Building a sanctioned provider testing program

Building a Sanctioned Provider Testing Program
September 19th, 2016
Stephen Siano, IT Audit Manager – C.R. Bard
Robert Luu, Senior Solution Leader - ACL


Page 2: Building a sanctioned provider testing program

Agenda

• Background
• Why are we here?
• Common Challenges
• How can ACL help?
• Who else needs to be involved?
• Quick Demonstration / Overview
• Wrap up / Q&A

Page 3: Building a sanctioned provider testing program

Background

A variety of regulations around the world hinge on ensuring that disbursements are made in accordance with the applicable laws of the countries in which a company does business.

• FCPA (Foreign Corrupt Practices Act) – Prohibits companies from paying bribes to foreign government officials and political figures for the purpose of obtaining business.

• PPSA (Physician Payments Sunshine Act) – Part of the Affordable Care Act. Payments or other transfers of value to physicians and teaching hospitals must be reported to the Secretary of HHS.

• UK Bribery Act – Passed in 2010, contains 4 general offenses: promising or giving of an advantage; requesting, agreeing to receive or accepting of an advantage; bribery of a foreign public official; and failure to prevent a bribe being paid to obtain or retain resources.

• Canadian Corruption of Foreign Public Officials Act (CFPOA) – “Every person commits an offence who, in order to obtain or retain an advantage in the course of business, directly or indirectly gives, offers or agrees to give or offer a loan, reward, advantage or benefit of any kind to a foreign public official or to any person for the benefit of a foreign public official” (1)

1 - http://laws-lois.justice.gc.ca/eng/acts/c-45.2/page-1.html#h-2

Page 4: Building a sanctioned provider testing program

Digging into the Details…

What are we really talking about here?

*Comparing your organization’s data against a globally recognized / authoritative source of “bad guys” (individuals and entities)*

Some lists we’ve come across or heard of include:

• PEP (Politically Exposed Persons)
• OFAC (Office of Foreign Assets Control) list - SDN (Specially Designated Nationals)
• SAM (System for Award Management) - entity records from CCR/FedReg and ORCA and exclusion records from EPLS
• OIG LEIE (Office of the Inspector General; List of Excluded Individuals and Entities)

Warning from SAM.gov (1): [image not included in transcript]

1 - https://www.sam.gov

Page 5: Building a sanctioned provider testing program

Why?

Why should we perform sanctioned vendor / individual matching?

To help your company avoid fines and other penalties, which,

Saves your company money, which,

May advance your career

Also,

• Reputational Damage – your company’s name in the headlines

• Be a positive influence on the bottom line instead of a cost center

• Sense of Business Ethics (Do you want to fund criminals: terrorists, arms dealers, drug dealers, etc.?)

Your CEO

Page 6: Building a sanctioned provider testing program

There’s A Lot at Stake…

1 - http://www.fcpablog.com/blog/2016/4/1/fcpa-enforcement-report-for-q1-2016.html

2 - http://www.nytimes.com/2010/02/06/business/global/06bribe.html?_r=0

Page 7: Building a sanctioned provider testing program

Tweetable Takeaways

@ACL_RobLuu

#ACLCONNECTIONS

Page 8: Building a sanctioned provider testing program

Common Challenges

Page 9: Building a sanctioned provider testing program

Common Challenges

• Support from Management

• Gaining access to and retrieving sanctioned vendor lists from online resources
  • PEP (Politically Exposed Persons)
  • OFAC (Office of Foreign Assets Control) list - SDN (Specially Designated Nationals)
  • SAM (System for Award Management) - entity records from CCR/FedReg and ORCA and exclusion records from EPLS
  • OIG LEIE

• Multiple Vendor Management or Employee Master data sources

• Complex Name Matching

[Diagram: Sanctioned Vendor List, with PEP, SAM, OFAC and OIG LEIE]

Page 10: Building a sanctioned provider testing program

Common Challenges

Name Matching - how do we know if we have a hit? How do we know we don’t?

• Normalize data
• Straight perfect match – higher degree of accuracy, lower # of hits
• Removing “extras” (prefixes, suffixes, middle initials?, etc.)
• Fuzzy matching
• SoundEx, Soundslike
• DICE Coefficient
• NYSIIS

Where do I go for additional help?

■ https://www.treasury.gov/resource-center/faqs/Sanctions/Pages/faq_compliance.aspx
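
The name-matching steps on this slide, worked through in Python as an added example (not from the presentation and not an ACL ScriptHub script): normalize, try a straight match, then fall back to a Dice coefficient over character bigrams and to Soundex. The names, the `EXTRAS` list and the 0.8 threshold are constructed assumptions; every hit is a candidate for manual review, not a confirmed match.

```python
import re
import unicodedata

# Constructed sample data: not real list entries or real vendors.
SANCTIONED = ["Jonathan A. Smythe", "Acme Trading Co., Ltd.", "Dr. Maria Gonzalez"]
EXTRAS = {"mr", "mrs", "ms", "dr", "jr", "sr", "inc", "llc", "ltd", "co", "corp", "company"}
CODES = {c: d for d, grp in enumerate(["bfpv", "cgjkqsxz", "dt", "l", "mn", "r"], 1) for c in grp}

def normalize(name):
    """Lower-case, strip accents and punctuation, drop extras and initials, sort tokens."""
    text = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.sub(r"[^a-z ]", " ", text.lower()).split()
    return " ".join(sorted(t for t in tokens if t not in EXTRAS and len(t) > 1))

def dice(a, b):
    """Dice coefficient over sets of character bigrams: 2*|A&B| / (|A|+|B|)."""
    A = {a[i:i + 2] for i in range(len(a) - 1)}
    B = {b[i:i + 2] for i in range(len(b) - 1)}
    return 2 * len(A & B) / (len(A) + len(B)) if A and B else 0.0

def soundex(word):
    """American Soundex: first letter plus three digits."""
    out, prev = word[0].upper(), CODES.get(word[0])
    for ch in word[1:]:
        code = CODES.get(ch)
        if code and code != prev:
            out += str(code)
        if ch not in "hw":  # h and w do not separate letters with the same code
            prev = code
    return (out + "000")[:4]

def screen(vendor, threshold=0.8):
    """Return (list_entry, method, dice_score) candidates for manual review."""
    v, hits = normalize(vendor), []
    for entry in SANCTIONED if v else []:  # an empty normalized name matches nothing
        s = normalize(entry)
        score = dice(v, s)
        if v == s:
            hits.append((entry, "exact", 1.0))
        elif score >= threshold:
            hits.append((entry, "dice", round(score, 2)))
        elif {soundex(t) for t in v.split()} == {soundex(t) for t in s.split()}:
            hits.append((entry, "soundex", round(score, 2)))
    return hits

if __name__ == "__main__":
    for vendor in ["SMYTHE, JONATHAN", "Jonathon Smith", "ACME TRADNG COMPANY", "Blue River Supplies"]:
        print(vendor, "->", screen(vendor))
```

The reordered name is caught by the straight match after normalization, the misspelled company by Dice, and the spelling variant only by Soundex, which is why the slide lists several techniques rather than one.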

Page 11: Building a sanctioned provider testing program

Tweetable Takeaways

Your analysis will only be as good as your data, so if relying on a 3rd party source, make sure to get the best available.

@ACL_RobLuu

#ACLCONNECTIONS

Page 12: Building a sanctioned provider testing program

How can ACL help?

Page 13: Building a sanctioned provider testing program

How can ACL help?

Don’t re-invent the wheel

ACL provides Inspirations on how to tackle these challenges and also provides pre-written scripts within ScriptHub

Page 14: Building a sanctioned provider testing program

How can ACL help?

Page 15: Building a sanctioned provider testing program

How can ACL help?

Page 16: Building a sanctioned provider testing program

Who else needs to be involved?

Page 17: Building a sanctioned provider testing program

Who else needs to be involved?

Sunshine Act & FCPA – complying with Anti-Corruption / Compliance Policies

For example, if spending with 3rd parties, need to answer questions:

• Charitable Contribution Due Diligence Checklist
  • Amount Requested, Who’s Requesting, Purpose of Contribution
  • Has the entity received contributions in the past?
  • Is the receiver a government entity or affiliated with a government entity?

• Request For Approval of Sponsorship of Healthcare Professional to Attend a Medical Education Event
  • Who is sponsoring the event?
  • Provide the total budget for the event and provide an itemized cost breakdown

• Gift Giving to Healthcare Professionals or Government Officials
  • Is the value of the proposed gift over $25?
  • Does the gift elevate the annual gift to the HCP total to over $250 for the year?
  • Will the gift be given in the form of cash or a cash equivalent (gift card, etc.)?

Page 18: Building a sanctioned provider testing program

Disbursement Categories – How to Mitigate Risk

Disbursements can be broken down into 3 main categories:

1) Expenses Unrelated to Government Officials, HCPs, etc.

- Subject to normal set of data analytics used for audit support (ad-hoc) or continuous controls monitoring (ACL Analytics or AX (Audit Exchange))

2) Reported through approval process of expenditures

- Data Driven Questionnaires in ACL Results Manager – customized for FCPA, Sunshine Act, UK Bribery, etc.

3) Unreported Expenses Related to Government Officials, HCPs, etc.

- Detective Process – Identify expenses “under the radar” (riskiest because they haven’t been reported)

Page 19: Building a sanctioned provider testing program

Who needs to see the results?

Page 20: Building a sanctioned provider testing program

Let’s take a look!

Page 21: Building a sanctioned provider testing program

https://www.justice.gov/opa/file/838386/download

Page 22: Building a sanctioned provider testing program

Q&A