Corporate Compliance Insights

Monitoring for Compliance

A Strategic Approach

by Jason Lunday
July 29, 2010
in Compliance

While a little-understood element of process management, monitoring serves as a powerful tool to ensure that ethics and compliance processes continue to work and improve.

Ethics and compliance monitoring is a clear expectation but has not been well defined, leaving many companies at a disadvantage in understanding how to effectively incorporate it into their ethics and compliance management efforts.

Unlike other recommended ethics and compliance activities, monitoring (and auditing, as well) is less of a defined, discrete activity and more a part of a management process. It needs to be designed to fit and incorporated into each activity.  Without strong monitoring techniques, ethics and compliance processes are likely to fail or fall out of date as external changes antiquate a business process.

The Expectation of Monitoring – But a Lack of Guidance

Monitoring has become a basic expectation of ethics and compliance management. The U.S. Sentencing Guidelines include ‘monitoring and auditing’ among the principal components of a recommended compliance and ethics program.

The Guidelines state: “The organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.”

The Guidelines continue: “The organization shall take reasonable steps…to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct,” including “monitoring through regular ‘walk-arounds’ or continuous observation while managing the organization.”


Along with the Guidelines, other ethics and compliance management frameworks include ‘monitoring.’ The U.S. Department of Health and Human Services’ model compliance programs for healthcare-related companies (PDF download) also include monitoring. This framework encourages “the use of audits and/or other evaluation techniques to monitor compliance and assist in the reduction of identified problem areas.”

The COSO risk management model places ‘monitoring’ as a critical management activity. It lists ‘monitoring’ as one of five principal components of good risk management and control practices. COSO looks to monitoring in its 2009 Guidance on Monitoring Internal Control Systems to help ensure “that internal control continues to operate effectively.” While the U.S. Department of Justice’s prosecutorial guidelines for organizations do not mention ‘monitoring’ specifically, their description of what may constitute an effective compliance program appears built on an organization’s ability to identify and take action regarding non-compliance with its standards – in short, monitoring.

Still, as addressed above, these expectations do not provide much detailed guidance as to what makes for good ‘monitoring.’ In fact, in the recent BAE Systems plea agreement with the U.S. Department of Justice (DOJ), ‘monitoring’ as a term is not used at all. In the agreement, what the DOJ does expect are “internal controls, policies and procedures,” “effective review and approval,” and “periodic testing of the compliance systems, policies, and procedures designed to evaluate their effectiveness.” These are expectations that monitoring may address. (See United States vs. BAE Systems plc, Plea Agreement, Appendix D (letter from U.S. Department of Justice to Lawrence Bryne, Esq., Linklaters LLP, February 2, 2010).)

Another well-known model provides a more expansive perspective on ‘monitoring.’ The Open Compliance and Ethics Group’s (OCEG) “Red Book”, a framework for ethics and compliance management, uses the term “monitoring” in a broader context that includes regular review of an organization’s external and internal changes that may impact a business process, in addition to review of a process’s activities to ensure compliance with its objectives. This OCEG framework on guidance about evaluating an organization’s external and internal factors helps to ensure that a process does not become victim to outside changes, leaving it ineffective. However, with regard to monitoring as part of a discrete process, the OCEG framework does not elaborate much.

Perhaps because of this lack of detailed guidance on ‘monitoring,’ companies continue to grapple with this issue and how to effectively address it. A 2009 PwC publication (PDF download) states that “few have had true success with establishing real-time, proactive monitoring programs that allow them to get ahead of issues and violations, reduce costs, and drive operational excellence to enhance compliance and create a competitive advantage.”


One reason for this difficulty may be that the guidelines include monitoring among other discrete ethics and compliance activities, such as promulgation of standards of conduct, education of employees, development of a whistleblower channel – activities that are unique processes unto themselves. But monitoring is not intended to be a discrete business process; like auditing, ‘monitoring’ is intended to be an important part of an integrated business process, whether the process addresses an ethics and compliance activity or any other business activity. As COSO addresses it, monitoring is an integral part of process management and improvement. Its purpose is to help provide the reasonable assurance that a process is effective.

