Evaluating Effectiveness Companywide
Regulatory authorities don’t expect perfection in a compliance program, but they do expect a concerted effort on all fronts, from the C-suite to the front-line employees. Internal controls are an essential part of a robust compliance program, but ensuring compliance with internal policies and procedures takes ongoing analysis.
Let’s start with some basics: a public company is required to implement a set of internal controls. A compliance program is a critical part of a company’s internal controls.
A company’s compliance program is only as effective as the degree to which its board, executives, managers and employees adhere to the compliance policies and procedures. If a company’s constituents do not comply with the compliance program and policies, then the company’s compliance program controls are ineffective.
Ask yourself an important question: what is my company’s compliance rate with its internal compliance controls?
For example, if your company has implemented a revised due diligence program to review and approve new third-party intermediaries, it is unreasonable to expect that everyone in your company has complied with this new policy. Somewhere in the company, a third-party intermediary is likely to be hired without going through the due diligence process.
Take another example: what is your company’s compliance rate with gifts, meals and entertainment authorizations and reimbursements? Again, no one should expect perfection in this area. We all have witnessed situations when corporate executives, managers and employees have failed to comply with the respective approval process.
To promote compliance with company policies and procedures, a company must dedicate time and resources to ensuring compliance through communication, training and enforcement. In fairness to a company’s directors, executives, managers and employees, a company has to communicate internally about the new policy and explain its requirements. Depending on the importance of the new policy, the company should enlist support and communications from the CEO and other senior executives. To reinforce the new policy and procedure, the company should conduct training so that everyone understands its requirements and new procedures.
After there are sufficient efforts to communicate and train on the new policy requirements, the chief compliance officer should devote time to monitor compliance with the new policy. The CCO will have to conduct limited audits or enlist the support of internal audit to examine the compliance rate with the new policy. The CCO would have to examine financial records to determine if any new third parties have been signed up and paid and compare the list of new parties to the list of parties subjected to due diligence. Depending on the number of third parties, a CCO can start with a single country to determine compliance rates.
If the CCO identifies violations of the company’s procedures, the CCO has to initiate an internal investigation to confirm the violation and the circumstances surrounding it. Given the importance of compliance with these new policies, the CCO has to ensure the company weighs the importance of strict punishment for such violations against the individual reasons for the violation.
A CCO cannot ignore the importance of compliance with its policies and procedures as a basic requirement for an effective program.
This article was republished with permission from Michael Volkov’s blog, Corruption, Crime & Compliance.