In the ever-evolving landscape of business and regulations, compliance auditing and monitoring are critical to ensure that companies operate within the confines of laws, regulations, and ethical standards.
As businesses navigate the complex environment of legal and ethical obligations, the strategic execution of audits at regular intervals becomes imperative to identify, rectify, and prevent potential compliance risks.
Compliance auditing and monitoring play a pivotal role in evaluating the effectiveness of a company’s compliance program. When regulators assess these programs, they focus on three key criteria:
-
Is the company’s compliance program well-designed?
-
Is it being applied in good faith (i.e., how well is it implemented)?
-
Even if it is well-designed and implemented, does it work? Is it effective, and what is the impact?[1]
To determine what and when to audit, we must first understand the objectives of compliance auditing and monitoring. For this, let’s explore the three primary purposes of these activities that align with the seven elements of an effective compliance program as defined by the U.S. Sentencing Guidelines.
I. Prevention
Element 1: Written policies, procedures, and standards of conduct
An effective compliance program begins with well-documented policies, procedures, and standards of conduct, which set the foundation for ethical behavior and compliance with relevant laws and regulations.
Element 2: Designate a compliance officer and governance committee
The compliance officer and committee are responsible for overseeing and implementing the compliance program within the organization in alignment with the organization’s values and goals.
Element 3: Provide regular and effective education
Regular training and communication are essential to ensure that employees understand compliance standards, guidelines, and processes, helping them grasp the dos and don’ts of the organization’s operations.
II. Detection
Element 4: Reporting and investigation
This element focuses on creating a culture where employees feel comfortable reporting potential violations. Investigative procedures should be in place to examine reported issues thoroughly, ensuring non-retaliation and preventing adverse actions against those who report in good faith.
Element 5: Conduct internal auditing and monitoring
These proactive measures help identify compliance risks and weaknesses in the system. Regular assessments enable early detection and correction, contributing to the program’s overall effectiveness.
III. Remediation
Element 6: Enforcement and discipline
When violations occur, a clear, fair, and transparent system of enforcement and discipline is crucial. It ensures breaches are addressed promptly and consistently, building trust with employees and business partners.
Element 7: Response and prevention
This element focuses on strategies for responding to violations and implementing preventive measures to avoid future breaches.
Auditing and monitoring processes can work together to help an organization understand its risk landscape and allocate resources accordingly. Trends observed at the organizational, regional, or country level can point to an area where a company may want to dig deeper through a process audit. The following are some examples:
-
Distributor margins: Trend analysis done as part of monitoring distributor margins may show a sudden increase in a country or reveal wide variations between margins paid to similar distributors used by different business units in the same country. This may indicate that the higher margins distributors are being allowed to charge are helping to create a slush fund to be used for bribes. Auditors may want to dig deeper in the form of a special audit for distributor margins.
-
Channel stuffing: If there is a spike in month-end sales to distributors, followed by a high number of products being returned at the beginning of the next month, this may indicate a deceptive business practice used by the company to inflate its sales and earnings figures. Observing such a trend may necessitate an audit of the sales incentives and bonus schemes to check how sales variables are tied to incentives and find the right balance to check these deceptive practices.
-
Gifts and hospitality: Likewise, an audit may reveal process gaps around gifts and hospitality expenses and result in audit recommendations to regularly monitor such expenses.
While planning what to audit, it’s essential to evaluate the audit universe—which means all the different kinds of reviews/audits for various areas, processes, and activities within an organization. We’re talking about any kind of review that may be done by different functions in relation to compliance controls, as well as complementary internal controls.
Regardless of who does the auditing and/or monitoring work—internal audit, compliance, or an external consultant—involvement of the compliance function is essential while deciding what and when to audit.
If the compliance function is not developing the compliance auditing and monitoring plan, it would be good to ask that the plan include how priority risks are evaluated and ongoing monitoring occurs. It is also important to focus on how compliance will be integrated into another function’s process of forming and implementing the compliance auditing and monitoring plan.