AUDITING AND MONITORING: HOW TO USE DATA EFFECTIVELY
An Interactive Benchmarking Session
October 23, 2018
PRIVILEGED & CONFIDENTIAL ATTORNEY-CLIENT COMMUNICATION ATTORNEY WORK PRODUCT
Presenters
Alison J. Fethke, Chicago, (312) [email protected]
Amanda N. Raad, London, 44 20 [email protected]
Mimi Yang, Hong Kong, 852 3664 [email protected]
Agenda
Introduction
Compliance Monitoring and Auditing
Government Expectations
Compliance Audit and Compliance Monitoring
Risk Assessments
Use of Data Analytics to Focus Compliance Monitoring and Auditing
Results of Data
Introduction
Auditing and monitoring are essential components of an effective compliance program. They should be driven by an assessment of risks and codified in an annual compliance work plan.
There are many ways that responsibility for testing compliance processes and procedures can be handled and companies often have various functions share responsibility.
Coordination and cooperation create efficient use of resources, leverage knowledge, and ensure a consistent global perspective.
No matter how functions are set up, the use of data and data analytics can greatly enhance the effectiveness, efficiency, and results of auditing and monitoring.
Interactive Benchmarking
Why Use Interactive Benchmarking?
– This webinar will explore how healthcare organizations employ monitoring and audit functions, and how they incorporate data analytics in these efforts. There are no bright line rules but industry benchmarks are useful guideposts.
How It Works:
– Pertinent multiple choice benchmarking questions are dispersed throughout the presentation. Please select one or more answers, as directed, and press “submit.”
– The polling results will be displayed and discussed immediately.
– You may also contribute to the discussion by writing in questions at any time throughout this presentation and we encourage you to do so in real time to allow us to tailor this presentation to your needs.
Government Expectations
Government agencies in the U.S. and abroad have made it clear that compliance monitoring and auditing is a vital part of a compliance program.
The OIG’s Compliance Program Guidance for Pharmaceutical Manufacturers (“CPG”) and Federal Sentencing Guidelines mandate that compliance auditing and monitoring be part of an effective compliance program.
– The CPG expressly specifies that one of the seven elements of an effective compliance program is “the use of audits and/or other risk evaluation techniques to monitor compliance, identify problem areas and assist in the reduction of identified problems.”
– Reiterated in Corporate Integrity Agreements with OIG
Government Expectations
In its 2017 guide to assessing compliance programs, DOJ highlighted the importance of monitoring and auditing. That guide broadly addresses:
– Failure of Auditing Efforts
– Scope and Process of Audits
– Addressing Audit Findings
Government Expectations
– Independence
– Expertise
– Resources
– Reporting
Case Studies on the Importance of Audits / Monitoring
In December 2016, Teva Pharmaceuticals Industries Ltd. and its Russian subsidiary paid $519 million to resolve criminal and civil charges for schemes involving bribery of officials in Russia, Ukraine, and Mexico over a period of several years in violation of the FCPA.
In settling the case, Teva admitted that it failed to implement an adequate system of internal accounting controls and failed to enforce the controls it had in place at its Mexican subsidiary.
If the company had stronger monitoring and auditing controls at the time, this conduct would have been caught and remediated much earlier.
Case Studies on the Importance of Audits / Monitoring
In September 2017, Alere, now part of Abbott, settled an FCPA investigation with the SEC for $13M – nearly four times its alleged profit from the corrupt payments.
Alere allegedly mischaracterized items in its financial statements, including payments made through subsidiaries that would ultimately benefit government officials.
The SEC found that Alere failed to devise and maintain an adequate system of accounting controls or maintain internal accounting controls sufficient to provide reasonable assurances that its funds would not be used to make improper payments in contravention of Alere’s policies.
Case Studies on the Importance of Audits / Monitoring
In June 2016, Analogic entered into a non-prosecution agreement but paid more than $14 million to resolve allegations that its Danish subsidiary used a distributor in Russia to make improper payments.
– The subsidiary issued invoices and falsely inflated the sales prices on equipment to essentially create a slush fund to pay third parties, at least some of whom were Russian government officials.
– The distributor then overpaid BK Medical the inflated amount and BK Medical transferred the excess funds to third parties as directed by the distributor.
The conduct occurred over a ten-year period, which was one of the factors the DOJ considered when finding that Analogic lacked adequate internal controls.
