistently under real audit pressure.

Why This Matters Now—and How Technology Helps

Open Payments audits are distinct from civil investigative demands or enforcement actions, but they can surface issues that raise broader fraud and abuse concerns if they reveal systemic control weaknesses or inaccurate reporting. Treating the audit process with enforcement‑level diligence, transparency, and documentation rigor helps protect both your organization and your stakeholders.

Forward‑looking companies are also leveraging modern transparency platforms, such as Medispend, to centralize data, standardize processes, and strengthen audit readiness across global operations. A single, trusted repository for all transparency data—aligned with clear governance and robust documentation—can be the difference between a frantic scramble and a disciplined, confident response when CMS comes knocking.

Jay Ward

Director, Life Sciences Solutions
