Measuring success in a compliance programme goes beyond the policies and procedures. Having policies and procedures alone is simply not good enough unless you have regular auditing and monitoring mechanisms. Here is why:
It is imperative that a compliance programme is regularly monitored to ensure that the objectives of the programme are being achieved. In an operational sense, this monitoring should be a continuous activity so that any issues can be readily identified and solved. A traditional audit involves collating data, conducting assessments and compiling a report on findings; however, this function is often only done on a periodic cycle, sometimes as infrequently as only once to twice a year. It is therefore often a point of confusion as to what role conducting an audit plays in the monitoring process.
The traditional audit is a unique function with a tendency to focus on (amongst other things):
- business and financial risks
- analysis and assessment of execution of business risk controls
- analysis and assessment of financial record-keeping
- numerical analysis.
The above functions are all extremely important parts of any business operation, but they are limited in terms of how much information they can provide on the performance of a compliance programme. As such, a compliance monitoring scheme, including a compliance audit, is crucial to understanding the status of such a programme.
In most large companies there is a host of “corporate” people who perform audits: senior staff from head office reaching out to different locations globally. This can often lead to a fair degree of angst and misunderstanding of local-level issues when performed beyond the corporate sphere. The audits are often conducted during busy periods and involve asking the same questions on the same limited resources at each location. As most audits are carried out by financial-based auditors, the real compliance issues are often missed.
Monitoring your compliance programme
A firm’s compliance department should design and implement a system by which it can monitor the performance of its programme. They should also aim to go beyond relying on the results of periodic audits performed by an internal committee. Typically, there are inadequate systems to monitor compliance at a local level as it is more often done at a corporate level. Compliance departments often exhibit an inability to capture local trends as there is no “corporate” mechanism to do so. Instead, local markets are often buried in internal and external audits, which rarely achieve the purpose of understanding the implementation of a compliance programme. Equally, there is a tendency to neglect utilising other techniques as part of the review process, such as holding discussion groups and seeking an understanding of issues that may be permeating at the lower levels of the company.
Looking to build a perfect due diligence programme for your business?
Compliance audits are a specific technique that can be conducted in a manner that mirrors that of a “healthcheck” or conducting group-chat sessions where compliance issues are raised in an informal environment. These are less-invasive measures and rely on interaction with various levels of the business. They also support a growth in the understanding of compliance, as opposed to a mentality of compliance personnel being those who try to ascertain what people have done wrong. It should be kept in mind that a local team can often end up answering numerous queries from a corporate level, and compliance officers should be sensitive to the fact that regional offices often have to report to many locations. Local markets benefit significantly from receiving clarity on “need-to-know” issues and from being kept in the loop regarding any identified risk elements that face their particular region, and the company as a whole. Compliance-specific audits are not designed to keep people in the dark; they are there to engage and educate – a stark contrast to the traditional audit.
One of the best sources of obtaining data is from staff members themselves. Find out from staff members if messages are getting across – gather information through interviews, sporadic testing, tracking access to policy documents, and so on. Engaging staff in the process will become a mutually-beneficial exercise in understanding what outlying risks remain and what can be done to remedy them.
Some key elements that you should actively seek feedback on after performing a review of a compliance programme or performing a specialised compliance audit are:
- the effectiveness of training
- the functionality of internal reporting criteria and obligations
- the functionality of record keeping mechanisms.
There is no reason why compliance programmes and traditional audits cannot work hand in hand. Audits are necessary for the sustainability and growth of a business; however, compliance personnel should not rely on the results of these audits as a sole indicator of the effectiveness of their programme. Instead, those responsible need to think beyond traditional monitoring techniques, seek ways to obtain feedback and data from alternative sources, and encourage all levels of a business to provide honest and constructive feedback.