Compliance Auditing & Monitoring

Transcription

1 November 16, Compliance Auditing & Monitoring 3.02 Auditing and Monitoring for Compliance Karen R. Lines, Esq. Associate General Counsel Genentech, Inc. South San Francisco, CA Sheryl Vacca, CHC West Coast Practice Leader, Life Sciences & Health Care Regulatory Deloitte & Touche LLP Deloitte Development LLC. All rights reserved.

2 Building the Emerging Model Board & Executive Committee Corporate Compliance Program Financial Risk Regulatory Risk Systems/IT Risks Operational Risks Code of Conduct Corporate Policies Compliance Standards Standard Operating Procedures Day-to-Day Operations Departmental Procedures Copyright Deloitte Development LLC. All rights reserved. 1 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 1

3 The Compliance Program Design Dilemma Designing an integrated compliance program that operates as one unit rather than many silos is challenging The business s processes and operations often function in silos The compliance-related risks touch every aspect of the organization s business & are difficult to compartmentalize The design should be based upon the organization s business strategies The design should result in an organization-wide compliance monitoring plan Risk Mitigation Business Processes Business Strategy Monitoring Copyright Deloitte Development LLC. All rights reserved. 2 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 2

4 Create a Compliance Crosswalk Monitoring plan should be designed with the Compliance Program dilemma in mind. Monitoring creates the crosswalk between the Business Strategies and the Risk Areas. Vaccines will be available for the public Monitoring Quality Control and Drug Safety Business Strategy Will be impacted by many risk areas Monitoring Risk Area Apply to more than one business strategy Copyright Deloitte Development LLC. All rights reserved. 3 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 3

5 Focus on Regulatory Risks and Controls The vast majority of health care/life science regulatory & compliance program requirements align with Sarbanes & Internal Audit standards. Sarbanes Calls for evaluation of internal controls COSO Standards Compliance with laws and regulations Federal Sentencing Guidelines Calls for evaluation of internal controls HHS Office of Inspector General Regulatory-specific standards Employee Training Compliance Audits Copyright Deloitte Development LLC. All rights reserved. 4 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 4

6 How Sarbanes 404 Integrates into your Auditing and Monitoring Objectives Operations Financial reporting Compliance Components of a 404 Readiness Monitoring Information & Communication Control Activities Risk Assessment Control Environment Copyright Deloitte Development LLC. All rights reserved. 5 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 5

7 Auditing and Monitoring Cycle Define Review Scope & Assumptions Reaudit Develop Review Criteria Define Review Sample Define Methodology Education, Remedial Action Finalize Report & Corrective Action Plan Review Process for Each Risk Area Test Inter-rater Reliability with Multiple Reviewers Conduct Review Obtain Management Response Validate Findings Document Observations & Findings Copyright Deloitte Development LLC. All rights reserved. 6 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 6

8 Continuous Monitoring Cycle Monitoring never ends each review leads to the next, and the monitoring plan and unplanned issues drive additional monitoring activities. It is a continuous process Re-audit and add new audits to the cycle Finalize Report & Corrective Action Plan Define Review Scope & Assumptions Finalize Report & Corrective Action Plan Develop Review Criteria Define Review Scope & Assumptions Develop Review Criteria Finalize Report & Corrective Action Plan Define Review Scope & Assumptions Obtain Management Response Obtain Management Response Define Review Sample Document Observations & Findings Define Review Sample Develop Review Criteria Document Observations & Findings Conduct Review Document Observations & Findings Test Interrator Reliability Conduct Review Conduct Review Test Interrator Reliability Define Review Sample Re-audit and add new audits to the cycle Copyright Deloitte Development LLC. All rights reserved. 7 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 7

9 Practical Considerations Related to Auditing and Monitoring Strategy Developing your Auditing and Monitoring Plan Deciding what to monitor Prioritize Risk Areas Internal Factors, i.e.: any system changes, people changes, new practice, etc. External Factors, i.e.: new regulation, national and local enforcement activity Compliance Program evaluation Identify controls that make the process work : PROCESS AUDIT Determine overall purpose effective: OUTCOMES AUDIT Resources available to execute plan Consider integration with Internal Audit Plan Identify timeframes for audits Communication and Commitment to Plan Copyright Deloitte Development LLC. All rights reserved. 8 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 8

10 Developing Your Audit Approach Deciding the scope Narrow down the purpose of the audit Avoid scope creep before you start Resources available to execute the audit Methodology Sample size determination Communication/Reporting Results Copyright Deloitte Development LLC. All rights reserved. 9 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 9

11 Sampling Methodologies Things to Consider: The purpose of the sample or the review objective The universe/population/sources of data The size of the sample What you are going to do with the results Copyright Deloitte Development LLC. All rights reserved. 10 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 10

12 Sampling Methodology What should you consider before you decide what your sample size will be? Who do you expect to share the information with and what is their frame of reference? Are you trying to figure out whether there is really a problem? What is the organization s perspective on fixing problems? What resources are available to audit this area? Does Senior Management agree this risk area is important? What is the worst case scenario if this audit reflects unfavorable outcomes? Attorney/Client Privilege? Copyright Deloitte Development LLC. All rights reserved. 11 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 11

