The compliance “world” is a relatively fluid environment. The combination of changing regulations and ever-evolving organizations means that your organization’s risk profile is never static. With that continuous shifting in mind, it is no wonder that compliance professionals remain focused on preventing and detecting compliance breakdowns, occurrences of fraud or other potential irregularities through rigorous attention to their compliance programs.
The concern is particularly timely now for two key reasons:
- The regulatory environment. Many regulators and enforcement officials are taking a closer look at back-end internal controls, monitoring and auditing, as they have found some first- and second-generation compliance programs to be inadequate in certain respects.
- Economic downturn. Equally challenging for compliance departments is that the recessionary economic environment continues to strain central staffs, including compliance and internal audit capacity. As a result, many companies are experiencing an increase in control weaknesses and compliance breakdowns.
The practical challenges, resources and management commitment required to design, implement, test and sustain an effective corporate compliance program should not be underestimated. But there are many techniques that can be employed to help effectively prevent, detect and remediate incidents of non-compliance. Following are 10, not necessarily obvious, stress-testing methodologies you may wish to consider and act on, depending on your particular program needs and maturity level.
- Formalize the employee exit interview processes to capture, categorize and quantify potential compliance risks that should get special focus.
- Provide helpline access to nonemployee third parties, such as vendors, customers and other stakeholders.
- In connection with mandatory employee compliance training, track completion rates, pass rates, geographical correlations and questions with high miss rates that may indicate compliance risks.
- Localize and tailor compliance training to the local cultures, languages and risks of business units operating in different locations around the world.
- Perform global trend analysis on comprehensive compliance issue reporting that consolidates all the sources of complaints and allegations (helpline, exit interview, etc.) to identify emerging issues by geography, business unit or risk area.
- Perform text analytics on disbursement descriptions using corruption-focused search terms to help identify potentially anomalous transactions.
- Assess compliance system detection capabilities and reliability using different types of tests that may involve intentionally processing a false or fraudulent expense or reimbursement claim with corruption red flags (could involve a cooperating employee or agent), or an international attempt at unauthorized access to confidential information or PII.
- Conduct employee cultural surveys to assess attitudes, awareness and willingness to comply and report, as well as identify emerging issues.
- Engage a third party to conduct an independent strategic assessment of the effectiveness of compliance program design and implementation, and to provide recommendations for gap remediation and continuous improvement.
- Implement a process for global business units to conduct internal control self-assessments or self-audits of the compliance program and compliance-related controls.
Highly effective compliance programs are not only good corporate governance practice and important in safeguarding reputation; they are now also expected by regulators and law enforcement agencies around the world.
According to the U.S. sentencing guidelines, an “effective” corporate compliance program is one that is structured and includes the following elements: board and management oversight and governance; proper organizational structure and accountability; an ethical culture and tone at the top; periodic risk assessments and prioritization of legal, regulatory, ethical, tax and fraud risks; policies, procedures, internal controls, training and education; monitoring and assessment of programs and processes, incident response and investigatory mechanisms; and robust corrective actions and remediation. The ten actionable items listed in this column can help you assess how your program measures up to certain guidelines.
Constantly improving your compliance program means having it evolve right along with your company. Good compliance really is good business.
Rob Biskup brings 25 years of in-depth experience in both professional services and the corporate sector to his current role as a director in Deloitte Financial Advisory Services LLP. His responsibilities comprise service as a regional leader of Corporate Compliance, Corporate Investigations and Forensic Accounting, and Foreign Corrupt Practices Act (FCPA) practice areas. In addition, he serves as the national automotive sector leader for Deloitte Financial Advisory Services.
Rob came to Deloitte from Ford Motor Company, where he was the global head of compliance, with responsibility for compliance related activities at the parent company and 10 affiliates in 44 countries worldwide, and also served as Assistant General Counsel and Assistant Secretary. These roles in a Fortune 10 public company provided Rob with broad knowledge and experience associated with managing the complexities of crucial regulatory compliance and policy issues affecting large, international corporations. Prior to Ford, Rob practiced law with the international law firm of Sidley Austin LLP.
To his columns in Corporate Compliance Insights, Rob brings extensive experience in developing and implementing corporate compliance programs and related governance structures, internal controls, monitoring, and auditing mechanisms. He also contributes deep experience with handling sensitive regulatory matters and internal investigations on behalf of management and boards, including investigations involving financial fraud and corruption. He has direct experience handling Foreign Corrupt Practices Act investigations and transactional due diligence reviews in high-risk countries around the world.
Rob received a B.A. from Michigan’s University and a J.D. from Wayne State University.
Rob can be contacted via email at rbiskup@deloitte.com.
Rob wrote Stronger Spotlights, Larger Stages: The Expanding Role of the Chief Compliance Officer before beginning contributions to the regular column Your Risk Intelligent Enterprise™ for CCI with Henry Ristuccia and Donna Epps.
As used in this document, ‘Deloitte’ means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, and Deloitte Tax LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.












