In This Article
- The Audit Notice That Changes Everything
- What a Credentialing Audit Actually Is and Why It Happens
- Who Conducts Credentialing Audits
- The NCQA Audit Process: CR Standards 1 Through 8
- CMS Medicare Enrollment Audits: Revalidation and Site Visits
- Internal vs. External Credentialing Audits
- The Credentialing Audit Checklist: Every Document You Need Ready
- Common Audit Findings and How to Fix Them Before the Auditor Arrives
- Credentialing File Organization: Paper vs. Digital
- NCQA Continuous Monitoring Requirements Since 2025
- How to Conduct a Self-Audit: The 10-File Random Sample Method
- Timeline: How Much Lead Time You Actually Need
- The Cost of Failing a Credentialing Audit
- Building Audit-Ready Processes Going Forward
Key Takeaways
- NCQA credentialing audits evaluate eight CR standards covering initial credentialing, re-credentialing, ongoing monitoring, delegation oversight, and organizational provider credentialing, and a single failed standard can result in conditional accreditation or full loss of status.
- Since 2025, NCQA requires monthly OIG/SAM exclusion checks and license verification for all credentialed providers, replacing the previous standard of checks at credentialing and re-credentialing only.
- The average cost of remediating a failed credentialing audit ranges from $25,000 to $100,000 when you factor in consultant fees, staff overtime, technology purchases, and potential payer contract penalties.
- CMS Medicare revalidation audits can include unannounced site visits, and failure to respond within 60 days of a revalidation request results in automatic deactivation of your Medicare billing privileges.
- A proper audit preparation timeline requires a minimum of 60 to 90 days of lead time, starting with a self-audit of a random 10-file sample to identify systemic gaps before the auditor reviews your full credentialing program.
- Organizations using delegated credentialing agreements must maintain separate documentation proving the delegated entity meets the same standards, and auditors review delegation oversight files as closely as they review provider files.
The Audit Notice That Changes Everything
Karen Whitfield had been managing the credentialing department at a 140-provider multispecialty group in Charlotte, North Carolina, for seven years. On a Tuesday morning in February 2026, she opened an email from the group's largest contracted health plan, a regional Blue Cross affiliate that represented 38% of the organization's payer mix. The email informed her that NCQA would be conducting an on-site credentialing audit in 90 days as part of the health plan's accreditation renewal cycle, and her organization's credentialing files would be included in the audit sample.
Karen had been through audits before, but the last one was in 2022, before NCQA updated its continuous monitoring requirements. Her team of three credentialing specialists had maintained provider files and processed re-credentialing applications on schedule, but she was not confident that every file met current standards. She knew that two providers had changed practice locations without updated CAQH attestations. She suspected that the organization's OIG and SAM exclusion monitoring had gaps in documentation from a three-month period when their vendor contract had lapsed. And she was almost certain that their peer reference documentation for several recently credentialed physicians was incomplete.
Karen had 90 days. That sounds comfortable. It was not.
This guide covers everything you need to know about credentialing audit preparation: what auditors look for, what documents you need ready, where organizations most commonly fail, and how to build processes that keep you audit-ready year-round instead of scrambling every time that email arrives.
What a Credentialing Audit Actually Is and Why It Happens
A credentialing audit is a formal review of an organization's credentialing program to verify that it meets established standards for evaluating and approving healthcare providers. The audit examines whether you are correctly verifying provider qualifications, maintaining accurate files, conducting ongoing monitoring, and making credentialing decisions through an appropriate committee process.
Credentialing audits happen for several reasons:
Accreditation cycles. Health plans that hold NCQA accreditation must demonstrate that their credentialing programs, including any delegated credentialing arrangements, meet NCQA standards. NCQA conducts these audits on a three-year cycle.
Payer contract compliance. Commercial payers audit their delegated credentialing partners to verify that the delegated entity is meeting the terms of the delegation agreement. If your organization holds delegated credentialing authority from a health plan, you are subject to annual or biennial audits by that plan.
CMS enrollment integrity. CMS conducts revalidation audits of Medicare-enrolled providers and organizations on a five-year cycle (three years for high-risk provider types). These audits verify that enrollment information is accurate and that the provider still meets Medicare participation requirements.
State Medicaid requirements. State Medicaid agencies and managed care organizations conduct their own credentialing audits, often aligned with state-specific regulations that may exceed federal minimums.
Complaint-triggered reviews. An audit can be triggered outside the normal cycle by a complaint, a pattern of adverse events, or a data integrity issue identified during claims processing.
The common thread across all of these is verification. Auditors want to see that you are doing what you say you are doing, that you have documentation to prove it, and that your processes meet the applicable standards.
Who Conducts Credentialing Audits
Different audit bodies focus on different aspects of your credentialing program, and the preparation requirements vary based on who is doing the reviewing.
NCQA (National Committee for Quality Assurance)
NCQA is the dominant accrediting body for health plan credentialing programs. If your organization holds NCQA accreditation, or if you perform delegated credentialing for an NCQA-accredited health plan, NCQA's credentialing (CR) standards are the benchmark your audit will be measured against. NCQA audits involve document submission, file reviews, and often an on-site component where auditors interview staff and review processes in real time.
CMS (Centers for Medicare & Medicaid Services)
CMS conducts enrollment revalidation audits through its Medicare Administrative Contractors (MACs). These audits focus on the accuracy of enrollment data in PECOS, the validity of practice location information, and compliance with Medicare enrollment requirements. CMS also conducts unannounced site visits through its contractor, Palmetto GBA, to verify that practice locations are operational and match the information on file.
State Medicaid Agencies
Each state's Medicaid program has its own credentialing audit requirements. Some states align closely with NCQA standards. Others have additional requirements, such as specific background check mandates or state-level exclusion list monitoring beyond the federal OIG and SAM databases.
Commercial Payer Audit Teams
Large commercial payers like UnitedHealthcare, Aetna, Cigna, and Anthem maintain internal credentialing compliance teams that audit delegated entities. These audits typically follow a standardized template aligned with NCQA standards, but individual payers may add requirements specific to their delegation agreements.
Hospital Medical Staff Offices
If your providers hold hospital privileges, the hospital's medical staff office conducts its own credentialing review. These audits focus on privilege-specific criteria, peer review documentation, and clinical competency verification. Hospital credentialing audits often follow Joint Commission or DNV GL standards rather than NCQA standards.
Understanding which audit you are preparing for matters because the documentation requirements differ. An NCQA audit requires evidence of a formal credentialing committee with meeting minutes. A CMS revalidation audit cares more about the accuracy of your PECOS enrollment data and practice location details. A hospital medical staff audit wants to see clinical competency documentation and case volume data. Start your preparation by confirming exactly which standards your auditor will be evaluating against.
The NCQA Audit Process: CR Standards 1 Through 8
NCQA's credentialing standards are organized into eight CR (Credentialing) standards. Understanding what each standard requires is the foundation of audit preparation for any organization subject to NCQA review. For a deeper look at recent changes, see our guide on NCQA credentialing standards for 2026.
CR 1: Credentialing Policies
This standard requires that your organization maintains written credentialing and re-credentialing policies and procedures. The policies must describe the process for initial credentialing decisions, the criteria for approval and denial, the appeals process for providers who are denied credentialing, and the scope of providers subject to credentialing. Auditors verify that your actual process matches what your policy documents describe. If your policy says you verify education through primary sources but your files show you accepted a copy of a diploma without contacting the issuing institution, that is a finding.
CR 2: Credentialing Committee
Your organization must have a credentialing committee that includes at least one physician member who participates in credentialing decisions. The committee must meet at designated intervals, maintain minutes documenting each decision, and demonstrate that credentialing decisions are made based on defined criteria. Auditors will review meeting minutes for the entire audit period to verify that the committee is active and that decisions are documented with sufficient detail.
CR 3: Initial Credentialing Verification
This is the most documentation-intensive standard. For every initially credentialed provider, NCQA requires primary source verification of:
- Current, valid license to practice (verified directly with the state licensing board)
- Education and training (medical school, residency, fellowship, verified with the issuing institution or an NCQA-approved primary source verification vendor)
- Board certification status (verified with the relevant specialty board)
- Work history (minimum five-year history with no unexplained gaps greater than six months)
- Malpractice claims history
- National Practitioner Data Bank (NPDB) query
- OIG exclusion list check via the OIG LEIE
- SAM.gov exclusion check
- Medicare/Medicaid sanctions check
Each verification must be documented with the date it was performed, the source used, and the result. Verifications must be completed within 180 days of the credentialing decision, and the credentialing decision must occur within 180 days of the application date. Auditors will check every date in the file to confirm compliance with these timelines.
CR 4: Re-credentialing
Re-credentialing must occur at least every 36 months. The standard requires the same primary source verifications as initial credentialing, plus a review of the provider's performance during the previous credentialing cycle. This includes complaint history, quality data, utilization data, and any adverse actions. Auditors look for re-credentialing files that were processed after the 36-month deadline, even by one day, as this constitutes a finding.
CR 5: Ongoing Monitoring
This standard underwent significant revision in 2024, with enforcement beginning in 2025. It requires monthly monitoring of all credentialed providers between credentialing cycles. We cover the specifics in the continuous monitoring section below.
CR 6: Organizational Provider Credentialing
If your program credentials organizational providers (hospitals, home health agencies, skilled nursing facilities, behavioral health facilities), CR 6 specifies the verification requirements for those entities. This includes state licensure, CMS certification, accreditation status, liability insurance, and sanctions checks.
CR 7: Delegation of Credentialing
If you delegate credentialing activities to another entity, or if you accept delegated credentialing from a health plan, CR 7 requires written delegation agreements that specify the delegated activities, the monitoring process, and the right to audit. Auditors will review the delegation agreement, the pre-delegation assessment, and evidence of ongoing oversight (usually annual audits of the delegated entity).
CR 8: Rights of Practitioners
Providers subject to your credentialing program must be informed of their rights, including the right to review the information in their file, the right to correct errors, the right to be notified of the credentialing decision, and the right to appeal an adverse decision. Auditors verify that these rights are communicated in writing and that your process includes a mechanism for providers to exercise them.
CMS Medicare Enrollment Audits: Revalidation and Site Visits
CMS Medicare enrollment audits operate on a different framework than NCQA accreditation audits, and they carry their own consequences.
Revalidation
Every Medicare-enrolled provider and organization must revalidate their enrollment information on a five-year cycle (three years for home health agencies and DMEPOS suppliers). CMS sends revalidation notices via mail and the PECOS portal. The provider has 60 days to submit updated enrollment information. Failure to respond within 60 days results in deactivation of Medicare billing privileges. Not a warning, not a probationary period, but immediate deactivation.
Reactivation after a deactivation requires submitting a new enrollment application, which restarts the 60-to-90-day enrollment timeline. During that period, the provider cannot bill Medicare. For a practice that derives 40% of revenue from Medicare, a three-month billing gap is a six-figure revenue loss.
Revalidation requires confirming or updating: practice locations, ownership and managing employee information, adverse legal history, final adverse action reporting, and reassignment of benefits information. CMS cross-references submitted data against external databases, and discrepancies trigger additional review.
Unannounced Site Visits
CMS contracts with Palmetto GBA and other entities to conduct unannounced site visits at Medicare-enrolled practice locations. The site visitor verifies that the practice location listed in PECOS is operational, accessible to patients, and equipped to provide the services billed. They check signage, verify that the provider is practicing at the location, and photograph the facility.
Site visit failures most commonly result from providers who have moved locations without updating PECOS, practice addresses that are virtual office spaces not equipped for patient care, or locations that are not accessible during normal business hours.
A failed site visit triggers a development request, giving the provider 30 days to correct the deficiency. Continued non-compliance leads to revocation of Medicare enrollment, with a one-to-three-year re-enrollment bar depending on the severity.
Preparing for CMS Audits
The preparation for a CMS audit is different from NCQA preparation. It centers on data accuracy:
- Verify that every practice location in PECOS matches the current physical address
- Confirm that all reassignment of benefits relationships are current (no terminated providers still listed)
- Update ownership and managing employee information if there have been any changes
- Ensure all enrolled providers have a current, valid license in the state where the practice location is listed
- Maintain signage at each practice location that matches the enrolled business name
For a full walkthrough of keeping enrollment data current, see our re-credentialing deadline tracking guide.
Internal vs. External Credentialing Audits
Understanding the difference between internal and external audits shapes how you allocate preparation time.
External Audits
External audits are conducted by an outside body such as NCQA, a commercial payer, CMS, or a state Medicaid agency. You typically receive advance notice (30 to 90 days for scheduled audits; no notice for CMS site visits). The auditor reviews your files, interviews your staff, and issues findings with required corrective actions. External audit results have direct consequences: loss of accreditation, contract termination, corrective action plans, and financial penalties.
Internal Audits
Internal audits are self-assessments conducted by your own organization to identify and correct problems before an external auditor finds them. A well-structured internal audit program is the single most effective tool for passing external audits consistently.
The mistake many organizations make is treating internal audits as a checkbox exercise, reviewing a few files superficially once a year. An effective internal audit mirrors the external audit process: random file selection, standardized scoring criteria, documented findings, and tracked corrective actions. If your internal audit does not identify any deficiencies, it was not thorough enough. Every credentialing program has gaps. The question is whether you find them first.
Internal audits should be conducted quarterly at minimum. Monthly is better for organizations with large provider panels or those preparing for an upcoming external audit. Each audit cycle should review a different random sample of files to ensure coverage across your entire provider panel over the course of a year.
The Credentialing Audit Checklist: Every Document You Need Ready
When an auditor arrives, whether NCQA, a commercial payer, or CMS, they will request specific documentation categories. Having these organized and accessible before the audit is the difference between a smooth review and a finding-heavy report.
Provider File Completeness
Every credentialed provider's file must contain:
- Completed credentialing application with the provider's signature and attestation date. The application must be dated within 180 days of the credentialing decision. For re-credentialing, a re-attestation or updated application is required within 180 days.
- Current, valid state license verified through the state licensing board. The verification must show the date it was performed and the result. A printed screenshot from the licensing board's online verification portal with the date annotated is acceptable. A photocopy of the license certificate is not primary source verification.
- CAQH ProView attestation dated within 180 days. The CAQH profile must be attested (not just updated), and auditors check the attestation date specifically. For guidance on setting up CAQH correctly from the start, see our credentialing checklist for new medical practices.
- DEA certificate (for providers with prescriptive authority) verified through the DEA or a primary source verification vendor.
- Board certification verified through the relevant specialty board. If the provider is not board certified, the file must document the organization's policy for credentialing non-board-certified providers and any time-limited exceptions granted.
- Malpractice insurance face sheet showing current coverage dates, coverage limits, and the provider's name. Coverage must be continuous, and any gaps require explanation and documentation.
- Education and training verified through the issuing institution or an approved verification organization (such as the AMA Physician Masterfile for medical school and residency training).
- Work history covering at least the most recent five years, with explanations for any gaps exceeding six months.
- NPDB query results dated within 180 days of the credentialing decision.
Primary Source Verification Documentation
For each verification item, the file must contain documentation that shows:
- The source contacted (state licensing board, specialty board, NPDB, etc.)
- The date the verification was performed
- The result (verified, discrepancy found, unable to verify)
- The name of the person or system that performed the verification
If you use a credentials verification organization (CVO) for primary source verification, the file must contain the CVO's verification report. You must also maintain documentation that the CVO itself meets NCQA standards, typically through the CVO's own NCQA certification or through your organization's assessment of the CVO's processes.
Peer Reference Documentation
NCQA requires peer references as part of the initial credentialing process: at minimum, two peer references from providers in the same or similar specialty who can attest to the applicant's clinical competence. The references must be documented in the file, whether as completed reference forms, documented phone conversations with the date and the reference provider's name, or written letters.
The most common finding related to peer references is missing documentation. The credentialing coordinator collected the references verbally but did not document the conversation. Or the organization's policy requires two references but only one is in the file. Or the references are from providers in unrelated specialties.
Committee Meeting Minutes and Decisions
The credentialing committee must maintain minutes that document:
- The date of each meeting
- Attendees (including at least one physician participant)
- Each credentialing and re-credentialing decision made at the meeting
- The basis for each decision (clean file, issue identified and resolved, issue identified and provider denied, etc.)
- Actions taken on any identified concerns
Auditors pay particular attention to whether the minutes demonstrate actual review and decision-making versus rubber-stamping. Minutes that simply list "all 47 providers approved" without any notation of the criteria applied or issues identified will raise questions.
Ongoing Monitoring Documentation
Between credentialing cycles, you must maintain documentation of continuous monitoring activities:
- Monthly OIG LEIE exclusion checks for all credentialed providers
- Monthly SAM.gov exclusion checks for all credentialed providers
- Monthly state license status monitoring
- Malpractice claims monitoring
- Medicare/Medicaid sanctions monitoring
- Any adverse actions identified and the organization's response
Each monitoring event must be documented with the date, the providers included, the results, and any follow-up actions taken. A spreadsheet showing that you ran the OIG check on a specific date with zero matches is acceptable documentation. The absence of any documentation for a given month is a finding.
Complaints and Adverse Action Documentation
Your file must include documentation of:
- Any complaints received about the provider during the credentialing cycle
- Any adverse actions reported (malpractice settlements, license restrictions, hospital privilege actions)
- The organization's review and response to each complaint or adverse action
- Any modifications to the provider's credentialing status based on complaints or adverse actions
Delegation Agreement Documentation
If your organization delegates credentialing activities or accepts delegated credentialing authority, you need:
- The written delegation agreement specifying the delegated activities
- Pre-delegation assessment results
- Annual audit results of the delegated entity
- Evidence of ongoing monitoring between annual audits
- Documentation of any corrective actions required of the delegated entity
Common Audit Findings and How to Fix Them Before the Auditor Arrives
After reviewing hundreds of audit reports, certain findings appear with predictable regularity. Knowing what auditors most commonly flag gives you a targeted preparation checklist.
Expired or Lapsed Verifications
The most frequent finding: a primary source verification in the file is dated more than 180 days before the credentialing decision. This happens when the credentialing process takes longer than expected. You verify the license in month one, the application stalls for seven months, and by the time the committee makes a decision, the license verification is expired.
Fix: Build a 150-day alert into your tracking system. If any verification is approaching 180 days without a credentialing decision, re-verify before the deadline passes.
Missing CAQH Attestation Dates
The provider's CAQH profile was last updated but not re-attested. NCQA requires a signed attestation, meaning the provider logged in, reviewed the information, and confirmed its accuracy. An administrative update by staff does not count as an attestation.
Fix: Run a CAQH attestation status report for all credentialed providers. Any provider whose attestation date is older than 180 days needs to log in and re-attest immediately. Track attestation dates separately from profile update dates.
Incomplete Work History
A five-year work history is required, and gaps greater than six months need written explanation. The most common issue is a provider who transitioned between employers with a seven-or-eight-month gap that nobody asked about.
Fix: Review every provider file for work history completeness. For any gap exceeding six months, contact the provider and obtain a written explanation. Document the explanation in the file with the date it was obtained.
Credentialing Committee Minutes Deficiencies
Missing minutes, minutes without a physician participant documented, or minutes that lack individual decision documentation. Some organizations approve providers via email rather than in committee, which does not meet the standard.
Fix: Review all committee minutes for the audit period. Verify that each meeting had a physician participant, that each credentialing decision is individually documented, and that the basis for the decision is noted. If you have gaps in meeting documentation, you cannot retroactively create minutes, but you can ensure that all meetings going forward are properly documented and note in your audit preparation that you identified and corrected the process gap.
OIG/SAM Monitoring Gaps
The organization ran OIG and SAM checks at credentialing and re-credentialing but not between cycles. Or the organization ran checks monthly for most of the year but missed two consecutive months during a staff transition.
Fix: Assemble documentation for every monitoring event during the audit period. If there are months where monitoring was not performed or not documented, acknowledge the gap in your corrective action plan and show evidence that monthly monitoring is now in place and documented consistently.
Delegation Oversight Deficiencies
Organizations that hold delegated credentialing authority often fail to conduct or document the annual audit of their delegated entity's processes. The delegation agreement exists, but the oversight documentation does not.
Fix: If your annual delegation audit is overdue, conduct it immediately. Document the audit findings, any corrective actions required, and the delegated entity's response. Going forward, calendar the delegation audit as a mandatory annual event.
Credentialing File Organization: Paper vs. Digital
How you organize credentialing files directly impacts audit efficiency. An auditor who can quickly locate every required document in a file will view your program more favorably than one who watches your staff search through filing cabinets for 20 minutes to find a single peer reference form.
Paper-Based Systems
If you maintain physical credentialing files, organize each provider's file using tabbed dividers that correspond to audit categories:
- Application and attestation
- State license verification
- DEA verification
- Board certification verification
- Education and training verification
- Work history
- NPDB query results
- OIG/SAM/sanctions checks
- Malpractice insurance
- Peer references
- Committee decision documentation
- Ongoing monitoring records
- Complaints and adverse actions
Each tab should contain documents in reverse chronological order (most recent on top). Every document should be dated. Every verification should show the source, the date, and the result.
Digital Systems
Digital credentialing file management is now the standard for organizations managing more than 25 providers. A digital system should mirror the same organizational structure as a paper file, with folder categories matching audit requirements.
The advantage of digital systems is searchability and reporting. You can quickly generate a list of all providers with license verifications older than 150 days, all providers with CAQH attestations approaching expiration, or all providers missing a specific document type. This kind of reporting is what makes proactive audit preparation possible.
The disadvantage is that digital systems are only as good as the data entry supporting them. If staff scan documents into the wrong folder, fail to update verification dates, or skip entries because the system interface is cumbersome, your digital files will be as disorganized as a paper file, just harder to flip through during an audit.
For organizations evaluating digital credentialing management, PayerReady's credentialing platform provides structured file management with built-in audit preparation reporting. You can also use our readiness checker to identify gaps in your current documentation.
NCQA Continuous Monitoring Requirements Since 2025
The most significant change to NCQA credentialing standards in recent years is the expansion of ongoing monitoring requirements under CR Standard 5. These changes took effect in 2025 and represent a fundamental shift from periodic verification to continuous monitoring.
What Changed
Prior to 2025, NCQA required organizations to monitor credentialed providers between credentialing cycles, but the frequency requirements were less prescriptive. Many organizations ran OIG and SAM exclusion checks quarterly or semi-annually and considered that sufficient.
The updated CR 5 standard now requires monthly monitoring for:
- OIG LEIE exclusion status: Check every credentialed provider against the OIG's List of Excluded Individuals and Entities every month. Not quarterly. Not semi-annually. Monthly.
- SAM.gov exclusion status: Check every credentialed provider against SAM.gov exclusion records monthly.
- State license status: Verify that every credentialed provider's license remains active and unrestricted on a monthly basis.
- Medicare/Medicaid sanctions: Monitor for new sanctions actions monthly.
Additionally, NCQA requires that organizations monitor NPDB reports on a continuous basis through NPDB's Continuous Query enrollment. This means that any new report filed against a credentialed provider in the NPDB is flagged immediately rather than discovered only at re-credentialing.
Documentation Requirements
For each monthly monitoring event, you must document:
- The date the monitoring was performed
- The complete list of providers included (or confirmation that all credentialed providers were included)
- The source checked (OIG LEIE, SAM.gov, state licensing board portal, etc.)
- The results (matches found or no matches)
- For any positive match: the action taken, the timeline for action, and the outcome
Organizations managing 200 or more providers cannot realistically perform these checks manually every month. The volume alone (200 providers times four monitoring sources equals 800 individual checks per month) makes automation a practical necessity. Automated monitoring tools that run batch checks and produce dated, exportable reports are now a standard investment for credentialing departments preparing for NCQA audits.
The Audit Impact
Auditors will request documentation of continuous monitoring for the entire audit period, typically the 36 months since the last audit. That means you need 36 months of monthly monitoring documentation: 36 OIG check reports, 36 SAM check reports, 36 license monitoring reports. Any month without documentation is a finding.
If you are starting from scratch or have gaps in your monitoring history, the priority is to get monthly monitoring in place immediately and document it consistently going forward. You cannot retroactively monitor for past months, but you can demonstrate that you identified the gap and corrected it. Auditors view corrected gaps more favorably than unacknowledged gaps.
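The documentation inventory described above can be checked mechanically. The sketch below is an added example, not part of the original article or any vendor's tool: it takes a list of monitoring report records and returns, per source, every month of the audit period with no usable report. The record field names, the source labels, and the rule that a positive match without a recorded action counts as incomplete are assumptions of this example.

```python
from datetime import date

# The four monthly sources listed under CR 5 above (labels are this example's own).
SOURCES = ("OIG_LEIE", "SAM", "STATE_LICENSE", "MEDICARE_MEDICAID_SANCTIONS")
REQUIRED = ("run_date", "source", "provider_count", "result")  # assumed field names

def audit_months(period_end, months=36):
    """(year, month) pairs for the audit period, oldest first."""
    y, m, out = period_end.year, period_end.month, []
    for _ in range(months):
        out.append((y, m))
        y, m = (y - 1, 12) if m == 1 else (y, m - 1)
    return out[::-1]

def monitoring_gaps(reports, period_end, months=36):
    """Return (gaps, incomplete): months with no usable report per source, and
    reports that exist but lack a field the documentation list requires."""
    covered = {s: set() for s in SOURCES}
    incomplete = []
    for r in reports:
        missing = [k for k in REQUIRED if r.get(k) in (None, "")]
        # A positive match must also record the action taken.
        if r.get("result") == "match" and not r.get("action_taken"):
            missing.append("action_taken")
        if missing or r["source"] not in covered:
            incomplete.append((r.get("source"), r.get("run_date"), missing))
            continue
        covered[r["source"]].add((r["run_date"].year, r["run_date"].month))
    period = audit_months(period_end, months)
    return {s: [ym for ym in period if ym not in covered[s]] for s in SOURCES}, incomplete

def constructed_reports(period_end):
    """Constructed sample: full coverage except two SAM months and one
    OIG match with no recorded follow-up."""
    reports = []
    for (y, m) in audit_months(period_end):
        for s in SOURCES:
            if s == "SAM" and (y, m) in {(2024, 2), (2024, 3)}:
                continue
            r = {"run_date": date(y, m, 5), "source": s,
                 "provider_count": 200, "result": "no_match"}
            if s == "OIG_LEIE" and (y, m) == (2025, 6):
                r["result"] = "match"   # no action_taken recorded
            reports.append(r)
    return reports

if __name__ == "__main__":
    end = date(2025, 12, 31)
    gaps, incomplete = monitoring_gaps(constructed_reports(end), end)
    for source, months in gaps.items():
        print(source, "missing:", months or "none")
    print("incomplete reports:", incomplete)
```

A report that exists but is incomplete is listed separately from a missing month, because the first can be corrected from underlying records while the second can only be acknowledged.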
For more on how automation reduces the burden of these requirements, see our analysis of credentialing automation ROI.
How to Conduct a Self-Audit: The 10-File Random Sample Method
The self-audit is your most valuable preparation tool. It identifies systemic problems early enough to fix them and gives you a realistic picture of your audit readiness.
Step 1: Select Your Sample
Pull a random sample of 10 provider files from your credentialing database. The sample should be truly random, not your best files and not your most recently processed files. Use a random number generator against your provider roster. Include a mix of initial credentialing and re-credentialing files from different points during the audit period.
If you manage more than 100 providers, increase the sample to 15 to 20 files for a more representative assessment.
Step 2: Build Your Scoring Template
Create a scoring sheet that mirrors the NCQA file review template. For each file, evaluate:
- Is the application complete and signed within 180 days of the credentialing decision? (Yes/No)
- Is the state license verification from a primary source and dated within 180 days? (Yes/No)
- Is board certification verified from the specialty board? (Yes/No)
- Is the DEA certificate verified (if applicable)? (Yes/No)
- Is education/training verified from primary sources? (Yes/No)
- Is the five-year work history complete with no unexplained gaps? (Yes/No)
- Is the NPDB query dated within 180 days? (Yes/No)
- Is the OIG exclusion check documented? (Yes/No)
- Is the SAM exclusion check documented? (Yes/No)
- Are two peer references documented? (Yes/No)
- Is the malpractice insurance face sheet current? (Yes/No)
- Is the CAQH attestation dated within 180 days? (Yes/No)
- Is the committee decision documented in meeting minutes? (Yes/No)
Step 3: Score and Identify Patterns
Score each file as a percentage of complete elements. An NCQA-passing file should score 100% on all required elements. In practice, most organizations conducting their first self-audit find average scores in the 70% to 85% range.
More important than individual file scores is identifying patterns. If 7 out of 10 files are missing peer reference documentation, that is a systemic process problem, not a one-off error. If every file has current license verifications but none have documented OIG checks between credentialing cycles, that tells you where to focus your remediation effort.
Step 4: Create Your Corrective Action Plan
For each systemic issue identified, document:
- The finding (what is missing or deficient)
- The root cause (why it is missing: staffing gap, process gap, system limitation)
- The corrective action (specific steps to fix the issue)
- The responsible person
- The deadline for completion
- The verification method (how you will confirm the fix is in place)
Step 5: Re-Audit After Remediation
After completing corrective actions, pull a different random sample of 10 files and repeat the process. Your second self-audit validates that the fixes are working. If the same findings appear, the corrective action was insufficient and needs to be strengthened.
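Steps 1, 3 and 5 translate directly into a small script. The following is an added example, not part of the original article: it draws a seeded random sample from a roster, scores each file as a percentage of applicable elements, flags elements that fail across the sample, and draws a non-overlapping sample for the re-audit. The element key names, the choice of 15 files for rosters above 100, the treatment of "not applicable" as excluded from the denominator, and the 50% threshold for calling a finding systemic are assumptions of this example.

```python
import random
from collections import Counter

# One key per Yes/No question in the scoring template above (key names are this example's).
ELEMENTS = [
    "application_180d", "license_psv_180d", "board_certification", "dea",
    "education_training", "work_history_5y", "npdb_180d", "oig_check",
    "sam_check", "peer_references", "malpractice_face_sheet",
    "caqh_180d", "committee_minutes",
]

def sample_size(roster_size):
    # Page: 10 files; 15 to 20 above 100 providers (15 chosen here).
    return 15 if roster_size > 100 else 10

def draw_sample(roster, seed, exclude=()):
    """Random draw; record the seed in the work papers so the draw is reproducible.
    Pass the first sample as `exclude` for the re-audit in Step 5."""
    pool = sorted(set(roster) - set(exclude))
    return random.Random(seed).sample(pool, min(sample_size(len(roster)), len(pool)))

def score_file(answers):
    """answers maps element -> True (Yes), False (No) or None (not applicable).
    An element absent from the sheet is scored as No."""
    applicable = [answers.get(e, False) for e in ELEMENTS
                  if answers.get(e, False) is not None]
    return round(100.0 * sum(applicable) / len(applicable), 1) if applicable else 0.0

def systemic_findings(scored, threshold=0.5):
    """Elements answered No in at least `threshold` of the sampled files."""
    misses = Counter(e for a in scored.values() for e in ELEMENTS
                     if a.get(e, False) is False)
    return {e: n for e, n in misses.items() if n / len(scored) >= threshold}

if __name__ == "__main__":
    roster = [f"P{i:03d}" for i in range(1, 41)]          # constructed roster
    first = draw_sample(roster, seed=20250101)
    # Constructed answers: 7 of 10 files lack peer references, 3 have no DEA registration.
    scored = {}
    for i, pid in enumerate(first):
        a = dict.fromkeys(ELEMENTS, True)
        a["peer_references"] = i >= 7
        if i < 3:
            a["dea"] = None
        scored[pid] = a
    for pid, a in scored.items():
        print(pid, score_file(a))
    print("systemic:", systemic_findings(scored))
    print("re-audit sample:", draw_sample(roster, seed=20250401, exclude=first))
```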
Timeline: How Much Lead Time You Actually Need
When you receive notice of an upcoming credentialing audit, the clock starts immediately. Here is a realistic timeline for audit preparation, assuming you have a functional credentialing program with some known gaps.
90 Days Before Audit: Assessment Phase (Weeks 1-2)
- Conduct the 10-file self-audit described above
- Review all credentialing committee meeting minutes for the audit period
- Generate a complete inventory of continuous monitoring documentation (monthly OIG, SAM, license checks)
- Review all delegation agreements and oversight documentation
- Identify all findings and create the corrective action plan
75 Days Before Audit: Remediation Phase (Weeks 3-6)
- Complete all missing primary source verifications for files in the audit period
- Contact providers with expired CAQH attestations and confirm re-attestation
- Collect missing peer references and work history explanations
- Fill documentation gaps in continuous monitoring records
- Ensure committee meeting minutes are complete and properly documented
- Review and update credentialing policies and procedures if they do not match current practice
45 Days Before Audit: Validation Phase (Weeks 7-8)
- Conduct a second self-audit with a new random sample
- Verify that all corrective actions are complete and documented
- Organize all files (physical or digital) according to the standard tab structure
- Prepare delegation oversight documentation for review
- Brief all credentialing staff on the audit process, timeline, and their roles during the audit
30 Days Before Audit: Preparation Phase (Weeks 9-10)
- Conduct a mock audit with an external consultant or internal compliance officer reviewing files as an auditor would
- Address any remaining findings from the mock audit
- Prepare the audit workspace (conference room, computer access, file access, staff availability)
- Compile a summary packet for the auditor: organizational overview, credentialing program description, policies and procedures, committee roster, monitoring reports
14 Days Before Audit: Final Review
- Final spot-check of five random files
- Confirm all staff are available on audit dates
- Verify digital system access (if auditors will review files electronically)
- Prepare response templates for anticipated questions about any known gaps
Organizations that receive less than 60 days' notice are at a significant disadvantage. If you receive a 30-day audit notice and have not conducted a self-audit in the past year, focus remediation on the three most common finding categories: primary source verification completeness, continuous monitoring documentation, and committee minutes. These are the areas where auditors focus first and where findings are most likely to result in adverse determinations.
The Cost of Failing a Credentialing Audit
Understanding the financial consequences of audit failure puts preparation costs into context.
Loss of NCQA Accreditation
NCQA accreditation has three possible outcomes: full accreditation (three-year cycle), provisional accreditation (corrective action required, one-year re-review), and denial/revocation. Loss of NCQA accreditation has cascading effects:
- Payer contracts: Many commercial payer contracts require NCQA accreditation as a condition of participation. Loss of accreditation can trigger contract termination clauses, cutting off revenue from those payers. For a health plan, this can mean loss of employer group contracts. For a credentialing organization, it means loss of delegated credentialing authority.
- Market reputation: NCQA accreditation status is publicly reported. Loss of accreditation signals to providers, employers, and regulators that your organization's credentialing program has significant deficiencies.
- Re-accreditation costs: Regaining NCQA accreditation after a revocation requires a full new survey, which costs $15,000 to $50,000 in NCQA fees alone, plus the internal staff time and consultant costs for remediation.
Payer Contract Penalties
Commercial payers that audit their delegated credentialing partners impose escalating consequences for audit failures:
- Corrective action plan (CAP): The payer requires documented remediation within 60 to 90 days. Staff overtime and consultant costs to complete a CAP typically run $10,000 to $25,000.
- Increased monitoring: Following a failed audit, the payer may require quarterly file submissions, monthly reporting, or more frequent audits. Each additional oversight cycle costs $5,000 to $15,000 in staff time and reporting effort.
- Financial penalties: Some delegation agreements include financial penalties for failed audits, ranging from $10,000 to $50,000 depending on the severity and the size of the delegated panel.
- Contract termination: Repeated audit failures or a single catastrophic failure (such as discovering a credentialed provider who was on the OIG exclusion list) can result in termination of the delegation agreement. Replacing lost delegated credentialing revenue takes 12 to 18 months.
CMS Enrollment Consequences
CMS audit failures carry their own penalty structure:
- Billing deactivation: Failure to respond to revalidation within 60 days means immediate loss of Medicare billing privileges. For a 10-provider group averaging $500,000 per provider in annual Medicare revenue, even a 30-day billing gap represents over $125,000 in lost revenue.
- Revocation: Serious enrollment violations (operating at unlisted locations, billing for excluded providers) result in revocation with a one-to-three-year re-enrollment bar.
- Repayment demands: If CMS discovers that claims were submitted for a provider who should not have been enrolled, overpayment demands follow. These can reach hundreds of thousands of dollars for high-volume providers.
Total Remediation Costs
When you add up the direct costs of responding to a failed audit (consultant fees of $150 to $300 per hour for credentialing compliance consultants, staff overtime, technology purchases to close monitoring gaps, re-audit fees, and revenue losses during any contract suspension), the total remediation cost for a significant audit failure ranges from $25,000 to $100,000 for a mid-sized organization. For large health plans or hospital systems, the number can exceed $500,000.
Compare that to the cost of maintaining audit-ready processes: dedicated credentialing staff, automated monitoring tools, regular self-audits, and a credentialing management system. For most organizations, the annual cost of audit readiness is $30,000 to $60,000, a fraction of a single failed audit's remediation cost.
Building Audit-Ready Processes Going Forward
The goal is not to prepare for audits. The goal is to build credentialing processes that are audit-ready at all times, so that an audit notification is an administrative event rather than an emergency.
Implement Monthly Monitoring With Documented Output
Set up automated monthly checks for OIG, SAM, state license status, and Medicare/Medicaid sanctions. Every check must produce a dated report that is stored in a retrievable format. If you are running checks manually, assign a specific staff member and a specific date each month. The check does not count unless it is documented.
Run Quarterly Self-Audits
Pull a random 10-file sample every quarter. Score the files against the NCQA template. Track your scores over time. If your average score is trending upward, your processes are working. If scores plateau or decline, investigate and correct the underlying cause.
Maintain Real-Time Dashboard Tracking
Track key credentialing metrics in real time:
- Number of providers with licenses expiring in the next 90 days
- Number of providers with CAQH attestations older than 150 days
- Number of re-credentialing applications due in the next 120 days
- Number of providers missing any required verification element
- Date of last OIG/SAM monitoring run
- Date of next committee meeting
Having these numbers visible daily prevents the slow accumulation of gaps that become findings during an audit.
Standardize the Credentialing File Checklist
Create a file completeness checklist that staff use for every initial credentialing and re-credentialing file. The checklist should list every required element with a checkbox, a date field, and a source field. No file should be submitted to the committee for a decision until every item on the checklist is complete. This single process change eliminates the most common audit finding: incomplete files that were approved because nobody checked for completeness before the committee meeting.
Train Staff Annually on Current Standards
NCQA updates its standards periodically, and staff who were trained three years ago may not be current on today's requirements. Annual training should cover any standard changes, common audit findings from the past year, documentation requirements, and proper file organization. Document the training (date, attendees, topics covered) because auditors may ask about staff training as part of the organizational review.
Schedule Delegation Audits Proactively
If you hold delegated credentialing authority, put the annual delegation audit on the calendar 12 months in advance. Do not wait until the delegating entity asks for audit results. Conduct the audit on your schedule, document the findings, and share the results proactively. This demonstrates a mature oversight process and eliminates last-minute scrambles.
Invest in Technology That Produces Audit-Ready Documentation
The credentialing management system you use should produce reports that auditors can consume directly. Date-stamped verification records, monitoring run logs, committee decision tracking, and file completeness dashboards should all be exportable in formats that auditors can review without your staff translating between systems.
Our platform at PayerReady was built with audit readiness as a core design requirement. Every verification, monitoring check, and committee decision is date-stamped and stored in an audit-ready format. Provider files are organized according to NCQA standards, and gap reports identify missing documentation before it becomes a finding. For a quick check on where your practice stands, try our readiness checker tool.
Your Audit Preparation Action Plan
If you just received an audit notification, here is what to do this week:
- Confirm the audit scope and standards. Which accrediting body or payer is conducting the audit? Which standards will they evaluate against? What is the audit period (typically the 36 months since your last audit)?
- Pull a random 10-file sample and score it. Use the self-audit method described above. This gives you a baseline within 48 hours.
- Generate your continuous monitoring documentation inventory. Can you produce 36 months of monthly OIG, SAM, and license monitoring reports? If not, where are the gaps?
- Review your committee meeting minutes. Are they complete for the entire audit period? Does each meeting include a physician participant and individual decision documentation?
- Check every CAQH attestation date. Any attestation older than 180 days needs immediate re-attestation by the provider.
- Assign remediation tasks with deadlines. Every identified gap needs an owner, a fix, and a completion date. Track progress weekly.
You did not get to audit-ready overnight, and you will not fix every gap in a week. But a structured, prioritized approach to preparation gives you the best chance of a clean audit result, and the process improvements you make now will keep you ready for the next one.
For a complete walkthrough of building a credentialing program that stays audit-ready from day one, start with our credentialing checklist for new medical practices and our guide to NCQA credentialing standards for 2026.