Why Compliance Audits Are Non-Negotiable

March 25, 2025

In today’s heightened enforcement environment, compliance auditing isn’t just a best practice—it’s a necessity. Federal and state laws and industry guidance, including the Office of Inspector General (OIG) Compliance Program Guidance (CPG), emphasize the importance of auditing and monitoring compliance programs. Some states, such as Massachusetts and Nevada, even require compliance officers to certify that audits have been performed.

Beyond legal obligations, compliance auditing is essential for proactively identifying and mitigating risks before they escalate into enforcement actions. Recent government investigations and settlements highlight that companies failing to conduct thorough audits—and detect compliance issues before a whistleblower does—face significant financial penalties, reputational harm, and even criminal liability.

Compliance Auditing: A Key Pillar of an Effective Compliance Program

The OIG’s Compliance Program Guidance (CPG) outlines seven essential elements of an effective compliance program, with auditing and monitoring serving as a core component. These activities help companies: detect and prevent fraud, waste, and abuse; assess compliance with internal policies and applicable laws; identify and mitigate emerging risks; and strengthen internal controls while promoting a culture of compliance.

Auditing vs. Monitoring: Understanding the Difference

While both auditing and monitoring play a role in compliance oversight, they serve distinct functions:

  • Auditing: A structured, periodic review of company practices against legal and regulatory standards. Typically conducted under attorney-client privilege, audits assess whether policies and procedures are followed and identify gaps needing remediation.
  • Monitoring: An ongoing, real-time compliance oversight process. Monitoring includes day-to-day compliance management, hotline report reviews, periodic compliance committee meetings, and direct oversight of high-risk activities such as healthcare professional (HCP) interactions.

What Should Be Audited? A Risk-Based Approach

Audit topics should be selected using a risk-based approach tailored to the organization's industry, business model, operational practices, and regulatory environment. Companies should prioritize auditing the topics of highest compliance risk by considering factors such as recent enforcement action trends, internal compliance assessments, government scrutiny, and known vulnerabilities in their operations.

Recent Enforcement Actions: Key Lessons for Compliance

Recent settlements highlight key risk areas that should be prioritized in audits:

  • Pfizer (January 2025): Pfizer Inc. and its subsidiary Biohaven Pharmaceutical Holding Company Ltd. agreed to pay nearly $60 million to settle False Claims Act and Anti-Kickback Statute allegations. The settlement highlighted problematic speaker program practices, including excessive payments, inappropriate attendees, lavish meals, and repeat attendance by the same HCPs. Read our previous alert on this settlement here.
  • Teva Pharmaceuticals (October 2024): Teva agreed to pay $450 million to settle allegations that it used charities to cover Medicare patients’ out-of-pocket drug costs, which prosecutors deemed an illegal kickback scheme to boost drug sales.
  • Innovasis (May 2024): Innovasis and two senior executives paid $12 million to settle Anti-Kickback Statute (AKS) allegations related to improper consulting fees, intellectual property acquisition without valuation, licensing fees, performance shares, and lavish trips. Read our previous alert on this settlement here.
  • Endo Health Solutions (May 2024): The company settled for $1.086 billion in criminal fines and $450 million in criminal forfeiture, admitting to falsely marketing its opioid drug as abuse-deterrent without clinical data or FDA approval.

Key Compliance Audit Focus Areas:

Manufacturers should prioritize the following areas in their audits:

  • Speaker Programs: Ensure compliance with the Anti-Kickback Statute and industry codes like PhRMA and AdvaMed.
  • HCP Consulting Arrangements: Verify fair market value (FMV) compensation and adherence to contractual requirements to prevent overpayments.
  • Meals and Entertainment: Assess compliance with federal and state gift ban laws. Luxury trips and lavish meals remain hot enforcement topics.
  • Promotional Materials and Social Media: Review marketing and promotional content for regulatory compliance.
  • Discounts, Rebates, and Free Products: Confirm proper structuring to comply with the Discount Safe Harbor to the Anti-Kickback Statute.
  • Transparency Reporting: Validate accuracy of Sunshine Act reporting and state law disclosures.
  • Privacy Compliance: Assess compliance with HIPAA and other applicable data protection regulations.
  • Research and Grants: Confirm compliance with internal policies and external regulations.
  • Patient Assistance Programs & Charitable Foundations: Ensure these programs meet compliance standards to avoid anti-kickback scrutiny.
  • Cybersecurity Compliance: Recognized as a False Claims Act risk area, requiring companies to assess vulnerabilities.
  • Billing Practices: Identify improper billing, lack of medical necessity, and unnecessary services.

Overcoming Barriers to Auditing

Many manufacturers hesitate to conduct audits due to concerns about resource constraints, potential findings, or fear of uncovering noncompliance. However, failing to audit is a riskier strategy. Regulators and whistleblowers are increasingly scrutinizing compliance lapses, and noncompliance can lead to severe legal and financial repercussions. A proactive approach—dedicating appropriate resources to auditing and monitoring—helps companies address issues internally before they escalate into government investigations. Take it from Gardner Law partner Amanda Johnston:

“Too often, audits are viewed as a burden or a box to check. But when done right, they’re incredibly valuable. They surface blind spots, validate what’s working, and give companies a roadmap to strengthen operations and mitigate future risk. Over time, regular auditing makes compliance more sustainable and less reactive—because it becomes part of how the business runs, not just a legal requirement.”

How Gardner Law Can Help

Gardner Law can assist in conducting compliance audits, advising on audit structure and scope, and providing a comprehensive compliance risk assessment tailored to your company’s specific needs. For guidance on developing a risk-based auditing program that enhances compliance and mitigates regulatory exposure, contact Gardner Law.