The Importance of Compliance Program Audits
Chief compliance officers spend a significant amount of time comparing their compliance programs with other companies’ programs. CCOs often find solace when benchmarking their respective programs against other companies’ programs. I often refer to “benchmarking” as a process designed to reduce anxiety.
CCOs need feedback on their efforts. CCOs want to know where they stand and develop priorities for initiatives. So where should CCOs turn?
As a profession, CCOs are willing to share information, techniques and strategies with each other. Unlike other professions, compliance officers are cooperative and very helpful to each other. CCOs should take advantage of the ability to share with other professionals, and use such information to provide some feedback or context for their own program.
Rather than spending so much time on “benchmarking,” and comparing themselves to industry or professional standards, CCOs should focus more attention on conducting self-assessments, reviews and audits. By relying on internal compliance audits, CCOs will quickly identify issues that need to be addressed. To carry this process out, CCOs need to create their own internal review process.
Most CCOs rely on internal audit to check compliance issues while conducting specific audit projects. While helpful, using the piggyback strategy is not a very effective approach. CCOs need to jettison their reliance on internal audit, and expand their own operation to include compliance reviews.
An audit program for the compliance program should be developed each year. Such a program allows the CCO to identify and manage program priorities, learn about potential weaknesses, and develop a continuous process. In conducting such audits, compliance officers should rely on risk-ranking, sampling and transaction testing to leverage existing resources and conduct as many compliance audits as possible.
Where appropriate, compliance reviews can be coordinated with internal audit. In these situations, a joint compliance and financial audit is ideal. Compliance reviews can also be conducted remotely, although on-site audits are preferable. Some compliance audits can therefore be conducted remotely and some in coordination with internal audit. This underscores the need for CCOs and internal audit to coordinate on their priorities and activities.
Compliance program audits can be organized and scheduled on a continuous basis. Relevant findings can be addressed and the schedule adjusted based on identified issues. Compliance reviews can be focused on specific geographic operations or functions such as third-party due diligence and contracting.
Compliance program audits provide important metrics that can be used as a basis to report to senior management and the board. A CCO can learn valuable information by comparing audit data from one year to another. This information, in turn, provides relevant data for assessing the compliance program.
To the extent a CCO cannot secure resources needed to conduct such audit programs, CCOs have contracted with outside consultants and law firms to audit their compliance program. While such audits are helpful, a CCO should seek to develop a consistent, in-house approach, using internal resources.
An effective compliance program requires comprehensive assessments, audits and reviews. CCOs know they are required to satisfy this basic requirement. Whether CCOs use internal resources or rely on outside providers, CCOs need to attend to this issue and develop more robust strategies rather than the piggyback approach using internal audit resources.