Time to Test and Audit Your Compliance Program
We all enjoy citing government sources for guidance on an effective ethics and compliance program. Whether it is the United States Sentencing Guidelines, the Justice Department’s and SEC’s FCPA Guidance, Health and Human Services – Office of Inspector General, or the many other sources for guidance, companies have to test and audit their compliance programs to ensure that the program reflects the company’s changing constellation of risks and continuously improves.
As companies have scrambled to implement effective ethics and compliance programs, chief compliance officers understandably have devoted their time and energy to building out compliance programs and controls. These basic tasks have included, for example, updating risk assessments; adopting and revising compliance policies and controls; tailoring training to specific risks and audiences; adopting and implementing due diligence systems; updating and expanding internal investigations procedures; and ensuring that basic speak-up culture messages are communicated throughout the organization. Even this partial list shows that CCOs face a mountain of responsibilities and compliance tasks.
Government expectations for effective ethics and compliance programs are not standing still. To the contrary, prosecutors and regulators expect that the message of compliance has been heard and followed from the corporate boardroom, through the C-Suite, and ultimately by the CCO. As a consequence, CCOs have to take on a significant additional responsibility: to test and audit the company's ethics and compliance program, and to report the results to senior management and the board of directors.
The board and senior management have a responsibility to oversee and monitor the company's ethics and compliance program. To do so, they have to learn how the program is actually performing. Such testing has to include objective, data-based measurements as well as qualitative assessments of key compliance functions.
In order to test and audit a compliance program, a CCO should define the project and address key issues:
- Time frame
- Geographic areas
- Culture measurements (and possible surveys)
- Specific controls to test
- Documents to review
- Interviews (including focus groups)
- Internal investigations sampling
- Training program
I will discuss a few of these:
Culture Measurements: A testing review of a compliance program has to include an assessment of the company's culture. This is one of the two most important areas to assess: the company's culture and its overall adherence to its controls. A positive ethical culture is a company's most important and effective control against violations of its code of conduct or the law. Further, a company with an ethical culture is likely to perform better over the long run than a company without one. For this reason, the assessment has to measure and report on the company's overall culture.
A culture assessment provides an important baseline against which future testing and focused testing of specific regions, divisions, and products can be conducted. A baseline culture assessment gives the company an important view on its overall values and whether those values are embraced and understood by the rank and file within the company.
Compliance Controls: A meaningful testing program has to develop data and performance measurements for each of its controls. To accomplish this task, the CCO has to examine each compliance control, identify its requirements, develop a sampling approach, and define review criteria for each control. Sampling is often the most effective way to test a compliance program given the sheer number of compliance transactions that can occur within a large organization. Under the sampling strategy, the CCO reviews each sampled transaction and applies the same standard to every one. In the end, a compliance rate can be computed for each control from the sampled transactions. Two cautions apply: the sample has to be drawn from the full population of transactions for that control (not just the ones that are easy to find), and the resulting rate is an estimate whose precision depends on the sample size, so small samples should be read as indicative rather than definitive. Every exception found in the sample should also be traced back to its cause, since a pattern of exceptions often matters more than the raw rate.
I am often asked whether a compliance department can audit its own program, given the apparent conflict of interest. Assuming that the compliance function has sufficient resources to conduct the audit, there is no reason to prevent such a review so long as it is done transparently and fully documented. Obviously, if Internal Audit has the time and resources to conduct an assessment, the CCO can work closely with Internal Audit to develop a testing protocol. An independent test and audit process is also valuable as a means to ensure consistency and to provide insights that reflect best practices and industry benchmarks.