Compliance Auditing
4th Annual Pharmaceutical Regulatory
and Compliance Congress and Best
Practices Forum
November 12-14, 2003
Teri Crouse, J.D.
Director of Compliance, Healthcare & Marketing
Eli Lilly and Company
T. Crouse, PharmaCongress 1
Auditing Discussion
• Why do an audit?
• What should you audit?
• When should you audit?
• Who should you audit?
• Who should do the audit?
• How do you do the audit?
• What are the next steps?
HOW to go about conducting an audit
Risk / Exposure Profiling
Audit process phases: Risk/Exposure Profiling, Risk Assessment, Audit Planning, Fieldwork, Reporting, Follow-up
Managing Business Risk
What can go wrong with my business?
If that something goes wrong, does it matter?
If it matters, can I avoid, monitor, or manage it?
Risk Definition
• "Risk is the threat or likelihood that an event or action will adversely affect an organization's ability to meet business objectives or execute its strategies."*
* Managing Business Risk, An Integrated Approach, The Economist Intelligence Unit, 1995
Risk Assessment
Why conduct a risk assessment?
• To quantify and use a consistent method by which compliance measures are assessed
• To identify those risk areas in the high risk potential and/or high risk consequence region that may require more resources to effectively implement and enforce policies
• To identify which areas of an effective compliance program are lacking across the corporation
– Training and Education, Auditing and Monitoring
• To provide a starting point for a to-be-created centralized compliance group
Risk Concepts
• Risk
– A risk driver increases or decreases the probability that a risk will occur
(Diagram: Risk Driver affects Probability, which together with Impact determines the risk)
Risk Concepts
• Risk Drivers
– Environmental Drivers:
• External Environment
• Ethical Environment
• Control Environment
– Operational Drivers:
• Change – Business Complexity
• Growth – Pressure to Meet Goals
Risk Concepts
• Exposure
Exposure = Impact x Probability
Impact factors:
• Sales/activity level
• Assets
• Visibility
• Headcount
Do I care if something goes wrong?
(Diagram: Impact, Low to High, plotted against Probability, Low to High)
The High Impact / High Probability quadrant is where you want to focus!
Risk Assessment Model
Set Goals: What do you want to accomplish?
Assess Risk: What can go wrong?
Assess Exposure: Do you care? If No, STOP.
If Yes, Design Controls: How can you manage it?
Audit Planning
Prioritize Audit Units
PLANNING GUIDELINES (matrix of EXPOSURE, L/M/H, against RISK, L/M/H):
Audit: Receives significant audit effort; audit annually
Caution: Audit activity based on specific risk factors
Attention
Low: No Audit Services activity current plan year
Audit Engagement Overview
Effort over duration: Audit Planning (2-3 weeks), Fieldwork (2-3 months), Reporting (end of final week)
Audit Process: Planning, Fieldwork, Findings, Report
"Auditor" Responsibilities: Interviews, Observations, Testing
"Site" Responsibilities: Validation, Feedback, Action Plans
Milestones: Arrive on site; Leave site
Program Development
The audit Program (steps 1, 2, 3, 4, ...):
• Outlines objectives for the audit
• Indicates what is to be done
• Describes how it is to be done
• Provides record of planned procedures
• Assists audit control
Compliance Audits sit among the compliance program elements: Written policies and procedures, Training, Auditing/monitoring, Discipline/learning
Population Selection and Data Collection
Determining Audit Population
• All
• Cumulative %
• Square root of n + 1
Data Collection
• Interview Questions
• Spreadsheets
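As an added example, not from the slides, the Exposure = Impact x Probability scoring, the planning categories from the Prioritize Audit Units matrix, and the square root of n + 1 population rule in Python; the 1-5 rating scale, the equal weighting of the four impact factors and the exposure cut-offs are assumptions.

```python
# Added example, not from the slides: score audit units with
# Exposure = Impact x Probability and size the test population.
# Assumed: the 1-5 rating scale, equal weighting of the four impact
# factors, and the exposure cut-offs for the planning categories.
from dataclasses import dataclass
from math import ceil, sqrt

IMPACT_FACTORS = ("sales_activity", "assets", "visibility", "headcount")  # Exposure slide

@dataclass
class AuditUnit:
    name: str
    ratings: dict        # factor -> 1 (low) .. 5 (high); assumed scale
    probability: float   # 0.0 .. 1.0 likelihood that the risk occurs
    population: int      # items available for testing

def impact(unit: AuditUnit) -> float:
    """Equal-weight average of the four factors, normalised to 0..1."""
    vals = [unit.ratings[f] for f in IMPACT_FACTORS]
    if any(not 1 <= v <= 5 for v in vals) or not 0 <= unit.probability <= 1:
        raise ValueError(f"{unit.name}: ratings must be 1..5, probability 0..1")
    return sum(vals) / (5 * len(vals))

def exposure(unit: AuditUnit) -> float:
    """Exposure = Impact x Probability, as defined on the slide."""
    return round(impact(unit) * unit.probability, 3)

def planning_category(unit: AuditUnit) -> str:
    """Planning guideline from the Prioritize Audit Units matrix; cut-offs assumed."""
    e = exposure(unit)
    if e >= 0.5:
        return "Audit"     # significant audit effort, audit annually
    if e >= 0.2:
        return "Caution"   # audit activity based on specific risk factors
    return "Low"           # no Audit Services activity in the current plan year

def sample_size(population: int) -> int:
    """Square root of n + 1 rule from the selection slide (capped at the population)."""
    if population < 0:
        raise ValueError("population must be non-negative")
    return min(population, ceil(sqrt(population)) + 1)

def audit_plan(units: list) -> list:
    """Units ranked by exposure with category and sample size (0 when not audited)."""
    rows = []
    for u in sorted(units, key=exposure, reverse=True):
        cat = planning_category(u)
        rows.append((u.name, exposure(u), cat, sample_size(u.population) if cat != "Low" else 0))
    return rows
```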
Fieldwork
Fieldwork Process
• Opening Meeting (Audit Objectives and Scope)
• Gather information
• Conduct interviews
• Understand business processes
• Review procedures and documentation
• Perform testing and observations
• Document facts
• Review against control objectives
• Hold periodic "talk-ups" to validate facts
• Consolidate and assess results
• Write DRAFT report
• Closing Meeting (Distribute Final Report)
Documentation Process
(Diagram: the audit Program, steps 1, 2, 3, 4, ..., and the Facts gathered feed the Workpapers; the Workpapers feed the PACs, the control weaknesses)
Workpapers
• Workpapers document the audit
• Prepared by auditor and reviewed by lead
• Standard format
• Clearly state nature and extent of work
• Record of information obtained, analyses made, findings, and conclusions
• Support for recommendations
Workpapers & Evidence
Workpapers are based on facts (Evidence): Observations; Review of Procedures, Interviews; Documentation; Tests, Analytical Processes
Evidence
• Sufficient
• Convincing
• Adequate detail
• Relevant
• Competent
• Factual
• Reliable
• From best source (independent)
• Consistent with other evidence
• Validity of audit evidence is a function of its source
• The more independent the source, the greater the value
Reporting
Reporting Process
(Diagram: Workpapers and PACs, validated in Talk-ups, become the Comments of the Audit Report, written using the 5 C's, and go through Revisions; the Field Report plus Management Action Plans becomes the Final Report)
Potential Audit Comments (PACs)
• Summarized audit findings
• Basis for developing comments
• Verify findings with auditee (talk-up)
• Link between workpapers and report
• Not all PACs are in the report
Report Comments
• Comments Should Not:
– Describe the detailed auditing done
– Document operating procedures
– Educate readers about details of processes
• The reader should know this data!
Management Action Plans
• Auditees specify how and when they plan to address the condition described in each comment
• Signal to Audit Services that local management will address audit results
Audit Process
Audit Services: 1. Planning; 2. Standard Audit Program or Prepare Program; 3. Pre-fieldwork; Begin Fieldwork
Program steps (1a, 1b, 1c, 2a, 2b, 2c, 3a): Collect Evidence in Workpapers; Document Evidence & Findings
Potential Audit Comments (PAC's), one per finding, e.g. PAC #1 - Issue 1a; PAC #2 - Issue 1a & 1b; PAC #3 - Issue 2a-c
Talk Ups: Combine & Rationalize PACs into Issues (Team Discussion)
Report: Audit Comment / Recommendation / MAPS
Final Report
EXECUTIVE SUMMARY
• Objectives
• Risks & Exposures
• Overall Assessment
• Rating
Detailed Comments: for each Comment, a Recommendation and a MAP (Management Action Plan)
Final Report Distribution: Line Management; Compliance Organization; General Auditor; Outside auditors; HR; RED audits – who else?
Rating Scale
GREEN: Control environment is satisfactory. Continuing local management action and resource allocation is sufficient. Processes/policy/procedure/practice sufficient to meet business objectives.
YELLOW: Improvement required. Important business risk issues that justify management action, resource allocation. Processes/policy/procedure/practice in place but effectiveness needs to be enhanced.
RED: Direct, immediate management action and resources required. Serious business risks present. Processes/policy/procedure/practice insufficient to give reasonable assurance of meeting business objectives.
Follow-up
Red Comment Follow-up
• Audit Services will follow up on any Red Comments within 6 months of the audit
• The status of all Red Comments is reported to the Audit Committee as one of the following: Implemented, Past Due, or Not Yet Due
• An item is identified as Past Due if the Affiliate fails to complete the Management Action Plan by the Implementation Date stated in the Final Report