With few exceptions, organizations in every sector and industry face compliance risks, and those risks grow every year. This is reflected in statistics that show compliance audits account for an increasing percentage of internal audit plans.
In health care, compliance with laws and regulations is critical. Not only do compliance breaches subject health-care providers to potential fines and penalties, they are often literally a matter of life or death. I think everyone could learn something from the way cultures of compliance are built within that highly regulated industry.
The U.S. Department of Health and Human Services (HHS) oversees hundreds, if not thousands, of regulations and rules designed to make the provision of health care safe and efficient. The department’s Office of Inspector General (OIG) has published a list of seven elements for effective compliance that offers sound advice for building a strong compliance culture, regardless of the industry.
As internal auditors are increasingly called upon to assess the effectiveness of their organizations’ compliance programs, they might do well to benchmark these compliance programs against the HHS OIG’s seven elements:
- Designate a compliance officer and compliance committee. The best compliance cultures are led by highly qualified compliance officers who enjoy the strong support of their compliance committees. The OIG recommends organizations ask a series of questions to establish the health of that relationship, including: Does the compliance department have a clear, well-crafted mission? Is the department properly organized and funded? Does the compliance officer regularly report to the board and management?
- Create compliance policies and procedures, including standards of conduct. Such policies and procedures should be clearly written, relevant to day-to-day responsibilities, and designed to help employees comply while carrying out their jobs.
- Develop open lines of communication. Strong and open communication is the product of a healthy organizational culture. This should include processes for encouraging the reporting of potential fraud and abuse.
- Establish appropriate training and education. Failing to adequately train and educate staff increases the likelihood of straying from laws and regulations, no matter the industry. Internal audit should focus on the quality of trainers, the processes for keeping training up to date, and staff attitudes. With compliance training, there always is a risk of employees developing a checklist attitude toward such exercises.
- Ensure regular internal monitoring and auditing. This should go without saying, but effecting auditing and monitoring plans can identify emerging issues that can be addressed before they become major problems. This is why following up on previous findings and recommendations is critical.
- Respond to detected deficiencies. As previously mentioned, following up on findings to see how they were addressed is an important role for internal audit. Just as vital is having a clear-eyed understanding of how the organization deals with identified problems. A strong compliance culture is reflected in a consistent approach to dealing with deficiencies and developing effective plans to correct them.
- Enforce disciplinary standards. Effective compliance cultures are built around a commitment to ethical behavior. This can be quickly eroded by inconsistent disciplinary standards that send mixed signals to staff. Disciplinary standards should be clearly communicated and enforcement should be consistent and well-documented.
These seven steps offer a strong foundation for developing a healthy compliance culture. But let me offer a word of warning: While a strong compliance culture is an important goal for all organizations, internal audit functions should not fall into the trap of obsessing on compliance audits that find fault and offer no solutions.
Great internal auditors dig to find the root cause of compliance failures, then offer solutions. Stakeholders will quickly grow weary of audits that criticize and offer no way to help them improve the efficiency and effectiveness of their operations.
As always, I welcome your comments.