Internal Controls and Monitoring 28 9-2015

COMPLIANCE PROGRAM. Madrid, 27 April 2015. Jose Manuel Garcelan. How to Conduct a Comprehensive Compliance Risk Assessment and Build an Effective Compliance Program

Transcript of Internal Controls and Monitoring 28 9-2015

Page 1: Internal Controls and Monitoring 28 9-2015

Jose Manuel Garcelan

COMPLIANCE PROGRAM

Madrid, 27 April 2015

How to Conduct a Comprehensive Compliance Risk Assessment and Build an Effective Compliance Program


Bio Introduction

An experienced Ethics & Compliance Director, supported by a wide background occupying positions of increasing responsibility in Compliance, Ethics, Privacy and Finance and in other functions in the Internal Control and optimization of resources. Experience in successful implementation and management of robust integrated customized compliance programs across various countries.

Jose Manuel Garcelan, es.linkedin.com/in/JoseManuelGarcelan


Education

• 2004: MBA Executive Master in Pharma business. EPHOS-Escuela Superior de Estudios Farmacéuticos, Madrid, Spain
• 1991-1993: Degree in Economics, Specialty in Finance. Universidad Complutense de Madrid, Madrid, Spain
• 1987-1990: Graduate in Business Administration, Specialty: Marketing. Escuela Univ. de Estudios Empresariales Complutense, Madrid, Spain

LANGUAGES

Spanish – Mother Tongue. Fluent in English and basic knowledge of French.

FURTHER LEGAL TRAINING

• 2015 Legal-Compliance Post-grade - Universidad Carlos III De Madrid
• 2010 Healthcare Compliance Ethics & Regulation Certification - Seton Hall Law / Sciencespo Paris, France
• 2013 Certified Information Privacy Professional/Europe - (CIPP/E) International Association


Professional Experience

• April 2015-Present: COMPLIANCE CONSULTANCY
• 2009-2015: MERCK SHARP & DOHME, Chief Compliance & Privacy Officer Director, Spain and Portugal
• 1996-2009: SCHERING-PLOUGH
  2006-2009 Compliance & Business Practices Director
  2001-2005 Accounting, Internal Audit And Tax Asoc. Director
  1996-2000 Controlling And Reporting Finance Manager
• 1995-1996: QUESERÍAS BEL ESPAÑA, Administration Manager
• 1990-1995: SWATCH, Finance Manager
• 1986-1990: ZAMBELETTI ESPAÑA, Finance Senior Analyst


AGENDA

MONITORING, EVALUATING, REPORTING & AUDITING

• Defense lines and Risk Concept
• How to trace payments through Monitoring
• Working with finance, internal audit and accounting departments in Compliance
• Reporting
• Auditing
• Reporting findings to compliance officers, audit committees and legal counsel
• How to implement controls to prevent improper payments and fraud

WHISTLEBLOWING, INVESTIGATIONS & REMEDIATION, DISCIPLINE & RESPONSE

• Why you need a whistleblowing program and how to make it work in Spain
• Data Protection: the new face of privacy compliance
• Employees facing corruption: aligning anti-corruption measures to the influencing factors of decision-making


MONITORING, EVALUATING, REPORTING & AUDITING


[Diagram labels: Strategy, Risk, Processes, Procedures, Control, Evidence, Policies]


Monitoring

The CMS must be monitored to ensure its adequate performance. This monitoring must be continuous.

Compliance monitoring is the process by which information indicative of the effectiveness of the CMS and its performance is obtained. It includes, among other things:

1. Effectiveness of training.
2. Effectiveness of controls, assessed through sampling.
3. Effectiveness of the assignment of Compliance responsibilities.
4. Effectiveness in correcting nonconformities and noncompliances, etc.


Methods for gathering information

There are many methods for obtaining information useful for assessing the performance of the CMS and the culture of compliance, among them:

‐ Periodic reports and the reports made when noncompliances occur.
‐ Information obtained through communication and/or reporting channels.
‐ Information obtained through compliance barometers and DD.
‐ Information obtained from control systems and data analytics.
‐ etc.


