An enforcer's view of compliance

by Leigh Faugust, Esq., CCEP

Leigh Faugust (lafaugust@gmail.com) is Enforcement Counsel at a not-for-profit international regulatory authority in Washington DC.

Finding a problem, assessing the risk and cause of that problem, and addressing and preventing recurrence of that problem are key factors in establishing an effective compliance program. I have had a unique perspective on internal controls related to compliance at the end of the life cycle of non-compliance. Although I have personally reviewed thousands of instances of non-compliance, few of these have posed a serious risk. Companies with robust internal controls find problems early, address those problems, and prevent repeat issues, thereby — most importantly — reducing the risk those problems may pose.

Identifying non-compliance

“Sense and deal with problems in their smallest state, before they grow bigger and become fatal.”

― Pearl Zhu

When considering an internal compliance program, the first question I ask is always, “How did the company discover there was an issue?” If an entity’s internal compliance program cannot find a problem, then how good of a program is it? Compliance programs must put an emphasis on finding issues and encourage company employees to report non-compliance quickly and accurately. If a culture does not encourage identifying issues, or inadvertently incentivizes hiding non-compliance to protect financial gain or for other reasons, there can be only bad results.

A company that truly wants to create a culture of compliance will encourage its employees to proactively identify potential issues. A program could include a variety of methods of detection. These may include regular internal reviews, hiring external compliance professionals, or performing spot checks of records and procedural documents to identify areas of concern. Many companies perform internal reviews when they know a regulator audit is approaching, but the companies that review on a regular basis, regardless of audit schedule, receive the greatest benefit — both in improving culture and, potentially, from reduction or elimination of regulator sanctions.

When a company identifies a problem, a robust compliance program must determine the full scope of that problem. If investigating and determining the extent of the condition would prevent notifying its regulator in a timely manner, then the entity could perform this step later as part of mitigation. No matter if the company determines the extent of condition at the time of discovery or through mitigation, reviewing the following helps ensure a full picture:

  • Other facilities across the corporate structure;

  • Procedures, assets, facilities, or personnel that could be affected as part of the non-compliance;

  • Whether other regulations were violated based on the facts of the identified issue;

  • Prior compliance history; and

  • Additional instances discovered during mitigation.

This document is only available to members. Please log in or become a member.
Become a Member Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings