global compliance auditing & monitoringalso graduated at the amp program at iese in barcelona. 5...
TRANSCRIPT
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.
Global Compliance Auditing & Monitoring
Presented by:
L. Stephan Vincze, Director, Deloitte Financial
Advisory Services LLP
Luca M. Liberatore, Director Compliance
Amgen
Sharing of Best Practices
The International Pharmaceutical Compliance Congress, Budapest, Hungary
May 15, 2012
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.2
Agenda
Introductions
Key Global Compliance Auditing and Monitoring Considerations
Q&A / Thank You
Introductions
Steve VinczeL. Stephan Vincze (“Steve”), Director, Deloitte Financial Advisory Services LLP, Boston, MA. Steve serves as a Director of the Life Sciences practice within Forensic & Dispute Services, Deloitte Financial Advisory Services LLP (Deloitte FAS).
Mr. Vincze advises pharmaceutical, biotech and medical device companies on how to design and implement effective compliance structures and processes (to include due diligence, risk assessment, monitoring, training tools, and performance metric tools) to implement Corporate Integrity Agreements (“CIA’s”) with the Office of Inspector General (“OIG”) of the Department of Health and Human Services (“DHHS”) or Deferred Prosecution Agreements (“DPA’s) with the Department of Justice (“DOJ”).
Mr. Vincze joined Deloitte FAS after serving as vice president, ethics & compliance officer/privacy officer for TAP Pharmaceutical Products Inc. Among the first and largest of its kind in the pharmaceutical industry, “the TAP case” involved sales & marketing, drug pricing and sampling issues and resulted in an $885 million dollar settlement with the DOJ and a complex CIA with the DHHS OIG.
As part of Mr. Vincze’s responsibilities at TAP, he worked closely with the legal and compliance audit teams to conduct gap and risk assessments and made regular reports to the TAP Board of Directors and Executive Management Team. Mr. Vinczewas recruited by TAP in September 2001 to oversee and implement TAP’s 7-year CIA. Under Mr. Vincze’s leadership, TAP’sethics & compliance program was nationally recognized with awards for training and auditing excellence. Mr. Vinczesuccessfully negotiated with the OIG to terminate TAP’s CIA early. Mr. Vincze was recognized by his industry peers and The PharmaVoice trade journal as one of “The Pharma 100 Most Inspiring Leaders” in the pharmaceutical industry in 2007.
Prior to his TAP role, Mr. Vincze served as President and CEO of an award-winning national healthcare compliance consulting firm, Vincze & Frazer, LLC. Prior to his consulting experience, Mr. Vincze was recruited by Medaphis Corp. in Atlanta, GA in 1995 to serve as their first VP, Chief Compliance Officer and establish a compliance program. He was recruited from Washington, D.C. from his position as a counsel to the Committee on Government Reform in the U.S. House of Representatives, where he advised the Chairman on National Security matters and conducted investigations into matters of alleged fraud and abuse in the Department of Defense. He was recommended for this congressional position after distinguished service in the Office of the Secretary of Defense as an officer in the United States Marine Corps, receiving the Defense Meritorious Service Medal for exemplary service while at the Pentagon.
Mr. Vincze is a noted author and speaker, serving on several editorial advisory boards, and has been a guest lecturer at Harvard University and currently serves as an adjunct faculty member at the University of Miami School of Business Executive Education Program for life science executives in Latin America.
Mr. Vincze earned a bachelor's degree from Columbia University (A.B., History), law degrees from Georgetown University Law Center (LL.M., International & Comparative Law, with distinction) and Southern Methodist University School of Law (J.D.) and a Master of Business Administration degree (M.B.A) from the University of Chicago Booth School of Business.
4 As used in this document, “Deloitte” means Deloitte Financial Advisory Services LLP
Director Compliance, Large Countries and CEE, Amgen Int’l.
After joining Amgen Italy in 2002 as Director Regulatory and Government Relations, Luca held several positions of growing responsibility as Compliance Lead for the Italian Affiliate and Director Corporate Affairs. He then moved to Amgen Int’l in 2007 as Director Compliance for South Region and became Director Compliance for Large Countries and CEE in 2010.
Prior to that, Luca was a lawyer by practice, then served at CNR - National Research Council in Rome, Italy as Legal Advisor of the General Manager. In this capacity, he also coordinated legal and contractual aspects of the expansion of the Public Research Program in Southern Italy.