Compliance Audit vs. Compliance Monitoring
Compliance auditing and compliance monitoring are related but distinct activities.
Compliance Audit
• More formal and systematic approach designed to evaluate and improve the effectiveness of processes/controls.
• Generally retrospective.
• Usually conducted by Internal Audit or Compliance.
Compliance Monitoring
• Monitoring is an on-going process to ensure processes are working as intended and can take many forms.
• Usually involves on-going checking and measuring.
• Often conducted by Compliance or business functions.
Global Compliance Monitoring
Benchmarking Question #1:
Who is responsible for compliance monitoring globally?
– Compliance
– Legal
– Finance
– Business
– Some combination of these functions
– We do not conduct compliance monitoring
Coordination of Monitoring and Auditing
Compliance monitoring often identifies areas of interest for a compliance audit, so sharing of results and communication among the functions conducting monitoring and auditing is essential.
– For example, the results of monitoring conducted by business functions should be shared with both Compliance and Internal Audit.
Auditors can use the results of monitoring efforts to identify risks, reduce audit duration or frequency, and focus their audit efforts in other areas.
Monitoring is often driven by audit findings.
[Diagram labels: Monitoring, Auditing]
Global Compliance Audit
Benchmarking Question #2:
Who is responsible for compliance audits globally?
– Compliance
– Internal Audit
– Legal
– Finance
– Some combination of these functions
– We do not conduct global compliance auditing, but we do conduct compliance monitoring more informally
– We do not conduct global compliance monitoring or compliance audits
Compliance Audit vs. Internal Audit
Compliance Audit
• Office of Inspector General (“OIG”) guidance emphasizes that healthcare compliance auditing is an essential component of an effective compliance program.
• May approach risk management with a primary focus on compliance risks.
• Compliance audits generally test specific activities and processes to ensure compliance with laws and regulations.
Internal Audit
• Approaches risk management from a potentially broader focus on an organization’s overall financial and operational controls.
Departments with Global Audit Responsibility
[Diagram labels: Audit, Legal, Compliance]
– Compliance + Audit
– Compliance + Audit + Legal
– Audit only
– Compliance only
Risk Assessment
Risk Assessments are key in identifying monitoring and auditing targets to allocate resources appropriately.
Risk Assessment
Benchmarking Question #3:
How does your company select where to conduct compliance auditing or compliance monitoring?
– Targeting certain higher risk regions/countries
– Targeting certain higher risk activities
– Regular rotation that ultimately covers all of the business
– Based on a red flag or issue
– Using data analytics
Key Risk Areas and Relevant Data Points
Risk Areas | Data Points to Consider
Sponsorships and exhibit booths | Vendor/sponsorship payments
HCP fees for service arrangements | HCP contracts/payment data
Off-label promotion | Medical Information Requests
Clinical trials | CRO and investigator contracts/payments
Travel agents or event planners | Vendor payments (A/P)
Grants/Donations | Grant committee approvals; Grant payments
Free/Sample product | Samples data, Sales system (e.g. ERP)
Distributors and wholesalers | Commission payments; Distributor/Agent sales records
Meals and hospitality | Meals and T&E Data (e.g., Concur); Speaker program expenditures and attendees
Use of Data Analytics to Focus Compliance Monitoring and Auditing
Benchmarking Question #4:
What areas do you think are most important to include in compliance monitoring?
– Engagements with HCPs
– Expense Reports/T&E
– Sponsorships and Grants
– Marketing and Promotion Expenditures
– Distributor/resellers
– Free product/services
Use of Data Analytics to Focus Compliance Monitoring and Auditing
Benchmarking Question #5:
What areas do you think are most important to include in compliance audit?
– Engagements with HCPs
– Expense Reports/T&E
– Sponsorships and Grants
– Marketing and Promotion Expenditures
– Distributor/resellers
– Free product/services
Data-Driven Risk Assessments
Your own data, used appropriately, can support compliance effectiveness or efficiencies:
– To help identify potential risks or gaps
– To help mitigate potential risks or provide assurance of controls
– To help increase the effectiveness of controls
– To improve operational efficiency and enhance targeted efforts
– To enable a holistic view of activities
Using data efficiently at the outset lets you immediately tailor your compliance program so that it is risk-based.
Use of Data In Compliance Monitoring and Audit
Benchmarking Question #6:
Have you tried to use data analytics in your monitoring or auditing? If no, why not?
– Data is not available.
– Data is not organized and/or hard to get access.
