The Requirement for a Proactive Audit Program
As compliance programs (and the profession) continue to mature, there is growing interest in the need for measurement, monitoring and auditing of compliance programs. This is a natural evolution in the lifecycle of a compliance program.
Once a CCO has operationalized a company’s compliance program, the next challenge logically is to design strategies to ensure proper operation. The elements of an effective compliance program include the requirement for continuous improvement by periodic measurement and improvement of a compliance program.
Naturally, the need for collecting compliance program data, monitoring business and compliance activities, and testing/auditing a compliance program are essential aspects of such a function. CCOs have attempted to meet these requirements by trial and error – many CCOs are developing innovative approaches, while some are just starting to address the issue.
Some CCOs are taking shortcuts – relying on open source intelligence software products to satisfy the “monitoring” requirement and deferring to internal audit to carry out appropriate audits. This is not the way to go.
An effective monitoring strategy cannot be satisfied by relying on updates from open source intelligence searches of third parties and customers. While such monitoring activity is a helpful component of an overall strategy, this bare minimum only addresses one aspect of a compliance program and ignores a multitude of risks.
Similarly, relying on internal audit to conduct appropriate audits of a compliance program is unsatisfactory. Internal audit has a broad set of responsibilities and cannot be expected to conduct appropriate audits of a compliance program. Internal audit’s focus is understandably on material transactions. Notwithstanding this broad remit, I am always surprised at the extent to which internal auditors support the compliance program, collaborate in conducting audits, and are able to provide important insights and efforts. But to be candid, internal auditors cannot single-handedly audit a compliance program.
In this environment, CCOs are embracing innovative strategies and developing their own internal review, assessment, measurement and auditing strategies. As always, this requires resources and CCOs are continuing to struggle for resources in the corporate world. Some major companies have created their own review and auditing staff with responsibility for conducting “independent” audits of a company’s compliance program. This is a welcome development and should be supported.
As part of this strategy, CCOs have to implement a mechanism to prioritize audits and support proactive examinations of higher-risk compliance operations. This is the interesting part – a CCO knows where the company’s risks exists and can design a way to identify high-risk operations for review and audit.
The value of proactive audits is tangible – such audits provide important insights into how a compliance program is functioning, need for improvement and enhancement of company compliance and financial controls. If problems are identified, a root cause analysis can provide insights that apply across an enterprise and ultimately lead to proactive interventions to prevent problems before they occur.
CCOs have to commit to this new and innovative area. Of course, we have to be realistic given the difficulty CCOs face every day in securing appropriate resources to keep their compliance program operating. But CCOs have to protect their turf and promote their operations against competing forces demanding resources. In the end, CCOs have to use interpersonal skills and educational efforts to develop and build internal support for a proactive auditing program.