With some of Germany's best-known companies rocked by bribery and corruption scandals in recent years, the danger of a compliance system failure has become a growing concern inside the country's boardrooms.

German companies have been investing to improve their compliance systems in response and have turned to audit firms for help designing them and for assurance that they are suitable. But the firms have been reluctant to provide that certification, given the lack of any standards covering such work and the potential liability should a system subsequently fail.

That is, until now. Earlier this year Germany's equivalent of the AICPA (the Institut der Wirtschaftsprüfer, or IDW) stepped in and created a standard that sets out how audit firms should provide assurance over compliance management systems. Believed to be the first such standard anywhere in the world, it has just become available in an English translation.

With regulators here in the United States increasingly pushing for similar assurances that compliance systems are up to par, the standard could become a model that is followed around the world.

The standard, titled “IDW Assurance Standard: Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems,” specifies how a company should engage an audit firm to provide compliance management system assurance and what kind of work the auditor should do in order to provide the desired level of assurance.

The standard sets out three kinds of engagement, each of which uses a description of the compliance management system written by management as its starting point. An audit firm can assess whether the overall design of the system described by management is suitable, whether that design has been implemented at a specific point in time, and whether the system operated effectively over a given period.

The first kind of review results in a long-form report for management identifying any improvements needed to make the system suitable; the latter two result in a shorter report that the company can issue to shareholders or regulators. The standard contains pro forma examples of each.

The standard stresses that the auditor's review covers only management's assertions about the compliance management system and does not cover whether the business actually complied with the relevant regulations, although it does say that if the audit firm comes across any non-compliance it should tell management.

When assessing whether a company's compliance system is suitable, the standard tells auditors to reference a list of seven “basic components” that feature in any effective compliance system. These cover areas such as culture, monitoring for improvement, and risk identification.

Principles Based

The standard does not specify in more detail what kind of compliance system a company should have in place. Instead, it says the company should decide which principles to apply and suggests a list of “generally accepted” compliance frameworks that it might consider using. These include the COSO ERM framework, the OCEG Red Book, and the OECD's Guidelines for Multinational Enterprises.


Other national audit institutes around the world have developed compliance management standards, such as Australia's Compliance Engagements standard ASAE 3100, but they focus on whether a company has complied with specific requirements, explains Ulrich Schneiss, director of auditing at IDW. The German standard, by contrast, focuses on the quality of the compliance system itself, he said.

There is also an international standard on assurance engagements issued by the International Auditing and Assurance Standards Board, ISAE 3000: Assurance Engagements Other Than Audits or Reviews of Historical Financial Information, but Schneiss said German companies needed something that specifically covered assurance over compliance management systems.

While the IDW standard has been written specifically for the German market, Schneiss said it has been made “jurisdiction neutral” so that companies with international operations can use it too.

The standard will help senior management determine whether they are doing enough to avoid personal liability risks and possible legal consequences for the company arising from a compliance failure, says Heinz Wustmann, a partner at Deloitte. “In the absence of detailed legal regulations, management and supervisory boards have struggled to date to assess what is the minimum necessary to meet their respective duties of care and to effectively and sustainably counter liability risks resulting from neglect of duty,” he says. “Even companies that pour a lot of energy into the issue of compliance and invest heavily in developing and operating a compliance management system are not necessarily in the clear.”

IDW STANDARD OBJECTIVES

Below is a summarized explanation of IDW Assurance Standard 980 objectives:

Entity's objectives in engaging a practitioner to perform an assurance engagement

… during the process of setting up a CMS, an entity's management or its internal governing body (i.e., supervisory board) may wish to have an independent assessment of the overall design approach pertaining to the CMS (i.e., whether the overall approach to design is suitable to reach the objectives; this does not include consideration of specific detailed elements, rather of the overall design approach), or as to the design and implementation (i.e., whether the CMS will be capable of detecting and preventing noncompliance, provided it is implemented as designed, and also whether the system has indeed been implemented). In such cases the practitioner will be engaged to provide a long-form report to the entity's management or its internal governing body. This enables the entity to take necessary corrective action at an early stage in the process of implementing their CMS, or to make certain refinements, where necessary.

