Assessing Internal Controls is Critical to Effective Compliance Programs
Compliance Officers are faced with ever-changing laws and regulations and intense scrutiny by regulatory and enforcement agencies. Unfortunately, Compliance Officers have limited resources, resulting in the need to “do more with less.” In the context of limited resources, a key element to success is ensuring that those resources are being used judiciously and efficiently. This can guard against instances and practices that could precipitate an investigation or call into question the integrity of the operation and its personnel. As such, organizations should focus on ensuring proper evaluation of risks, vulnerabilities, and internal compliance controls of the organization.
The U.S. Sentencing Commission Guidelines and the Department of Health and Human Services (HHS) Office of Inspector General (OIG) compliance guidance documents refer to this use of limited resources as ongoing monitoring and auditing, which is designed to proactively identify compliance problems and issues. In meeting these challenges, organizations should implement internal compliance controls that protect against the failure to follow established rules, regulations, or practices that can result in liability exposure. The organization should engrain internal compliance controls in all functions and operations to be effective, efficient, and relevant to the operational risks they are designed to protect.
It is the responsibility of program management to: (a) identify compliance risks in their respective areas of responsibility; (b) keep current with rules, standards, and applicable laws/regulations; (c) determine appropriate control system components; (d) establish written guidance as a control for identified risks; and (e) monitor staff to ensure that they are adhering to written guidance and controls. The only way to determine if controls are working is through monitoring and testing.
Ongoing compliance auditing is necessary to verify that program managers are performing these tasks. Auditing is also necessary to validate that the controls are functioning effectively to reduce vulnerability and risk of violations. The following list provides examples of control questions to consider when reviewing and verifying risk control effectiveness.
- Have significant compliance risks been assessed?
- Have control weaknesses been identified and addressed?
- Are there supervisory reviews and verifications of performance?
- Does legal counsel perform review of contracts for compliance?
- Are there written delegations of authority within operating functions?
- Have decision making authorities and parties responsible for entering into engagements been delegated?
- Have the staff been trained on applicable Centers for Medicare & Medicaid Services (CMS) rules and regulations that relate to their duties?
- Is there documentation on work-flow?
- Are all compliance-related policies and procedures reviewed and kept up to date?
- Is there documentation verifying the background and sanction screening of all engaged parties?
- Are reports (financial, workload, medical, etc.) on operations regularly produced?
- What evidence is there that computer, laptop, and cell phone passwords are tested/controlled?
- Do program managers identify and mitigate risks in their areas through ongoing monitoring?
- Is there evidence that employee meetings have taken place to explain new policies/priorities?
- Are their procedures in place to control access to medical records/supplies/drugs?
- Has there been periodic survey of employee compliance knowledge/perceptions/attitudes?
- Do employee performance standards include adhering to compliance with the code of conduct/policies?
To learn how the auditors and consultants at Strategic Management can evaluate or assist with your internal audits, please contact Steve Forman, CPA ([email protected]) a senior consultant who has built and managed compliance and audit functions for over 30 years.
Subscribe to blog