Integrating probability sampling into compliance programs

By Gary S. Green, PhD

Gary S. Green (gary3855@outlook.com) is retired Professor of Government at Christopher Newport University in Newport News, Virginia, USA.

Auditing is the bedrock of any compliance program because without meaningful attempts to identify wrongful behaviors or the risk that they will occur, those problems can never be addressed. “Auditing” in this article will refer to any proactive effort to verify the effectiveness of an organizational compliance and ethics program.

Auditing seeks to prevent all harms associated with legal noncompliance. Although auditing certainly attempts to prevent wrongful acts against an organization, it must also attempt, with equal zeal, to prevent actions committed by the organization that inflict legal harms on employees, customers, vendors, stakeholders, and all other parties. It must seek to identify crimes, torts, breaches of contract, and other legal violations (especially those related to regulatory law) in addition to seeking to identify the risks associated with their possible occurrence.

Organizations are expected to identify and then immediately fix any actual or potential noncompliance, and “best practices” in compliance make specific reference to auditing as a prerequisite to a quality compliance program. Thus, auditing responds to legal expectations to self-police with due diligence. Auditing should produce information that may be used as evidence for compliance program effectiveness and identify weaknesses in compliance, allowing the organization to respond appropriately.

Auditing through sampling allows the examination of only a small fraction of organizational things in order to derive information that represents all of those things in an organization. Sampling is a fundamental aspect of self-evaluation associated with organizational compliance programming because it makes the investigation of key compliance questions considerably more feasible and much less expensive.

There are many reasons to use probability sampling to identify compliance breaches. First, it allows you to monitor efficiently large numbers of anything without monitoring everything. You can use probability sampling to monitor financial transactions, vendor contracts, product liabilities, place-based working condition safety or environmental risk, whether internal reporting mechanisms are effective, or anything else related to legal compliance initiatives. Second, it demonstrates “due diligence” in pursuit of a meaningful compliance program, which may serve to mitigate criminal and civil liabilities. Third, probability sampling promotes ethical organizational behavior because it does not target individuals. And, fourth, compliance auditing through sampling recursively sends the message that the higher-level personnel in an organization are serious about maintaining compliance program effectiveness.

Sampling is applicable to virtually all areas of auditing because it:

  • Identifies past compliance breaches,

  • Establishes baselines for compliance needs when programs are developed and as reference points for future audits, and

  • Performs ongoing monitoring of compliance program elements.

Why nonprobability sampling designs should be avoided

Nonprobability designs should be avoided in serious auditing of compliance issues because they are inefficient, biased, and will never yield meaningful results. Nor do they demonstrate “due diligence” and will therefore be much less likely to help organizations mitigate criminal and civil liabilities.

Examples of nonprobability sampling designs to avoid are:

  • “Quota” samples that use one or only a few criteria proportionately to draw a sample (e.g., 75% male and 25% female if that is the makeup of your workforce, 10 financial records from one department and five from another department that is half the size).

  • “Convenience” samples that use readily available documents, employees, inventory, etc. that are on hand and easy to find.

Detection is the fundamental cornerstone of due diligence because one cannot respond to, and often cannot prevent, compliance irregularities that remain invisible. An organization that uses nonprobability sampling will be hard-pressed to convince its detractors that a missed compliance problem was not in actuality the result of its willful ignorance to purposely hide the problem. Put another way, organizations that use nonprobability designs when probability samplings are more appropriate and reasonably practicable can rightly be accused of having a compliance program that is merely cosmetic.

This document is only available to members. Please log in or become a member.
Become a Member Login


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings