By: Meredith Taylor, Esq., CIS Senior Compliance Manager
In order to have an effective Corporate Compliance Program, it is not sufficient to point to a binder full of Policies and Procedures on your Compliance Officer’s desk. This is a common pitfall for many pharmaceutical companies that do not have a robust Corporate Compliance Program and do not have many resources to implement, monitor, and audit the documents. Without a process in place to monitor and audit employees’ compliance with written Policies and Procedures, the documents are nothing more than words on a page, and they certainly do not constitute a Corporate Compliance Program.
Does this sound at all familiar? Imagine that PharmaCo is a small pharmaceutical company with 10 NDCs. The Compliance Officer is also the VP Finance, with no compliance staff to support him. The Compliance Officer, in an attempt to create an effective Compliance Program pursuant to OIG guidelines, decides that Sales and Marketing and Operational Compliance documents must be drafted. He studies the relevant laws, regulations, and guidance documents; conducts interviews and meets with key stakeholders; and begins to draft the documents. After a year of hard work and long hours, PharmaCo has plethora of Corporate Compliance documents! The Compliance Officer follows his new Document Control SOP, finalizes all of the documents, and ensures that they are signed. Over the course of the next few months, the Compliance Officer holds various training sessions for relevant employees, and all the employees sign off on the documents, pursuant to the new Training SOP. A few months pass, and there are some regulatory and company changes that require him to update his documents. He does this, and holds the appropriate training sessions. This pattern goes on for the next two years.
Seems like PharmaCo is in pretty good shape right? Not quite. PharmaCo failed to monitor and audit its employees’ compliance with the terms of its Policies and Procedures. For all the Compliance Officer knows, the sales reps could be distributing sports tickets to doctors, the Marketing Department could be promoting the Grants Program, and employees could be forgetting to retain documents pursuant to the Document Retention Policy. Just having the documents and training the employees on them is not enough; there is no way to know if the employees are compliant without systematically monitoring and auditing their compliance.
Monitoring and auditing may seem synonymous, but I can assure you they are not. Your Company must conduct both on an annual basis in order to maintain an effective Corporate Compliance Program.
Monitoring
Monitoring is defined as ongoing, real-time checks and balances implemented and executed by a functional/operational group to ensure proactive evaluation, identification, and mitigation of risk.
Monitoring is typically performed by the Corporate Compliance Officer. It is his or her responsibility to determine whether employees are complying with established Policies and Procedures, and whether the documents should be revised. Typically, documents are scheduled for monitoring every quarter, but monitoring can also take place on an ad hoc basis when deemed necessary. The Compliance Officer will review those documents to ensure that they still make sense from a compliance standpoint; he may also seek assistance from the legal department. If he feels there is a need to revise a document, it should be put through the Document Control process. Assuming the document is sound, he will interview a few (not many and not randomly selected) employees, pull training records to ensure employees are being trained, review call notes or other documentation (not many and not randomly selected), etc to see if the employees are following the policies and procedures in those documents. If not, the document should be re-reviewed by the Compliance Officer and another member of senior management, and revised if necessary.
Monitoring is defined as ongoing, real-time checks and balances implemented and executed by a functional/operational group to ensure proactive evaluation, identification, and mitigation of risk.
Monitoring is typically performed by the Corporate Compliance Officer. It is his or her responsibility to determine whether employees are complying with established Policies and Procedures, and whether the documents should be revised. Typically, documents are scheduled for monitoring every quarter, but monitoring can also take place on an ad hoc basis when deemed necessary. The Compliance Officer will review those documents to ensure that they still make sense from a compliance standpoint; he may also seek assistance from the legal department. If he feels there is a need to revise a document, it should be put through the Document Control process. Assuming the document is sound, he will interview a few (not many and not randomly selected) employees, pull training records to ensure employees are being trained, review call notes or other documentation (not many and not randomly selected), etc to see if the employees are following the policies and procedures in those documents. If not, the document should be re-reviewed by the Compliance Officer and another member of senior management, and revised if necessary.
The training materials should also be reviewed and revised if necessary to ensure they are in line with the document. Then, training should be held again for relevant employees. This document should be monitored again at least one year later.
Auditing
Auditing is defined as the routine evaluation of the effectiveness of controls and adherence to laws, regulations, and guidance documents as incorporated in Company Policies and Procedures. Audits should be performed by a party who possesses substantive expertise in the subject matter, but is not affiliated with the functional/operational group or task being audited.
Audits typically assume the legal sanctity of the Policies and Procedures, and test criteria is prepared to test compliance against the requirements in the documents.
The process of auditing compliance with the documents begins by selecting a sample size. This typically should be random, but some subjective decision making may be required. Next, a formal communication should go out to all employees in the sample, and to all audit sponsors, to announce the audit. A document request may also be distributed to the sample size. The employees in the sample size are then interviewed, and may be asked to perform a task. The auditors may then perform the same task, using the Policy and/or Procedure document as a guide, to ascertain if the same result is found. Testing criteria against the Policy and Procedure is typically developed and completed during a review of any documentation. A final Audit Report is prepared with a section for Management Reponses. The key stakeholders have an opportunity to respond and remediate.
Here is a summary chart (courtesy of Clarissa Crain, CIS Compliance Director) to decipher between Monitoring and Auditing:
I cannot stress enough how important it is to systematically monitor and audit compliance with your Policies and Procedures. If the Government ever audits your compliance in this area, it will want to know whether your documents are actually implemented and whether employees are truly complying with them.
0 COMMENT ON THIS ARTICLE:
Post a Comment