Sampling as a Compliance Strategy
In the technology age in which we live, CCOs often come face to face with a new phenomenon – too much information or data. TMI is not something to laugh at nor ignore. CCOs often face situations where they need to understand what is occurring through a monitoring or audit function. In those cases, CCOs have to decide whether it is worth the cost in money and/or resources (e.g. personnel, time) to review every piece of information to see if some event or trend can be discerned.
Luckily, there is a less burdensome way to solve this problem. It is a well-understood concept – sampling. Even when I took a basic statistics class and learned about sampling, it was easy to see why this would be a good solution — less time, less work and relevant results.
The concept of sampling is a practical solution to many difficult issues that come up for CCOs in managing a compliance program.
For example, a company may identify through risk-ranking the ten riskiest third party agents working on behalf of the company. In order to monitor the conduct of the third parties, the company does not have the resources to conduct full financial audits of each of the ten agents. Hence, the CCO faces a dilemma — limited resources dilemma and thinned to review a large amount of transactional data.
Working with the audit group (internal or external resources), the CCO may develop an auditing plan for the third parties based on the risk ranking and relying on sampling of transactions. In other words, the CCO may leverage the limited resources to identify potential red flags and areas for follow up. The sampling of third party transactions does not eliminate risk but it is completely justified based on the set amount of resources allocated to the CCO and internal audit for monitoring and auditing risky third party conduct.
A company should document its consideration and review of a sampling audit strategy. It is a proactive and highly effective means to leverage limited resources and maximize compliance protection.
A sampling strategy can be used in a variety of settings beyond financial situations. Consider another scenario – a company has a large number, in the thousands, of third party intermediaries. The company wants to know how many third parties have written contracts and how many have anti-corruption contractual provisions. Assuming there is no east data sorting or analytical capability to search all of these relationships, the CCO may face a dilemma. How does the CCO get insight into the frequency with which third parties are operating without a written contract or anti-corruption contractual provisions?
To develop data on this issue, the CCO should consider taking a manageable sample of third parties that reflects the overall third party population (e.g. country, type, amount of revenue or money involved) and collect data on the key issues. While this sounds fairly obvious, the sampling strategy can bring insight into a number of questions across the company where a data point would be very helpful in prioritizing competing issues and tasks.
Technology is the future of compliance. Data analytics will be the key function in compliance. CCOs will rely on data analytics to identify trends and prioritize compliance resources.
In reality, however, most organizations cannot afford expensive data analytic programs nor do they even have the capability to collect, much less analyze, internal data. Most companies have the ability to collect data concerning its financial operations. However, few companies have the ability to analyze the data in meaningful ways to support the corporate compliance function. In those situations, a CCO has to rely on creative sampling inquiries to gain the insights needed to direct the compliance function.