Luca received a degree in Law from University La Sapienza of Rome. He also graduated at the AMP Program at IESE in Barcelona.
5
Luca Liberatore
Key Global Compliance Auditing and Monitoring Considerations
Global Compliance Program
7
Governance
Compliance Professional
Policies & Procedures
Employee Training
ReportingSystems
Monitoring & Auditing
Corrective Action
A structure for managing regulatory risks within the enterprise
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.
8A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.
Strategic
Tactical (Planning)
Supervisory (Monitoring)
Operational (Transactional)
Product Devmt. Research Sales & Mktg.Regulatory
Strategic Planning
Financial & Back Office
Clinical Trials Mfg. Dist. & LogisticsPre-Clinical
Order Mgt.
Manufacturing
MPSMRP
Procurement
Demand Forecasting
Decision Information Collection and Mgmt
Product Planning
Product Creation
Finance and HRLot Management
LIMS
IP Mgmt
Formulation
Research
Developm
ent
Quality Control
Yield Tracking
Transportation Management
Lot Control
Pricing
Compensation Planning
Com
mercial
Inventory Control
Product Recall
CRM
Product Disposition
Market Strategy
Tax Strategy
Market Analysis
Pharmacol ogy
Self Service
Project Costing
Strategic Planning
Clinical Research
Clinical
Protocol Development
Bio Statistics
Site Management
Data Management
MES
TaxePedigreeDocument
Management
Pre-Clinical
Silo-ed Operations Has Lead to Silo-ed Compliance
9A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.
Current State Future State
• Managed in silo’s• Mostly reactionary• More projects than programs• Handled separately from
mainstream processes and decision-making
• People used as middleware• Limited and fragmented use of information
technology
• Enterprise approach• Integrated compliance program• Program based approach• Embedded within business
processes and decision-making • Effective use of information
technology
The Transformation Opportunity
10A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.
• Changing regulations that require greater global consistency, speed, integration, coordination and reporting in a more highly regulated global market place with greater risks are driving this evolution toward “enlightened decentralization.”
• The goal is a fully integrated global program across business units that achieves the right mix between global consistency with local customization to achieve maximum compliance and business effectiveness.
Global Compliance Programs are moving toward a more centralized oversight model, acting as a hub to coordinate key global processes and policies
11A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.
Compliance Road MapMonitoring & Auditing
• Develop auditing & monitoring plan
• Develop auditing and monitoring tools
• Prepare for each “audit”
• Define scope
• Define sample
• Test tool – inter-rater reliability
• Conduct review
• Document findings and observations
• Obtain management corrective action plan
• Confirm correction
Test Inter-raterReliability
Conduct Review
Document Observations& Findings
Obtain Management Response
Finalize Report& Corrective
Action Plan
DefineReview Scope &
Assumptions
Develop ReviewCriteria
Define ReviewSample
12A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.
Policies/ Procedures/ Training
Compliance RisksCompliance Risks
Prioritize
Resources Reprioritize Risks
Aggregation
of
Data
Policies/Procedures/TrainingPolicies/Procedures/Training
Compliance
"Audits"
Compliance
"Audits"
Compliance
CSA &
Monitoring
Compliance
CSA &
Monitoring
Compliance
Investigations
Compliance
Investigations
Compliance Data
Analysis and reporting of effectiveness of policies, procedures and
training
Enhancement of
Infrastructure
Aggregation of
Data
Enforcement of Standards
“Audit” in the context of a risk-based approach
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.13
DefineReview Scope &
Assumptions
ReviewProcess for
Each Risk Area
Conduct Review
Develop ReviewCriteria
Define ReviewSample
Obtain Management
Response
Test InterrelatorReliability
Document Observations & Findings
Finalize Report &
Corrective Action Plan
The Review Process
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.14
DefineReview Scope &
Assumptions
Develop ReviewCriteria
Define ReviewSample
Test InterrelatorReliabilityConduct Review
Document Observations
& Findings
Obtain Management
Response
Finalize Report& Corrective Action Plan
DefineReview Scope & Assumptions
Develop ReviewCriteria
Define ReviewSample
Conduct Review
Document Observations
& Findings
Obtain Management
Response
DefineReview Scope &
Assumptions
DevelopReviewCriteria
Define Review Sample
Test InterrelatorReliability
ConductReview
Document Observations
& Findings
Finalize Report& Corrective Action Plan
Monitoring never ends… each review leads to the next, and the monitoring plan and unplanned issues drive additional monitoring activities. It is a continuous process…
The Monitoring Plan
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.15
• Risk Assessment Data• Interviews with Senior Leadership• Input from Compliance Organizations and Legal• Linked to Enterprise Risk Management activities
Sample Risk Drivers
– Sales Growth
– Staff Inexperience Factor
– External Ethical Environment
– Prior “Audit”
– Management Team Turnover
– Self Assessment QuestionnaireR
isk
Impa
ctRisk Potential
