Benefits and Scope of Work
With the New Year, it may be time to consider an independent evaluation and assessment of the compliance program’s effectiveness. In their new November 2023 “General Compliance Program Guidance,” the OIG clarified that Compliance Officers are responsible for ongoing monitoring of their Compliance Program to ensure it functions properly. However, they further note that “[e]ntities also should periodically assess the compliance program’s effectiveness…[t]he review should include an assessment of how effective each element of the compliance program is.” The Guidance further states that “[t]he Compliance Committee’s primary duties should include evaluating the effectiveness of the compliance program…[t]he board should direct the entity to perform the compliance program effectiveness review and have the reviewers report their findings and recommendations directly to the board.” These must be independent and free from the Compliance Office’s control. They can provide considerable value, including (a) evidencing progress in building an effective compliance program, (b) reassuring management/board the program is mitigating the likelihood of future liabilities, (c) providing “fresh eyes” that provide additional perspective and ideas for improvement, (d) identifying deviations, aberrations, and weaknesses in the program that can be corrected, (e ) offering best practices from extensive experience to improve efficiency and effectiveness, (f) seeing what the government would find in a review, and (g) providing a “road map” for enhancing program effectiveness.
Tips for Establishing Scope and Expectations
Engaging an outside third-party expert firm to assess the compliance program’s effectiveness should be done by the Management Compliance Committee or the board. The scope of work should encompass a wide variety of testing, review, and assessment to be of real value, including the following:
- Independence. Must ensure those doing the assessment have no Conflict of Interest due to current or past engagements that would undercut the credibility of results. It is a standard that the OIG mandates in their CIAs.
- Standard Program Elements. Verifying the underlying support for all seven standard elements of the compliance program are operating as it should and avoiding a process and output checklist review that would produce information of limited value. The objective should be to validate the effectiveness of the process.
- Multi-Level Evaluation. Includes examination and assessment of the program design/plan, progress in implementation, and how well it is functioning (impact). This is a matter of “looking under the hood” to find out how things work.
- Written Guidance. Review the content of the Code of Conduct and compliance-related policies for adequacy, completeness, and user-friendliness.
- Opportunities for Improvement. Assessments should focus on improving the program with useful findings, recommendations, and suggestions. The absence of information to enhance the program is a failure of effort.
- Ongoing Compliance Monitoring. Assessment should address how well the compliance program monitors operations, including keeping up to date with the changing regulatory environment, translating changes into written guidance and controls, educating staff on written guidance, and verifying guidance is followed.
- Assessing Risk Processes. A primary focus should be how well program managers carry out their responsibilities in monitoring high-risk areas within their operational areas. This would include how well they keep up with changing rules and standards, updating written guidance (policies) and internal controls, training their staff on following the written guidance, and verifying they are following instructions.
- Effectiveness Metrics. The OIG stresses the importance of metrics to evidence program effectiveness. Efficiency focuses on output metrics, but effectiveness is related to outcome. For example, the number of individuals trained in compliance is less important than what they learned from the process. The difference is significant, and the assessment should assist in finding the right metrics.
- Conduct Employee Survey. Compliance knowledge and culture surveys used in the assessment can provide useful evidence regarding the employee’s compliance knowledge, attitudes, and perceptions. The OIG refers explicitly to using this method in evaluating compliance program effectiveness. For more credible and useful results, use widely tested and validated surveys anchored in an extensive database of users that can provide comparative results to other organizations.
- Report Presentation. Request that the report be presented in two parts. The first should be an “Executive Report” highlighting key findings and recommendations for presentation to the executive leadership and board. The second should be a “Management Implementation Report” that is more detailed and provides supporting evidence for findings and recommendations for the Compliance Officer and management to implement program improvements.
You can keep up-to-date with Strategic Management Services by following us on LinkedIn.Subscribe to blog