Internal Audit + Compliance: Relationship status - it’s complicated!
When the U.S. Department of Justice evaluates the effectiveness of a compliance program, one of the factors it considers is whether internal audits are conducted. So why is this relationship complicated? It comes down to three issues:
1. Mismatched Expertise
There is often a mismatch between the financial fraud expertise of most internal auditors and the regulatory, legal and industry code expertise of life science legal and compliance programs. This mismatch can produce an ineffective audit: one focused on compliance procedures that aren't going to improve the effectiveness of the compliance program, or one focused on the right procedures that identifies only insignificant issues for improvement.
2. Audit Reports Don't Convey Nuance
There is a standard structure to audit reports: (a) what we are auditing, (b) the risks and (c) the audit findings. When it comes to compliance audits, the "risks" and "findings" sections often contain some of the absolute worst soundbites in the context of potential future investigations and litigation.
I get it, lawyer speak can be annoying. Businessperson: "Is this legal?" Lawyer: "It depends..."
But legal and compliance speak with caution because issues are often nuanced. Audit reports aren't a problem when you are dealing with black-and-white issues, but nuance is not typically conveyed in the report. Moreover, compounding the terrible soundbites, internal audit reports go to the highest levels of the company, so they are given significant weight.
3. No privilege protection
There is no privilege over most internal audit reports or work product. When internal audit alone is reviewing a high-risk area, this creates huge potential land mines, especially in combination with issues 1 and 2.
The purpose of this post is not to say that internal audit should not review compliance programs. Audits are an essential component of an effective compliance program. The DOJ expects them, and practically, we all know what it is like when you look at the same problem every day: you only see what you are focused on. The point of this post is that these audits need to be done thoughtfully.
My strong recommendation is that whenever internal audit intends to review an aspect of the compliance program that is subject to substantial legal risk (payments to HCPs, patient services, pricing, rebates), the work should be a joint exercise involving internal audit and a lawyer with the relevant expertise.
This can be an in-house lawyer, but realize that having an in-house lawyer supervise an internal audit creates an additional issue: it could be seen as undermining the independence of your internal audit function. Alternatively, the company or the Board can engage independent outside counsel to work with internal audit, which avoids questions about the independence of the function.
Adding a lawyer to the compliance audit team can give the team the compliance expertise it otherwise lacks, create a privilege over the work product and generate a report that conveys nuance.