AUDITING AND MONITORING: HOW TO USE DATA EFFECTIVELY

1

AUDITING AND MONITORING: HOW TO USE DATA EFFECTIVELY

An Interactive Benchmarking Session

October 23, 2018

2

PRIVILEGED & CONFIDENTIAL ATTORNEY-CLIENT COMMUNICATION ATTORNEY WORK PRODUCT

Presenters

Alison J. FethkeChicago (312) [email protected]

Amanda N. RaadLondon 44 20 [email protected]

Mimi YangHong Kong852 3664 [email protected]

33

Introduction

Compliance Monitoring and Auditing

Government Expectations Compliance Audit and Compliance Monitoring Risk Assessments

Use of Data Analytics to Focus Compliance Monitoring and Auditing

Results of Data

Agenda

4


Auditing and monitoring are essential components of an effective compliance program. They should be driven by an assessment of risks and codified in an annual compliance work plan.

There are many ways that responsibility for testing compliance processes and procedures can be handled and companies often have various functions share responsibility.

Coordination and cooperation create efficient use of resources, leverage knowledge, and ensure a consistent global perspective.

No matter how functions are set up, the use of data and data analytics can greatly enhance the effectiveness, efficiency, and results of auditing and monitoring.

Introduction

5


Why Use Interactive Benchmarking?

– This webinar will explore how healthcare organizations employ monitoring and audit functions, and how they incorporate data analytics in these efforts. There are no bright line rules but industry benchmarks are useful guideposts.

How It Works:

– Pertinent multiple choice benchmarking questions are dispersed throughout the presentation. Please select one or more answers, as directed, and press “submit.”

– The polling results will be displayed and discussed immediately.

– You may also contribute to the discussion by writing in questions at any time throughout this presentation and we encourage you to do so in real time to allow us to tailor this presentation to your needs.

Interactive Benchmarking

66

Introduction




Results of Data

Agenda

7


Government agencies in the U.S. and abroad have made it clear that compliance monitoring and auditing is a vital part of a compliance program.

The OIG’s Compliance Program Guidance for Pharmaceutical Manufacturers (“CPG”) and Federal Sentencing Guidelines mandate that compliance auditing and monitoring be part of an effective compliance program.

– The CPG expressly specifies that one of the seven elements of an effective compliance program is “the use of audits and/or other risk evaluation techniques to monitor compliance, identify problem areas and assist in the reduction of identified problems.”

– Reiterated in Corporate Integrity Agreements with OIG

Government Expectations

8


In its 2017 guide to assessing compliance programs, DOJ highlighted the importance of monitoring and auditing. That guide broadly addresses:


– Failure of Auditing Efforts

– Scope and Process of Audits

– Addressing Audit Findings

9


Independence

Expertise

Resources

Reporting


10


In December 2016, Teva Pharmaceuticals Industries Ltd. and its Russian subsidiary paid $519 million to resolve criminal and civil charges for schemes involving bribery of officials in Russia, Ukraine, and Mexico over a period of several years in violation of the FCPA.

In settling the case, Teva admitted that it failed to implement an adequate system of internal accounting controls and failed to enforce the controls it had in place at its Mexican subsidiary.

If the company had stronger monitoring and auditing controls at the time, this conduct would have been caught and remediated much earlier.

Case Studies on the Importance of Audits / Monitoring

11


In September 2017, Alere, now part of Abbott, settled an FCPA investigation with the SEC for $13M – nearly four times its alleged profit from the corrupt payments.

Alere allegedly mischaracterized items in its financial statements, including payments made through subsidiaries that would ultimately benefit government officials.

The SEC found that Alere failed to devise and maintain an adequate system of accounting controls or maintain internal accounting controls sufficient to provide reasonable assurances that its funds would not be used to make improper payments in contravention of Alere’s policies


12


In June 2016, Analogic entered into a non-prosecution agreement but paid more than $14 million to resolve allegations that its Danish subsidiary used a distributor in Russia to make improper payments. – The subsidiary issued invoices and falsely inflated the sales prices on

equipment to essentially create a slush fund to pay third parties, at least some of whom were Russian government officials.

– The distributor then overpaid BK Medical the inflated amount and BK Medical transferred the excess funds to third parties as directed by the distributor.

The conduct occurred over a ten year period which was one of the factors the DOJ considered when finding that Analogic lacked adequate internal controls.