Monitoring and Auditing

Because of the confusion between monitoring and auditing, it is helpful to distinguish between the two. Monitoring tends to occur within the activity’s operational structure and closer to the underlying activity’s occurrence. It may be conducted by operational management or involve an expert outside of the operational line where the expertise does not exist within the management structure.

Auditing generally describes activities that occur further after the fact by parties more independent of the respective operational management, such as an internal audit staffer or external auditors. While auditing may occur too far after the fact to allow for the problem to be corrected, it may do better at ensuring that operational management effectively manages the business activity. Monitoring allows for early identification and correction before a problem festers and causes the company to be in non-compliance.

Examples of Monitoring

  • Pre-activity approvals
  • Transaction reviews, such as travel expense reports
  • Reviews of in-process quality checks and outcome data
  • Review of staff-completed checklists
  • Listening to or reviewing recorded customer service intake calls
  • Attending sales presentations

Monitoring and auditing are essential to verify that a business activity actually works and continues to do so. Process design and improvement should consider both monitoring and auditing to ensure the most effective overall internal control solution, while still making certain of an independent, objective audit.

So, a distinction between monitoring and auditing is important to ensure that operational management cannot improperly bias or overrule the audit of an activity; in this regard, higher leadership provides an effective check to ensure that while the audit remains independent, monitoring and auditing function in tandem efficiently and effectively.

A Framework for Monitoring

The U.S. securities industry has developed a helpful framework that includes monitoring. FINRA, the financial regulatory authority, requires all of its member firms to maintain written supervisory procedures (WSPs) to ensure that business activities are regularly monitored for compliance with exchange rules. These WSPs are completed by supervisors, often with advanced supervisory credentials.

In addition, firms also must maintain supervisory control procedures (SCPs) that document how the WSPs will be reviewed and/or verified. This industry’s approach essentially establishes secondary and tertiary means to control and manage business activity. Slowly, other industries are building approaches similar to the securities industry that ensure that a business process is checked and double-checked to identify, assess and respond to errors and other variances that would otherwise thwart compliance with an activity’s procedures.

The following is an overall approach toward understanding what monitoring is, its value as part of a business process and how to integrate it into an activity.

Objectives

Monitoring serves numerous goals. At its most basic, it helps to ensure that a business activity is taking place and actually works – that the expected outcomes are occurring. In this regard, it is an effective tool to identify, review and determine how to handle variations to the expected outcomes that may not have been initially identified. Variations will always occur, and so any good process needs a way to capture and handle them.

Monitoring also identifies intentional deviations, such as when an employee purposely seeks to stray from a defined process for his or her own benefit. In doing this, monitoring reinforces that management is watching and taking action when problems occur.  Monitoring helps to improve the process’s accuracy, efficiency and effectiveness as it captures possible or actual failures. It also helps in documenting a process’s existence, operation and oversight – and in reporting on the process’s outcomes – so that the company can demonstrate the process works and is effective.

Finally, as addressed in the OCEG model, monitoring a process’s external environment (i.e., the organization’s external and internal changes) helps to ensure that the process can adjust to these changes.

Timing

Monitoring can occur prior to, during or after a business activity takes place. Common pre-activity monitoring includes, for example, a management approval, such as for high-risk activities like offering expensive gifts to customers.  After-the-event monitoring may be reserved for activities that are less risky and/or that occur frequently. While it cannot head off problems specific to a single transaction, such monitoring stresses that management is watching over the activity, especially when management regularly queries staff about how transactions were conducted.

Monitoring may occur during an activity, such as a complex set of procedures where management previews certain intended actions while it reviews just-completed ones. For instance, during a prospective consultant due diligence process, management may review the outcome of staff’s initial screening while previewing staff’s evaluation of the consultant’s response to a questionnaire. Or management may sit in on a sales presentation to ensure the accuracy of presented data.

