Beyond Paperwork: Assessing the Effectiveness of a Compliance Program

June 21, 2023

Compliance Image - Amanda Session

by Amanda Johnston, J.D., R.A.C.

In the world of FDA-regulated companies, compliance with regulatory requirements is not just a matter of paperwork. It is a critical aspect that can significantly impact mergers and acquisitions (M&A) and the overall success of your business. In this alert, we delve into the importance of healthcare compliance in M&A for FDA-regulated companies and provide key insights on evaluating the effectiveness of a compliance program.

Click below to see an on-demand webinar on this topic at Gardner Law's Navigating the M&A Waters of FDA-Regulated Companies program.


Why is compliance important in M&A due diligence?

Potential for post-close enforcement and litigation

Compliance gaps within the acquired company may have severe consequences for the acquiring company, even if they were not involved in non-compliant activities. Such gaps can result in enforcement actions, legal disputes, and other consequences, including financial penalties and reputational damage. Thoroughly assessing the compliance posture of the target company during due diligence becomes crucial to mitigate these risks.

Impact on valuation and risk allocation

Compliance program gaps or risks can directly impact the valuation of an M&A deal. Identifying compliance issues allows for adjustments to be made to account for remediation efforts, ensuring a fair valuation. Moreover, compliance weaknesses may influence the allocation of risks between the acquiring and acquired companies. Proper due diligence is essential to identify and evaluate these risks, protecting the deal's value and ensuring an equitable risk allocation.

Post-close remediation costs

Compliance deficiencies identified post-close can lead to unexpected costs to remediate and strengthen the compliance program. These costs may involve implementing new policies, conducting training programs, enhancing monitoring and reporting systems, or even self-reporting and voluntary disclosure. Taking proactive steps to address compliance during due diligence helps mitigate the risk of incurring post-close remediation costs.

How can one accurately ascertain the effectiveness of a company's compliance program?

4 key inquiries to assess compliance program effectiveness in due diligence

When time constraints may prevent a thorough examination of a company's compliance program, we recommend focusing on key inquiries that can provide valuable insights into its effectiveness. It is important to note that these questions are not foolproof methods for determining a company's compliance status. While ensuring proper documentation and adherence to regulatory requirements remains essential, the responses to these inquiries may serve as reliable indicators of a company's compliance program.

1.  Review the last 2 years of Compliance Committee Meeting Minutes and related materials.

  • Reviewing the Compliance Committee's meeting minutes and related materials offers valuable insights into the company's compliance efforts, areas of concern, and actions to address compliance issues. Some key details to pay attention to include:
    • Format: Pay attention to the structure and organization of the committee materials, ensuring they provide clear and comprehensive information.
    • Meeting cadence/frequency: Determine how often the compliance committee meets to address compliance matters, as regular and consistent meetings demonstrate a commitment to compliance oversight.
    • Substantive discussions: Look for evidence of in-depth and substantive discussions on compliance issues, indicating a proactive approach to addressing and resolving compliance challenges.

2.   Inquire about what triggers the need for a compliance audit, and what the company does with the results.

  • The company's response to this question tells a lot about the maturity of its compliance program. Understanding the circumstances that prompt compliance audits and how the company responds to audit findings demonstrates its commitment to identifying and rectifying compliance gaps. Some key details to pay attention to include:
    • Plans: Evaluate whether the target company has established plans or protocols that dictate when a compliance audit should be conducted, such as on a scheduled basis or in response to specific events.
    • Auditor(s): Identify the individuals or teams responsible for conducting the compliance audit, ensuring they possess the necessary expertise and independence.
    • Outside counsel involvement: Assess whether outside counsel is utilized to provide legal expertise and guidance on audit topics and during the compliance audit.

3.   Inquire about what triggers a compliance investigation, and what the company does after the investigation is completed.

  • Exploring the circumstances that trigger compliance investigations reveals the company's responsiveness to potential misconduct and dedication to ensuring compliance. Some key details to pay attention to include:
    • Process: Evaluate the procedures and protocols for initiating and conducting a compliance investigation, ensuring a thorough and systematic approach.
    • Privilege: Determine whether compliance investigations are conducted under attorney-client privilege. Inquire about the involvement of legal counsel in the compliance investigation process, ensuring appropriate protection of sensitive information and legal privileges.
    • Decision-makers: Identify the key individuals or stakeholders responsible for making decisions regarding the initiation and direction of compliance investigations, ensuring their authority and expertise in the matter.

4.   Inquire about how the company's risk assessment process feeds into its compliance program.

  • Examining how the company's risk assessment process integrates with its compliance program demonstrates the alignment between identified risks and implemented controls, enabling a comprehensive compliance strategy. Some details to pay attention to include:
    • Knowledge of applicable compliance risk areas: Assess the target company's understanding of the specific compliance risks relevant to its industry and operations.
    • Process: Evaluate the methodology and procedures used by the company to identify and assess compliance risks.
    • Follow-up: Inquire about the actions taken based on the risk assessment findings, including the implementation of controls and mitigation strategies


A special note on compliance risk assessments...

The risk assessment is an often-forgotten, yet foundational, component of an effective compliance program. The risk assessment process is vital in ensuring that the company's compliance program is targeted, proactive, and responsive to the specific compliance risks it faces. It allows for a more efficient allocation of resources and helps drive a comprehensive and effective compliance program.

Navigating the risk assessment process can be a daunting task, and it's understandable to feel overwhelmed and unsure of where to begin. We can help you navigate this critical aspect of your compliance program.

Whether you have questions or need assistance with your compliance program, regardless of your current engagement in due diligence activities, our experienced team is here to support you.

Contact us to ensure your compliance program is robust, effective, and ready to meet the challenges of the healthcare industry.

Contact Us

Information provided on this website is not legal advice. Communications sent to or from this site do not establish an attorney-client relationship. © 2023 Gardner Law. All Rights Reserved.