Noncompliance with laws and regulations carries potentially steep consequences for organizations. Fines, penalties, sanctions, debarment, and public relations nightmares are among the many impacts of compliance failure, not to mention the reputational damage and loss of business that may occur. Moreover, failure to identify and consider laws and regulations may result in missed business opportunities and lack of strategic alignment. In many ways, neglecting to address and manage regulatory change can lead to significant organizational harm.
In fact, The IIA’s recent OnRisk 2020 research identified regulatory change as one of the most critical risks facing organizations this year. Other risks included cybersecurity, data protection, business continuity, talent management, and third parties. Depending on the industry, each of the risks identified in the report may have a regulatory component. For example, organizations that fail to protect personal data through a cybersecurity control framework can face significant penalties. The data may have been processed through an insufficiently vetted third party, or by unqualified employees whose inclusion in the organization resulted from inadequate talent management. If a data breach occurs, the organization must be able to respond within regulatory time frames and, depending on the significance of the breach, possess reliable crisis response and business continuity plans.
Internal auditors have a responsibility, under the International Standards for the Professional Practice of Internal Auditing, to help ensure their organizations are addressing and managing regulatory risk effectively. According to Standard 2120: Risk Management, internal audit “must evaluate the effectiveness and contribute to the improvement of risk management processes.” More specifically, according to The IIA’s interpretation for this standard, “The internal audit activity must evaluate risk exposures relating to the organization’s governance, operations, and information systems regarding … compliance with laws, regulations, policies, procedures, and contracts.” Practitioners may benefit from an assessment tool aimed at achieving that objective.
The Assessment Model
Using a top-down framework based on compliance guidance from the U.S. Federal Sentencing Guidelines, internal auditors can assess whether the organization is addressing and managing regulatory change effectively. Governments of other countries have emulated the guidance when outlining steps to ensure compliance with major laws and regulations. It can guide auditors, step by step, through a structured review of what’s to be expected by regulators in the management of regulatory risk.
Identification of Laws and Regulations
The group responsible for identifying regulatory change can vary from one organization to the next. Depending on the size, regulatory complexity, and maturity of the organization, internal auditors may be able to perform a top-down assessment of how well the enterprise risk management program, or risk management function, identifies and manages changes in regulatory risk. Moving down a level, if these functions do not exist or are ineffective, auditors can assess the overall compliance program, if one exists. Otherwise, the legal department may be responsible for identifying and disseminating information on changes in laws and regulations. And while not optimal, business management of each function, as the first line of defense, may hold sole responsibility for knowing and managing legal and regulatory changes, as well as regulatory risk overall.
To assess whether regulatory change is managed effectively, internal auditors should be aware of the common categories of laws and regulations that impact most organizations. These include employment/labor; tax; advertising; environment, health, and safety; financial crimes/anti-bribery/anti-money laundering/anti-trust; and data protection. Internal auditors must also be aware of the laws and regulations that impact their specific industry. Finding reliable sources of industry knowledge and perusing them regularly helps in the identification process. And while the best sources will vary depending on country and industry, one free resource that compiles global legal analysis from law firms is Mondaq.com. Auditors may also find it helpful to develop relationships with those in the organization who would most benefit from sharing news of regulatory change.
Risk Assessment
Regulatory change risk assessment occurs after identification of regulatory and legal requirements. Internal auditors should examine the effectiveness of processes in place to assess how and where regulatory change will impact the organization, and how that information is communicated to those who need to know. As with the identification process, which function performs the risk assessment depends on the size, maturity, and regulatory complexity of the organization.
Policy Development
To help ensure all impacted employees — and in some cases even third parties — understand what is expected of them, the organization needs to provide an overview of the new law or regulation. Regardless of which function develops such policies, the organization should have a standard template, centralized storage location, and established controls for publishing, reviewing, and updating them. Assessment of these elements may be included in the internal auditor’s program.
Compliance Procedures
Organizations develop procedures to provide employees with the exact steps they need to perform to ensure compliance with changes in laws or regulations. Procedures may be developed by a dedicated function, a committee, the chief risk officer, compliance, the first line of defense, or other areas. They may be published at the same time, and even within the same document, as the corresponding policy. Internal auditors may determine whether procedures are developed in a timely manner, are updated periodically, and describe the steps to be taken to ensure compliance.
Regulatory Communication
The organization’s communication on upcoming regulatory change may include general information about the change, implementation timing, and training. The targeted audience depends on who will need to comply. Communication may be in any form, including emails, intranet bulletins, and staff meetings. Regardless of the vehicle, communications about regulatory change should be maintained in a data repository as documentation for regulators, if needed. Internal audit may decide to assess the timeliness, effectiveness, and retention of the communication.
Staff Training
Effective training is key to ensuring that employees, and in some cases third parties, understand the regulatory change and the importance of compliance. Depending on the targeted audience, training may be general or include specific procedures. For example, everyone in the organization needs to know the importance of complying with anti-bribery and corruption laws and regulations, whereas employees in the finance department may need detailed training on how to monitor payments to ensure compliance.
Training should be provided to the appropriate targeted populations — including new hires and new third parties — as applicable. The training should include information on available resources, as well as specifics on how to report potential issues of noncompliance. Depending on the topic, targeted population, and in some instances regulatory requirements, the training may be provided online or in person. Regardless of the offering, detailed records of training completion must be maintained, and an escalation procedure should be in place to follow up with individuals who have not completed the training.
