©2004 Deloitte Development LLC. All rights reserved. 2004 Pharmaceutical Regulatory and Compliance...
-
Upload
leona-warren -
Category
Documents
-
view
217 -
download
0
Transcript of ©2004 Deloitte Development LLC. All rights reserved. 2004 Pharmaceutical Regulatory and Compliance...
©2004 Deloitte Development LLC. All rights reserved.
2004 Pharmaceutical Regulatory
and Compliance Congress
Compliance Auditing & Monitoring3.02 Auditing and Monitoring for Compliance
Karen R. Lines, Esq.Associate General CounselGenentech, Inc.South San Francisco, CA
November 16, 2004
Sheryl Vacca, CHCWest Coast Practice Leader, Life Sciences & Health Care RegulatoryDeloitte & Touche LLP
Copyright © 2004 Deloitte Development LLC. All rights reserved. 2Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 2
2004 Pharmaceutical Regulatory
and Compliance CongressBuilding the Emerging Model
Departmental Procedures
Standard Operating Procedures
Compliance Standards
Code of Conduct Corporate Policies
Day-to-Day Operations
Corporate Compliance
Program
Financial Risk Regulatory Risk
Systems/IT Risks Operational Risks
Board & Executive Committee
Copyright © 2004 Deloitte Development LLC. All rights reserved. 3Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 3
2004 Pharmaceutical Regulatory
and Compliance Congress
The Compliance Program Design Dilemma
• Designing an integrated compliance program that operates as one unit rather than many silos is challenging
• The business’s processes and operations often function in silos
• The compliance-related risks touch every aspect of the organization’s business & are difficult to “compartmentalize”
• The design should be based upon the organization’s business strategies
• The design should result in an organization-wide compliance monitoring plan
BusinessStrategy
Business Processes
Monitoring
Risk Mitigation
Copyright © 2004 Deloitte Development LLC. All rights reserved. 4Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 4
2004 Pharmaceutical Regulatory
and Compliance Congress
• Monitoring plan should be designed with the Compliance Program dilemma in mind.
• Monitoring creates the crosswalk between the Business Strategies and the Risk Areas.
Create a Compliance “Crosswalk”
Business StrategyWill be impacted by
many risk areas Risk AreaApply to more than
one business strategy
Monitoring
Vaccines will be available for the public
Monitoring Quality Control and Drug Safety
Copyright © 2004 Deloitte Development LLC. All rights reserved. 5Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 5
2004 Pharmaceutical Regulatory
and Compliance Congress
• Sarbanes –Calls for evaluation of internal controls
• COSO Standards–Compliance with laws and regulations
• Federal Sentencing Guidelines–Calls for evaluation of internal controls
• HHS Office of Inspector General –Regulatory-specific standards
–Employee Training–Compliance Audits
Focus on Regulatory Risks and Controls• The vast majority of health care/life science regulatory &
compliance program requirements align with Sarbanes & Internal Audit standards.
Copyright © 2004 Deloitte Development LLC. All rights reserved. 6Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 6
2004 Pharmaceutical Regulatory
and Compliance Congress
How Sarbanes 404 Integrates into your Auditing and Monitoring
• Objectives – Operations– Financial reporting– Compliance
• Components of a 404 Readiness– Monitoring– Information & Communication– Control Activities– Risk Assessment– Control Environment
Copyright © 2004 Deloitte Development LLC. All rights reserved. 7Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 7
2004 Pharmaceutical Regulatory
and Compliance Congress
Finalize Report & Corrective Action
Plan
Education, Remedial Action
Auditing and Monitoring Cycle
ReviewProcess for
Each Risk Area
Conduct Review
Develop ReviewCriteria
Define ReviewSample
Obtain Management
Response
Define Review Scope &
Assumptions
Test Inter-raterReliability with Multiple Reviewers
Document Observations & Findings
ReauditDefine Methodology
Validate Findings
Copyright © 2004 Deloitte Development LLC. All rights reserved. 8Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 8
2004 Pharmaceutical Regulatory
and Compliance CongressContinuous Monitoring Cycle• Monitoring never ends… each review leads to the next, and the monitoring
plan and unplanned issues drive additional monitoring activities. It is a continuous process…
Define Review Scope &
Assumptions
Develop ReviewCriteria
Define ReviewSample
Test InterratorReliabilityConduct Review
Document Observations & Findings
Obtain Management
Response
Finalize Report & Corrective Action Plan
Define Review Scope &
Assumptions
Develop ReviewCriteria
Define ReviewSample
Conduct Review
Document Observations & Findings
Obtain Management
Response
Finalize Report & Corrective Action Plan
Define Review Scope &
Assumptions
Develop ReviewCriteria
Define Review Sample
Test InterratorReliability
Conduct Review
Document Observations & Findings
Finalize Report & Corrective Action Plan
Re-audit and add new audits to the cycle
Re-audit and add new audits to the cycle
Copyright © 2004 Deloitte Development LLC. All rights reserved. 9Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 9
2004 Pharmaceutical Regulatory
and Compliance Congress
Practical Considerations Related to Auditing and Monitoring Strategy
• Developing your Auditing and Monitoring Plan– Deciding what to monitor
