Broadly understood, compliance with an organisation's policies and procedures is an important activity that helps make organisational governance effective. Monitoring and maintaining compliance is not just to keep the regulators happy; compliance with regulatory requirements and the organisation's policies and procedures is a critical component of an effective enterprise-wide risk management programme. It can also be one of the most important ways in which an organisation achieves its business goals, sustains its ethical health, works towards long-term prosperity, and preserves and promotes its values.
This article provides an overview of a typical compliance and ethics programme and discusses the challenges and processes involved in auditing an organisation's compliance and ethics efforts. The Open Compliance and Ethics Group (www.oceg.org) has recently published an internal audit guide (IAG) to support the planning, execution, and reporting of an internal audit of a compliance and ethics programme (C&E programme).
In many countries the use of a formal compliance and ethics office is not that common, whereas in North America, due to the U.S. Federal Sentencing Guidelines and the various governance regimes that are in place (e.g. the 2002 Sarbanes-Oxley Act and Bill 198 in Canada), a C&E programme has become commonplace in supporting the improvement of governance practices within an organisation. Compliance and ethics programmes are also very diverse: in some organisations the programme is strictly focused on the code of conduct and the detection and prevention of ethical and criminal violations, whereas in other organisations the C&E programme is also used to promote the organisation's values and even to encourage 'operational excellence' in its business processes.
This article is intended to inform the reader on leading practices regarding compliance and ethics programmes, including recently published guidance and other resources. It should be of interest to everyone charged with governance responsibilities, as well as to people tasked with completing an audit of the programme's effectiveness (in achieving results). Within every business environment ensuring effective governance processes is vital, and where a compliance and ethics programme has not been 'operationalised', an organisation should consider the benefits of implementing a more formal compliance and ethics programme.
An effective compliance and ethics programme is best implemented as integrated processes that are owned by designated functions and managed by senior executives who have overall responsibility and accountability. Today, compliance is a daunting challenge, but it also provides a significant opportunity to establish and promote operational effectiveness throughout the entire organisation. Compliance can also create sustainable competitive advantage.
An internal audit is like a regular medical check-up
The board and management periodically need to evaluate the design and operating effectiveness of the company's compliance and ethics programme, and to assess its overall performance. Such an evaluation supplements the ongoing, day-to-day monitoring of compliance and ethics programme activities. Not only do these audits provide a more in-depth analysis of the programme's design, effectiveness, and performance; they also provide an opportunity to consider new management practices and supporting technologies that could enhance the programme. An internal audit of an organisation's ethics and compliance efforts helps ensure their effectiveness.
Any audit has three phases: planning, fieldwork, and reporting; and an audit of a compliance and ethics programme is no different. During the planning phase, once the scope is agreed, the audit team should confirm that:
- all key risks and issues are identified and considered
- the audit objectives will meet the organisation's assurance requirements
- the compliance and ethics programme is well understood.
Defining the objectives of the audit is one of the most critical steps in the audit because it defines the purpose of the audit and the assurance the board and management will be provided. Very early in the audit project, the internal audit staff should hold discussions with management and the board (including members of the audit committee and legal counsel, as necessary) regarding the stakeholders' assurance needs, to ensure the audit meets the needs of the organisation. These discussions need to take place before the audit planning is completed so that the audit fieldwork and reporting are appropriate.
Compliance and ethics programmes cover a very broad span of activities which can include:
- implementing a code of conduct
- operating a whistle blowing hot line service
- managing an environmental management system
- maintaining a quality management system
- and many more.
The audit team needs to define the proper focus for the audit efforts.
The audit should also be based on a comprehensive audit risk assessment - that is, auditors should identify the key risks facing the company's compliance and ethics efforts and use these to decide where to concentrate the audit. The activities covered by the organisation's compliance and ethics programme, together with its aims, will determine the scope of the audit. If the organisation does not have a formal compliance and ethics programme the audit could begin with a gap analysis (comparing actual practice with what might be more desirable if the organisation already had operationalised a programme and what the auditor considers might be the critical missing areas).
The participation of inside legal counsel (the legal department or other available legal advice) in the audit is another critical factor to be considered during the audit planning (or subsequently if the plan's assumptions turn out to differ from the actual audit situation). Obtaining legal advice proactively is warranted in many C&E audits. If wrongdoing is identified during the internal audit, dialogue with legal counsel will be required - indeed, it's often vital to protect the organisation's best interests.
