Pharmaceutical Regulatory and Compliance Congress

Presentation transcript:

Pharmaceutical Regulatory and Compliance Congress
The HHS OIG Model Compliance Guidance, Sarbanes-Oxley, and Other Hot Compliance Issues
John T. Bentivoglio
john_bentivoglio@aporter.com
202.942.5508
918464 ver. 2 February 5, 2019

Overview
- HHS OIG Guidance
- Background and History
- Scope
- Risk Areas
- Compliance Program Structure
- Compliance Activities
- PhRMA Code
- Sarbanes-Oxley
- NYSE Corporate Governance Standards
- Questions and Answers

HHS OIG Guidance -- Background & History
- HHS OIG and compliance guides for industry
- Prior industry guidance
- OIG guidances are “voluntary”
- Consequences of not following “voluntary” guidelines
- Guidance for the pharmaceutical industry
- Initial OIG solicitation (June 11, 2001)
- Public comments (August 9, 2001)
- Draft guidance (September 30, 2002)
- Remarks of IG Rehnquist on release
Role of Audit Committee: Audit Committee and auditor independence seen as key to restoring faith in the process of financial reporting and oversight. New Auditor Independence Requirements: Will affect nature and scope of relationship between public companies and public accounting firms. Accounting firms will be prohibited from performing certain non-audit services for audit clients.

HHS OIG Guidance -- Scope
- Focused on (1) the sales and marketing activities, (2) of pharmaceutical manufacturers
- Focus is more narrow than originally contemplated by the OIG as outlined in solicitation for comments
- Little overlap with FDA jurisdiction (exception: drug sampling)
- Does not address R&D issues (though discussion of grants, physicians as consultants may impact on R&D activities)
- Application to medical device and other industry sectors?

HHS OIG Guidance -- Risk Areas
- Integrity of data used for gov’t reimbursement
- Kickbacks and other illegal remuneration
- Relationships with purchasers
- Discounts and other terms of sales
- Average wholesale price
- Relationships with physicians and other HC professionals
- Switching arrangements
- Consulting and advisory payments
- Other remuneration

HHS OIG Guidance -- Risk Areas (cont’d)
- Sales Agents
- Contains troublesome language that calls into question common industry practices with respect to compensation of sales representatives, use of contract sales forces
- “… any compensation arrangement between a … manufacturer and a sales agent for the purpose of selling health care items or services [reimbursable by the government] implicates the anti-kickback statute, irrespective of the methodology used to compensate the agent.”
- OIG draft calls on companies to “establish an effective system for tracking, compiling, and reviewing information about sales force activities.”
- Drug samples

HHS OIG Guidance -- Program Structure
- Compliance officer
- “High-level” with “direct access” to Board, CEO, senior mgmt
- Needs sufficient funding, resources, and staff
- Should have access to all documents, materials
- “Optimal placement” of CO will vary, but OIG looks unfavorably on subordination to GC, CFO (no change)
- Divisional or regional compliance liaisons should be considered in companies with multiple divisions, regions
- Little change from prior guidances
- Compliance committee
- No real change from prior guidances

HHS OIG Guidance -- Program Structure (cont’d)
- Responsibility of senior management
- Formal commitment of Board or governing body
- Evidence of that commitment (e.g., adequate resources, timetable for implementation of compliance program)
- Receiving “periodic” reports from compliance officer
- Little change from prior guidances

HHS OIG Guidance -- Compliance Activities
- Education and training
- OIG considers this to be a “must” do
- General training for everyone on the compliance program
- Specific training on risk areas (those in guidance and those identified by other means) for employees associated with relevant activities
- Guidance suggests sales representatives should receive training on anti-kickback safe harbors
- Minimum number of hours per year (though number is unspecified)
- New employee and refresher training is important; failure to attend should result in disciplinary action; should be part of employee evaluation
- Documentation and tracking
- Flexibility on training methodology

HHS OIG Guidance -- Compliance Activities
- Internal communication and reporting
- Supervisors should serve as first line of communication, other mechanisms may include: emails, newsletters, exit interviews, hotlines
- Calls for adoption of confidentiality and non-retaliation policies
- Suggests use of rewards for appropriate use of reporting system, posting of HHS OIG hotline in employee areas
- Record keeping is important, as is reporting to Board, CEO, etc.