Comprehensiveness

Monitoring includes some portion of an activity’s occurrences. For the most sensitive activities, monitoring may involve each transaction. Or it may act as a ‘spot check’ in looking only at randomly selected transactions. Management may determine to review process exceptions with the assumption that they pose the greatest risk. Or it may develop a more sophisticated way to evaluate higher-risk transactions, such as those that occur in certain demographies, by certain staff members or with other select parameters.

For example, management may decide to more closely monitor hotline calls from staff with a pattern of errors. A complex monitoring program may include a variety of these approaches.

Monitors

While operational management needs to assume accountability for an activity’s oversight, who actually conducts the monitoring can vary, largely based on the activity’s sensitivity and the staff’s requisite competence. For instance, management may delegate monitoring to staff not directly involved in an activity, who then report results back to the manager. This is more likely to occur for routine transactions with lesser risk and where staff can be appropriately trained. In the most sensitive situations, management will want to reserve monitoring for itself.

What is important is ensuring that the choice of who monitors still provides effective oversight of the activity.  COSO indicates (PDF download) that good process management includes “an effective organizational structure that assigns monitoring roles to people with appropriate capabilities, objectivity and authority.”

Metrics

Metrics are an important part of any business process and critical to monitoring.  The monitor must be able to determine whether an activity meets, comes close to or fails to meet its goals, and the responsible staff should be able to do the same. If an activity fails, the monitor needs to know the extent of the failure and, if possible, the reason why.

Also, metrics help the monitor to know whether an activity is improving when the metrics improve (or vice versa). Even results that achieve (but come close to missing) objectives still provide value. Monitoring these metrics ensures that management can take appropriate action.

Outcomes

Monitoring helps management to effect changes when an activity does not meet, or is at risk of not meeting, its intended results. This step is pivotal in process management. Unaddressed failures or other deficiencies not only weaken a process, they also can create unexpected liability if regulators or others determine that the company did not take reasonable measures to achieve compliance.

This means that the outcome of monitoring must be more than identifying actual or potential non-compliance; it must lead to management taking actions that correct the non-compliance risks. Knowing that it will report results of monitoring its activity also encourages a company to both monitor and make appropriate changes.

A monitoring outcome also may include identifying changes to the underlying activity or external environment, which might require changes to the activity to ensure continued compliance. Take the situation where the number of calls to a company’s hotline quickly decreases in a given month. This change may signal a shift in demographics, employee opinions or other issues that may require a change in the hotline communication or call intake process.

Factors

What monitoring steps should be included and how they should be designed and conducted depend on various determinants, including:

  • The number of an activity’s transactions – Fewer transactions make monitoring activity easier and faster.
  • The cost of monitoring – This applies per transaction in money, staffing and other resources.
  • The ease of monitoring – For example, where management can employ technology to automate and expedite monitoring, this bodes well for the overall process.
  • The risk of non-compliance – both its seriousness and likelihood. Serious consequences of non-compliance may encourage pre-transaction approval; non-compliance that is more likely to occur can suggest a need for monitoring of more transactions.
  • Motives for operating staff not to comply – Where staff may benefit from non-compliance, it behooves management to consider more stringent monitoring. For example, if sales staff can earn more commission from increased product sales by bypassing important paperwork, it may be important to monitor to ensure the paperwork’s timely and accurate completion.

Other determinants may also be appropriate depending on the underlying activity.

Finally, monitoring should work hand in hand with auditing. It should benefit from the outcome of internal or external audits. Audit findings are intended to correct or improve a process, and part of this correction can include a process’s monitoring steps. Just as monitoring provides a valuable benefit to an activity’s correction and improvement, process audits provide the same benefits to monitoring steps.

Putting it All Together

Given all of this information, the challenge then is for management to implement monitoring steps that best meet an activity’s needs. The intent is to develop, implement, maintain and improve monitoring practices so that they provide effective oversight of an activity as efficiently as possible. For starters, a process may not need a sophisticated monitoring plan at the beginning; it likely can start with basic monitoring steps as the process gets underway.  In fact, a new process may be best served by very basic but active monitoring in the early stages to ensure that the basic process steps are followed and to identify glaring variations.  Management also can simplify development of monitoring steps by using standardized templates and other materials that can then be customized to a process to train employees, serve as reporting tools and invoke correction actions.