Whatever the scope of the audit, audit objectives must be set. Three key goals that should be considered are:
- Determine whether the compliance and ethics programme provides reasonable assurance of compliance with organisational policies and applicable laws and regulations; or, if the organisation does not yet have a compliance and ethics programme in place, what level of assurance, if any, can be gained on its compliance and ethics efforts
- Determine if the programme's management framework is documented, in place, and appropriately resourced to meet the organisation's needs
- Determine whether the programme has been implemented effectively, and that its performance reporting system has been defined and accurately presents the results of the programme's effort
If a formal compliance and ethics programme is not in place the focus will obviously be less on auditing the programme system and be more on substantive audit work to determine whether the risks associated with the areas covered in the agreed scope are properly managed or whether significant untreated risks exist.
Some critical issues to explore during the audit include whether there is:
- consistency and integration of compliance and ethics programmes among the different business units within the organisation
- coordination between the compliance and ethics officer (or those responsible for overall ethical compliance) and the individual business units
- a clear and effective division of roles and responsibilities among the ethics office (where operational), compliance, human resources, legal, and other relevant business units
- an effective tone at the top that has been successfully communicated and implemented by the board and senior management.
It is vital that the audit focuses on evaluating the significant components of the compliance and ethics efforts - that is, that the audit team uses a risk-based approach to find the programme's elements most likely to cause problems for the organisation and/or most in need of confirmation that they are operating properly. The planning phase is an opportunity for the audit team to confirm that the audit scope will be appropriate, and the audit cost won't give anyone a heart attack.
After planning, the audit moves into a phase of detailed fact gathering, testing and analysis called fieldwork. In the fieldwork phase, the team evaluates the compliance programme's various components, based on the goals and methodology finalised in the planning phase. Among the most important questions to answer are: 1) how the board sets its 'tone at the top' and communicates its values to employees; 2) how employees at all levels of the company perceive management's commitment to those values; and 3) how the company handles compliance or ethics issues that arise from compliance failures.
While audit programmes will be tailored to individual organisations, audit tests could include reviewing training materials and training programme results, evaluating the organisation's responses to violations, checking electronic or paper files for a 'signed' Code of Conduct, conducting surveys and/or reviewing the results of the organisation's surveys, reviewing management's communications to employees for ethical content, and quantifying the organisational resources available for programme operation to determine whether they are 'reasonable'. The evaluation of the quality of the programme's data gathering, information systems and performance reporting is very important – if performance reporting is not robust the board will not be informed appropriately, management will be challenged to respond to issues on a timely basis, and the organisation could be 'flying blind'.
Determining what is sufficient audit testing and what is the appropriate evidence (for the audit findings and conclusions) involves extensive professional judgment. As discussed in the OCEG internal audit guide, there is no right answer; it depends on the purpose of the audit (which determines what audit tests will be critical) and the intended client of the audit report and its conclusions (which determines the audit evidence 'requirements'). Certainly, open two-way communication between the audit team and the organisation's management and staff is vital in completing an accurate audit assessment of the programme's performance. A variety of audit tests to 'cross confirm' audit conclusions is also highly recommended.
The reporting phase is where the internal audit team communicates the audit results to all the stakeholders, which includes providing an unbiased assessment of whether the objectives of the ethics and compliance efforts are being met and outlining the steps management plans to take to improve the compliance and ethics efforts. A well-planned and executed internal audit should make audit reporting straightforward: you tell them what you did, you tell them what you found, and finally you tell them what management plans to do about it. That's all there is to it. While this is an oversimplification of the many challenges involved in auditing a compliance and ethics programme, it conveys the fundamentals of the audit process.
Internal auditing – some 'big picture' considerations
Auditors must always take a risk-based approach when planning an audit of the organisation's compliance and ethics efforts. With limited resources, auditors have to focus on the highest-risk areas and strive to add value to the organisation. Audit best practices also recommend that internal auditors be involved throughout the programme's life cycle and not just in post-implementation programme evaluations.
The audit of a compliance and ethics programme must be part of a larger, long-term overall audit plan that will meet the assurance requirements of the board and management. A series of internal audits of a compliance and ethics programme may be advisable where the programme has a large and/or complex scope, as a compliance and ethics programme can be very information-intensive and cover many departments within the organisation.
Management should not be developing processes, procedures, reports, and the like during the actual audit - the audit team should be evaluating the established efforts of the compliance and ethics programme in meeting the organisation's requirements. It is also common for management to complete a 'self-assessment' of their compliance and ethics efforts prior to an internal audit.
The internal audit team and chief compliance and ethics officers should review the vast guidance available, and in particular review closely the comprehensive OCEG internal audit guide (IAG) for auditing compliance and ethics efforts. These references will also be of value to management and the board.