The concept of Commercial Compliance in U.S. manufacturing has evolved very quickly over the past 5 or 6 years, resulting in increased regulatory requirements and investigation activity. While the security of the supply chain and the ethical promotion of drugs have been a significant focus, recent investigative trends show a shift in the government’s focus. Now, the federal government and states are becoming increasingly interested in sales, marketing, and distribution activities that ultimately affect the sales or prices witnessed by the government. This has led to an increase in Federal False Claims Act investigations and Off-Label Promotion investigations.
The need for a manufacturer to understand and mitigate the risk of doing business with the federal government is real. Various enforcement agencies exist across state and federal government. The Office of the Inspector General (OIG) is one common enforcement agency representing the federal government in the Commercial Compliance space. Responsible for the prevention and detection of fraud, waste, abuse, and mismanagement in programs legislated by the Social Security Act, the OIG conducts and supervises audits, evaluations and investigations within Commercial Compliance. In addition to the OIG, the Department of Justice, state Attorneys General, Medicaid Fraud Control Units, and other enforcement agencies enforce regulations, statutes, and guidance related to Commercial Compliance.
The best, most appropriate measure of the effectiveness of a manufacturer’s risk management program is to evaluate it against a standard of enforcement agency audit. Utilizing OIG Audit Readiness as a standard of measure helps develop the highest level of compliance. Establishing the improvement of your overall compliance gets you the same thing in the end, but it is a more positive statement that your senior management can embrace as part of the “tone at the top.” With senior management aligned on risk, and by establishing your audit and monitoring programs to manage risk and develop increased compliance, you can develop transparency and a roadmap that will demonstrate that you take the responsibility seriously and have developed an effective Compliance Program. So don’t make monitoring and audit the “tail of the dog” that you apply at the end; use it up front to define your strategy and develop better compliance.
Step by step
Through a series of steps, you can develop a Risk Profile and a Risk Management Program, with monitoring and audit as a key component (Fig. 1). STEP ONE is to develop and understand the Government’s view of risk. At this time, a manufacturer can get a pretty clear understanding of the OIG’s view of risk by looking at the following:
- The OIG Recommendations to Pharmaceutical Manufacturers, April 2003. This document creates an outline of “commercial compliance” by defining the government’s view of the three key risk areas and providing an outline for a Corporate Compliance Program.
- The OIG Work Plan. The annual work plan outlines areas where the OIG intends to put its audit focus, and includes sections specifically for manufacturers. (Note, the OIG is now budgeted for proactive audits!)
- Recent Investigations and Corporate Integrity Agreements (CIAs). These show the trends in investigative activity, how the government is applying statute, such as the False Claims Act and FDA guidelines on Off-Label promotion, as well as the evolving and complex nature of CIAs (including audit and monitoring provisions).
- The new PhRMA code – although this is not an OIG or government document, it does show the industry’s focus on developing guidelines to manage key government risk areas, such as interactions with healthcare professionals.
- Applicable regulations and guidance – it is also important, of course, to follow the actual guidance in the Commercial areas.
STEP TWO is to conduct an initial audit. The initial audit activity has to be broad and deep enough to look at all potential risk areas. The initial audit can be used as the basis for developing your Risk Profile and your Risk Management Plan, as with it you will have your internal report card on Compliance Gaps so that you can develop a management action plan.
STEP THREE is to develop the plan and roadmap. As a result of the audit activity, you should be able to identify compliance risk which may require immediate attention, develop a Risk Profile based upon the audit findings (matching the defined government risk areas to your company, and showing which areas are more pertinent to you), and develop a Risk Management Plan and a roadmap.
STEP FOUR is alignment. This is often the hardest step, as it can involve a change in the corporate culture. This involves bringing the relevant results of the audit to Senior Management and the Compliance Committee. This can be done in a coordinated effort between Internal Audit, the Compliance Officer, and Internal Counsel. Alignment on the Risk Profile and Risk Management Plan is necessary for the Compliance Officer and Internal Audit to develop a plan that is achievable, and has management buy-in.
Steps 1 through 4 provide a basis for a meaningful Risk Management Plan and Audit Plan, enabling ongoing periodic monitoring and audit, based upon corporate risks, and designed to achieve the highest level of compliance. It also provides the core components of transparency. There is no such thing as perfect compliance; what is important is to develop a practical and meaningful plan. If you have a documented plan in place, with prioritized objectives, and you can show your consistent progress to the plan, then you are better positioned in the event of an external audit, as you can tell a meaningful story of why you are where you are.
