March 27, 2008

March 27, 2008

Medical Device, Regulatory and Reimbursement Compliance CongressBest Practices: Monitoring and Auditing

Presented by

Charles Bell| Pharmaceutical and Life Sciences- Advisory Services

Jean Sands| Pharmaceutical and Life Sciences- Advisory Services

Agenda

1. Best Practices of Leading Companies

– Why consider best practices?

– Monitoring

– Auditing

2. Commercial Activities for Monitoring

3. How Do You Start Monitoring?

– Best Practice - example

– Items for Consideration

4. A Look into what CIAs and DPAs are Requiring

5. Closing Statements

Agenda Point 1Best Practices of Leading Companies

Medical Device Congress 2008

Why consider best practices? - RISK

• Within an environment of increased stakeholder scrutiny and expectations, leading companies constantly guard against any potential threats to business performance.

• They create a framework within which all business units take responsibility for detecting obstacles to achieving performance objectives.

• Aided by real-time automation, they continually monitor their internal and external environments within that framework to identify potential sources of risk early, assess those risks, and respond based on the organization’s risk tolerance.

• Risk is a very real element for every company in every industry amid today’s increasingly exacting business landscape.

• Companies that apply best practices excel at understanding how that risk can impede business performance. Aided by real-time automation, they continually monitor their internal and external environments to identify potential sources of risk.


Monitoring Best Practices of Leading Companies

The monitoring practices PwC is seeing in industry include the following actions:

• Employing a disciplined approach to identifying and managing risk which seeks out innovative risk response techniques, which sometimes provide new opportunities for enhanced business performance.

• Embedding risk and compliance monitoring in business processes enterprise wide to understand how various internal and external events enhance or impede the achievement of strategic objectives.

• Protecting Shareholders by reporting potentially damaging information as soon as practicable after it is confirmed, companies increase their chances of circumventing the loss of credibility.


Monitoring Best Practices of Leading CompaniesContinued

The monitoring practices PwC is seeing in industry include the following actions:

• Implementing sustainable remediation procedures that take disciplinary action against those who performed misconduct; recover and restore losses and other damage; and learn from an incident to improve controls and prevent recurrence.

• Installing automated software to improve risk management and compliance monitoring of transactions, to apply controls in gaps between separate IT systems, and to gain access to data confined in stand-alone systems or blocked by proprietary software platforms that do not communicate well with others.


Auditing Best Practices of Leading Companies

• At high-performing companies, the Audit function offers independent, objective analysis to evaluate and improve the effectiveness of risk management.

• Based on its analytical knowledge of the business, the Audit function is positioned to partner with functional departments to consider how new company initiatives can affect the application of risk management and to take that information into account during its internal controls assessments.

• Companies that position their Audit departments as strategically driven, build their audit plans on a risk-based audit schedule.

• Risk-based audits use audit resources more efficiently, ensure that management and the board are sufficiently focused on key risks, and provide flexibility to adjust to shifting priorities.

Agenda Point 2Commercial Activities for Monitoring


Commercial Activities for Monitoring

Typical compliance monitoring programs, include evaluating and enhancing monitoring processes, controls, and key performance indicators (KPIs) for the following commercial areas:

• Engagement of physicians for consulting, speaking and other advisory arrangements,

• Exchange of scientific information (off-label promotion),

• Awarding or payment of educational, clinical, and/or investigator sponsored study research grants, and

• Any component of the above-mentioned activities outsourced in whole/in part to a third party vendor.

• Any relationship with healthcare professionals where value is exchanged.

Agenda Point 3How do you start monitoring?


How do you start monitoring?

Conduct initial assessments in the selected areas, using interviews and process walkthroughs with key stakeholders to identify the current processes, risks, metrics and monitoring programs in place.

Consider identifying:

• The future process, metrics and monitoring needs for each stakeholder group,

• Assessing the existing infrastructure capacity (people, process, technology),

• Assessing data availability and data quality,

• Risk appetite and tolerance of the organization regarding the compliance risks associated with the selected activities, and

• The capacity of the current incident management process to effectively manage the likely increase in the volume of issues to be resolved upon implementation of the monitoring program.


Best Practices – example Create a Priority Map

Frequency of Activity Current Controls

(e.g. Legal Requirements, Policies and Training)

Current Monitoring & Current Auditing Activities Potential Regulatory Exposure

Review Areas (e.g. Educational Grants, Charitable Contributions)vs.

