One of the biggest challenges facing organizations today is keeping up with the ever-changing regulatory environment. Companies are dealing with complex compliance requirements in every area of the world in which they operate. Some new requirements, such as the European Union’s General Data Protection Regulation (GDPR), impact organizations regardless of whether they have a physical presence in the location where the law was enacted. Noncompliance with these regulatory requirements, whether it be involuntary or criminal, can create significant risks to an organization, including legal, reputation, and financial risks. Organizations must have strong governance around their compliance programs to ensure these risks are assessed and managed across the organization.
Internal audit can use their expertise in risk management and internal control to effectively offer assurance as to whether the risks associated with compliance are being managed to an acceptable level. The audit can be scoped to evaluate the governance process as a first step, and third parties can be used when additional assurance on specific regulations is necessary.
There are frameworks internal audit can leverage to help ensure it assesses all of the key components of a well-governed compliance program. For example, Chapter 8, Part B, of the U.S. Sentencing Commission Guidelines Manual presents guidelines for an effective ethics and compliance program (see “7 Elements of an Effective Compliance and Ethics Program” below). Although this framework is commonly used after an allegation of criminal misconduct has been made or adjudicated, it also can be used to ensure all of the elements of a robust compliance program are in place.
It can be overwhelming when internal audit begins analyzing a compliance program, given its overall complexity and the knowledge necessary to adequately audit all of the various regulations both in the home country and abroad, but this framework helps identify manageable components to be assessed. Management can begin by identifying all of the key compliance areas that affect the organization — environmental, data privacy, import/export, and anti-bribery/anti-corruption, just to name a few. Each key compliance area should have a designated individual with an appropriate level of authority and responsibility to oversee the compliance program. Using the framework, that person, or his or her delegates, can begin documenting how the organization would demonstrate a program that prevents or detects misconduct. A steering team of cross-functional leaders from legal, human resources, compliance, risk management, internal audit, and other key areas can help identify common program elements, such as an overall code of conduct, investigation processes, and hotline management. Internal audit can play a key role in monitoring the overall compliance program and auditing specific risk areas.
In early 2017, the U.S. Department of Justice issued supplementary guidance titled Evaluation of Corporate Programs (http://bit.ly/2Pec0fl). This evaluation guide aligns with the federal sentencing guidelines and other referenced guidance and provides tactical questions that internal audit could use to evaluate the program. Two components, third-party and merger and acquisition risk, were added that should be considered when evaluating the effectiveness of the overall compliance program.
Third parties may be an integral part of organizational processes and considered part of the extended enterprise. The organization may have significant risk if those third parties, acting on behalf of the organization, commit an act of noncompliance. The third party may put the organization at a significant amount of reputation risk, and in certain instances, the organization may be liable for the actions of the third party. The evaluation guide indicates that certain actions must be taken such as due diligence, appropriate controls, management of the relationship, and appropriate consequences if noncompliance or misconduct is identified.
With mergers and acquisitions, management must ensure that a robust due diligence process is in place, and that the compliance function is integrated into the overall process to ensure that compliance risk is addressed. In the case of an acquisition, integration and transition of the compliance program to the new entity must be completed and any risks identified during due diligence addressed.
Overall, the framework and guide provide a solid base on which internal audit can ensure governance over compliance programs is effective. These documents should not be used as a checklist, as the elements may be present but a culture of compliance may not be developed, and the program becomes more form than substance. Internal audit should evaluate the adequacy of the evidence maintained in support of the program and ensure that the organization can demonstrate, both internally and externally, that the compliance program is robust. Both quantitative and qualitative factors should be evaluated. Soft controls evidence, such as how employees and leadership talk about the culture, also should be considered.
Although compliance can be a complex area to evaluate, these tools, along with third-party experts when needed, should enable internal audit to offer assurance around the effectiveness of the governance of compliance programs.
|7 Elements of an Effective Compliance and Ethics Program|
The U.S. Sentencing Commission’s seven elements of an effective program include:
- The organization will establish standards and procedures to prevent and detect criminal conduct.
- The organization’s governing body should be knowledgeable of the ethics and compliance program. High-level employees within the organization should be responsible for program oversight, with day-to-day responsibility delegated to specific individuals.
- The organization will exercise due diligence to ensure that delegation of authority is not granted to individuals who have previously engaged in illegal activity or other conduct inconsistent with an effective compliance and ethics program.
- The organization will periodically communicate its ethics program, including standards and procedures, by conducting effective training programs, for employees and third parties, and otherwise disseminating information as appropriate.
- The organization will take steps to ensure that the compliance program is followed, including monitoring. The program must be periodically evaluated to assess its effectiveness, considering both quantitative and qualitative evidence. In addition, a system must be established whereby employees, or third parties, may anonymously and confidentially voice concerns.
- The program must be promoted and consistently enforced across all levels of the organization, including appropriate incentives to act in accordance with the program and disciplinary actions when noncompliance is identified.
- When criminal conduct is identified, the organization must respond appropriately and take steps to prevent further similar misconduct, including adjusting the overall compliance program.
Source: U.S. Sentencing Commission, §8B2.1: Effective Compliance and Ethics Program, http://bit.ly/2Ped56T.