Broadly understood, compliance is an important mechanism that helps make governance effective. Monitoring and maintaining compliance is not just to keep the regulators happy; compliance with regulatory requirements and the organization’s own policies is a critical component of effective risk management. It is one of the most important ways an organization achieves its business goals, maintains its ethical health, supports its long-term prosperity, and preserves and promotes its values.

An effective compliance and ethics program is best organized as integrated processes, assigned to designated business functions and managed by individuals who have overall responsibility and accountability. Compliance can be a daunting challenge, but it is also an opportunity to establish and promote operational effectiveness throughout the entire organization.

The board and management periodically need to evaluate the design and operating effectiveness of the company’s compliance and ethics program. Such evaluations supplement the ongoing, day-to-day monitoring of responses and control activities. Not only do these reviews—audits, really—provide for a more in-depth analysis of the program’s design and effectiveness; they also provide an opportunity to consider new practices and technologies that may have been developed since the program was first implemented.

Determining Key Risks

Defining the objectives of the internal audit is the first, and one of the most critical, steps in setting the audit direction, because it defines the level of assurance the board and management will be provided. From the start, then, internal audit staff should hold discussions with management and the board (or the audit committee and legal counsel, as necessary) regarding the assurance needs of the key stakeholders to ensure the audit meets the assurance needs of the organization—and it should all be done prior to finishing the audit plan.

Compliance and ethics programs cover a very broad span of activities, and the planning phase needs to ensure the proper focus of the audit efforts. The audit should be based on a comprehensive audit risk assessment—that is, auditors must determine what the key risks of the company’s compliance and ethics program are. The participation of legal counsel in the audit is another critical factor that should be decided here, during the audit planning (or subsequently if the plan’s assumptions turn out to differ from the actual audit situation). If wrongdoing is identified during the internal audit, a dialogue with legal counsel is needed—indeed, it’s often critical.

What objectives should be set? Three goals should be:

Application—To determine whether the compliance and ethics program provides reasonable assurance of compliance with organizational policies and applicable laws and regulations;

Documentation—To determine if the program’s management framework is documented, in place, and appropriately resourced to meet the organization’s needs;

Implementation—To determine whether the program has been implemented effectively, and that its performance reporting system has been defined and accurately presents the results of the program’s efforts.

Some key issues to explore during the audit include ensuring that there is:

Universality—Consistency and integration of compliance and ethics programs among different business units within the organization;

Integration—Coordination between the central compliance and ethics office and individual business units;

Accountability—A clear and effective division of roles and responsibilities among the ethics office, compliance, HR, legal, and other relevant units.

Down To Business

Any internal audit has three phases: planning, fieldwork and reporting. Audits of compliance and ethics programs are no different. During the planning phase, the internal audit team should ensure that all key issues are considered, that the audit objectives will meet the organization’s assurance needs, and that the compliance and ethics program is well understood. It is extremely important that the audit focus on evaluating the significant components of a compliance and ethics program; that is, auditors should use a risk-based approach to find the program’s elements most likely to fail and in most need of attention. The planning phase is an opportunity to confirm that the audit scope is appropriate, and the cost won’t give anyone heartburn.

In the fieldwork phase, the team analyzes the compliance program’s various components, based on the goals and methodologies identified in the planning phase. Among some of the most important questions to answer are how the board sets its “tone at the top”; how it communicates those values to employees; how employees at all levels of the company perceive management’s commitment to those values; and how the company handles compliance or ethics issues that arise from compliance failures.

Audit tests could include reviewing employee files for signed Code of Conduct or training confirmations, looking at training materials and training program results, reviewing responses to violations, conducting surveys and reviewing the results of them, reviewing management’s communications to employees for ethical content, quantifying the organizational resources available for program operation, and assessing the quality of the support for the program’s performance reporting.

The reporting phase is where the internal audit team should ensure all stakeholders are properly informed of the audit results and any management plans to improve the compliance and ethics program. A well-planned and executed internal audit (phases 1 and 2) should make audit reporting straightforward: tell them what you did, what you found, and what management plans to do about it. That’s all there is to it.

Internal auditors must take a risk-based approach while planning a compliance and ethics program audit. With limited resources, auditors simply have no choice but to focus on the highest-risk areas and always strive to add value to the organization. Audit best practices suggest internal auditors should be involved throughout the program's life cycle, not just in post-implementation program evaluations.

The internal audit of a compliance and ethics program also needs to be part of a larger overall audit plan. Internal auditors should craft a plan that meets the long-term assurance requirements of the board and management. A series of internal audits to manage complexity (if deemed appropriate during the planning phase) might not be a bad move, since a compliance and ethics program can be very information-intensive.

Management should not be developing processes, procedures, reports, and so forth during the audit. Rather, the audit team should be evaluating the efforts of the compliance and ethics program in meeting the organization’s needs. Finally, management should complete a self-assessment prior to an internal audit, and study various pieces of guidance such as the OCEG guide for the audit of a compliance and ethics program.