PRIORITY – low, medium, high

IMPA

CT

– lo

w, m

ediu

m, h

igh


Items for Consideration

Have the policies been formally drafted and communicated to the company?

Is your monitoring program fitting into global compliance effort and strategic planning?

Is cooperation among departments common?

– Cross-departmental communication and coordination will be needed to reach objectives (Compliance, IT, Legal, Corporate, Commercial areas).

Data systems: isolated or connected?

Is documentation in a data accessible format for analysis of trends?


Items for Consideration

Is the fiscal data able to be matched with supporting documentation of Healthcare Professional activity?

Is there a defined ‘yardstick’ for measuring activity?

– Process to establish fair market value (FMV) uniformity.

– Documentation of business rationale for activities.

What do I do with detected compliance issues?

– Compliance Department’s Incident Management Systems need to be of a capacity to handle an increased volume of investigative activity.

Do you monitor your vendor relationships?

– Routine vendor audits to ensure contractual obligations are met.

Agenda Point 4A Look into what CIAs and DPAs are Requiring


A Look into what CIAs are Requiring

A review of processes, policies and procedures for:

– Interactions with Healthcare Professionals and Healthcare Institutions

– Medical Forums

– Grants (e.g. administered by Medical Affairs Department)

Auditing of Control documents:

– Includes documents or electronic records, submitted by sales reps or HQ personnel to request approval for certain activities, and

– Business rationale or justification forms, written contracts, attendance rosters and receipts.

> Determine whether control documents exist in appropriate files

> Determine whether completed and filed according to procedure

> Determine whether control documents show that the procedures were followed


A Look into what CIAs are Requiring

Commercial Activities Audited:

– Interactions with Healthcare Professionals and Healthcare Institutions,

– Ad boards, expert forums, market research and fee for service,

– Peer discussion groups, lectures, symposia, e-medical forums, physician facilitated interaction activities,

– In office and out of office facilitated meetings, business and other meetings over meals, display over meals, and external journal clubs, and

– CE/ CME grants, patient advocacy grants, and professional society grants.


A Look into what DPAs are Requiring

The Needs Assessment requires:

• Overall assessment of company’s consulting services needs for medical, clinical, training, educational, research and development needs,

• Pre-planning and robust processes for the hiring of all HCPs (Commercial and R&D),

• All consulting agreements must be arranged and agreed upon by someone who does not have a sales and marketing background, and

• Compliance Department must approve budget and requests for all HCP payments.


A Look into what DPAs are Requiring

The Needs Assessment covers:

– All payments to consultants including; honoraria, fellowships, gifts, donations, charitable contributions, etc.

– Companies must establish FMV processes, policies and procedures

Government reporting requirements include:

– All services made available by payment, per consultant, by region and by total payments with a list of services yet to be rendered (HCP Payment tracking)

Consulting payments must not exceed $500 per hour.

– If they do, an independent organization must conduct a value analysis

Agenda Point 5Closing Statements


Best Practices - Overview

• Employ a disciplined approach to identifying and managing risk within your organization.Goal of managing risk vs. eliminating risk is appropriate

• Embed risk and compliance monitoring throughout your organization.Independent audit function and partner that complements business needs and

shifting compliance priorities

• Implement sustainable remediation procedures.Highly ethical companies always document and act on deficiencies, no matter

how seemingly insignificant

Look beyond mitigating a single incident, focus on integrating governance, risk and compliance throughout organization

• Use technology to improve risk management and compliance capabilities.

Appendix 1Presenters/Team Members


PwC Team

PresentersNameCharles Bell, Pharmaceutical and Life SciencesManagerT: 646.471.1229 E: [email protected]

NameJean Sands, Pharmaceutical and Life SciencesSenior AssociateT: 312.298.3026 E: [email protected]

Team MembersNamePeter Claude, Pharmaceutical and Life SciencesPartnerT: 973.236.4289 E: [email protected]

NameJonathon Kellerman, Pharmaceutical and Life Sciences PartnerT: 267.330.2466 E: [email protected]

NameBrian Riewerts, Pharmaceutical and Life Sciences Global Risk & Compliance, PartnerT: 410. 659.3390 E: [email protected]

Documents

March 27, 2008