Assess, then reduce risk
With an evaluation of risk complete and prioritized, a company must now develop a Risk Management Strategy. Commercial Risk Management is a strategic program designed to decrease compliance risks by using one or more evaluation techniques to identify potential risk. Evaluation techniques may vary; however, the most effective Risk Management programs use two or more techniques/tools to proactively identify and mitigate potential risk. The OIG defines this layered approach to Risk Management in three main elements of compliance: Auditing and Monitoring, Enforcing Standards through Well-Publicized Disciplinary Guidelines, and Responding to Detected Offenses and Developing Corrective Action Initiatives (Fig. 2). Specific to Auditing and Monitoring, the OIG Compliance Program Guidance for Pharmaceutical Manufacturers states:
An effective compliance program should incorporate thorough monitoring of its implementation and an ongoing evaluation process. The compliance officer should document this ongoing monitoring, including reports of suspected noncompliance, and provide these assessments to company’s senior management and the compliance committee. The extent and frequency of the compliance audits may vary depending on variables such as the pharmaceutical manufacturer’s available resources, prior history of noncompliance, and the risk factors particular to the company. The nature of the reviews may also vary and could include a prospective systemic review of the manufacturer’s processes, protocols, and practices or a retrospective review of actual practices in a particular area.
In order to develop an appropriate Auditing and Monitoring function, it is important to first understand the current or baseline status of the respective area for which a Risk Management Program is being developed. Even if a defined Risk Management Program does not exist within a company, there are often some Monitoring and Auditing functions present. These functions may not be clearly defined as such, and so through the Assessment phase of Risk Management development, they can be identified and formalized.
From a monitoring perspective, internal controls, business metrics, management reviews, and routine self-assessments all represent potential monitors. Sarbanes-Oxley (SOX) testing, internal audit and financial audit represent auditing functions which may overlap with Compliance Audit. Reviewing existing Monitoring and Auditing Functions and developing a Business and/or Risk Assessment based on the identified gaps will help to ensure an effective and meaningful Risk Management Program is developed.
Monitoring, typically the first step in an effective Risk Management Program, is defined as the ongoing, real-time checks and balances implemented and executed by a functional/operational group to ensure proactive evaluation, identification, and mitigation of risk. It is a company’s first line of defense. Carried out on a routine, if not daily, basis, Monitoring is the responsibility of respective functional/operational process owners.
Monitoring differs from control activities in that monitoring is a review function. Monitoring looks at execution across an entire process, including controls, to ensure that processes are being performed appropriately and are meeting business requirements. Monitors should be built into departmental processes and reviewed, if not executed, by functional/operational area management. Identified trends or risks could result in process improvements including changes to process flows and updates to departmental process documentation.
An effective Monitoring program should meet the following criteria:
- Conducted on an ongoing basis
- Completed or overseen by departmental management
- Review of all key controls as part of monitoring
- Identified risks or process changes are mitigated/implemented.
Evaluating the effectiveness of a Monitoring program can be done by ensuring that documented monitors are meeting the criteria above; however, an even more powerful evaluation can be done by moving on to the next phase of Risk Management, the Testing phase. If Monitors have worked effectively, the Testing phase, and later the Auditing phase, should have few findings.
Testing is the Risk Management phase which is conducted periodically by a party once removed from the functional/operational area being evaluated. Similar to audit in many capacities, Testing is distinguished from Audit by its more frequent occurrence and more limited or specific scope. Tests are typically developed based on the identification of key risk areas. Through an assessment and prioritization of risk, a Test Plan can be developed outlining the anticipated scope and timing of given tests.
Tests, in support of the Test Plan, can be developed in many different ways. Some companies choose to identify key controls and test the control activities executed against these key controls (similar to SOX); other companies choose to test process components based on Risk Assessment. There isn’t a prescriptive definition for Testing; however, at a minimum it must assure that monitors and controls are working effectively and providing the appropriate level of assurance that compliance is being maintained on an ongoing basis.
Test scripts document frequency, timing, scope, sample size, and test criteria for each test defined in the Test Plan. Developing test scripts can be challenging for an individual that is removed from a given functional/operational role. In order to ensure that test scripts are appropriately developed, the developer should reference the department’s guiding policies and procedural documentation. This documentation should sufficiently outline controls, monitors, and processes related to the group’s responsibilities. Should it be found that policy and procedure documentation is insufficient in defining these components, departmental staff interviews may be necessary.
Tests should be executed in alignment with the Test Plan and documented test scripts. Test results are documented within the test scripts and in management reports. Results should be provided to functional/operational area management and to senior company management as appropriate. Risks or potential risks identified through testing must be mitigated.
It is not the responsibility of the tester to mitigate identified risks. The tester reports identified risks and potential risks to the appropriate management, and it is the responsibility of management to develop and execute against corrective action/mitigating risk plans. Testers may choose to make recommendations on how to appropriately mitigate a risk; however, it is not required.
The effectiveness of a Testing program can be evaluated by its ability to identify key risks and communicate those risks to management. If a Testing program is working appropriately, it is evaluating a functional/operational group against government regulation, company policy, and departmental process documentation. If Testing is working appropriately, the Auditing level of Risk Management should have fewer significant findings.
