Risk Sampling: The Key to a Successful Audit and Monitoring Program
Companies are always trying to do more with less. Senior executives will spend hours designing policies and programs to stretch dollars and resources and to reduce costs. Committees are established for such research projects, consultants are brought in, and solutions are reviewed and eventually implemented.
Senior managers could reduce the time, expense and angst involved in this process by simply applying common sense. Companies waste inordinate amounts of money justifying what they already want, or have already decided, to do. It is a colossal waste of time and effort.
Senior managers also ignore stakeholders inside the company who could assist them in these projects – most especially the Chief Compliance Officer. For years, CCOs have developed what I call “efficiency skills,” or doing more with less. In carrying out their own programs, CCOs have learned how to allocate limited resources, redesign policies and procedures, and develop lower-cost alternatives, in order to maintain a compliance program that can still detect and prevent violations of law and of compliance policies.
One area that CCOs have pioneered is the area of graduated monitoring systems. CCOs have to monitor their compliance program and they have to do so with limited resources, often cajoling audit staff, legal staff and others to assist in the process. A graduated monitoring program is built on several assumptions – (1) not every compliance activity can be monitored; (2) resources are limited; (3) audits and sampling techniques should be used to maximize information to identify potential risk areas.
With the assistance of internal auditors, CCOs can develop a graduated risk monitoring program by calculating specific risk factors for each activity. For example, distributors and third party agents can be risk-ranked by assigning a risk factor to each one (country risk, government touchpoints, commission levels, and so on). Once that is done, and depending on the resources available, a specific monitoring technique can be assigned to each distributor or agent so that each receives some kind of “audit.”
The term “audit” here covers a range of monitoring techniques, from a formal “boots-on-the-ground” audit at one extreme to an employee survey at the other. In between lies a range of “sampling” programs which can be used to gather information, examine an issue or issues, and then reach a risk indication.
Risk sampling is an essential part of any audit and monitoring program because it allows a CCO to spread limited resources across low-cost sampling programs. For example, a sample of transactions can be reviewed to determine whether there are any red flags; a sample of third party agent contracts in a high-risk country can be reviewed to determine whether adequate anti-corruption compliance warranties, certifications and payment terms are included; and a sample of distributors can be checked simply for whether each has a written contract and has participated in training programs.
Each of these examples demonstrates the principle behind risk sampling: important information can be gathered at low cost, since sampling is cheaper than a full audit or a review of every contract in a specific country or region.
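To make the graduated approach concrete, here is a small Python example, added to this post and not taken from any company's program, that risk-ranks a set of third parties and then spends a fixed monitoring budget from the highest-risk tier down, assigning an on-site audit, a transaction sample or a survey to each party. The third parties, the scoring weights, the tier thresholds and the cost of each technique in audit-days are all assumed for illustration; a real program would calibrate them with internal audit. Within a tier the selection order is a seeded shuffle, so the choice of who gets sampled is random but can be reproduced later for the audit file.

```python
import random
from dataclasses import dataclass


@dataclass
class ThirdParty:
    name: str
    country_risk: int          # 1 (low) .. 5 (high); e.g. derived from a corruption perception index
    gov_interaction: bool      # deals with government customers or officials
    commission_pct: float      # agent commission; unusually high rates are a red flag
    has_written_contract: bool
    trained_this_year: bool


def risk_score(tp: ThirdParty) -> int:
    """Weighted risk factor for one third party. Weights are assumed, not a standard."""
    score = 3 * tp.country_risk            # 3..15
    if tp.gov_interaction:
        score += 20
    if tp.commission_pct > 10.0:
        score += 15
    elif tp.commission_pct > 5.0:
        score += 6
    if not tp.has_written_contract:
        score += 10
    if not tp.trained_this_year:
        score += 5
    return score


def tier(score: int) -> str:
    """Map a score onto the graduated ladder (thresholds assumed)."""
    if score >= 40:
        return "high"
    if score >= 20:
        return "medium"
    return "low"


# Monitoring technique per tier and its assumed cost in audit-days.
TECHNIQUE = {"high": "on-site audit", "medium": "transaction sample", "low": "survey"}
COST = {"high": 10, "medium": 3, "low": 1}


def plan_monitoring(parties, budget_days, seed=2024):
    """Return (plan, deferred).

    plan maps party name -> technique; deferred lists parties the budget could not
    cover, highest tier first, so the coverage gap is visible rather than silent.
    Tiers are spent top down; within a tier the order is a seeded shuffle.
    """
    rng = random.Random(seed)
    by_tier = {"high": [], "medium": [], "low": []}
    for tp in parties:
        by_tier[tier(risk_score(tp))].append(tp)

    plan, deferred = {}, []
    remaining = budget_days
    for t in ("high", "medium", "low"):
        group = sorted(by_tier[t], key=lambda p: p.name)   # fixed order before shuffling
        rng.shuffle(group)                                 # reproducible random selection
        for tp in group:
            if COST[t] <= remaining:
                plan[tp.name] = TECHNIQUE[t]
                remaining -= COST[t]
            else:
                deferred.append(tp.name)
    return plan, deferred


# Constructed sample data; these are not real companies.
SAMPLE_PARTIES = [
    ThirdParty("Alpha Ltd", 5, True, 15.0, True, True),    # 15+20+15 = 50 -> high
    ThirdParty("Beta SA", 4, False, 8.0, False, False),    # 12+6+10+5 = 33 -> medium
    ThirdParty("Gamma GmbH", 2, False, 4.0, True, True),   # 6 -> low
    ThirdParty("Delta Inc", 3, True, 3.0, True, False),    # 9+20+5 = 34 -> medium
    ThirdParty("Epsilon Co", 1, False, 6.0, True, True),   # 3+6 = 9 -> low
]


if __name__ == "__main__":
    for days in (18, 12, 5):
        plan, deferred = plan_monitoring(SAMPLE_PARTIES, days)
        print(f"budget {days} audit-days: {plan}; deferred: {deferred}")
```

With 18 audit-days every party is covered; with 12 the high-risk party is audited and the low tier is surveyed, but both medium-risk parties are deferred; with 5 the plan cannot even afford the on-site audit, and "Alpha Ltd" appears at the head of the deferred list, which is exactly the gap a CCO needs to escalate rather than hide.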
The principle of risk-ranking and sampling can be applied to any area where verification of information matters, such as training programs, gifts, meals and entertainment procedures, or employee certifications. It is an important technique for stretching compliance dollars while bringing in valuable information to inform the company’s compliance program.