HHS OIG Guidance -- Compliance Activities
- Auditing and Monitoring
- Little guidance offered on monitoring except a statement that it should be built into an effective program
- Flexibility on frequency and subject of audits; could be prospective or retrospective
- Use of “internal or external evaluators who have relevant expertise”
- Enforcement of disciplinary standards
- Need for clear and specific disciplinary policies
- Penalties to include termination
- Language appears to say manufacturers not required (though encouraged) to screen employees/contractors against HHS OIG exclusion list

HHS OIG Guidance -- Compliance Activities
- Mechanisms for corrective action
- Duty to investigate “reasonable indications of suspected noncompliance”
- Must take decisive steps to correct any problems
- Actions could include a prompt report to the government where you believe that the misconduct may violate a law (no more than 60 days)

HHS OIG Guidance -- Other Key Issues
- PhRMA Code: “useful guidance for evaluating relationships with physicians and other healthcare professionals”
- “OIG recommends that pharmaceutical manufacturers at a minimum comply with” PhRMA Code
- “Arrangements that fail to meet the [Code’s] minimum standards … are likely to receive increased scrutiny from government authorities”
- While a useful benchmark, compliance “will not necessarily protect a manufacturer from prosecution or liability”
- IG comments: Companies should view PhRMA Code policies as minimum, additional safeguards may be required in some areas

HHS OIG Guidance -- Other Key Issues
- Vendors and other agents: CO should “ensur[e] that independent contractors and agents … are aware of company’s compliance program …”
- Companies should consider training vendors on compliance-related matters

HHS OIG Guidance -- Future Action
- Comment period open through December 2, 2002
- Final guidance not likely before late Spring 2003 (at the earliest)
- Efforts of the Ad Hoc OIG Compliance Group

Sarbanes-Oxley: What It Means for Pharmaceutical Compliance Professionals

Sarbanes-Oxley: Overview
- New oversight responsibilities for Board, Audit Committee
- New provisions that overlap with HHS OIG Guidance
- Internal controls and report
- Hotline
- Codes of conduct
- Whistleblowers
- Document retention
- Other provisions

Sarbanes-Oxley: Board, Audit Committee Issues
- Audit Committee Resources:
- Can hire independent counsel
- Company must provide funding
- Audit Committee can hire auditors
- Audit Committee Responsibilities:
- Directly responsible for “appointment, compensation and oversight” of auditors
- Complaint Procedures: Must establish procedures to receive and address complaints regarding accounting, internal accounting controls and auditing issues.
Unclear what “oversight” of outside auditors means -- is it hands-on oversight or something else? Currently, this is just a reporting obligation.
From a compliance perspective, this means that the Audit Committee will need to establish procedures to receive and respond -- on a confidential basis -- to complaints from employees and others pertaining to accounting or auditing matters. Will require revision of current “Internal Procedures for Reporting Suspected Wrongdoing” -- to add the new reporting requirement, now involving Audit Committee, and to inform employees about procedures for raising concerns relating to accounting and auditing issues.

Sarbanes-Oxley: Board, Audit Committee Issues (cont’d)
- Procedures include providing mechanism for employees to submit concerns -- on a confidential, anonymous basis -- regarding questionable auditing or accounting matters.
- Must pre-approve all auditing and non-auditing service to be performed by outside auditors.
- New Auditor Independence Requirements
- Registered public accounting firms will be prohibited from providing eight types of non-audit services to audit clients
- All of these non-audit services are currently prohibited under the SEC’s Auditor Independence Rules, with the exception of one category (Act prohibits “expert services,” SEC Rule doesn’t)
With respect to each type of non-audit services, the SEC rules explain more fully the types of services covered by the prohibition. We anticipate that the SEC will use many of the same definitions when it gets to rulemaking on the Sarbanes-Oxley Act.
Note that these requirements will apply to “registered” public accounting firms -- and that firms will not be able to “register” until the SEC creates the new Oversight Board, which will be known as the “Public Company Accounting Oversight Board.” This process will take 6-8 months, and it will be several months beyond that until the Board is up and running. In the meantime, the current SEC rules apply.

