Continuous improvement of a compliance program requires robust auditing and testing.  The Justice Department and regulatory agencies have articulated a number of key issues and principles to assist CCOs and Internal Auditors in this area.  It is likely to become an area for DOJ and regulatory agency focus — what steps does the company take to review its compliance program to ensure that it is not stale?

In describing this inquiry, DOJ noted that “[s]ome companies survey employees to gauge the compliance culture and evaluate the strength of controls, and/or conduct periodic audits to ensure that controls are functioning well, though the nature and frequency of evaluations may depend on the company’s size and complexity.”

DOJ specifically referenced the United States Sentencing Guidelines inquiry language, whether a company has taken “reasonable steps” to “ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” and “evaluate periodically the effectiveness of the organization’s program.”

OFAC has made similar statements:

A comprehensive and objective testing or audit function within an SCP ensures that an organization identifies program weaknesses and deficiencies, and it is the organization’s responsibility to enhance its program, including all program-related software, systems, and other technology, to remediate any identified compliance gaps.

In the face of these important principles, companies have to look internally to assess their performance in this area.  An important part of this function should be coordinated in part with the Internal Auditor. CCOs and Internal Auditors are, by definition, best friends, or should be, as part of an effective compliance program.  Some of the testing and audit functions can be carried out by compliance and some by internal audit.

There are several important issues to examine. A CCO and Internal Auditor have to develop a common audit plan for testing and assessment of specific functions, divide responsibility for the conduct of the audits, define the audit objectives and procedures, and determine the scope of relevant findings and remediation steps.  In developing the audit plan and procedures, CCOs and Internal Auditors have to maintain a keen eye on high-risk areas and operations for heightened scrutiny. 

Within this plan, CCOs and Internal Auditors need to develop specific control-testing procedures, collection of compliance data, and interviews of key personnel, if warranted, on specific anomalies or issues of concern. A CCO and Internal Auditor should report results to senior management and the board, along with remediation schedules and progress.

A CCO and Internal Auditor are responsible for and have to commit to updating risk assessments, review of compliance policies and procedures, and gap analysis.  This should be a regular task that can be coordinated between the two functions.  In practice, this should result in modification of certain policies, procedures, and practices for specific businesses to address these issues.

Companies need to include specific practices to monitor and evaluate a company’s (or division thereof) culture.  It is preferable that a company avoid reliance on an enterprise-wide survey with general questions in contrast to targeted surveys tailored to the division or region’s specific risk profile taking into account overall compliance performance.  A specific culture survey can provide an invaluable picture of an organization’s culture of ethics and compliance that may require an immediate intervention to prevent further deterioration and increased risk of misconduct.