Internal Testing and Monitoring of a Compliance Program
Compliance is a dynamic subject and a profession that “never sits still.” Compliance professionals are always developing new ideas, strategies and approaches to solve problems, and increase efficiency and effectiveness. It is a fast-growing profession that is quickly gaining greater acceptance as a critical member of the corporate governance team.
As compliance gains a greater foothold, compliance professionals hopefully will gain access to increased resources. It is a critical issue that companies have to monitor to ensure that the compliance function is not strangled or restricted in effectiveness by lack of resources.
In those companies committed to ethics and compliance, I have observed increasing interest in creating a self-monitoring and review function internal to the compliance function. It is a welcome idea and has the potential to increase the ability of a company to assess, monitor and improve their compliance programs.
Many companies depend on internal audit and outside consultants/law firms (such as The Volkov Law Group (here)) to test, assess and evaluate their compliance programs. Internal audit functions, however, are usually stretched thin and rarely, if ever, have adequate opportunities to conduct a wholesale review of a company’s compliance program. In most cases, an internal audit function can review a specific office’s adherence to the ethics and compliance program.
To the extent that companies rely on outside law firms/consultants to conduct ethics and compliance program evaluations, these reviews rarely provide ongoing monitoring and usually are conducted periodically (every 2 to 3 years). The absence of continuous monitoring or assessments is a glaring deficiency in this option.
Companies are exploring creating in-house assessment, audit and review teams that are dedicated to monitoring, auditing and testing compliance programs. Like an audit function, these review teams schedule different reviews of compliance programs by geography, function, and other relevant topics. The professionals assigned to the function are well familiar with the company’s compliance program and within a year or two they can conduct timely and efficient testing and reviews of compliance programs.
A small staff of five or six members can make a real difference in the operation of a compliance program. The reviews can include not only compliance controls but extend to financial controls that are relevant to the compliance function.
The internal review function can operate in addition to existing internal audit reviews and outside counsel/consultant assessments of a compliance program. The new function can easily report information and recommendations for remediation to compliance program leadership. Compliance improvements can be quickly implemented based on these focused and timely reviews.
The independence of the internal review function is important to maintain. While the small unit may report to senior compliance leadership or a compliance committee, the team should be permitted to conduct independent reviews, free from any influence from other compliance staff or other corporate functions. The credibility and authority of the compliance review team will depend on its strict adherence to independence and the unit’s reputation as an honest broker of compliance issues.
The creation of an independent review function may not be the highest priority of a compliance program. There may be other projects that are more important. Nonetheless, if possible, a compliance review team can be an effective adjunct to other important compliance functions.