External parties, including shareholders, regulators and other parties may also increasingly demand comfort as to whether, in addition to the above, the entity's CMS operated effectively at a specific point in time, or was operating effectively over a given period. In such cases, alongside the internal long-form report, the practitioner may prepare a shorter-form report for wider issuance. The standard has received considerable support from business enterprises, which would be able to engage an independent practitioner to perform extensive procedures in relation to the operating effectiveness of their CMS and thereby obtain objective evidence that they have exercised due care in respect of their respective leadership responsibilities.

Practitioner's objective in performing the engagement

As IDW AssS 980 deals with a reasonable assurance engagement, the practitioner's objective is to reduce engagement risk to an acceptably low level in order to be able to form a conclusion, with reasonable assurance, on the following:

for an assurance engagement relating to operating effectiveness, to obtain reasonable assurance about whether the assertions contained in the CMS description about the CMS's policies and procedures are:

—fairly presented in all material respects, e.g., that all important elements have been included, and are not presented in a misleading way (i.e., the specification of areas to be covered is appropriate and their selection is not biased),

—in compliance with the applicable CMS principles,

—suitable for both identifying in due time and with reasonable assurance risks of material non-compliance and for preventing such non-compliance with reasonable assurance, and

—that the policies and procedures had been implemented at a given point in time, and were effective, during a given period.

for an assurance engagement relating to the overall design approach, to obtain reasonable assurance about whether the CMS description is fairly presented in all material respects as described above

for an assurance engagement relating to design and implementation, to obtain reasonable assurance about whether the assertions about the design of the CMS included in the CMS description are fairly presented in all material respects as described above, are suitable for both identifying in due time risks of material noncompliance and for preventing such non-compliance with reasonable assurance, and have been implemented.

Source: English Translation of IDW Assurance Standard 980 Executive Summary.

Wustmann adds that no compliance management system would be immune to “significant violations of regulations.” But in a company opting for the most extensive form of assurance under the IDW standard “generally there should not be any structurally organized criminality that has not come to the attention of the management and gone unpunished,” he says.

The company's external auditor would be allowed to provide assurance under the standard without any conflict of interest, says Karl-Heinz Withus, a senior manager at KPMG Germany, who was part of the team that wrote the standard. “This will be the most efficient way, as the external auditor does already have a lot of knowledge about the entity's risk management and internal controls,” he says. “We do not see any conflict-of-interest risk, and we do not see that there is a general objectivity issue.”

Under the standard, the external auditor will, however, be barred from assisting with the implementation of a compliance system and then providing assurance over it, because its independence would be impaired, he says. Likewise, an audit firm would not be able to write the description of the compliance management system, against which assurance is provided, as that is a management responsibility, says Withus.

Nonetheless, one senior German compliance executive, who wished to remain anonymous, says he is concerned the standard will be a “ploy” for audit firms to create new revenue streams. Companies were uncertain about what benchmarks—beyond the IDW's seven broad principles—audit firms will use when assessing the adequacy of a compliance management system, he says. “Does the system used by a medium-sized company operating in a low-risk industry, and never having experienced major compliance failures, still need to be as comprehensive as those of a large, high-risk company?” the executive asks. “Some companies might fear that the audit will result in recommendations that exceed what they consider to be reasonable.”

The IDW's Schneiss says the standard is voluntary for companies and had received “considerable support” from German companies involved in the consultation process. (German auditors are obliged to use the standard if they provide compliance management system assurance, unless they can give good, written reasons for not following it.)

“The IDW developed this assurance standard to help ensure quality engagements could be performed in response to market demand,” he said. “Indeed, the very existence of a standard may foster the acceptance of such engagements as a valuable service.”