With the New Year upon us, it may be time to consider an independent evaluation and assessment of the compliance program. The HHS Office of Inspector General (OIG) calls for this in compliance guidance, when it notes there should be ongoing monitoring and auditing of all operations, including the compliance program. Meeting these standards means the compliance officer is responsible for ongoing monitoring of the compliance program and verifying it is operating as designed. However, it also means that there should be periodic, independent, ongoing auditing of the program to validate that it is functioning effectively to achieve the desired goals. This needs to be done every two or three years, not annually. The compliance officer cannot independently audit his or her operation, nor would his or her results be credible. Auditing must be done using outside experts with extensive experience who are independent of the operation. Results from this audit should not be viewed as potentially threatening. If the evaluation is an initiative of compliance officers, all findings and recommendations can be viewed as a credit to their continuing efforts to improve the program. However, if the engagement is driven by management or the Board, the results are more likely to be considered negatively towards the compliance officer.
Benefits of independent evaluations
An independent evaluation:
- validates progress in building an effective compliance program, which is always a work in progress;
- reassures management/Board that the program is reducing the likelihood of future liabilities;
- provides “fresh eyes” that provide additional perspective and ideas for improvement;
- identifies deviations, aberrations, and weaknesses in the program that can be corrected;
- offers best practices from extensive experience to improve efficiency and effectiveness;
- presents a report with findings that would be similar to what the government would find; and
- evidences to outside authorities that the program is robust and continuing to evolve.
Tips for establishing scope and expectations
When engaging an outside third party expert firm to evaluate the compliance program effectiveness, entities should expect their work to encompass a wide variety of testing, review, and assessment, in order to be of real value. To ensure it provides useful and meaningful results, consider requiring it to meet the following in terms of scope of work and expectations in results.
- Independence. Ensure no conflict of interest or appearance thereof from current or past engagements that would undercut credibility of results. It is a standard that the OIG mandates in its corporate integrity agreements (CIAs).
- Standard program elements. Verify that all seven standard elements of the compliance program are in place and operating as they should (e.g., program infrastructure, code of conduct, compliance-related policies/procedures, training, hotline, sanction-screening, investigations, etc.), but avoid having an approach that checks off elements, as it will not produce much useful information unless there is a major element gap.
- Multi-level evaluation. Include examination and assessment of the program design/plan, progress in implementation, and how well it is functioning (impact). This is really a matter of “looking under the carpet” to find out how things are really working.
- Written guidance. Review the content of the code of conduct and compliance-related policies for adequacy and completeness. Written guidance has to be more than a recitation of regulations and rules. To be effective, it must be written to be understandable for all covered persons; otherwise it is problematic and may contribute to, rather than prevent, violations. In organizations where many have English as a secondary language, this may be a challenge. Depending on the size and complexity of the entity, there should be 20-30 compliance program-related policies.
- Opportunities for improvement. To be of optimum value, the evaluation report should focus on ways in which the program can be improved. The program can only move forward if there are useful findings, recommendations, and suggestions for program improvement. Any checklist evaluation that comes with results that everything is okay is worthless, and could come back to haunt the compliance officer. It is advisable to advertise internally that such information is being sought to enhance the program. This will alert third parties that entities expect findings, recommendations, and suggestions from the review.
- Ongoing monitoring. Evaluate how well the compliance program is monitoring its operation, including how it keeps up to date with the ever-changing regulatory environment; translates changes into written guidance and controls; educates staff on written guidance; and verifies guidance is being followed.
- Risk assessment. The major effort and guts of any independent assessment is how well program managers are carrying out their responsibilities in monitoring high-risk areas within their operational areas. This would include how well they keep up with changing rules and standards; update written guidance (policies) and internal controls; train their staff on following the written guidance; and verify they are following instructions.
- Review metrics. The OIG stresses the importance of metrics to evidence program effectiveness. Efficiency is often measured in output metrics, but effectiveness is related to outcome. For example, the number of individuals trained on compliance is less important than what they learned from the process. The difference is great and the assessment should assist in finding the right metrics.
- Conduct employee survey. If possible, it is desirable to have as an added compliance dimension the evaluation of the attitude, perception, and compliance program knowledge of employees and other covered persons, through conducting independent compliance culture and knowledge surveys. The OIG specifically refers to using this method in evaluating compliance program effectiveness. For more credible and useful results, internally and externally, use only widely tested and validated surveys that are anchored in a large database of users. That can provide comparative results to other organizations.
- Report presentation. Request that the report be presented in two parts. The first report should be an executive report that provides a highlight summary of key findings and recommendations for improvement for presentation to the Board and executive leadership. The second report should be a management implementation report that is more detailed and provides supporting evidence for findings and recommendations, for use by the compliance officer and management in implementing program improvements.
Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.
Copyright © 2017 Strategic Management Services, LLC. Published with permission.