– We do not have the in-house expertise.
– We do use data analytics.
Examples of Using Data to Locate Red Flags
Risk Factor | Potential Red Flag | How to Locate in Data
HCP Contracts | Multiple agreements across business areas | Centralized database of all HCP contracts or payments to HCPs would reveal repeat payments from varied sources.
Meals and gifts | Repeated expenditures for the same person/entity | Centralized expense data that includes recipients (such as in a Concur system) would reveal if multiple employees are taking out the same HCP repeatedly.
Donations | Repeated donations to the same recipient; large payments broken down into several smaller payments, perhaps from different employees | Reviewing consolidated data around donations could show that multiple small payments have been made to the same source.
Service Agreements or Sponsorships | Tying sales volume to provision of service contracts or sponsorships | Comparing data on HCP sales volume against a database with all HCP service agreements could reveal possible patterns showing high volume HCPs receiving more agreements.
Other Red Flags to Look For
Lack of written corporate policies and standard operating procedures
Lack of interest in or compliance with internal control policies, especially division of duties
Disorganized operations in such areas as bookkeeping, purchasing, receiving, and warehousing
Unrecorded transactions or missing records
Unusual journal entries (lacking proper support, containing round numbers, made post-close)
Counterfeit documents
Alterations of documents
Photocopied documents
Questionable handwriting on documents
Excessive voids or credits
Bank accounts not reconciled on a timely basis
Stale items on bank reconciliations
Continuous out-of-balance subsidiary ledgers
Unusual financial statement relationships
Repeated unexplained differences between physical inventory counts and perpetual inventory records
Bank checks written to cash in large amounts
Handwritten checks in a computer environment
Continuous or unusual fund transfers among company bank accounts
Fund transfers to offshore banks
Transactions not consistent with the entity's business
Deficient screening procedures for new employees
Reluctance by management to report criminal wrongdoing
Unusual transfers of personal assets
Employees with lifestyles beyond their means
Unused vacation time
Frequent or unusual related-party transactions
Employees in close association with suppliers
Employees in close relationship with one another in areas where separation of duties could be circumvented
Expense-account abuse
Business assets dissipating without explanation
Inadequate explanations to management about loss
Impressive financial results that are inconsistent with poor industry performance
* American Institute of Certified Public Accountants – Fraud Practice Aid
Using Transparency Data
Countries with Transparency Laws
– U.S. Physician Payments Sunshine Act (collect and track all financial relationships with physicians and teaching hospitals)
– Medicines Australia Code of Conduct (payments and transfers of value to HCPs, as well as sponsorships of third party educational meetings and symposia)
– France’s Loi Bertrand (any agreements with HCPs or any benefit in cash or in kind exceeding €10)
Using Transparency Data
– Peer Comparisons
– Outlier Analysis
– Analysis of Payments by categories
– Fair Market Value Analysis
Practical Challenges to Data Analytics
Global systems are preferred – if data is in several incompatible local systems, a streamlined data-driven review may be more difficult.
– Avon conducted an internal investigation that preceded its FCPA settlement in 2014 that cost almost $350 million in legal fees. The fees were so high that the government took the unusual step of asking Avon why its legal bills were so high and, according to a source quoted in a Bloomberg article, it was, in part, because the company operated in more than 100 countries without consolidated transaction records.
The success of strategic improvement initiatives depends on the availability, accuracy, and consistency of a wide range of enterprise data.
Compliance Audit Results
Ensure reporting of monitoring/auditing results to executives and committees with oversight responsibility for the compliance program.
– Document your compliance monitoring and audit efforts in a standardized way.
– E.g., Board/Executive Compliance Committee, Audit Committee
Consider ways to facilitate identification of common themes across corrective actions and the need for any programmatic improvements.
– Can be utilized to make resource allocation decisions.
Formalize consistent processes for tracking and validating corrective actions and ensure that progress is monitored and communicated to relevant stakeholders.
– Conducting an audit and doing nothing to remediate negative findings is a huge red flag.
– Ensure discipline/remediation occurs when a need is identified.
Compliance Audit and Monitoring Results
Benchmarking Question #7:
How does your company report compliance audit and monitoring findings? (Check all that apply.)
– Report to CEO
– Report to CCO
– Report to Audit Executive/CFO
– Report to Board of Directors
Data Drives Risk-Prioritized Actions
– Risk assessment
– Compliance monitoring
– Compliance audit
– Remediation
Questions?