Other Monitoring Techniques

Some ways that monitoring may be modified include the following:

Self-Monitoring

This is a means by which a responsible individual or group – such as operations staff – monitors and reports on its own performance. Self-monitoring seeks to create greater accountability among the responsible parties and, in turn, reduce the need for monitoring by others, like management.  Auditing can be used as a check to ensure that the self-monitoring actions are performed as expected and not otherwise compromised.  Still, even with self-monitoring, it is reasonable that management will want to perform some monitoring to provide greater assurance that the self-monitoring efforts are working, or for high-risk activities.

Continuous Monitoring

This is a means by which monitoring is made an ongoing activity versus a periodic, discrete one. According to KPMG (PDF download), “Continuous monitoring (CM) is a feedback mechanism used by management to ensure that controls operate as designed and transactions are processed as prescribed. This monitoring method is the responsibility of management and can form an important component of the internal control structure.”

Continuous monitoring is likely to employ automated technology in order to simplify and mechanize it. Continuous monitoring is a concept that is perhaps most helpful to those companies that conduct only occasional process monitoring.  KPMG also discussed how continuous monitoring seeks to review disparate data from multiple processes to weave together an otherwise unknown perspective on potential risk to the business activity.

Conclusion

Next to the existence of a regimented process itself, monitoring is perhaps the best tool to ensure that an activity meets its objectives.  So, it is wise to use monitoring to a process’s strategic advantage.  In this regard, it is important to adjust monitoring steps as the process evolves and apply risk-based methodology to monitoring so that it is both efficient and effective and does not lead to ‘overkill.’

In short, ensure that monitoring remains as dynamic as the process itself to get the greatest value from it.

Editor’s Note: This is the seventh post in an ongoing series on Codes of Conduct by Jason Lunday. Follow this link to view all of Mr. Lunday’s articles in his Codes of Conduct featured column series.



Jason Lunday


Jason Lunday is principal consultant with The Ethical Element™, a professional services firm based in Washington, DC. Jason has worked in the ethics and compliance field for over twenty years, both inside companies and as a consultant to them. His work has involved supporting corporate values initiatives, developing and revising codes of conduct and related policies, conducting organizational risk, culture and program assessments, developing and delivering live training, building monitoring systems and auditing compliance systems and activities. He has worked in or consulted with companies in a broad range of industries, including banking and insurance, manufacturing, industrial and consumer products, utilities and energy, healthcare and telecommunications. Noteworthy experience includes:

  • Held significant roles in corporate culture and ethics and compliance risk assessments and ethics and compliance program evaluations for companies in financial services, telecommunications, healthcare, life sciences and industrial manufacturing and involving document review, executive interviews, employee focus group and enterprise surveys.
  • Led development of a consulting practice’s service line focused on written codes of conduct development and revision, and managed all client engagements.
  • Co-managed development and delivery of the corporate trust division of a large financial institution’s initial ethics and compliance global training initiative involving training needs assessment, program development and delivery of over 100 classroom workshops.
  • Developed a corporate ethics and compliance self-monitoring program designed to increase business line compliance responsibility and oversight and minimize corporate compliance work processes while ensuring adherence to the company’s ethics and compliance standards.
Jason’s past experience includes director of ethics and compliance at Premier, Inc., consultant in Arthur Andersen’s Ethics and Responsible Business Practices Consulting group, compliance analyst at Goldman, Sachs & Co., senior consultant in the Ethics Resource Center’s Advisory Services group and knowledge leader at LRN Corp. In addition, he has authored/co-authored numerous articles and papers on business ethics issues. Jason holds an MBA from the University of Virginia’s Darden Graduate Business School, with a focus in business ethics and organizational behavior, a BA also from the University of Virginia and additional business coursework at the New York Institute of Finance. Jason can be contacted via email at: jason.lunday [at] ethicalelement [dot] com. Follow the link to view Jason’s Code of Conduct featured column on CCI.