Information analysis and classification

Effective classification and management of information is fundamental. The CMS must incorporate a system for classifying information according to, for example, its origin, department, description of the noncompliance, indicators, etc.

Well-managed information makes it possible to analyze the root causes of noncompliances and detect recurring problems.


Development of indicators

Indicators are needed to show whether compliance objectives have been achieved and thereby quantify the organization's performance in Compliance matters. These indicators are important for evidencing the effectiveness of the CMS. They may include, among other things:

Active indicators
‐ Percentages and frequency of training.
‐ Level of use of feedback mechanisms (communication/reporting channels), etc.

Reactive indicators
‐ Noncompliances detected and their consequences, as well as corrective actions, etc.

Predictive indicators
‐ Noncompliance trends, new compliance risks, etc.


My Expertise and Specialty: Compliance Analytics

“The bar is raised”: Compliance Monitoring now requires big data analytics

Russia Business Analytics Observations - October 2012
Data Range: January 2012 - June 2012

Columns: Area | Observations | Management Actions | Owner | Due Date

Government Intermediaries
  Observation 1: Not clear if list of 51 government intermediaries is complete (customs agents, meeting logistics agencies).
  Management action 1: Edit the customer master file and include an indicator if customer is gvt intermediary or not in SAP. Owner: Dmitry & Marina De Rosa.
  Observation 2: Unclear if the right people are on the list.
  Management action 2: Reconfirm the accuracy and completeness of list - ensure only the gvt intermediaries that need to be on the list are & provide dialogue to management on why certain items are on the list or not. Owner: Nicolai.

Training Completion
  Observation 1: Significant percentage of colleagues in Russia that have NOT taken training:
    FCPA: 35% (324 colleagues incomplete)
    FYEO: 48% (444 colleagues incomplete)
    Privacy: 54% (505 colleagues incomplete)
    OVS: 90% (836 due by 10/31)
  Management action 1: Focus on getting FCPA training complete in October.

Audit Commitments
  Observation 1: Two open audit commitments due in Sep (Diethard) (6/29/2012 - "Distributor Margins for Tender Business" and 2/27/2012 - "Travel & Entertainment").
  Management action 1: Close open audit items from September. Owner: Diethard.
  Observation 2: One open audit commitment due in Dec from 2/27/2012 - "Meetings with HCPS". Owner: Marina De Rosa. Due date: Dec-12.

Employees
  Observation 1: Turnover rate is steadily around 22%; no significant increase or decrease in the past 12 months.
  Observation 2: 13 out of 99 procedures do not have any dates (no creation/last update).
  Observation 3: 31 out of 99 procedures were last updated 2-3 years ago.

Distributor
  Observation 1: 5 out of 14 distributors have inconsistent gross to net percentage. Typical = 7%, range of 5 outliers are 16%-37%.
  Management action 1: Investigate root cause.
  Observation 2: One distributor has negative sales.
  Management action 2: Investigate root cause.
  Observation 3: 13 out of 60 products (22%) have inconsistencies in distributor bonus, composing 10.5% of total sales (42 track consistently, 5 only have 1 distributor).
  Management action 3: Investigate the 13 products and determine root cause for deviation from typical bonus.

T&E
  Observation 1: 12% of employees on average exceed the 8000p limit per month.
  Observation 2: 351000p reimbursed above June limit.
  Observation 3: Fourth highest risk score, is the 2nd biggest spender.
  Observation 4: 15 people have over 20 rounded (to the nearest 500p) transactions in over 6 months (doesn't include per diem).
  Observation 5: 50% of spend is made up of mini meetings and gasoline (51Mp).

Grants
  Observation 1: Total dollars in grants: 8.1Mp (250K USD) across 25 entities. Not clear if transactions went through company's donations committee.
  Management action 1: Confirm with the minutes of the donation committee that all transactions went through the committee.

HCP
  Observation 1: Unclear if data is accurate.
  Management action 1: Get new set of data, and upload to Spotfire. Re-assess how many HCPs are over the limit.
  Management action 2: Use payroll to verify aggregate number.

