compliance auditing & monitoring - global health care auditing & monitoring ... as one unit rather...


Post on 17-Jun-2018


  • 2004 Deloitte Development LLC. All rights reserved.

    2004 Pharmaceutical Regulatory and Compliance Congress

    Compliance Auditing & Monitoring

    3.02 Auditing and Monitoring for Compliance

    Karen R. Lines, Esq., Associate General Counsel, Genentech, Inc., South San Francisco, CA

    November 16, 2004

    Sheryl Vacca, CHC, West Coast Practice Leader, Life Sciences & Health Care Regulatory, Deloitte & Touche LLP

  • Copyright 2004 Deloitte Development LLC. All rights reserved. Confidential and Proprietary Material of Deloitte Consulting. Copyright 2002 Deloitte Consulting (US) LLC. All Rights Reserved.

    Building the Emerging Model

    Departmental Procedures

    Standard Operating Procedures

    Compliance Standards

    Code of Conduct

    Corporate Policies

    Day-to-Day Operations

    Corporate Compliance Program

    Financial Risk

    Regulatory Risk

    Systems/IT Risks

    Operational Risks

    Board & Executive Committee

  • The Compliance Program Design Dilemma

    Designing an integrated compliance program that operates as one unit rather than many silos is challenging

    The business's processes and operations often function in silos

    The compliance-related risks touch every aspect of the organization's business & are difficult to compartmentalize

    The design should be based upon the organization's business strategies

    The design should result in an organization-wide compliance monitoring plan

    Business Strategy

    Business Processes

    Monitoring

    Risk Mitigation

  • Create a Compliance Crosswalk

    Monitoring plan should be designed with the Compliance Program dilemma in mind.

    Monitoring creates the crosswalk between the Business Strategies and the Risk Areas.

    Business Strategy: Will be impacted by many risk areas

    Risk Area: Apply to more than one business strategy

    Monitoring

    Vaccines will be available for the public

    Monitoring Quality Control and Drug Safety

  • Focus on Regulatory Risks and Controls

    Sarbanes: Calls for evaluation of internal controls

    COSO Standards: Compliance with laws and regulations

    Federal Sentencing Guidelines: Calls for evaluation of internal controls

    HHS Office of Inspector General: Regulatory-specific standards

    Employee Training

    Compliance Audits

    The vast majority of health care/life science regulatory & compliance program requirements align with Sarbanes & Internal Audit standards.

  • How Sarbanes 404 Integrates into your Auditing and Monitoring

    Objectives: Operations, Financial reporting, Compliance

    Components of a 404 Readiness: Monitoring, Information & Communication, Control Activities, Risk Assessment, Control Environment

  • Auditing and Monitoring Cycle

    Review Process for Each Risk Area

    Finalize Report & Corrective Action Plan

    Education, Remedial Action

    Conduct Review

    Develop Review Criteria

    Define Review Sample

    Obtain Management Response

    Define Review Scope & Assumptions

    Test Inter-rater Reliability with Multiple Reviewers

    Document Observations & Findings

    Reaudit

    Define Methodology

    Validate Findings

  • Continuous Monitoring Cycle

    Monitoring never ends: each review leads to the next, and the monitoring plan and unplanned issues drive additional monitoring activities. It is a continuous process.

    Define Review Scope & Assumptions; Develop Review Criteria; Define Review Sample; Test Inter-rater Reliability; Conduct Review; Document Observations & Findings; Obtain Management Response; Finalize Report & Corrective Action Plan

    Define Review Scope & Assumptions; Develop Review Criteria; Define Review Sample; Conduct Review; Document Observations & Findings; Obtain Management Response; Finalize Report & Corrective Action Plan

    Define Review Scope & Assumptions; Develop Review Criteria; Define Review Sample; Test Inter-rater Reliability; Conduct Review; Document Observations & Findings; Finalize Report & Corrective Action Plan

    Re-audit and add new audits to the cycle

  • Practical Considerations Related to Auditing and Monitoring Strategy

    Developing your Auditing and Monitoring Plan

    Deciding what to monitor

    Prioritize Risk Areas

    Internal Factors, i.e.: any system changes, people changes, new practice, etc.

    External Factors, i.e.: new regulation, national and local enforcement activity

    Compliance Program evaluation

    Identify controls that make the process work: PROCESS AUDIT

    Determine overall purpose effective: OUTCOMES AUDIT

    Resources available to execute plan

    Consider integration with Internal Audit Plan

    Identify timeframes for audits

    Communication and Commitment to Plan

  • Developing Your Audit Approach

    Deciding the scope

    Narrow down the purpose of the audit

    Avoid scope creep before you start

    Resources available to execute the audit

    Methodology

    Sample size determination

    Communication/Reporting Results

  • Sampling Methodologies

    Things to Consider:

    The purpose of the sample or the review objective

    The universe/population/sources of data

    The size of the sample

    What you are going to do with the results

  • Sampling Methodology

    What should you consider before you decide what your sample size will be?

    Who do you expect to share the information with and what is their frame of reference?

    Are you trying to figure out whether there is really a problem?

    What is the organization's perspective on fixing problems?

    What resources are available to audit this area?

    Does Senior Management agree this risk area is important?

