Catherine Boerner (cboerner@boernerconsultingllc.com), President of Boerner Consulting LLC, New Berlin, WI.
The compliance department relies on information technology (IT) systems to provide the lists of individuals to be assigned to receive the code of conduct and compliance training. These lists of individuals provided are also key to initiate and maintain monthly sanction check screening for the List of Excluded Individuals and Entities and System for Award Management (formerly the Excluded Parties List System maintained and updated by the General Services Administration).
The compliance department should consider auditing the current flow of information from various IT systems to ensure the accuracy of: (1) the number of employees, including allied health professionals; (2) the number of employed physicians; (3) the number of independent physicians; (4) the number of volunteers; and (5) the number of employees assigned to the organization by vendors/contractors and consultants.
The IT systems involved in this audit may include human resources IT, payroll IT, contracts management IT, vendor management IT, volunteer management IT, electronic medical record access, credentialing, etc.
Compliance should confirm and audit the list of employees flowing into the electronic learning management system.
Also, consider the various ways initial sanction checks are conducted in, perhaps, human resources, credentialing, vendor management system, volunteer services, etc.
These various IT systems, as well as comprehensiveness of data and flow to other supportive IT programs and applications, directly affect the accuracy of assignments to training systems and sanction check screening. It is important to validate how these systems flow information to each other.
In addition to auditing and confirming the flow of this information, the compliance department should audit the processes in which the sanction checks are conducted by other departments to verify there is adequate documentation retained to support that these initial sanction checks have been conducted as well as the monthly sanction check processes.
The compliance department may also want to think about cross-checking payments from accounts payable with the vendor management lists to confirm required code of conduct, compliance training, and sanction checks are in place along with business associate agreements, where applicable.
Oftentimes these processes get set up, and then IT systems change, and it is assumed the flow of information has been maintained. The other reason for the compliance department to perform this audit is employee turnover. There is always a risk with employee turnover that the next person has not been trained appropriately on the set-up processes, and these gaps create compliance risk.