An effective ethics and compliance program includes developing a dynamic, risk-based auditing and monitoring plan. What are auditing and monitoring? Auditing is a formalized method that follows a defined audit process: define the review scope, develop review criteria, identify a sampling methodology and select the sample, conduct the review, document findings, and follow up on management action plans to assure that observations are resolved. Auditing is independent of management, with no real or potential vested interest in the outcome. Monitoring is a day-to-day process commonly used by management to help them see how the controls in their operations are working, identify any risks that have escalated, and track emerging risks in their respective management areas. Monitoring is a way to evaluate the effectiveness, efficiency, and consistency of operational controls.
Monitoring does not have to be independent, but it can be. Independence is an important concept in auditing. Independence assures that the audit has integrity with respect to its outcomes, because those performing the audit have no interest in what it finds. This function gives the organization a prevention and detection mechanism for compliance. The integrity of the audit, supported by a credible method and approach, helps provide objective information about noncompliance and about mitigation activities related to identified risks. Compliance auditing and monitoring plans are developed from a risk assessment process, which identifies and prioritizes the compliance risks that should be included in the plan. The risk assessment does not have to be conducted by compliance itself if another function already performs this activity, but it is important that compliance be involved in the process, so that compliance risk priorities are identified and can be used to develop the compliance auditing and monitoring plan. The auditing and monitoring plan should be dynamic and evaluated periodically to assure that it still meets the organization's priorities regarding compliance risks. Again, if another function in the organization is accountable for implementing the auditing and monitoring plan for compliance, it is important that compliance be involved in the activity and be made aware of the outcomes related to compliance risks.
If the compliance department covers only a single area of compliance (for example, financial or contract management), then it is important that there is a common communication channel for all compliance risks and that they are integrated into a comprehensive, enterprise-wide compliance plan. If compliance risks outside the compliance program’s purview are to be reported to senior leadership and the board, they should be coordinated with the compliance officer so that there is transparency in the compliance function, regardless of who performs the oversight.
The compliance officer needs to identify the available resources that can be leveraged to help implement the organization’s compliance auditing and monitoring plan. Some resources may exist within the compliance department, and some may reside elsewhere in the organization but can still be leveraged to help implement the plan. This is commonly done by reviewing the priority risks identified, seeing which functions may already be performing compliance activities in those risk areas, and determining whether, when, and what in each risk area will be audited, and by whom. Such a global assessment lets the organization view, at a glance, the overall compliance auditing and monitoring plan and identify whether available resources are used efficiently and effectively, without redundancy across the compliance auditing and monitoring areas. It also assures that appropriate subject matter experts are available for these activities, which increases the credibility and integrity of the outcomes.