Auditing and Monitoring for Conflicts of Interest Compliance

Rebecca Walker

Given the personal nature of many conflicts of interest (COIs or conflicts) and the reliance that most companies necessarily place on proactive disclosure of conflicts, auditing and monitoring in this area can be challenging. I recall giving a speech on conflicts of interest at an SCCE Compliance and Ethics Institute years ago, where one of the attendees accused me of “punting” when I answered his question on how to audit for compliance with a COI policy. The truth is that it’s really tough. However, it’s not impossible.

There are two primary ways to audit for compliance with COI policies: auditing for the implementation of the conflicts of interest program (which I refer to as “Process Auditing,” and which the CEI attendee referred to as “punting”) and auditing for compliance with the requirements of the COI policy (which I refer to as “Policy Auditing”). Below is a short discussion of both Process and Policy Auditing and of COI monitoring techniques.

Process Auditing

Process auditing involves testing the components of the conflicts compliance program to ensure they are deployed and implemented as intended. Various means of auditing COI compliance programs include:

  1. Review of whether COI disclosures are appropriately documented, reviewed, managed, and retained.
  2. Review of whether those controls developed to manage disclosed COIs are appropriate, consistent, compliant with company guidelines, and followed by relevant employees. This type of review would likely involve reviewing documentation related to COI disclosures and the controls created to manage COIs, as well as interviewing relevant employees.
  3. Review of whether the conflicts of interest policies and standards of conduct are communicated and available to all employees, including new hires, and to relevant third parties, as contemplated by the COI program. This could include reviewing documentation reflecting dissemination of the COI policy and/or certifications attesting to receipt and review. Additionally, it may be helpful to test the imposition of consequences for failing to complete conflicts certifications, including whether any disciplinary or other action was taken.
  4. Review of whether employees have attended/completed any required conflicts of interest or related training as well as required general compliance training. If training includes testing, the auditor could also review the test results as part of an assessment of the efficacy of training. In addition, the auditor can review the consequences of failure to complete required training.
  5. Review of whether conflicts of interest policies and standards are otherwise communicated to employees as and to the extent contemplated by the compliance program. Where organizations have compliance communications plans, the auditor can review whether communications regarding the conflicts policy were disseminated as planned.
  6. Review of whether employees are aware of individuals and other resources within the company to disclose COIs or ask questions regarding potential COIs. This could be achieved through employee interviews and/or surveys.
  7. Review of whether employees understand the company’s COI policies and standards. This could be achieved through employee interviews. In addition, if the company’s conflicts training includes testing, the results can be indicative of the extent to which employees understand the company’s standards.

Policy Auditing

A conceptually distinct (but related) category of COI auditing, Policy Auditing, consists of auditing for substantive violations of the company’s conflicts of interest rules. This may involve, for example, review for the existence of undisclosed financial or personal relationships between employees and the company’s customers or suppliers; receipt of inappropriate or excessive gifts or entertainment; or the undisclosed employment of relatives or romantic relationships in a reporting line.

This category of COI auditing can include:

  1. Data analytics of information such as physical addresses, email addresses, telephone numbers, company registration numbers, bank account numbers, and other relevant areas to identify undisclosed connections and relationships between employees and/or suppliers and/or other third parties.
  2. Data analytics of information such as supplier use, (anomalies in) background checking, invoice numbers, and payment inconsistencies.
  3. Use of tools such as Benford’s Law to detect hidden patterns and anomalies. Benford’s Law is a statistical tool that can reveal inconsistencies in the expected numerical distribution of digits in data sets. It can be used to detect conflicts of interest by analyzing financial records and other datasets for unusual digit patterns.
  4. Requesting that third parties disclose information regarding COIs involving company employees. Review of such disclosures may also reveal anomalies that are instructive.
  5. Asking employees (e.g., during site visits) about any undisclosed conflicts of interest.
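
Items 1 and 3 above, as an added Python example that is not part of the original article: it matches normalized phone numbers, bank accounts and addresses between employee and vendor records, and computes a chi-square statistic of invoice leading digits against Benford's Law. The field names, the sample records and the 5% significance threshold are assumptions made for illustration.

```python
import math
import re
from collections import Counter

def normalize(field, value):
    """Canonicalize an identifier so formatting differences do not hide a match."""
    v = value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", v)                # digits only
    if field == "bank_account":
        return re.sub(r"[^a-z0-9]", "", v)         # drop spaces and dashes
    v = re.sub(r"\b(street|str)\b", "st", re.sub(r"[^\w\s]", "", v))
    return re.sub(r"\s+", " ", v)

def shared_attributes(employees, vendors, fields=("phone", "bank_account", "address")):
    """Return sorted (employee_id, vendor_id, field) for each identifier both share."""
    hits = []
    for field in fields:
        index = {}
        for e in employees:
            key = normalize(field, e.get(field, ""))
            if key:                                # skip records missing this field
                index.setdefault(key, []).append(e["id"])
        for v in vendors:
            for emp_id in index.get(normalize(field, v.get(field, "")), []):
                hits.append((emp_id, v["id"], field))
    return sorted(hits)

CHI2_CRITICAL = 15.507  # chi-square critical value, 8 degrees of freedom, 5% level
def benford_chi2(amounts):
    """Chi-square of leading digits against Benford's expected frequencies."""
    digits = [int(f"{abs(a):e}"[0]) for a in amounts if a]
    if not digits:
        return 0.0
    counts, n = Counter(digits), len(digits)
    expected = {d: n * math.log10(1 + 1 / d) for d in range(1, 10)}
    return sum((counts[d] - expected[d]) ** 2 / expected[d] for d in range(1, 10))

# Constructed sample records, not real data.
EMPLOYEES = [{"id": "E100", "bank_account": "GB00-TEST-0000-1111", "address": "12 Elm Street, Springfield"},
             {"id": "E200", "phone": "(555) 010-3000", "address": "9 Oak Avenue"}]
VENDORS = [{"id": "V1", "phone": "555.010.9999", "bank_account": "gb00 test 0000 1111"},
           {"id": "V2", "phone": "555 010 3000", "address": "12 ELM ST. SPRINGFIELD"}]
BROAD = [2 ** k for k in range(100)]          # amounts spanning many magnitudes
CLUSTERED = [4900 + k for k in range(100)]    # amounts all just under 5,000

if __name__ == "__main__":
    print(shared_attributes(EMPLOYEES, VENDORS))
    print(benford_chi2(BROAD) > CHI2_CRITICAL, benford_chi2(CLUSTERED) > CHI2_CRITICAL)
```

A shared identifier or a statistic above the critical value is a lead for follow-up review, not evidence of a violation; small or naturally bounded data sets (fixed fees, capped expenses) deviate from Benford's Law for benign reasons.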

This list feels unsatisfactory to me. (A punt, perhaps!) There is undoubtedly much more that can be done in the area of Policy Auditing. I would be very interested to hear from readers if you have other thoughts on how one might audit for compliance with the COI policy.

Monitoring

Monitoring for potential violations of a conflicts of interest policy can facilitate detecting violations at an early stage. Some potential means of monitoring include:

  1. Monitoring email and other forms of communication for keywords or patterns suggesting a conflict of interest, such as undisclosed business relationships or favoritism.
  2. Building notification triggers into the expense review and gifts and entertainment disclosure systems when limits are exceeded.

Considerations

Given the personal nature of conflicts of interest, the use of auditing and monitoring techniques can be quite intrusive and may not always be efficient. It is therefore crucial to thoughtfully weigh the advantages of these methods against their possible drawbacks.

If you have other ideas on effective COI auditing and monitoring techniques, please share!
