Compliance Program Leveraging of Audit Resources

Steve Forman | October 2013

The compliance officer is an independent and objective fact finder with the mission of ensuring the organization is in compliance with all applicable laws, regulations, standards, policies/procedures, and the code of conduct. A compliance officer’s major focus is the compliance high-risk areas; however, there are other functions that share some of the same space — internal audit and the external auditors. They also conduct their work independent of management, in an objective manner, to address high-risk areas. With limited resources available to all three functions, it is important that they coordinate their efforts and take steps to avoid duplication.

One thing is very clear and that is: “one size does not fit all.” Larger organizations can more fully staff their internal audit function to perform a wide range of audit activities, especially for those organizations that are “covered entities” under the Sarbanes-Oxley Act where there are prescribed internal control review requirements. Mid-size organizations, however, may have only very limited resources available for internal auditing and may have to contract out parts or all of the function — or not have the function at all. Smaller organizations are not likely to have any internal audit function.

For health care providers, the compliance officer is responsible for the operation of the organization’s compliance program; however, to be successful it is necessary to rely on operations managers to ensure that rules, regulations, and laws are being followed. The question, of course, is how does the compliance officer know that management is, in fact, carrying out its responsibilities effectively? Unfortunately, the compliance officer will never possess sufficient staff or resources to enable direct verification of effective compliance with all applicable laws, regulations, rules, standards, policies, et cetera. The answer to this problem is being able to properly leverage others to assist in this process. For those organizations with an internal audit function, the compliance officer should have engaged in continuous contact and discussions with them. Furthermore, this contact should have led to substantive discussions with the external auditors. These two functions are similar to the compliance officer in that they are independent of program management and, as such, represent the best opportunities for leveraging limited resources.

About the Author

Steve Forman is a certified public accountant with decades of experience in health care compliance. Mr. Forman specializes in developing and implementing compliance programs, assessing an organization’s vulnerabilities and risks, implementing effective monitoring systems, testing internal compliance controls and working with senior management and Boards in developing strategic plans.