The Four “Audit” Worlds — Compared Clearly

Welcome back everybody after the holidays. As a CPA, I have always been uncomfortable when the word “Audit” is used to describe activity since the term audit comes with specific requirements as CPA. 

That being said, let’s talk about the four audit worlds in healthcare and how it may impact you.

1. Unified Program Integrity Contractors (UPICs)

Purpose: Detect and investigate fraud, waste, and abuse in Medicare & Medicaid

Who they work for: The Centers for Medicare & Medicaid Services (CMS)

Who they target: Providers, suppliers, billing companies

What they do:

• Advanced data mining (peer comparisons, utilization spikes)
• Deep claim reviews (often 5–10 years back)
• Medical record requests
• Extrapolation of overpayments
• Referrals to OIG / DOJ

Key powers:

• Recommend payment suspension
• Recommend revocation or exclusion
• Build cases for civil or criminal action

Tone: Investigative, adversarial

Translation: “We think something is wrong — prove us wrong.”

2. Office of Inspector General (OIG – HHS)

Purpose: Oversight, enforcement, and law enforcement support

Who they work for: Department of Health & Human Services

Who they target: Providers, vendors, states, CMS itself

What they do:

• Criminal and civil investigations
• National audit reports (e.g., Medicare Advantage risk adjustment)
• Subpoenas and interviews
• Corporate Integrity Agreements (CIAs)
• Exclusions from federal programs

Key powers:

• Can refer cases directly to DOJ
• Can impose exclusions
• Can negotiate settlements

Tone: Law enforcement

Translation: “This could end in handcuffs or headlines.”

🔥 Important: UPICs often build the case → OIG prosecutes or escalates it.

3. Government Accountability Office (GAO)

Purpose: Oversight of federal programs, not individual providers

Who they work for: Congress

Who they target: CMS, HHS, states, federal programs

What they do:

• Policy and performance audits
• Program effectiveness studies
• Cost-benefit and efficiency reviews

What they do not do:

• No provider-level recoupments
• No payment suspensions
• No fraud investigations

Tone: Analytical, policy-focused

Translation: “Is the system working the way Congress intended?”

GAO findings often change policy, not prosecute providers.

4. “DOGE Audits” (Let’s Be Precise)

There is no standing federal audit authority called DOGE that:

• Replaced UPICs
• Conducted Medicare fraud audits
• Had statutory program integrity authority

What people call “DOGE audits” were:

• Informal efficiency reviews
• Internal data pulls
• Contract and spending reviews
• Not audits under GAGAS or CMS rules

Key point: DOGE could not ignore UPICs — and UPICs never answered to DOGE.

Side-by-Side Reality Check:

Why This Confusion Keeps Happening

• Providers use “audit” as a catch-all word
• UPICs replaced ZPICs but kept the same fear factor
• Policy audits (GAO) get mistaken for enforcement
• Political rhetoric blurred lines between oversight and investigation

Bottom Line

• UPICs = the hunters
• OIG = the prosecutors
• GAO = the architects
• DOGE = not in the enforcement chain

If a provider receives the following:

• A UPIC letter → this is serious
• An OIG subpoena → call counsel immediately
• A GAO report mention → policy risk, not repayment risk