Catherine Boerner (cboerner@boernerconsultingllc.com) is President of Boerner Consulting LLC, in New Berlin, WI.
I like to approach compliance audits with the “Help me prove we are doing this right” mindset. I think gathering information from various departments or seeking help understanding how a process works can go much smoother when you are asking employees at various levels of the organization to help.
The proactive nature of conducting audits and looking at samples of compliance risk areas in order to verify that we are compliant is a nice place to be. It is so refreshing as a compliance professional to get out of a reactive mode.
Many audits can develop scope creep, so it is important to have a good audit plan for each audit to make it clear, for example, the purpose of the audit, the scope, size and sample selection, and documents reviewed. At the end, the audit report can include the project summary with elements from the audit plan. It should also try to include a regulatory summary, summary of audit findings, risks identified, and conclusions and recommendations.
Part of the recommendations might be to provide examples or suggestions on what would have made the audit easier and more straightforward to confirm compliance. Oftentimes, helping operations see processes from an auditor’s perspective will allow for changes to make an area more transparent to ensure compliance. Additional policies and procedures, as well as ongoing training, can also often help departments prove they are doing it right and are aware of the regulatory requirements.
Internal monitoring also is a great way for departments to help prove they have a compliance risk area covered. The compliance department can offer to do the monitoring or suggest ways the department can monitor and, perhaps, report the results of internal monitoring to the compliance committee. It is reassuring when the compliance committee can see compliance risk areas that are being monitored up front. This can become an effective way to catch potential problems early. I have found that the risks that staff turnover presents can be mitigated by a good monitoring and auditing program. The last thing an organization wants is to think they have a compliance risk well controlled only to find out, due to staff turnover, it has become a higher risk again.
A collaborative culture between operations and compliance can really create the best compliance culture. It is nice when we can help each other.