Gary S. Green (gary3855@outlook.com) is retired Professor of Government at Christopher Newport University in Newport News, Virginia, USA.
Auditing is the bedrock of any compliance program because without meaningful attempts to identify wrongful behaviors or the risk that they will occur, those problems can never be addressed. “Auditing” in this article will refer to any proactive effort to verify the effectiveness of an organizational compliance and ethics program.
Auditing seeks to prevent all harms associated with legal noncompliance. Although auditing certainly attempts to prevent wrongful acts against an organization, it must also attempt, with equal zeal, to prevent actions committed by the organization that inflict legal harms on employees, customers, vendors, stakeholders, and all other parties. It must seek to identify crimes, torts, breaches of contract, and other legal violations (especially those related to regulatory law) in addition to seeking to identify the risks associated with their possible occurrence.
Organizations are expected to identify and then immediately fix any actual or potential noncompliance, and “best practices” in compliance make specific reference to auditing as a prerequisite to a quality compliance program. Thus, auditing responds to legal expectations to self-police with due diligence. Auditing should produce information that may be used as evidence for compliance program effectiveness and identify weaknesses in compliance, allowing the organization to respond appropriately.
Auditing through sampling allows the examination of only a small fraction of organizational things in order to derive information that represents all of those things in an organization. Sampling is a fundamental aspect of self-evaluation associated with organizational compliance programming because it makes the investigation of key compliance questions considerably more feasible and much less expensive.
There are many reasons to use probability sampling to identify compliance breaches. First, it allows you to efficiently monitor large numbers of anything without monitoring everything. You can use probability sampling to monitor financial transactions, vendor contracts, product liabilities, place-based working condition safety or environmental risk, whether internal reporting mechanisms are effective, or anything else related to legal compliance initiatives. Second, it demonstrates “due diligence” in pursuit of a meaningful compliance program, which may serve to mitigate criminal and civil liabilities. Third, probability sampling promotes ethical organizational behavior because it does not target individuals. And, fourth, compliance auditing through sampling recursively sends the message that the higher-level personnel in an organization are serious about maintaining compliance program effectiveness.
Sampling is applicable to virtually all areas of auditing because it:
- Identifies past compliance breaches,
- Establishes baselines for compliance needs when programs are developed and as reference points for future audits, and
- Performs ongoing monitoring of compliance program elements.
Why nonprobability sampling designs should be avoided
Nonprobability designs should be avoided in serious auditing of compliance issues because they are inefficient, biased, and will never yield meaningful results. Nor do they demonstrate “due diligence,” and they will therefore be much less likely to help organizations mitigate criminal and civil liabilities.
Examples of nonprobability sampling designs to avoid are:
- “Quota” samples that use one or only a few criteria proportionately to draw a sample (e.g., 75% male and 25% female if that is the makeup of your workforce, 10 financial records from one department and five from another department that is half the size).
- “Convenience” samples that use readily available documents, employees, inventory, etc. that are on hand and easy to find.
Detection is the fundamental cornerstone of due diligence because one cannot respond to, and often cannot prevent, compliance irregularities that remain invisible. An organization that uses nonprobability sampling will be hard-pressed to convince its detractors that a missed compliance problem was not actually the result of willful ignorance meant to hide the problem. Put another way, organizations that use nonprobability designs when probability sampling is more appropriate and reasonably practicable can rightly be accused of having a compliance program that is merely cosmetic.