13 Purpose of the Sample Is the review for: Self - disclosure? Education? Part of an on-going monitoring plan? Response to the federal government, subpoena, carrier or FI? Known risk area? Copyright Deloitte Development LLC. All rights reserved. 12 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 12

14 Other Considerations Priority Internal External Timeframe of data collection concurrent retrospective Availability of data Manual Leverage Technology Copyright Deloitte Development LLC. All rights reserved. 13 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 13

15 Leveraging Technology Tools Pros Cons Manual Checklists Low cost No training required Easy to customize Administration effort (collation of results) Reporting effort Sophistication of solution Excel based Spreadsheets (signoff process administered via or on central server) Access based Databases Low cost Simple, adaptable Limited user training Limited IT involvement Low cost Simple, adaptable Limited user training Limited IT involvement Enhanced reporting options Ongoing maintenance Limited scalability Limited reporting Many efforts remain manual Accessibility (not web enabled) Limited scalability Training may be required No transparent dashboard reporting Web based Assessment Systems Increased functionality Usable for sophisticated, complex cos. Improved reporting (dashboard) Scalable Technology implementation effort & cost Significant IT involvement Ongoing maintenance security, reporting Copyright Deloitte Development LLC. All rights reserved. 14 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 14

16 Practical Application : Case Study Risk Area Review Process Compliance Compliance Training Training Define Review Scope & Assumptions Develop Review Criteria Conduct Review Managed Managed Care Care Contracting Contracting Document Findings and Observations Obtain Management Response Finalize Report & Corrective Action Plan Copyright Deloitte Development LLC. All rights reserved. 15 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 15

17 Case Study Risk Area Compliance Compliance Training Training Managed Managed Care Care Contracting Contracting Review Process Define Review Scope & Assumptions Conduct interviews with Business Process Owners Review Policies & Procedures Review Education and Training materials Document scope & assumptions Develop Review Criteria Test Review Criteria Enter criteria into database Conduct Review Review documentation Enter findings into database Document Findings and Observations Query database for exception findings Summarize observations Develop recommendations Obtain Management Response Share findings with Business Process Owners Obtain reactions to recommendations Draft a Corrective Action Plan Finalize Report & Corrective Action Plan Copyright Deloitte Development LLC. All rights reserved. 16 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 16

18 Corrective Action Plan Area of Focus Finding Recommendation Management Action Plan Acct/Timeframes 1. Contract load 1. 20% data errors in contract load Periodically review data entry Develop a periodic review system Accountable Party: 2. Etc. Etc. John Smith, VP Timeframe: 2 nd Quarter Copyright Deloitte Development LLC. All rights reserved. 17 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 17

19 Sample Report Card Develop the Report Card Department Privacy Inducements Risk Area Privacy Notice Employee Training Admissions Customer Service Or Complaints Employee Discipline Authorizations Minimum Necessary Access to Records Marketing Amendment of Records Confidential Communications Facility Directory Medical Records Business Associate Agreements Copyright Deloitte Development LLC. All rights reserved. 18 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 18

20 Integration into Business Strategy Use monitoring findings to develop and document ROI Assist the business process owners to identify root cause of findings Use corrective action to enhance efficiency and mitigate risk Organization-wide (vs. silo) allow program leverage Copyright Deloitte Development LLC. All rights reserved. 19 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 19

21 Summary An effective Auditing and Monitoring approach provides a method to: Assist in identifying risk to the business that may have been otherwise undetected internally Assist by identifying if the controls developed to remediate a risk are working and have actually helped to mitigate the risk Assist with preventing a real and/or potential risk from escalating by early detection through auditing which may help avoid additional harm to the company s business Provides a good faith organization the ability to approach their real and/or potential risk weaknesses with a reasonable, scaleable method Auditing and Monitoring is a critical element for an effective compliance program which helps to drive compliance and behavior. Copyright Deloitte Development LLC. All rights reserved. 20 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 20

22 Karen R. Lines, Esq. Associate General Counsel Genentech, Inc. South San Francisco, California (650) Ms. Lines is Associate General Counsel with Genentech, Inc. in South San Francisco, California. Genentech, Inc. is a biotechnology company that discovers, develops, manufactures and markets human pharmaceuticals for significant unmet medical needs. She manages a team of lawyers responsible for providing legal advice and guidance to Genentech s commercial organization. In the past few years, much of her focus has been on leading ongoing efforts to enhance Genentech s Commercial Compliance Program. She began her legal career in private practice in Wilmington, Delaware. Ms. Lines is admitted to the practice of law in California, Delaware and Pennsylvania. Sheryl Vacca, CHC West Coast Practice Leader Life Sciences and Health Care Regulatory Deloitte & Touche LLP (714) svacca@deloitte.com Ms. Vacca is the West coast Leader for Deloitte & Touche s National Life Sciences and Health Care Regulatory practice. She has assisted several life science companies develop their compliance programs, investigations, perform risk assessments and develop auditing and monitoring plans for the compliance department. She has significant experience consulting with life sciences and health care organizations on compliance issues including self disclosure, writing plans of correction, implementing systems in response to plans of correction, implementing QA systems and general regulatory compliance. Copyright Deloitte Development LLC. All rights reserved. 21 Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved 21