    What is the worst case scenario if this audit reflects unfavorable outcomes?

    Attorney/Client Privilege?

  • Purpose of the Sample

    Is the review for:

    Self-disclosure?

    Education?

    Part of an on-going monitoring plan?

    Response to the federal government, subpoena, carrier or FI?

    Known risk area?

  • Other Considerations

    Priority: Internal, External

    Timeframe of data collection: concurrent, retrospective

    Availability of data: Manual, Leverage Technology

  • Leveraging Technology

    Tools, with Pros and Cons (axis label: Sophistication of solution)

    Web based Assessment Systems
    Pros: Increased functionality; Usable for sophisticated, complex cos.; Improved reporting (dashboard); Scalable
    Cons: Technology implementation effort & cost; Significant IT involvement; Ongoing maintenance: security, reporting

    Access based Databases
    Pros: Low cost; Simple, adaptable; Limited user training; Limited IT involvement; Enhanced reporting options
    Cons: Accessibility (not web enabled); Limited scalability; Training may be required; No transparent dashboard reporting

    Excel based Spreadsheets (signoff process administered via email or on central server)
    Pros: Low cost; Simple, adaptable; Limited user training; Limited IT involvement
    Cons: Ongoing maintenance; Limited scalability; Limited reporting; Many efforts remain manual

    Manual Checklists
    Pros: Low cost; No training required; Easy to customize
    Cons: Administration effort (collation of results); Reporting effort

  • Practical Application: Case Study

    Define Review Scope & Assumptions

    Develop Review Criteria

    Conduct Review

    Document Findings and Observations

    Obtain Management Response

    Finalize Report & Corrective Action Plan

    Risk Area Review Process

    Compliance Training

    Managed Care Contracting

  • Case Study

    Define Review Scope & Assumptions: Conduct interviews with Business Process Owners; Review Policies & Procedures; Review Education and Training materials; Document scope & assumptions

    Develop Review Criteria: Test Review Criteria; Enter criteria into database

    Conduct Review: Review documentation; Enter findings into database

    Document Findings and Observations: Query database for exception findings; Summarize observations; Develop recommendations

    Obtain Management Response: Share findings with Business Process Owners; Obtain reactions to recommendations; Draft a Corrective Action Plan

    Finalize Report & Corrective Action Plan

    Risk Area Review Process

    Compliance Training

    Managed Care Contracting

  • Corrective Action Plan

    Area of Focus: 1. Contract load

    Finding: 1. 20% data errors in contract load; 2. Etc.

    Recommendation: Periodically review data entry; Etc.

    Acct/Timeframes: Accountable Party: John Smith, VP; Timeframe: 2nd Quarter

    Management Action Plan: Develop a periodic review system

  • Develop the Report Card

    Sample Report Card

    Department: Admissions, Customer Service, Marketing, Medical Records

    Risk Area: Privacy, Inducements

    Privacy Notice

    Employee Training

    Complaints

    Employee Discipline

    Authorizations

    Minimum Necessary

    Access to Records

    Amendment of Records

    Confidential Communications

    Facility Directory

    Business Associate Agreements

    Or

  • Integration into Business Strategy

    Use monitoring findings to develop and document ROI

    Assist the business process owners to identify root cause of findings

    Use corrective action to enhance efficiency and mitigate risk

    Organization-wide (vs. silo) allow program leverage

  • Summary

    An effective Auditing and Monitoring approach provides a method to:

    Assist in identifying risk to the business that may have been otherwise undetected internally

    Assist by identifying if the controls developed to remediate a risk are working and have actually helped to mitigate the risk

    Assist with preventing a real and/or potential risk from escalating by early detection through auditing, which may help avoid additional harm to the company's business

    Provides a good faith organization the ability to approach their real and/or potential risk weaknesses with a reasonable, scalable method

    Auditing and Monitoring is a critical element for an effective compliance program which helps to drive compliance and behavior.

  • Karen R. Lines, Esq., Associate General Counsel, Genentech, Inc., South San Francisco, [email protected] (650) 225-8673

    Ms. Lines is Associate General Counsel with Genentech, Inc. in South San Francisco, California. Genentech, Inc. is a biotechnology company that discovers, develops, manufactures and markets human pharmaceuticals for significant unmet medical needs. She manages a team of lawyers responsible for providing legal advice and guidance to Genentech's commercial organization. In the past few years, much of her focus has been on leading ongoing efforts to enhance Genentech's Commercial Compliance Program. She began her legal career in private practice in Wilmington, Delaware. Ms. Lines is admitted to the practice of law in California, Delaware and Pennsylvania.

    Sheryl Vacca, CHC, West Coast Practice Leader, Life Sciences and Health Care Regulatory, Deloitte & Touche LLP, (714) [email protected]

    Ms. Vacca is the West Coast Leader for Deloitte & Touche's National Life Sciences and Health Care Regulatory practice. She has assisted several life science companies in developing their compliance programs and investigations, performing risk assessments, and developing auditing and monitoring plans for the compliance department. She has significant experience consulting with life sciences and health care organizations on compliance issues including self-disclosure, writing plans of correction, implementing systems in response to plans of correction, implementing QA systems and general regulatory compliance.