Annual “Audit” Plan Development a Risk-Based Approach
“It is part of our business processes and practices”
“We do just as much as we have to do”
“It’s just a part of doing business”
“It helps us proactively remove potential liabilities”
“It is an integral part of how we do business and who we are as an organization”
Organizational dimensions drive increased maturity of the organization’s compliance programs and overall culture of compliance
Org
aniz
atio
nal
Dim
ensi
ons
No defined compliance processes or policiesSiloed and inconsistent practicesBusiness areas follow different paths to reconcile compliance issuesNo systems in place to track key processes
Compliance programs are centralized and ubiquitous, but may lack proactive efforts or coordinationManual or limited compliance testingLimited involvement from key stakeholders
Endorsement and buy-in from leadership and all business areasOwnership of content -policy, standards and procedural is established for ongoing maintenance
Actively managed and proactive compliance program with ability to anticipate risks and exposuresA combination of standard and custom-developed toolsMature records management practices
Compliance programs are managed in unisonPrograms offer complete visibility of requirements across the enterprisePrograms are regularly audited for complianceCompliance is an integral part of all business processes
16
A member firm ofDeloitte Touche Tohmatsu©2012 All rights reserved
Q & A / Thank You!
Appendix -- Back-up Slides
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.19
Auditing and Monitoring Strategy
• Consider integration with Internal “Audit” Plan • Determine resources available to execute the plan• Identify timeframes for “audits”• Prioritize risk areas• Communication of “audit” to stakeholders
There are many issues to consider when determining the organization’s auditing and monitoring strategy including:
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.20
Some key elements of HCC auditing
• Transparency on “audit” process and ratings• Clarity on expected role of local team• Preparation, fieldwork, closing• Agreement on corrective actions and timelines• Follow up and validation• Planned “audit” vs. surprise
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.21
Auditing Technique
Sampling: Determine the risk
Example :• High risk = pay more attention-use a standard sample size• Low risk = less monitoring-consider using a probe sample
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.22
Sampling Methodologies
Things to Consider:• The purpose of the sample or the review objective• The universe/population/sources of data• The size of the sample• What you are going to do with the results
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.23
Purpose of the Sample
Is the review for:• Self - disclosure?• Education?• Part of an on-going monitoring plan?• Response to the government, subpoena, etc.?• Known risk area?
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.24
Sampling Size
How much is enough?• What is the purpose of your sample?• If you are not sure you may want to start with a 30 probe sample
Do you need to test every commercial funding event?• If you have an employee new to the funding processing role you
might want to test to see if this employee is processing the requests as required.
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.25
Sampling Techniques
• There are many ways to make samples statistically significant.• Probe/Discovery Samples are used mainly to determine the size of the
full sample in order to meet the required precision and confidence levels.
• Use a statistical sampling when it is impossible or prohibitively expensive to “audit” all claims in an overall population using a census covering 100% of these claims.
• The alternative is to “audit” a statistical sample of these claims that is representative of the population using randomly selected & statistically significant number of claims in the sample where every member of the population has an equal positive probability of being selected.
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.26
Sampling Summary
• Random or judgmental sample selection• Things to consider:
• Size of the population/universe• Time and expense to review
• There are many ways and reasons to sample or test• Remember to :
• Determine why you are testing• Who or what you want to test• What you are going to do with the results
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.27
Information & Communication
• The right amount of the right information• At the right time• To the right people
A member firm ofDeloitte Touche Tohmatsu Limited©2012 All rights reserved.28
“Audit” Reporting – Board and Senior Management Oversight
• Aggregate results reported to “Audit” Committee and Senior Management
• Senior Management receives final report• Management action plan completed for critical issues are tracked by
“Audit” Services• Past due action plans for critical issues are reported to the “Audit”
Committee
.
Copyright © 2012 Deloitte Development LLC. All rights reserved. Member of Deloitte Touche Tohmatsu Limited
About DeloitteAs used in this document, “Deloitte” means Deloitte Financial Advisory Services LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
DisclaimerThis presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.