Sarbanes-Oxley: Board, Audit Committee Issues (cont’d)
- Auditor Independence (cont’d)
- Mandatory auditor rotation: Partner cannot be lead or review partner for more than 5 consecutive years
- Auditor must timely report to Audit Committee:
- All critical accounting policies and practices to be used in financial reports
- All alternative treatments of financial information within GAAP that have been discussed with management, ramifications of their use, and treatment preferred by the auditor
- Other material written communications with management

Sarbanes-Oxley: Board, Audit Committee Issues (cont’d)
- Act requires an internal control report in company’s annual reports
- Internal control report must: (1) State management’s responsibility for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and (2) Contain an assessment of the effectiveness of those controls, as of the end of the company’s most recent fiscal year.
- Is internal control structure limited strictly to financial reporting issues?
- Outside auditors will be required to attest to management’s statement (Sec. 404)

Sarbanes-Oxley and Other Hot Issues: Special Issues for Compliance Professionals
- Document retention and destruction
- Whistleblowers
- NYSE Listing Standards
This plugs the gap in the previous law: Previous statute made it a crime for a person corruptly to obstruct, impede or influence a proceeding that was actually pending before a federal agency or Congress. For future proceedings, it was a crime to threaten or corruptly persuade another person to alter, destroy or mutilate an object to impair its integrity for use in an official proceeding. If you personally destroyed a document to obstruct a future proceeding, there was technically no violation.
The obstruction of justice statute now applies to both pending and future proceedings. Companies are going to need DOJ Guidance in this area

Documents
- 18 U.S.C. § 1519: “Whoever knowingly alters, destroys . . . with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any [U.S.] department or agency . . . or in relation to or contemplation of any such matter or case . . .”
- Highlighted language raises questions: Could common document retention/destruction policies result in violations where they call for destruction of documents relevant to a matter that could arise in the future?
- Potential problem if a document retention program is set up with the intent to avoid future Government liability.
Highlighted language is problematic: What does it mean? If you destroy a document that you have reason to believe could relate to some future Govt. inquiry, is this a violation of the statute? Minority Report of the Senate Judiciary Committee felt it would be, and raised its concerns about this situation. Majority never responded to this point (Per Rob Weiner).
Although criminal statutes are to be narrowly construed as a matter of law -- this doesn’t provide much of a comfort level about the “in relation to” language. DOJ issued field guidance in connection with other provisions of the act, but not on the document retention issue.

Documents (cont’d)
- Need to develop a business justification for every element of the document destruction plan
- Document destruction program should exempt from destruction all documents that could be used in future investigations
- Company’s e-mail policy and document retention policies should be reviewed and revised to accord with new statutory requirements.

Whistleblowers
- Sweeping new protections for whistleblowers --
- Modeled after protections for airline employees reporting safety violations
- Two new criminal provisions to protect whistleblowers
- 18 U.S.C. § 1513
- 18 U.S.C. § 1514A
In addition to the new criminal provisions protecting whistleblowers, the Act also creates a new civil remedy for employees of public companies who believe that they have been discharged for whistleblowing. A company may not discharge, demote, suspend, threaten, harass, or in any other manner discriminate against an employee because the employee has provided information or has otherwise assisted in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of federal securities laws, mail or wire fraud, or other federal laws on fraud against shareholders, or participates in or otherwise assists in such proceedings (or proceedings about to be filed).
Employee alleging such discharge/discrimination can file a civil complaint with the Secretary of Labor. Action must be commenced within 90 days of the date the violation occurs.

Whistleblowers (cont’d)
- 18 U.S.C. § 1513: “Whoever knowingly, with the intent to retaliate, takes any action harmful to any person . . . for providing to a law enforcement officer any truthful information relating to the commission or possible commission of any Federal offense . . .”
- Elements added to 18 U.S.C. § 1513(e):
- Knowing and intentional action to retaliate
- Against any person (not just an employee)
- Providing truthful information relating to commission or possible commission
- A law enforcement official (not just a Federal agent)
- Regarding any Federal offense
- What is “truthful information?” Section 1107 does not define the term.

Whistleblowers (cont’d)
- Elements of 18 U.S.C. § 1514A:
- Prohibits a company from sanctioning an employee because of any lawful act to provide information about “fraud against shareholders” to (1) a Federal agency, (2) Congress, or (3) employee’s supervisor.
- Authorizes civil action for damages and equitable relief, including reinstatement, back pay, attorneys’ fees, etc.
- 90-day statute of limitations: employee must file claim within 90 days of retaliation.
- Provision construed narrowly: applies only to information provided in connection with an ongoing proceeding.