• Prioritize Risk Areas– Internal Factors, i.e.: any system changes, people changes, new practice,
etc.– External Factors, i.e.: new regulation, national and local enforcement
activity
• Compliance Program evaluation• Identify controls that make the process work : PROCESS AUDIT• Determine overall purpose effective: OUTCOMES AUDIT
– Resources available to execute plan– Consider integration with Internal Audit Plan – Identify timeframes for audits – Communication and Commitment to Plan
Copyright © 2004 Deloitte Development LLC. All rights reserved. 10Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 10
2004 Pharmaceutical Regulatory
and Compliance CongressDeveloping Your Audit Approach
•Deciding the scope– Narrow down the purpose of the audit– Avoid scope creep before you start
•Resources available to execute the audit •Methodology •Sample size determination•Communication/Reporting Results
Copyright © 2004 Deloitte Development LLC. All rights reserved. 11Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 11
2004 Pharmaceutical Regulatory
and Compliance Congress
•Things to Consider:– The purpose of the sample or the review objective– The universe/population/sources of data– The size of the sample– What you are going to do with the results
Sampling Methodologies
Copyright © 2004 Deloitte Development LLC. All rights reserved. 12Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 12
2004 Pharmaceutical Regulatory
and Compliance CongressSampling Methodology
• What should you consider before you decide what your sample size will be?– Who do you expect to share the information with and what is
their frame of reference?– Are you trying to figure out whether there is really a problem?– What is the organization’s perspective on “fixing” problems?– What resources are available to audit this area?– Does Senior Management agree this risk area is important?– What is the worst case scenario if this audit reflects unfavorable
outcomes?
• Attorney/Client Privilege?
Copyright © 2004 Deloitte Development LLC. All rights reserved. 13Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 13
2004 Pharmaceutical Regulatory
and Compliance CongressPurpose of the Sample
•Is the review for:– Self - disclosure?– Education?– Part of an on-going monitoring plan?– Response to the federal government, subpoena,
carrier or FI?– Known risk area?
Copyright © 2004 Deloitte Development LLC. All rights reserved. 14Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 14
2004 Pharmaceutical Regulatory
and Compliance CongressOther Considerations
•Priority– Internal –External
•Timeframe of data collection– concurrent– retrospective
•Availability of data–Manual–Leverage Technology
Copyright © 2004 Deloitte Development LLC. All rights reserved. 15Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 15
2004 Pharmaceutical Regulatory
and Compliance Congress
Tools Pros Cons
Manual Checklists •Low cost•No training required•Easy to customize
•Administration effort (collation of results)•Reporting effort
Excel based Spreadsheets (signoff process administered via email or on central server)
•Low cost•Simple, adaptable•Limited user training•Limited IT involvement
•Ongoing maintenance•Limited scalability•Limited reporting•Many efforts remain manual
Access based Databases
•Low cost•Simple, adaptable•Limited user training•Limited IT involvement•Enhanced reporting options
•Accessibility (not web enabled)•Limited scalability•Training may be required•No transparent dashboard reporting
Web based Assessment Systems
•Increased functionality•Usable for sophisticated, complex cos.•Improved reporting (dashboard)•Scalable
•Technology implementation effort & cost •Significant IT involvement•Ongoing maintenance – security, reporting
Sop
his
ticati
on
of
solu
tion
Leveraging Technology
Copyright © 2004 Deloitte Development LLC. All rights reserved. 16Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 16
2004 Pharmaceutical Regulatory
and Compliance CongressPractical Application : Case Study
• Define Review Scope & Assumptions
• Develop Review Criteria
• Conduct Review
• Document Findings and Observations
• Obtain Management Response
• Finalize Report & Corrective Action Plan
Compliance TrainingCompliance Training
Risk Area Review Process
Managed Care ContractingManaged Care Contracting
Copyright © 2004 Deloitte Development LLC. All rights reserved. 17Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 17
2004 Pharmaceutical Regulatory
and Compliance CongressCase Study
• Define Review Scope & Assumptions– Conduct interviews with Business Process Owners– Review Policies & Procedures– Review Education and Training materials– Document scope & assumptions
• Develop Review Criteria– Test Review Criteria– Enter criteria into database
• Conduct Review– Review documentation– Enter findings into database
• Document Findings and Observations• Query database for exception findings
– Summarize observations– Develop recommendations
• Obtain Management Response– Share findings with Business Process Owners– Obtain reactions to recommendations– Draft a Corrective Action Plan
• Finalize Report & Corrective Action Plan
Compliance TrainingCompliance Training
Risk Area Review Process
Managed Care ContractingManaged Care Contracting
Copyright © 2004 Deloitte Development LLC. All rights reserved. 18Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 18
