Among my earliest memories as an internal auditor was the constant refrain from officials in my organization that, as internal auditors, our job was to keep them “out of jail.” It was their light-hearted way of signaling how important we were to them. I didn’t take them too seriously, because I didn’t know of too many people who went to jail because of an internal control or compliance failure. But, as Bob Dylan so famously sang, “the times they are a-changin’!”
The recent guilty plea by a former drug company compliance officer on conspiracy and other charges is yet the latest example of when willful compliance failures can lead to jail time for executive management. The related arrest of a second company executive, the former CEO, shows that prosecutors are willing and able to reach high into the C-suite to send a message.
The stunning arrests of the former Rochester Drug Cooperative executives reflect the high stakes associated with certain kinds of control and compliance failures and, more specifically, the dangers of willfully ignoring them. Some have gone as far as characterizing this as a test case for federal authorities prosecuting drug company executives for trafficking narcotics.
Prosecutors allege that the two indicted executives were repeatedly warned that the company was dispensing dangerous opioids, such as oxycodone and fentanyl, to individuals who had no legitimate need for them. What’s more, the company made deliberate decisions “not to investigate, monitor, and report” individuals it knew were diverting controlled substances for illegitimate use, according to charging documents filed by prosecutors in the U.S. District Court Southern District of New York.
As a registered drug distributor, Rochester Drug Cooperative was required to maintain “effective control[s] against diversion of particular controlled substances into other than legitimate medical, scientific, and industrial channels,” according to the charging document. It also was responsible for reporting to the U.S. Drug Enforcement Administration (DEA) any, “orders of unusual size, orders deviating substantially from a normal pattern and orders of unusual frequency.”
While the company met the requirement to create necessary policies and controls, it is accused of ignoring numerous red flags warning that drugs were being dispensed for other than legitimate medical purposes. One of the most damning incidents cited in the charging document was a 2014 compliance consultant recommendation. The consultant urged Rochester Drug to comply with the DEA’s “know-your-customer” due diligence policy, presciently warning that, unless the company changed its practices, it would become a DEA target, “because of [its] willful blindness and deliberate ignorance.”
Assuming the information in the charging document is accurate, this case is different from other recent, high-profile governance failures in three significant ways:
This incident points to the need for internal auditors to build strong relationships across all lines within the organization, not just with their audit committees and boards.
The 2019 North American Pulse of Internal Audit, Defining Alignment in a Dynamic Risk Landscape, addresses internal audit’s involvement in information going to the board. This is an area where internal audit can improve. According to the Pulse survey, nearly 6 in 10 CAEs report that internal audit rarely or never provides assurance on the quality of information given to the board, nor does internal audit have formal discussions about the information with the board and management.
As regulators’ expectations grow about board oversight, it is imperative that we fulfill our responsibilities as internal auditors. In doing so, not only will we fulfill our missions of protecting and enhancing organizational value, but we may also be keeping officials in our organizations out of jail.
I look forward to your comments.