Conflicts of interest monitoring

Most recently, we looked at auditing for COIs.  In this post, we examine what might be called auditing’s first cousin – monitoring, and particularly monitoring for COIs.

Monitoring is a broadly used concept in the C&E world.  It can refer both to monitoring by business personnel (front-line monitoring – or what is sometimes seen as part of the “first line of defense”) and also monitoring by a compliance or risk function (the “second line of defense”).

Auditing  (the “third line of defense”) differs from monitoring in that the former  a) occurs less in “real time” and b) is more  independent than the latter.

An example of COI monitoring by businesses/first line of defense is managers reviewing employee inputs into a gifts and entertainment data base.   Another – which overlaps with the more traditional notion of an internal control – is supervisors reviewing employee T&E reimbursement requests. (In this example the review can be considered the monitoring – at least to the extent that the supervisor is looking for COI-related information.  The necessity that the supervisor approve the request before the employee can be reimbursed is the more traditional control, at least under some definitions.)

An example of the second line of defense applied to COIs (in this case, third-party ones) is the practice in the pharma industry of C&E personnel attending some of their company’s events involving health care providers, to ensure compliance with fraud and abuse standards (which are COI based).  Another instance is where the C&E function gathers and reviews information through data bases, such as for gifts and entertainment (as mentioned above), and/or through certifications.

In the above examples monitoring essentially means preventing or detecting COIs.  But monitoring – both first and second line of defense types – can also refer to managing COIs that have been disclosed and approved.  This can be essential in various highly regulated fields, such as health care, where it may be impossible/undesirable to ban all COIs but where those that are permitted to exist must be carefully watched.

While not every organization needs to have robust COI monitoring, I believe that many organizations should do more to mitigate with this sort of approach than currently do, particularly given the abundant evidence that as individuals we don’t do a good job managing our own conflicts (as this is not an area where “inner controls” – i.e., our moral sentiments – provide much of a “defense”).