Introduction
Effective compliance programs include auditing and monitoring as key elements to their success. The Office of Inspector General (OIG) at the Department of Health and Human Services (HHS) has emphasized in several publications that an ongoing evaluation process is critical to a successful compliance program. The Federal Sentencing Guidelines (FSG) require that an organization takes reasonable steps to ensure it follows its compliance and ethics program, including auditing and monitoring to detect criminal conduct. In designing auditing and monitoring activities, it is important that the research compliance professional work closely with the organization’s chief compliance professional in order to gain a clear understanding of auditing and monitoring expectations and how these activities can be leveraged together to help minimize and mitigate risks for the organization.
The research compliance professional should implement an auditing and monitoring program that periodically audits the research operation for compliance with applicable regulatory requirements, detects and prevents noncompliant behavior, and reviews that management has implemented corrective action to address noncompliance through ongoing performance management.
General Research Auditing and Monitoring Concepts
Independence and objectivity are important concepts to consider when defining auditing vs. monitoring. Commonly, monitoring is conducted as a management tool in daily operations to concurrently check on performance. This type of scenario is not considered independent due to management performing this function for their own departments. There is a real and/or perceived view of a “vested interest” in the outcomes. Monitoring is usually an informal method of self-review. Auditing is a formalized method which is always independent of the business function being audited and where the auditor has no clear interest in the findings and/or overall outcome of the audit.
Objectivity assures that auditing and monitoring attributes can be measured, and the integrity of the attributes is consistent regardless of who performs the activities. Additionally, objective measurement of the attributes provides clarity in the overall auditing and/or monitoring outcomes.
Annual auditing and monitoring plan. If a research compliance program is part of a comprehensive compliance program, it is important to consider how the research risks will be integrated into the overall programmatic elements of successful auditing and monitoring. The process for developing the plan should consider the following:
- What are the high risk research priority areas identified through the risk assessment process for inclusion in the plan? Consider:
  - Is there any other business area in the organization that is conducting an audit or monitor activity in this area?
    - If yes, could you leverage this resource for assistance in completing the stated activity OR utilize their activity and integrate the results into the overall plan?
- What resources are needed? (i.e., subject matter experts) Consider:
  - Is the subject matter in-house?
  - If subject matter requires outsourcing, budget considerations and overall risk priorities may need to be re-evaluated.
- How many hours are needed to complete the plan?
- What are the projected timeframes?
- What are the auditing or monitoring activity definitions and are they outcome or process-oriented?
- Is there flexibility in the plan for changes in risk priorities and possible unplanned compliance risks/crises which may need auditing or monitoring?
It is important that senior leadership participate in and agree with the determination of high risk priorities for the auditing and monitoring plan. This assures buy-in and management focus on compliance risk priorities. Also, if management is involved at the plan’s development stage, they will be educated about the types of activities being planned and resources needed to conduct those activities. Then during the plan year, management will understand if there is a need for additional resources and/or change in focus in the plan as the business environment and priorities may change.
Process for conducting research compliance audits and/or monitors (each referred to as an “activity”). Each activity should have a defined framework which will provide management with an understanding of the overall expectations and approach as you execute the plan. The framework for your activities should include:
- Purpose and goal for activity (auditing or monitoring). Consider:
  - Scope will be identified from the purpose or goal, but needs to be objective, measurable, and concise
  - Before conducting activities in high risk priority areas, it is important to consider whether legal advice may be needed in establishing activity approach
- Initial discussion with business area for input related to audit attributes, timing, and process. Consider:
  - Concurrent vs. retrospective activity may be determined at this point. Their definitions:
    - A concurrent activity happens in “real time” and before the end point of what you are looking at has occurred
    - A retrospective activity happens after the end point has occurred (i.e., the claim has been submitted, the research has concluded, etc.). Milestones should be determined for rationale as to how far back to go (i.e., when a new law passed, or a new system went into effect, etc.)
- Finalized approach and attributes. Consider:
  - That the sampling methodology will be determined largely by the scope (purpose and goal) of your activity (e.g., the sample used in self-reporting a risk area to an outside enforcement agency may be predetermined by the precedent the enforcement agency has set in the industry to determine if education is needed in a risk area, etc.)
  - Audience’s frame of reference when receiving activity results and developing an appropriate format for reporting
- Conduct activity
- Preliminary findings/observations
- An opportunity for findings/observations to be validated by business area
- Finalized report
- System to follow up on execution of management corrective action related to activity findings/observations
  - Data collection and tracking, which provide trend analysis and measurement of progress
- Key points of activity that may be provided to leadership and/or in board reporting
Documentation. Document the overall process of developing the auditing and monitoring plan. This includes describing how the risk assessment was conducted and the methodology for the prioritization of risks. Additionally, unless the activity is under attorney-client privilege (the attorney will direct what they want to be documented for that work product), work papers to support the audit findings, reports, and corrective action plans should be documented. Be sure to define, prior to the audit activity, what should be considered in “work papers” and documented.
Annual evaluation of execution of auditing and monitoring plan. At the end of each plan year, it is important to conduct an evaluation of the overall effectiveness of the plan. Questions to consider may include: Was the plan fully executed? Were appropriate resources utilized for plan execution? Were the activities conducted in a timely manner? Did the plan “make a difference” with regard to the organization’s strategy and business? Did the plan reach the goal of detecting, deterring, and/or preventing compliance research risks from occurring? Annual evaluations may be conducted through self-reviews or independent of the compliance function by the organization’s internal audit or by a third party. However, it is recommended that independent reviews are conducted on a biannual basis to determine the effectiveness of the plan.