The compliance “world” is a relatively fluid environment. The combination of changing regulations and ever-evolving organizations means that your organization’s risk profile is never static. With that continuous shifting in mind, it is no wonder that compliance professionals remain focused on preventing and detecting compliance breakdowns, occurrences of fraud or other potential irregularities through rigorous attention to their compliance programs.
The concern is particularly timely now for two key reasons:
- The regulatory environment. Many regulators and enforcement officials are taking a closer look at back-end internal controls, monitoring and auditing as they have found some first- and second-generation compliance programs to be inadequate in certain respects.
- Economic downturn. Equally challenging for compliance departments is that the recessionary economic environment continues to strain central staffs, including compliance and internal audit capacity. As a result, many companies are experiencing an increase in control weaknesses and compliance breakdowns.
The practical challenges, resources and management commitment required to design, implement, test and sustain an effective corporate compliance program should not be underestimated. But there are many techniques that can be employed to help effectively prevent, detect and remediate incidents of non-compliance. Following are 10, not necessarily obvious, stress-testing methodologies you may wish to consider and act on, depending on your particular program needs and maturity level.
- Formalize the employee exit interview processes to capture, categorize and quantify potential compliance risks that should get special focus.
- Provide helpline access to nonemployee third parties, such as vendors, customers and other stakeholders.
- In connection with mandatory employee compliance training, track completion rates, pass rates, geographical correlations and questions with high miss rates that may indicate compliance risks.
- Localize and tailor compliance training to the local cultures, languages and risks of business units operating in different locations around the world.
- Perform global trend analysis on comprehensive compliance issue reporting that consolidates all the sources of complaints and allegations (helpline, exit interview, etc.) to identify emerging issues by geography, business unit or risk area.
- Perform text analytics on disbursement descriptions using corruption-focused search terms to help identify potentially anomalous transactions.
- Assess compliance system detection capabilities and reliability using different types of tests that may involve intentionally processing a false or fraudulent expense or reimbursement claim with corruption red flags (could involve a cooperating employee or agent), or an international attempt at unauthorized access to confidential information or PII.
- Conduct employee cultural surveys to assess attitudes, awareness and willingness to comply and report, as well as identify emerging issues.
- Engage a third party to conduct an independent strategic assessment of the effectiveness of compliance program design and implementation, and to provide recommendations for gap remediation and continuous improvement.
- Implement a process for global business units to conduct internal control self-assessments or self-audits of the compliance program and compliance-related controls.
Highly effective compliance programs are not only good corporate governance practice and important in safeguarding reputation; they are now also expected by regulators and law enforcement agencies around the world.
According to the U.S. sentencing guidelines, an “effective” corporate compliance program is one that is structured and includes the following elements: board and management oversight and governance; proper organizational structure and accountability; an ethical culture and tone at the top; periodic risk assessments and prioritization of legal, regulatory, ethical, tax and fraud risks; policies, procedures, internal controls, training and education; monitoring and assessment of programs and processes, incident response and investigatory mechanisms; and robust corrective actions and remediation. The ten actionable items listed in this column can help you assess how your program measures up to certain guidelines.
Constantly improving your compliance program means having it evolve right along with your company. Good compliance really is good business.
As used in this document, ‘Deloitte’ means Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, and Deloitte Tax LLP, which are separate subsidiaries of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.