Case Study: CVS Opioid

Instructions on CVS Opioid Case Study Topic

Write a report that address the five areas below. Use a word document, double space, include title, headings, and bibliography; use times new roman 12 point font). Address the report to the chair of the audit committee. You may use items in the

module plus other articles and documents. Answer fully but be succinct. Make sure the document reads seamlessly.

1. Research and write a summary what went on in the US with the explosive growth of opioids in the United States that eventually led to an opioid crisis being declared. Consult the following sources:

The following may be useful also for later parts to the assignment. Note the complaint and the attachments linked in the following Justice Department report.

Consider in these reading the following: how the mix of prescriptions ordered by doctors changed, who was writing the prescriptions, the dosage and frequency of the prescriptions, geographic regions that were affected more than others.

2. Based on your understanding of the facts in the opioid crisis, what impact would you expect to see at the pharmacy level? For example: Which pharmacies would have greater opioid volume? Were the dosages being prescribed suspicious?

Would people filling the prescriptions notice anything suspicious and if so what might they notice? What inventory records might show unusual volumes of transactions. Think about things that were going for which you might be able to collect data.

3. While law enforcement was likely made aware of the problem by dramatic increase in overdose deaths, the pharmacies must have been aware that something was going on. With hindsight of what went on, what type of data analytics (assuming

appropriate data was collected) might point to a problem to someone at CVS who might be monitoring compliance. Identify 10 types of analytics you might use to pick up on patterns of abuse if you had been in the compliance office looking for

potential violations of Drug Enforcement laws.

4. Comment on the governance structures that apparently failed in the Opioid case (think about monitoring, compliance, risk assessment, etc).

5. Based on what should have been learned in the CVS Meth case, what governance structures should CVS put in place to have avoided the $5 billion fine regarding excessive opioid prescriptions? This is in addition to what you identify in step 3.

Think about board level controls, internal audit, whistleblower complaints, what HR knew, what sales data showed, known risks mentioned in the 10-K, the role of the people who ensure compliance with laws and regulations, and the risk assessment process. There may be other

areas you may wish to include.

Recall from COSO that controls are not just related to financial reporting but also relate to compliance with laws and regulations and effectiveness and efficiency of operations.

The analysis should follow a logical progression from Step 2 through Step 4, clearly showing how each step builds on the previous one.

Step 2 should focus on identifying risks and operational weaknesses and should directly inform Step 3. This step should identify key red flags related to opioid distribution, including unusually high prescription volumes, significant increases in orders of controlled substances, and repeated internal complaints from pharmacists. These issues should be treated as enterprise-level risks involving regulatory compliance, public safety, and reputational exposure, not merely store-level concerns.

Step 3 involves analyzing data aberrations. Prescription data, inventory records, and purchasing trends should be examined to identify abnormal patterns, such as sudden spikes in opioid orders or purchasing activity that deviates from historical norms. Inventory, sales, and procurement personnel should have recognized that controlled substance orders were increasing at an unusual rate and questioned why these increases were occurring. Given the regulated nature of opioids, these anomalies should have been escalated through compliance and risk management channels. The failure to act on these warning signs indicates weaknesses in internal controls and risk response processes.

Part 4 requires consideration of ongoing monitoring and risk assessment. Continuous monitoring mechanisms should be in place to reassess opioid-related risks as conditions change. This includes regular compliance reviews, internal audits, and trend analyses focused on controlled substances. A structured risk assessment process, such as one aligned with the COSO Enterprise Risk Management framework, should be used to evaluate whether existing controls remain effective and to adjust them as risk levels increase.

In addition to operational controls, governance and oversight structures must be addressed. At the board level, there should be strong oversight of risk and compliance related to opioid distribution, including clear accountability and regular reporting to the board or relevant committees. Whistleblower complaints should be taken seriously and used as indicators of potential risk. Pharmacists reportedly raised concerns about excessive opioid prescriptions, raising questions about what Human Resources knew, when they knew it, and whether those concerns were escalated appropriately.

The role of compliance personnel should also be evaluated. Those responsible for ensuring regulatory compliance should have identified opioid distribution as a high-risk area and implemented enhanced controls. Gaps in oversight suggest deficiencies in the organizations risk assessment and internal governance framework.

Finally, the analysis should be placed in broader industry context by referencing cases such as Purdue Pharma, which demonstrate how failures in governance, risk oversight, and response to warning signs across the supply chain contributed to the opioid crisis. While Purdue operated upstream, CVS played a critical gatekeeping role at the retail level, making effective monitoring and compliance essential.

MAKE SURE YOU READ ALL THE FILES. NO PLAGARISM ALLOWED. NO AI.