©2004 Deloitte Development LLC. All rights reserved. 2004 Pharmaceutical Regulatory and Compliance Congress Compliance Auditing & Monitoring 3.02 Auditing.

Presentation transcript:

©2004 Deloitte Development LLC. All rights reserved Pharmaceutical Regulatory and Compliance Congress Compliance Auditing & Monitoring 3.02 Auditing and Monitoring for Compliance Karen R. Lines, Esq. Associate General Counsel Genentech, Inc. South San Francisco, CA November 16, 2004 Sheryl Vacca, CHC West Coast Practice Leader, Life Sciences & Health Care Regulatory Deloitte & Touche LLP

Copyright © 2004 Deloitte Development LLC. All rights reserved. 1 Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved Pharmaceutical Regulatory and Compliance Congress
Building the Emerging Model
[Diagram labels: Departmental Procedures; Standard Operating Procedures; Compliance Standards; Code of Conduct; Corporate Policies; Day-to-Day Operations; Corporate Compliance Program; Financial Risk; Regulatory Risk; Systems/IT Risks; Operational Risks; Board & Executive Committee]

The Compliance Program Design Dilemma
Designing an integrated compliance program that operates as one unit rather than many silos is challenging
The business’s processes and operations often function in silos
The compliance-related risks touch every aspect of the organization’s business & are difficult to “compartmentalize”
The design should be based upon the organization’s business strategies
The design should result in an organization-wide compliance monitoring plan
[Diagram labels: Business Strategy; Business Processes; Monitoring; Risk Mitigation]

Create a Compliance “Crosswalk”
Monitoring plan should be designed with the Compliance Program dilemma in mind.
Monitoring creates the crosswalk between the Business Strategies and the Risk Areas.
[Diagram labels: Business Strategy (Will be impacted by many risk areas); Risk Area (Apply to more than one business strategy); Monitoring]
[Diagram example: Vaccines will be available for the public; Monitoring; Quality Control and Drug Safety]

Focus on Regulatory Risks and Controls
Sarbanes
– Calls for evaluation of internal controls
COSO Standards
– Compliance with laws and regulations
Federal Sentencing Guidelines
– Calls for evaluation of internal controls
HHS Office of Inspector General
– Regulatory-specific standards
– Employee Training
– Compliance Audits
The vast majority of health care/life science regulatory & compliance program requirements align with Sarbanes & Internal Audit standards.

How Sarbanes 404 Integrates into your Auditing and Monitoring
Objectives
– Operations
– Financial reporting
– Compliance
Components of a 404 Readiness
– Monitoring
– Information & Communication
– Control Activities
– Risk Assessment
– Control Environment

Auditing and Monitoring Cycle
Review Process for Each Risk Area
[Diagram labels, in the order extracted: Finalize Report & Corrective Action Plan; Education, Remedial Action; Conduct Review; Develop Review Criteria; Define Review Sample; Obtain Management Response; Define Review Scope & Assumptions; Test Inter-rater Reliability with Multiple Reviewers; Document Observations & Findings; Reaudit; Define Methodology; Validate Findings]

Continuous Monitoring Cycle
Monitoring never ends… each review leads to the next, and the monitoring plan and unplanned issues drive additional monitoring activities. It is a continuous process…
[Diagram: repeated review cycles]
Define Review Scope & Assumptions; Develop Review Criteria; Define Review Sample; Test Inter-rater Reliability; Conduct Review; Document Observations & Findings; Obtain Management Response; Finalize Report & Corrective Action Plan
Define Review Scope & Assumptions; Develop Review Criteria; Define Review Sample; Conduct Review; Document Observations & Findings; Obtain Management Response; Finalize Report & Corrective Action Plan
Define Review Scope & Assumptions; Develop Review Criteria; Define Review Sample; Test Inter-rater Reliability; Conduct Review; Document Observations & Findings; Finalize Report & Corrective Action Plan
Re-audit and add new audits to the cycle

Practical Considerations Related to Auditing and Monitoring Strategy
Developing your Auditing and Monitoring Plan
– Deciding what to monitor
  Prioritize Risk Areas
  – Internal Factors, i.e.: any system changes, people changes, new practice, etc.
  – External Factors, i.e.: new regulation, national and local enforcement activity
  Compliance Program evaluation
  Identify controls that make the process work: PROCESS AUDIT
  Determine overall purpose effective: OUTCOMES AUDIT
– Resources available to execute plan
– Consider integration with Internal Audit Plan
– Identify timeframes for audits
– Communication and Commitment to Plan

Developing Your Audit Approach
Deciding the scope
– Narrow down the purpose of the audit
– Avoid scope creep before you start
Resources available to execute the audit
Methodology
Sample size determination
Communication/Reporting Results

Sampling Methodologies
Things to Consider:
– The purpose of the sample or the review objective
– The universe/population/sources of data
– The size of the sample
– What you are going to do with the results

Sampling Methodology
What should you consider before you decide what your sample size will be?
– Who do you expect to share the information with and what is their frame of reference?
– Are you trying to figure out whether there is really a problem?
– What is the organization’s perspective on “fixing” problems?
– What resources are available to audit this area?
– Does Senior Management agree this risk area is important?
– What is the worst case scenario if this audit reflects unfavorable outcomes?
Attorney/Client Privilege?