1313

Introduction


Government Expectations Compliance Audit and Compliance

Monitoring Risk Assessments


Results of Data

Agenda

14


Compliance auditing and compliance monitoring are related but distinct activities.

Compliance Audit vs. Compliance Monitoring

• More formal and systematic approach designed to evaluate and improve the effectiveness of processes/controls.

• Generally retrospective.• Usually conducted by Internal Audit or

Compliance.

Compliance Audit

• Monitoring is an on-going process to ensure processes are working as intended and can take many forms.

• Usually involves on-going checking and measuring.

• Often conducted by Compliance or business functions.

Compliance Monitoring

15


Benchmarking Question #1:

Who is responsible for compliance monitoring globally?

– Compliance

– Legal

– Finance

– Business

– Some combination of these functions

– We do not conduct compliance monitoring

Global Compliance Monitoring

16


Compliance monitoring often identifies areas of interest for a compliance audit so sharing of results and communication among functions conducting monitoring and auditing is essential. – For example, monitoring results conducted by business functions should be shared

with both Compliance and Internal Audit.

Auditors can use the results of monitoring efforts to identify risks, reduce audit duration or frequency, and focus their audit efforts in other areas.

Monitoring is often driven by audit findings.

Coordination of Monitoring and Auditing

Monitoring Auditing

17



Who is responsible for compliance audits globally?

– Compliance

– Internal Audit

– Legal

– Finance

– Some combination of these functions

– We do not conduct global compliance auditing, but we do conduct compliance monitoring more informally

– We do not conduct global compliance monitoring or compliance audits

Global Compliance Audit

18


Compliance Audit vs. Internal Audit

• Office of Inspector General (“OIG”) guidance emphasizes that healthcare compliance auditing is an essential component of an effective compliance program.

• May approach risk management with a primary focus on compliance risks.

• Compliance audits generally test specific activities and processes to ensure compliance with laws and regulations.

Compliance Audit

• Approaches risk management from a potentially broader focus on an organization’s overall financial and operational controls.Internal Audit

19


Audit

LegalCompliance

Departments with Global Audit Responsibility

Compliance + Audit

Compliance + Audit + Legal

Audit only

Compliance only

2020

Introduction




Results of Data

Agenda

21


Risk Assessments are key in identifying monitoring and auditing targets to allocate resources appropriately.

Risk Assessment

22



How does your company select where to conduct compliance auditing or compliance monitoring?

– Targeting certain higher risk regions/countries

– Targeting certain higher risk activities

– Regular rotation that ultimately covers all of the business

– Based on a red flag or issue

– Using data analytics

Risk Assessment

23


Key Risk Areas and Relevant Data Points

Risk Areas Data Points to ConsiderSponsorships and exhibit booths Vendor/sponsorship paymentsHCP fees for service arrangements HCP contracts/payment dataOff-label promotion Medical Information Requests Clinical trials CRO and investigator contracts/paymentsTravel agents or event planners Vendor payments (A/P)Grants/Donations Grant committee approvals

Grant paymentsFree/Sample product Samples data, Sales system (e.g. ERP)Distributors and wholesalers Commission payments

Distributor/Agent sales recordsMeals and hospitality Meals and T&E Data (e.g., Concur)

Speaker program expenditures and attendees

2424

Introduction




Results of Data

Agenda

25



What areas do you think are most important to include in compliance monitoring?

– Engagements with HCPs

– Expense Reports/T&E

– Sponsorships and Grants

– Marketing and Promotion Expenditures

– Distributor/resellers

– Free product/services


26



What areas do you think are most important to include in compliance audit?

– Engagements with HCPs

– Expense Reports/T&E

– Sponsorships and Grants

– Marketing and Promotion Expenditures

– Distributor/resellers

– Free product/services


27


Your own data, used appropriately, can support compliance effectiveness or efficiencies

– To help identify potential risks or gaps

– To help mitigate potential risks or provide assurance of controls

– To help increase the effectiveness of controls

– To improve operational efficiency and enhance targeted efforts

– To enable holistic view of activities

Using data efficiently at the outset lets you immediately tailor your compliance program so that it is risk-based.

Data-Driven Risk Assessments

28



Have you tried to use data analytics in your monitoring or auditing? If no, why not?

– Data is not available.

– Data is not organized and/or hard to get access.

– We do not have the in-house expertise.

– We do use data analytics.

