How to Conduct Your Internal Risk Audit for Your Compliance Program
By Robert Zelinsky on June 28, 2019
When one of the world’s largest life sciences companies is accused of bribery, misconduct, and corruption, everyone in the industry takes notice. Fresenius Medical, a multinational dialysis equipment provider, agreed to pay $231 million towards resolving alleged FCPA violations in March 2019 after an investigation by the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC).
At the conclusion of the case, the SEC issued a warning to all companies in the biomedical and life sciences industries. The SEC stated that despite "known red flags of corruption since the early 2000s, [Fresenius] devoted insufficient resources to compliance."
During its investigation, the SEC found that Fresenius persistently failed to train employees on compliance or perform any due diligence on their agents. As questionable activities took place, company employees and contractors either looked the other way or actively participated in the schemes.
The SEC determined that Fresenius inappropriately took in $30 million in bribes and $140 million in profits by “using sham consulting contracts, falsifying documents, and funneling bribes through a system of third party intermediaries.” The company had poor training, poor oversight, and poor auditing processes.
Let’s examine how your company can prevent this kind of catastrophe from happening.
Using Compliance Tools
Life sciences companies with mature global compliance programs use a variety of methods to identify, manage, and remediate risk that is local in context but global in impact. The FCPA violations Fresenius allegedly committed were different across many of the regions where they were investigated.
This highlights the importance of investing in people, processes, and technology that can differentiate between markets that are higher and lower risk. It shows the value of using key data signals to trigger audits or investigations.
The lack of compliance controls evident across many of Fresenius' global markets is not unique. A Deloitte study of U.S. businesses found that 40% don’t conduct an annual compliance risk assessment and more than half use no compliance program or tools of any kind. As the Deloitte researchers concluded, “You can’t mitigate a risk if you don’t know it’s there.”
Compliance tools can provide deep, ongoing visibility into your organization to support targeted, risk-informed auditing and monitoring operations. Combined with well-defined reporting hierarchies and remediation protocols, they can prevent the lack of transparency that ultimately leads to out-of-control activities.
Using a compliance tool, a company can track things like:
- Day-to-day expenditures that exceed policy thresholds (meals, travel)
- Total variance to budgeted amounts
- Which reps and contractors habitually break the rules
- Individual instances of extreme payments (which can signify bribery or theft)
- Missing documentation
- Duplication and errors
- Attempts to tamper with documents and systems
- Failure to follow regulatory standards and legal advice
With the help of a compliance tool, a company’s risk managers gain transparency into the daily behavior of everyone who represents the company. Using dashboards and reports, they can see every activity, down to the smallest detail. Modern software tools should be configurable to ensure oversight of key risk areas that may vary between different business markets and business practices.
Identifying High-Risk Consultants
It’s common that a small handful of people represent your biggest compliance threat. These individuals, known as high-risk employees or high-risk consultants, act in ways that disrupt the company’s compliance plan.
Intentionally or unintentionally, high-risk individuals skirt the rules. They may act in “grey areas” that fall between official protocols and criminal behavior. These people make day-to-day decisions that put the company at risk, often without seeking guidance from management or compliance. Because they do not initiate a healthy dialogue about business practices not covered in training or corporate documentation, the onus falls on outside parties to identify the risky behavior.
Sometimes high-risk individuals are simply ignorant of the rules and have never received proper compliance training. They’re good people without good guidance. If they were educated about what is acceptable and unacceptable, they would play by the rules.
To identify and mitigate the behavior of individuals that put your company at risk, the key is to conduct internal risk audits on an ongoing basis. Your company needs an organized, comprehensive compliance program.
The Importance of an Organized Method
The U.S. Office of the Inspector General (OIG) provides guidelines for implementing strong internal compliance and auditing procedures. These guidelines allow a company to identify, monitor, and audit risky activities in an organized way.
The OIG lays out 7 Fundamental Elements of an Effective Compliance Program:
1. Implementing written policies, procedures and standards of conduct.
2. Designating a compliance officer and compliance committee.
3. Conducting effective training and education.
4. Developing effective lines of communication.
5. Conducting internal monitoring and auditing.
6. Enforcing standards through well-publicized disciplinary guidelines.
7. Responding promptly to detected offenses and undertaking corrective action.
Here, we’ll focus on number 5: conducting internal monitoring and auditing. While every risk audit is unique, all world-class audits follow certain leading practices:
- Cross-functional, cross-departmental participation
- Leveraging of existing material from experts, reviews, and assessments
- Establishment of clear individual ownership of specific risk tasks
- Actionable assessments, prioritized by risk, with clearly-defined remediation actions
- Tapping of outside expertise to reveal blind spots internal stakeholders don’t see
- The use of plain language that is easy to understand around the world
- Data gathering that supports good decision-making
The compliance and auditing program should exist as a “living, breathing” thing, subject to constant updating as your business evolves. At minimum, a major audit should be conducted at least every 1 to 2 years, and smaller audits should take place monthly.
Ideally, compliance auditing takes place every moment of every day. Your company can leverage ongoing, automated monitoring to better inform periodic audits and, between them, track key risk indicators (KRIs) for flagged risks that indicate the need for ad-hoc reviews.
To provide the kind of every-moment oversight that is recommended by the authorities, you’ll need the help of an outside expert. Cresen Solutions provides a world-class compliance platform with innovative auditing, monitoring, and analysis tools.
Monitor-Mate enables you to automate and operationalize your entire compliance monitoring process. It is a highly configurable, cloud-based global compliance monitoring platform with Integrated Global Risk Assessment, Monitoring Planning, Monitoring Execution, Remediation and Analytics functionality built right in, and it is easy to implement, manage and use.
Data EZ is a powerful cloud-based data management platform that supports the aggregation, cleansing and standardization of information for global transparency. It gives you total control over your data.
Data Analytics can be leveraged against your internal as well as external data sources to help your company identify important KRIs. This can be a key component of developing a comprehensive Risk Assessment plan. In addition, you can easily assess and report on any of your Key Performance Indicators. Monitor-Mate also provides detailed reports and dynamic operational and business-defined KRI insights. You will be able to make strategic decisions quickly and easily using integrated dashboards and customized analytics.
Cresen Solutions also offers life sciences consulting services that help you excel at the complex tasks that come with compliance monitoring. Our talented life sciences professionals have decades of combined experience.
If your company needs assistance with internal risk auditing, KRI development, Compliance Monitoring, Data Aggregation and meeting compliance standards, turn to us.