Meetings
  Observation 1: Not able to clearly monitor total spend by meeting or expense type: inconsistent recording of expenses across meeting types & expense types.
  Management action 1: Need launch of new meeting management system.
  Observation 2: Not all meetings are planned into SAP: manual aggregate spend includes estimates.
  Management action 2: Edit accounts in SAP. Determine timing if October or Jan 1.

Management action with no recoverable row in the extracted table: 1. Investigate root cause.

[Diagram labels: Dashboard, Action Items, Analysis; PREVENT, DETECT, CORRECT]

RECOGNITION: BEST SELF-STARTER

I have created a new Spotfire model to be able to manage: prevention, detection and correction of Compliance Risks in the Organization


Compliance Dashboard Design

• Sales Activities: Gross to Net Sales & Trend; Sales by Products/Customers; Discounts; Free Goods; Credit Notes/Returns; Payments to Sales Customers; Distributor Interactions (Tenders); Government Intermediaries (Distributors)
• HCP/AHCP Interactions: Fees for Services; Sponsorships; T&E; Samples
• Disbursements: Grants, Donations and Charitable Contributions; All Other third party Payments; Government Intermediaries (Other)
• Compliance Activities: Training; Audit Remediation; Promotional Materials; Employee; Patient Programs; Product Safety Request

Each risk and domain are evaluated per market for relevancy and data availability. Local markets may choose to add additional monitoring elements based on market needs.

Data / Risk Prioritization Model

Residual Risk | Data: Not currently Available | Data: Available with Effort | Data: Readily Available
High | Work towards Obtaining Data | Dashboard Candidates | Dashboard Candidates
Medium | Candidate When Available | Candidate When Available | Dashboard Candidate
Low | Not Included in Dashboard | Not Included in Dashboard | Not Included in Dashboard


Examples of Signals (I): Sales Activities

PERCENTAGE OF DISCOUNT BY CUSTOMER: Are any customers getting discount above the limits per commercial policy or compared to similar customers? Ensure that customers are aligned to the type of discounts allowed.

FREE GOODS: If expectation is no free goods, check if there are any products/distributors getting discount of 100%. If there are products in this case, ensure we have controls in place to handle free goods.

[Chart callouts: Outliers; High Discounts; 100% Discounts]


Examples of Signals (II): Disbursements & Compliance Activities

PAYMENTS: View actual payments to vendors for unusual activity such as travel expenses paid via PO, Vendors over authorization limits, or high payments to HCPs or Customers.

THIRD PARTY INTERMEDIARIES: Identify where third parties have not followed the proper approval process, documentation is missing, or contracts are invalid.

[Chart callouts: Authorization Limit; Outliers; Non Valid Contracts]


Compliance reporting

The governing body, senior management and the management team must be informed of the organization's Compliance performance, including any relevant noncompliances that have occurred. This entails including different reporting mechanisms, which may provide for receipt and signature.

Reporting will cover, for example:

‐ Matters that must be reported to the regulator.
‐ Noncompliances that have occurred and their consequences.
‐ Corrective actions adopted.
‐ Audit results, etc.


Actions in response to nonconformities and noncompliances

When a nonconformity or noncompliance is detected, action must be taken to correct it and manage its consequences.

The root cause of the nonconformity or noncompliance will be assessed in order to develop appropriate actions, and the effectiveness of the corrective actions will be verified (correcting procedures and/or controls, changing training, early warning when there is evidence, improving escalation mechanisms, etc.).


Record keeping

Adequate records of Compliance activities must be kept so that they can be monitored or audited. They will be protected by the relevant security measures.


AUDIT

The organization will carry out audits at scheduled intervals (planned audit). The audit will verify that the criteria of the standard are being followed and that the CMS is being properly executed.

The audit must be carried out in a way that guarantees objectivity and impartiality.


Continuous improvement

All information obtained and managed on Compliance matters must be used to detect opportunities for improvement and to take actions aimed at continuously improving the CMS.


WHISTLEBLOWING, INVESTIGATIONS & REMEDIATION, DISCIPLINE & RESPONSE

Why you need a whistleblowing program and how to make it work in Spain


3/1000


Some Tips


The greatest protection against corruption is an effective compliance program.