2004 Pharmaceutical Regulatory
and Compliance CongressCorrective Action Plan
Area of Focus Finding Recommendation Management Action Plan
Acct/Timeframes
1. Contract load 1. 20% data errors in contract load
2. Etc.
Periodically review data entry
Etc.
Develop a periodic review system
Accountable Party:John Smith, VP
Timeframe:2nd Quarter
Copyright © 2004 Deloitte Development LLC. All rights reserved. 19Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 19
2004 Pharmaceutical Regulatory
and Compliance Congress
Admissions
Customer Service
Marketing
Medical Records
Priv
acy
Indu
cem
ents
Privacy Notice
Employee Training
Complaints
Employee Discipline
Authorizations
Minimum Necessary
Access to Records
Amendment of Records
Confidential Communications
Facility Directory
Business Associate Agreements
Risk AreaDepartment
Or
•Develop the Report Card
Sample Report Card
Copyright © 2004 Deloitte Development LLC. All rights reserved. 20Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 20
2004 Pharmaceutical Regulatory
and Compliance CongressIntegration into Business Strategy
•Use monitoring findings to develop and document ROI
•Assist the business process owners to identify root cause of findings
•Use corrective action to enhance efficiency and mitigate risk
•Organization-wide (vs. silo) allow program leverage
Copyright © 2004 Deloitte Development LLC. All rights reserved. 21Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 21
2004 Pharmaceutical Regulatory
and Compliance CongressSummary
• An effective Auditing and Monitoring approach provides a method to:– Assist in identifying risk to the business that may have been
otherwise undetected internally– Assist by identifying if the controls developed to remediate a risk
are working and have actually helped to mitigate the risk– Assist with preventing a real and/or potential risk from escalating
by early detection through auditing which may help avoid additional harm to the company’s business
– Provides a “good faith” organization the ability to approach their real and/or potential risk weaknesses with a reasonable, scaleable method
• Auditing and Monitoring is a critical element for an effective compliance program which helps to drive compliance and behavior.
Copyright © 2004 Deloitte Development LLC. All rights reserved. 22Confidential and Proprietary Material of Deloitte Consulting. Copyright © 2002 Deloitte Consulting (US) LLC. All Rights Reserved 22
2004 Pharmaceutical Regulatory
and Compliance Congress
Karen R. Lines, Esq.Associate General CounselGenentech, Inc.South San Francisco, [email protected](650) 225-8673
Ms. Lines is Associate General Counsel with Genentech, Inc. in South San Francisco, California. Genentech, Inc. is a biotechnology company that discovers, develops, manufactures and markets human pharmaceuticals for significant unmet medical needs. She manages a team of lawyers responsible for providing legal advice and guidance to Genentech’s commercial organization. In the past few years, much of her focus has been on leading ongoing efforts to enhance Genentech’s Commercial Compliance Program. She began her legal career in private practice in Wilmington, Delaware. Ms. Lines is admitted to the practice of law in California, Delaware and Pennsylvania.
Sheryl Vacca, CHCWest Coast Practice LeaderLife Sciences and Health Care RegulatoryDeloitte & Touche LLP(714) [email protected]
Ms. Vacca is the West coast Leader for Deloitte & Touche’s National Life Sciences and Health Care Regulatory practice. She has assisted several life science companies develop their compliance programs, investigations, perform risk assessments and develop auditing and monitoring plans for the compliance department. She has significant experience consulting with life sciences and health care organizations on compliance issues including self disclosure, writing plans of correction, implementing systems in response to plans of correction, implementing QA systems and general regulatory compliance.