Use of Data In Compliance Monitoring and Audit

29


Examples of Using Data to Locate Red Flags

Risk Factor Potential Red Flag How to Locate in Data

HCP Contracts Multiple agreements across business areas

Centralized database of all HCP contracts or payments to HCPs would reveal repeat payments from varied sources.

Meals and gifts Repeated expenditures for the same person/entity

Centralized expense data that includes recipients (such as in a Concur system) would reveal if multiple employees are taking out the same HCP repeatedly.

Donations Repeated donations to the same recipient; large payments broken down into several smaller payments, perhaps from different employees

Reviewing consolidated data around donations could show that multiple small payments have been made to the same source.

Service Agreements or Sponsorships

Tying sales volume to provision of service contracts or sponsorships

Comparing data on HCP sales volume against a database with all HCP service agreements could reveal possible patterns showing high volume HCPs receiving more agreements.

30


Other Red Flags to Look For

Lack of written corporate policies and standard operating procedures

Lack of interest in or compliance with internal control policies, especially division of duties

Disorganized operations in such areas as bookkeeping, purchasing, receiving, and warehousing

Unrecorded transactions or missing records

Unusual journal entries (lacking proper support, containing round numbers, made post-close)

Counterfeit documents

Alterations of documents

Photocopied documents

Questionable handwriting on documents

Excessive voids or credits

Bank accounts not reconciled on a timely basis

Stale items on bank reconciliations

Continuous out-of-balance subsidiary ledgersUnusual financial statement relationships

Repeated unexplained differences between physical inventory counts and perpetual inventory records

Bank checks written to cash in large amounts

Handwritten checks in a computer environment

Continuous or unusual fund transfers among company bank accounts

Fund transfers to offshore banks

Transactions not consistent with the entity's business

Deficient screening procedures for new employees

Reluctance by management to report criminal wrongdoing

Unusual transfers of personal assets

Employees with lifestyles beyond their means

Unused vacation time

Frequent or unusual related-party transactions

Employees in close association with suppliers

Employees in close relationship with one another in areas where separation of duties could be circumvented

Expense-account abuse

Business assets dissipating without explanation

Inadequate explanations to management about loss

Impressive financial results that are inconsistent with poor industry performance*American Institute of Certified Public Accountants – Fraud Practice Aid

31


Countries with Transparency Laws

– U.S. Physician Payments Sunshine Act (collect and track all financial relationships with physicians and teaching hospitals)

– Medicines Australia Code of Conduct (payments and transfers of value to HCPs, as well as sponsorships of third party educational meetings and symposia)

– France’s Loi Bertrand (any agreements with HCPs or any benefit in cash or in kind exceeding €10)

Using Transparency Data

– Peer Comparisons

– Outlier Analysis

– Analysis of Payments by categories

– Fair Market Value Analysis

Using Transparency Data

32


Global systems are preferred– if data is in several incompatible local systems, a streamlined data-driven review may be more difficult.

– Avon conducted an internal investigation that preceded its FCPA settlement in 2014 that cost almost $350 million in legal fees. The fees were so high that the government took the unusual step of asking Avon why its legal bills were so high and, according to source quoted in a Bloomberg article, it was, in part, because the company operated in more than 100 countries without consolidated transaction records.

The successes of strategic improvement initiatives are dependent on the availability, accuracy, and consistency of a wide range of enterprise data.

Practical Challenges to Data Analytics

3333

Introduction




Results of Data

Agenda

34


Ensure reporting of monitoring/auditing results to executives and committees with oversight responsibility for the compliance program– Document your compliance monitoring and audit efforts in a

standardized way. – E.g., Board/Executive Compliance Committee, Audit Committee

Consider ways to facilitate identification of common themes across corrective actions and the need for any programmatic improvements.– Can be utilized to make resource allocation decisions.

Formalize consistent processes for tracking and validating corrective actions and ensure that progress is monitored and communicated to relevant stakeholders. – Conducting an audit and doing nothing to remediate negative

findings is a huge red flag. – Ensure discipline/remediation occurs when need identified.

Compliance Audit Results

35


Benchmarking Question #7

How does your company report compliance audit and monitoring findings (check all that apply).

– Report to CEO

– Report to CCO

– Report to Audit Executive/CFO

– Report to Board of Directors

Compliance Audit and Monitoring Results

36


Risk assessment

Compliance monitoring

Compliance audit

Remediation

Data Drives Risk-Prioritized Actions

37


Questions?

Documents

AUDITING AND MONITORING: HOW TO USE DATA EFFECTIVELY