Purpose of the Sample
Is the review for:
– Self-disclosure?
– Education?
– Part of an on-going monitoring plan?
– Response to the federal government, subpoena, carrier or FI?
– Known risk area?

Other Considerations
Priority
– Internal
– External
Timeframe of data collection
– concurrent
– retrospective
Availability of data
– Manual
– Leverage Technology

Leveraging Technology
Tools, with Pros and Cons:
Manual Checklists
– Pros: Low cost; No training required; Easy to customize
– Cons: Administration effort (collation of results); Reporting effort
Excel based Spreadsheets (signoff process administered via or on central server)
– Pros: Low cost; Simple, adaptable; Limited user training; Limited IT involvement
– Cons: Ongoing maintenance; Limited scalability; Limited reporting; Many efforts remain manual
Access based Databases
– Pros: Low cost; Simple, adaptable; Limited user training; Limited IT involvement; Enhanced reporting options
– Cons: Accessibility (not web enabled); Limited scalability; Training may be required; No transparent dashboard reporting
Web based Assessment Systems
– Pros: Increased functionality; Usable for sophisticated, complex cos.; Improved reporting (dashboard); Scalable
– Cons: Technology implementation effort & cost; Significant IT involvement; Ongoing maintenance (security, reporting); Sophistication of solution

Practical Application: Case Study
[Diagram labels: Compliance Training; Risk Area Review Process; Managed Care Contracting]
Define Review Scope & Assumptions
Develop Review Criteria
Conduct Review
Document Findings and Observations
Obtain Management Response
Finalize Report & Corrective Action Plan

Case Study
[Diagram labels: Compliance Training; Risk Area Review Process; Managed Care Contracting]
Define Review Scope & Assumptions
– Conduct interviews with Business Process Owners
– Review Policies & Procedures
– Review Education and Training materials
– Document scope & assumptions
Develop Review Criteria
– Test Review Criteria
– Enter criteria into database
Conduct Review
– Review documentation
– Enter findings into database
Document Findings and Observations
– Query database for exception findings
– Summarize observations
– Develop recommendations
Obtain Management Response
– Share findings with Business Process Owners
– Obtain reactions to recommendations
– Draft a Corrective Action Plan
Finalize Report & Corrective Action Plan

Corrective Action Plan
Table columns: Area of Focus; Finding; Recommendation; Management Action Plan; Acct/Timeframes
Area of Focus: 1. Contract load
– Finding: 1. 20% data errors in contract load; 2. Etc.
– Recommendation: Periodically review data entry; Etc.
– Management Action Plan: Develop a periodic review system
– Acct/Timeframes: Accountable Party: John Smith, VP; Timeframe: 2nd Quarter

Develop the Report Card
Sample Report Card
[Grid labels: Risk Area; Department; Or]
Departments: Admissions; Customer Service; Marketing; Medical Records
Risk areas: Privacy Inducements; Privacy Notice; Employee Training; Complaints; Employee Discipline; Authorizations; Minimum Necessary; Access to Records; Amendment of Records; Confidential Communications; Facility Directory; Business Associate Agreements

Integration into Business Strategy
Use monitoring findings to develop and document ROI
Assist the business process owners to identify root cause of findings
Use corrective action to enhance efficiency and mitigate risk
Organization-wide (vs. silo) allow program leverage

Summary
An effective Auditing and Monitoring approach provides a method to:
– Assist in identifying risk to the business that may have been otherwise undetected internally
– Assist by identifying if the controls developed to remediate a risk are working and have actually helped to mitigate the risk
– Assist with preventing a real and/or potential risk from escalating by early detection through auditing, which may help avoid additional harm to the company’s business
– Provide a “good faith” organization the ability to approach their real and/or potential risk weaknesses with a reasonable, scalable method
Auditing and Monitoring is a critical element for an effective compliance program which helps to drive compliance and behavior.

Karen R. Lines, Esq. Associate General Counsel Genentech, Inc. South San Francisco, California (650)
Ms. Lines is Associate General Counsel with Genentech, Inc. in South San Francisco, California. Genentech, Inc. is a biotechnology company that discovers, develops, manufactures and markets human pharmaceuticals for significant unmet medical needs. She manages a team of lawyers responsible for providing legal advice and guidance to Genentech’s commercial organization. In the past few years, much of her focus has been on leading ongoing efforts to enhance Genentech’s Commercial Compliance Program. She began her legal career in private practice in Wilmington, Delaware. Ms. Lines is admitted to the practice of law in California, Delaware and Pennsylvania.

Sheryl Vacca, CHC West Coast Practice Leader Life Sciences and Health Care Regulatory Deloitte & Touche LLP (714)
Ms. Vacca is the West Coast Leader for Deloitte & Touche’s National Life Sciences and Health Care Regulatory practice. She has assisted several life science companies develop their compliance programs, investigations, perform risk assessments and develop auditing and monitoring plans for the compliance department. She has significant experience consulting with life sciences and health care organizations on compliance issues including self-disclosure, writing plans of correction, implementing systems in response to plans of correction, implementing QA systems and general regulatory compliance.