Audits are part of a standard Risk Management Program and are proactive in nature (as opposed to reactive Investigations). Executed by an independent party, Audit is a holistic review and identification of risk. The frequency of an independent Audit is driven by multiple factors including a company’s audit resources and the risk associated with a given function or operation.
Similar to Testing, an Audit Plan is developed based on assessed risk. Execution against the Audit Plan may happen through detailed scripting, or occur as a less rigid review of a given process. Findings from an Audit are documented and communicated to both functional/operational management and senior management.
Like Testing, corrective action and/or mitigating action plans are not the responsibility of the Auditing party. Instead, it is the responsibility of the respective management to ensure the appropriate action is taken to mitigate identified or potential risk.
When evaluating the effectiveness of an Audit Program, ask the following questions:
- Are Audits conducted at the appropriate level and at the appropriate frequency, relative to risk?
- Are Audits conducted by individuals with the appropriate level of subject matter expertise?
- Are the Auditors independent of influence or bias related to a given function or process?
- Are Auditors evaluating processes from a compliance perspective, and not financial or other?
An effective Audit Program will identify any potential gaps or risks not identified through Monitoring and Testing. Completely independent of influence or bias, the Auditing party is able to provide an outsider’s perspective on a given function’s or process’s level of compliance. When executed proactively, the auditing function can help to determine a company’s or department’s level of “audit readiness.” Audit readiness is the idea that a company should be able to efficiently, effectively, and completely respond to an external audit request, thus resulting in a favorable audit outcome. Further, proactive Audit helps to show a company’s commitment to ongoing compliance. As a company’s final safety net, the effectiveness of an Auditing function is critical.
Corrective action / mitigation
Corrective and Mitigating Action Plans are arguably the most important component of Risk Management. Without appropriate response to identified risks, a Risk Management Program fails. The development and implementation of corrective actions is not the responsibility of testing or auditing parties, and therefore falls to functional/operational areas and management to ensure that the appropriate corrective actions are identified and implemented. Having a party responsible for the oversight of corrective action is highly recommended. Most companies choose to utilize a compliance department or senior manager in this function.
The individual or department tasked with oversight of corrective actions is not responsible for implementing the actions, but instead assuring that functional/operational staff implements the actions and that the implemented actions are appropriate based on the identified risk or potential risk. Based on these implemented corrective and mitigating actions, it is likely that a given functional/operational area’s processes will need to be updated, thus leading to subsequent updates and changes to existing controls, monitors, tests, and audit plans.
Risk management maintenance
The goal of Risk Management is to be both preventive and detective in identifying risk and potential risk. In order for the level of effectiveness to remain high within a Risk Management Program, the program must be routinely evaluated and updated. Changes in business process, updates to process and controls based on corrective actions, revisions to company policies or departmental processes, and changes in legislative guidelines can all drive updates to a Risk Management Program.
A Program that is not routinely reviewed and updated is not effective. Companies should identify an owner for the Risk Management Program. The owner is responsible for coordinating updates, staying abreast of business and regulatory changes, and conducting ongoing assessments of business risks. Without this commitment, even the best built Risk Management Program will eventually fail to provide the level of scrutiny needed to protect the company and ensure ongoing compliance.
The risk of not having risk management
Gaining management support for a Risk Management Program is critical. Oftentimes, pointing out the risk of not having a Program can help to gain support. Beyond the legal actions that can be levied against a company that is found to be noncompliant with government requirements, a Risk Management Program helps to create accountability across the organization. On an ongoing basis, staff is held accountable for the processes that they are responsible for overseeing. Because Policy and Procedure documentation is relied on heavily for various Risk Management phases, accountability for maintaining documentation in alignment with actual process is heightened. Processes are scrutinized by both internal stakeholders and independent parties, providing a well-rounded perspective and ensuring that no lapses in compliance occur. Finally, and most importantly, an effective Risk Management Program shows a company’s commitment to compliance.
1. Mission. http://www.oig.hhs.gov/. Accessed February 15, 2009.
2. OIG Compliance Program Guidance for Pharmaceutical Manufacturers. Federal Register. Volume 68. Number 86. April 23, 2003.
3. OIG Compliance Program Guidance for Pharmaceutical Manufacturers. Federal Register. Volume 68. Number 86. April 23, 2003.
ABOUT THE AUTHORS
Christopher Coburn is the commercial compliance practice lead at Compliance Implementation Services, LLC (Media, PA; tel: 484 445 7200; cis-partners.com). His experience includes commercial audits, government programs and Sarbanes-Oxley 404 testing. Clarissa Crain is a senior compliance specialist and audit lead. Her background includes commercial contracting, logistics and distribution, government programs and corporate compliance.