There remains considerable confusion among compliance officers regarding the proper management and ownership of monitoring and auditing functions.
“Monitoring” is the process of providing continuous oversight of risk controls by operational managers in their respective areas of responsibility. It provides a method to detect compliance and risk issues associated with an organization’s operational environment. It is important to understand that ongoing monitoring is the responsibility of program managers, not compliance officers. The associated responsibilities of operational managers include: (a) staying abreast of changes in applicable rules, regulations, and laws; (b) developing internal controls, policies, and procedures to comply accordingly; (c) training staff on these protocols; and (d) taking steps to monitor and verify compliance with new guidelines.
On the other hand, “auditing” is the review of the monitoring process by independent and objective parties. The compliance office, internal audit department, other program managers, external parties, or any combination thereof can carry out independent auditing. It involves verifying that program managers are properly carrying out their monitoring responsibilities and validating that the processes are achieving desired outcomes. This includes confirming that controls are in place and functioning as they were intended, or identifying weaknesses in the program that need to be addressed.
Regardless of who manages the process, the compliance officer should ensure that both monitoring and auditing are implemented and functioning properly. This includes ensuring that:
- Program managers understand their ongoing monitoring obligations;
- A compliance audit plan is developed to verify that ongoing monitoring addresses high-risk compliance areas;
- Program managers have identified all high-risk areas related to their operational functions and are engaged in evaluating them;
- Program managers have assessed the potential impacts of risk events, including the direct and indirect financial consequences (such as legal liabilities and governmental penalties);
- Program managers have also assessed the likelihood of risk events, taking into consideration whether the area is a current governmental enforcement priority (e.g., improper physician arrangements);
- All identified areas are ranked by level of risk, probability of exposure, and potential impact or damage, with the highest-risk areas addressed first;
- Corrective action plans have been developed and implemented to address all identified risk areas;
- All compliance risk areas are being tested and reviewed on an ongoing basis;
- Internal audit activities validate that ongoing monitoring is effective in achieving the desired objectives, including reduction of the likelihood that unwanted high-risk events will occur;
- A process to evaluate the effectiveness of corrective action measures has been implemented; and
- Results of monitoring and auditing activities are included as regular agenda items for management- and board-level compliance committees.
For more information on this topic, contact Richard Kusserow at [email protected].