Acknowledgment Procedure
Employee and, in some instances, third-party acknowledgment of the regulatory change, and any corresponding policy and procedures, is critical to document and maintain. Acknowledgment often is tied to, or included in, training completion. An escalation process should be in place to ensure receipt, and documentation of follow-up efforts should also be maintained. Internal auditors can assess whether acknowledgments have been received and stored, and whether the escalation process has been followed.
Whistleblower Hotline
An anonymous reporting mechanism, or whistleblower hotline, represents an important element of the overall legal and regulatory compliance program. Many organizations outsource this responsibility to third-party providers, which offer the ability to report online or by phone. The topics that may be reported depend on the data privacy regulations in each country, although most at least allow reporting of noncompliance with financial laws and regulations. In some countries, however, anonymous reporting is discouraged. The most effective reporting mechanisms include vetting of potential compliance concerns or questions.
The organization needs to have formal procedures in place for conducting investigations. The procedures should involve the functions that will lead or conduct the investigations, as well as legal counsel. They should also specify how the crisis management plan will be triggered, and the insurance carrier notified, as applicable, and a process for closing and reporting on each investigation. Internal audit may be part of the intake process and investigation. Regardless, internal audit may include in its review an assessment of how concerns or potential issues of noncompliance brought to the hotline are handled, closed, and reported.
Monitoring Controls
The organization needs to implement monitoring controls to ensure that employees, and in some cases third parties, are following procedures. If procedures are not being followed, additional training may be warranted or disciplinary action may be taken, depending on the root cause. Often, the second line of defense establishes and performs the monitoring process. If that’s the case, internal audit can review the work of the second line to assess effectiveness. Monitoring may be continuous or performed at periodic intervals. Regardless, the organization needs to follow established time frames.
Compliance Auditing
Although often mistakenly combined with monitoring, auditing is a separate activity. Whereas the focus of monitoring controls is to ensure procedures are followed, auditing focuses on all of the elements that have been put in place to ensure compliance with regulatory change in a particular risk area. For example, a monitoring control to ensure compliance with insider trading laws may entail electronically scanning emails for keywords and phrases. Auditing for compliance with insider trading laws, on the other hand, would involve a review to ensure the establishment of policy, procedures, training, effective monitoring controls, and disciplinary action in the event of noncompliance. If the second line of defense is responsible for auditing the program’s elements, internal audit may assess its effectiveness. Otherwise, internal audit would perform the audit, including a review of all of the elements.
Corrective Action
The organization needs to take corrective action in response to monitoring, auditing, and investigations. Corrective action may mean implementing additional or different controls or training, or disciplining noncompliant employees. In the case of discipline, employees should be treated equitably, regardless of their position in the organization. For example, a lower-level employee should not be treated more harshly than a company officer for the same offense. Often, the organization assigns a committee to monitor equity of disciplinary measures across the board.
To ensure future compliance, control measures must be evaluated whenever noncompliance is discovered. The review needs to be conducted in a timely manner and include root cause identification as well as implementation of appropriate controls.
Keeping Pace With Change
Internal audit should serve as a trusted advisor to management by helping the organization address regulatory change. It all starts by understanding and staying current on industry-specific developments, and considering the regulations that may impact the organization. Using a top-down approach, internal audit may review the entire framework, the compliance program, or the specific elements in place, depending on its risk assessment. The right approach can enable internal auditors to get a bead on regulatory change and help ensure the organization is prepared for what lies ahead.
The Model in Practice
To demonstrate how the model works in practice, consider the high-risk area of data protection — more specifically, the European Union’s General Data Protection Regulation (GDPR). The regulation’s purpose is to strengthen and unify data protection for individuals within the EU, regardless of where their personal data is processed. Noncompliance with GDPR carries steep penalties, with fines of up to 4% of worldwide turnover. Following the model’s cadence, internal audit can perform a step-by-step examination of GDPR-related change impacting the organization.
Step 1. After identifying relevant GDPR provisions, the organization performs a risk assessment to determine whether the regulation will impact it, and if so, how, where, and when. Because many organizations already have data protection controls in place, the assessment may include a gap analysis to determine changes or additions that may be needed to ensure compliance.
Step 2. Because data protection constitutes an area of high risk, and given the entitywide importance of data protection compliance, the organization establishes a compliance policy. Specific procedures are developed for the marketing function, as just one example, to ensure all contacts are vetted before release of communications.
Step 3. The organization develops messaging and disseminates it to employees, explaining GDPR requirements, their impact on the organization, and each individual’s responsibility for compliance. The communication informs employees that the organization is developing GDPR policy and procedures, and provides a time frame for rollout of these items.
Step 4. The organization implements a training course for all employees that includes explanation of organizational policy on compliance with all data protection laws and regulations, and specifically on GDPR. During the training, employees are required to acknowledge the GDPR policy. Meanwhile, the marketing department employees, as one example, are trained on vetting contacts for campaigns.
Step 5. The organization has already established an anonymous reporting mechanism to help address any potential issues of noncompliance. However, it adds the data protection policy to both the hotline resources and the company intranet resource section.
Step 6. The organization implements monitoring controls. For example, emails sent directly by individuals to more than 40 external recipients are reviewed each quarter for marketing content, to determine whether contact vetting controls may have been bypassed.
Step 7. Internal audit either reviews the second line of defense’s program to ensure compliance with data protection regulations, or it reviews the specific elements that have been put in place, depending on the size, maturity, and regulatory complexity of
Step 8. If monitoring controls reveal that procedures are not followed, or if internal audit finds that elements of the program are deficient, the organization initiates corrective action.