New Felonies and Increased Criminal Penalties
- Substantive new offenses added by the Act:
- 18 U.S.C. § 1348: Scheme or artifice to defraud
- 18 U.S.C. § 1350: Knowing violations involving new CEO/CFO certifications
- Enhanced Penalties: Multiple directives to U.S. Sentencing Commission to boost penalties for obstruction of justice, criminal fraud, accounting and securities fraud, and the new “white collar” provisions in the Act related to document destruction or tampering
The day after passage of the Act, on 8/01/02, Attorney General Ashcroft issued a Directive to all U.S. Attorney’s offices and FBI Field Offices ordering immediate implementation of Sarbanes-Oxley Act to combat corporate fraud. In conjunction with the Atty. General’s directive, the Fraud Section of the Criminal Division issued Field Guidances to prosecutors and investigators outlining the new tools and penalties in the Act, and identifying which provisions of the Act can be applied retroactively or prospectively.
The Atty. General also sent a letter to the U.S. Sentencing Commission, directing it to review and amend, as appropriate, within 180 days (from Aug. 1, 2002), the Sentencing Guidelines related to obstruction of justice, criminal fraud, accounting and securities fraud, and the new “white collar” provisions in the Act related to document destruction and tampering.
Special “Heads Up” to Corporate Compliance Officials: Ashcroft’s letter also asked the Sentencing Comm’n to consider “revisions to discrete aspects of the organizational guidelines, including issuing guidance regarding internal investigations, voluntary self-disclosure and other compliance measures that will enhance the incentives for corporations to police themselves effectively, and to bolster the effectiveness of audit committees and other independent oversight personnel.”

New Felonies and Increased Criminal Penalties (cont’d)
- Enhanced penalties for conspiracies (from 5 years to same level as underlying offense)
- Stiffer penalties for criminal ERISA violations
- Doubles the penalties for criminal violations of Securities Act of 1934

Sarbanes-Oxley: Code of Conduct
- Section 406 of Sarbanes-Oxley Act requires adoption of “Code of Ethics” for senior financial officers
- Code is applicable to principal financial officer and controller or principal accounting officer, or persons performing similar functions
- The term “code of ethics” is defined broadly to mean standards reasonably necessary to promote (1) honest and ethical conduct, (2) full, fair, accurate, timely, and understandable disclosure in periodic reports the company is required to file, and (3) compliance with applicable Government laws and regulations.
- Both the NYSE and Nasdaq have proposed that listed companies draft Codes of Conduct.

NYSE Listing Standards -- Codes of Conduct
- Listed companies must adopt a code of business conduct and ethics, and must promptly disclose any waivers of the code for directors or executive officers
- Code must address a variety of issues, including issues beyond financial reporting matters
Fourth bullet -- The June 6, 2002 Report issued by the NYSE’s Corporate Accountability and Listing Standards Committee, in addition to the recommended corporate governance listing standards, included detailed recommendations on the contents of Code of Business Conduct and Ethics, applicable to all officers, directors and employees.
According to that Report, the Code must include the following topics: Conflicts of Interest; Corporate opportunities; Confidentiality; Fair dealing with customers, suppliers and employees; Protection and Use of Company Assets; Compliance with Laws, Rules and Regulations; and Reporting Misconduct (encouraging reporting of illegal or unethical behavior). Standards and procedures to implement the Code and ensure consistent action for violations (this goes far beyond what is typically contained in a Code).
NYSE’s Report also recommends that each listed company be required to include its Code of Business Conduct and Ethics on its company website.

Sarbanes-Oxley: Summary of Issues for Compliance Professionals
- Clarification of responsibility for compliance with, oversight of financial reporting rules
- New requirement of process for internal reporting of financial fraud -- coordination with existing hotlines and internal reporting procedures
- Code of Conduct for financial executives -- develop separate Code or incorporate into existing Codes

Sarbanes-Oxley: Summary of Issues for Compliance Professionals (cont’d)
- Whistleblowers -- review in light of heightened risks, ensure appropriate coordination
- Document retention -- review in light of heightened risks, establish and document business justification
- Implications of direct reporting to Board, Audit Committee of compliance issues outside traditional mechanisms