Here are some suggested steps in planning and conducting compliance audits. Some of the suggestions may not apply to every type of organization and should be customized as appropriate to fit the specific needs of your organization.
|
Phase |
Suggested Actions |
Notes |
|
Planning Phase |
Consider developing a standardized compliance audit procedure document and standardized compliance audit report for use by employees serving as compliance auditors to explain the methodology used in conducting the compliance audit, and provide them with a standardized template for reporting audit results and recommendations. | |
|
Consider developing a standardized compliance audit notice for the departments and employees that will be audited describing the process, what will be required from them, and the timeline for the audit. | ||
|
Determine which compliance risk areas and processes within the organization will be audited during this cycle or time period and create a formal compliance audit schedule. How will specific risks be chosen for audit? Document the methodology used and reasoning behind choosing that methodology for selecting particular compliance risks and processes for audit. | ||
|
Consider who within the compliance function will be chosen as the compliance auditor responsible for conducting and running each compliance audit (e.g., a compliance officer, member of the compliance staff, compliance counsel). Ensure the chosen compliance auditor is a neutral and unbiased party with no conflict of interest relating to the topic, function, or group of employees involved in the audit. Consider whether the auditor should sign a confidentiality commitment and/or conflict of interest certification prior to beginning work on the audit. | ||
|
Pre-Work |
The selected compliance auditor creates a detailed written compliance audit plan. They determine which specific processes will be audited, the employees from which they will need responses and participation, and how each will be chosen. Document the reasoning behind the selection method used (e.g., Have functions/processes been selected based on overall risk, based on recent risk, based on other audit results, by assigning each area a number and using a random number generator to make selections?) | |
|
The compliance auditor develops a list of the types of resources and documents needed to complete the compliance audit (e.g., which employees will need to be interviewed, which kinds of documents will be needed, which systems will need to be accessed, which archives or records will need to be reviewed), and adds this information to the written compliance audit plan. | ||
|
The compliance auditor determines the methodology to select specific documents and resources to review (e.g., use of a random number generator, use of date ranges, use of a combination of both). | ||
|
Using the standardized form, the compliance auditor creates a detailed compliance audit notice for the function to be audited that includes the details about the specific compliance audit planned, the anticipated timeline for the compliance audit, a list of employees who will need to be interviewed, and a list of the specific resources and documents needed for the audit. | ||
|
The compliance auditor schedules an introductory meeting or call with leadership of the responding function as well as the employees participating in the compliance audit to review the compliance audit notice, the list of employees to be interviewed, the list of resources and documents requested, the timeline for the compliance audit, and to answer any questions/address any concerns. Agree upon a date by which all resources and documents will be ready for review. | ||
|
Audit Process |
Using the compliance audit procedure, on the agreed-upon date, the compliance auditor reviews all resources and documents, carefully documenting the results of each review. | |
|
The compliance auditor conducts all necessary interviews with employees involved in the compliance audit response and documents each interview. | ||
|
The compliance auditor drafts a written compliance audit report using the standardized compliance audit report template and includes an executive summary; a description of the methodology used; a description of the document, process, and system reviews; a list of persons interviewed; key findings and deficiencies identified with a root cause identified for each; and a description of mitigation/corrective action steps needed. These reports are sent to the chief compliance officer for review and approval prior to issuance. | ||
|
If the root cause of any issue relates to misconduct by an employee, the compliance auditor will notify the compliance investigations team so they can open an investigation and refer to the employee disciplinary committee for appropriate action. | ||
|
The chief compliance officer will consult with the compliance committee if the compliance audit reveals an issue on which outside expertise may be needed. The chief compliance officer will manage and supervise the work of any outside expert. | ||
|
The chief compliance officer will consult with the compliance committee and the audit committee of the board of directors if the compliance audit reveals an issue for which disclosure to a government regulator might be advisable or required. The chief compliance officer will manage any disclosure process. | ||
|
Once approved and finalized by the chief compliance officer, the compliance audit report is issued to the function that was audited along with the compliance committee. | ||
|
Post-Audit Work |
Consider scheduling a compliance audit closure meeting with leadership of the audited function to review the compliance audit report, findings, and any deficiencies. Identify who will be responsible for ensuring the completion of mitigation/correction activities and the reporting on the progress. | |
|
The compliance auditor will be responsible for follow-up with the function and the agreed-upon responsible parties to ensure completion of all mitigation/correction items and closure of all identified deficiencies. | ||
|
Schedule a follow-up compliance audit in the near future (suggested time period of six months) to ensure mitigation/correction steps have been fully implemented in practice and are working correctly. | ||
|
The chief compliance officer reports the findings of all compliance audits and the status of all mitigation/correction activities to the compliance committee and the audit committee of the board of directors no less than quarterly. |