“Audits can be life-changing experiences,” said Lisa Keilty, CMP, HCC, president /owner of the pharma compliance consulting firm PMC2 (Professional Meeting Compliance Connection) during a session on audit preparation and standard operating procedures at the 2013 Pharma Forum in Orlando. The Forum was co-organized by MeetingsNet/medical and The Center for Business Intelligence.

While an audit will raise your anxiety level, you can reduce that stress by making sure the record-keeping for your organization’s compliance with internal and external regulations is consistently kept up-to-date.

Anatomy of an Audit

According to Keilty, whose services include helping companies prepare for audits, pharma companies can undergo everything from financial reviews and operational audits, to assessments of information technology systems, to integrated audits that include all of the above. And then there are investigative auditsthat delve into everything from a meeting’s initiation to its execution and reconciliation. Audits can be performed by internal corporate assessors or by external organizations such as the Office of the Inspector General of the U.S. Department of Health and Human Services.

An internal audit measures how your department adheres to and enforces existing policies and procedures, the risk associated with outdated or non-existent policies, knowledge-training opportunities, and the effectiveness of communication. It also will assess how your department is self-auditing/monitoring, and how you respond to violations. At the minimum, you should have standard operating procedures, or SOPs.

The OIG has seven elements that must be included for a compliance program to be successful:

1.     Written policies and procedures

2.     Designated compliance officer and compliance committee

3.     Effectiveness of training and education

4.     Effectiveness of the lines of communication

5.     Internal monitoring and auditing

6.     Enforcement of standards through well-publicized disciplinary guidelines

7.     Prompt response to detected problems through corrective actions

Whether a company’s internal audit departments perform the audit(s) or an external vendor is hired to perform the audit(s),once they are done scrutinizing, they will give you a rating of unsatisfactory, satisfactory, or general satisfactory, which is the top rating. A bad audit result could end up costing your company not just in substantial fines and penalties and an OIG-enforced corporate integrity agreement, or CIA, but also in bad publicity, lowered productivity as staff is diverted from their regular work to accommodate the auditor’s needs, and even a loss of jobs.

“You are accountable,” said Keilty. “The key is to be organized and document as you go.”

Four Stages of Risk

Documenting as you go means developing a consistent thread of compliance documentation for each planning stage, said Keilty.

Stage 1/Meeting Development and Venue Sourcing: During the preliminary stage, you need to know how to qualify a meeting request, and you need to be able to show that the request went through the proper process. The meeting’s objective should drive everything that follows, so be sure to emphasize the key words of that objective when you talk with your meeting owners. There needs to be a business rationale for holding the meeting—which healthcare professionals you are inviting and why—a cost analysis, and a signed pre-approval form as required by SOPs. Get the proper authorization for your budget and the program’s dates, location, and attendee list.

While sourcing the venue, make sure the hotel understands and can comply with internal corporate rules and state and federal pharma regulations involving HCP meetings. “Make sure the venue isn’t on your hotel exclusion list, and that it can accommodate your spend caps,” she said. Also make sure all your vendor, venue, and speaker contracts are compliant. “It’s a red flag if you always use one hotel chain,”said Keilty. “Document that you got three bids. If you didn’t, document why you didn’t. Make sure the dates and budgets line up with what’s in your contract. Let your vendors know that you have to be able to audit everything.”

Also make sure you are complying with policies around air, ground transport, production, materials, presentations, and off-site events. “Think like an auditor and you’ll get through it,” she said.

Stage 2/Meeting Execution: Document everything, from the pre-con to on-site management. “Tell the venue what you need—let them know not to upgrade attendees without asking you, and not to upgrade you—ever. And know your company’s policy on what to do with frequent flier miles and hotel points. “If it’s in your SOPs, it should be in your addendum so the hotel knows what to do,” she said. And make sure the operations and program management by any third-party you use support your company’s SOPs.

Stage 3/Budget Reconciliation: Be sure you can tell the full story of everything that happened at the meeting, from the invoice and expense payments to the travel manifest to capturing the transfers of value—meaning direct or indirect payments—to HCPs. And be sure to include any compliance exceptions and violations. “Did Dr. X receive a bottle of wine? Did a spouse come to dinner? Even the best-laid plans can go awry. If you went over the variance, say why. Even if you were under the variance, explain why—an auditor might take that as a sign that you didn’t plan appropriately. Write down everything that happens.”

Stage 4/Audit: Have a checklist and review everything in a timely manner, according to your SOPs. If your SOP says the review should take place in 60 days and at 90 days you’re still working on it, an auditor might see that as a problem, said Keilty. Remediate any issues that arise, and be sure to have a repository to store the documentation, whether it’s electronic, paper, or both. If you don’t already have policies and procedures to handle document storage, develop them.

Auditors will look at the specifics: Have you adhered to your SOPs? Are there any deviations from SOPs? Did you do your due diligence in documenting and reporting? They also will look at compliance training policies and procedures. Who is trained, and when was the last time you updated your training? How do you monitor third-party compliance? Look at what your company agreed to in its CIA, if you have one. “Educate all your internal stakeholders—planners, accounting, compliance, legal—and consistently monitor what they are doing. Meet with vendors quarterly,” said Keilty. “You need to continually assess and evaluate—build due diligence into your processes.”

Helpful Audit Prep Hints

• Understand why something is expected of you—it makes the task easier and will improve your communication with an auditor and other stakeholders.

• Document, document, document—take notes immediately and use a date and time stamp. Keep them simple and to the point. Tell the story.

• If you have an intuition that something is not right, follow up. Stamp the information with the date and time and save it with the rest of your documentation.

• Be proactive, not reactive.

• Educate your:

-meeting host/project team

-country office contact

-other colleagues

-vendors (hotels, third-party planners, content vendors, etc.)

-attendees—let them know what is and is not acceptable, and what will expedite reimbursement and minimize consequences.

• Automate as much as possible. Auditors like systems to tell the story instead of hand-written notes, so use time stamps and find ways to automate matching your attendee list to the sign-in sheet if you can.

• Have a clean, accessible system for storing information that you can access quickly and easily.

• Don’t forget to follow through when deviations occur.

• Know who your company defines as an HCP—is it just MDs, or all the way down the line?

• Ask the hotel to provide detailed billing so auditors don’t have to come back for more on specific items.

• Train everyone who touches that meeting, including trip directors. Let them know what you need them to do if a deviation happens. It’s best to document as it happens so you don’t have to go back later and try to recreate the situation.