A compliance programme is a broad control and evaluation programme. Evaluating one calls for technical expertise, e.g. fraud-control and compliance specialists. A robust review of a compliance programme and its processes will not guarantee that the organisation prevents, deters, or detects all violations, but it should result in more efficient oversight of management and operations.
To ensure a compliance programme is effective, it is critical to:
- Develop a culture of accountability from the top levels of the organisation.
- Hire a credible compliance officer and ensure he or she has adequate resources and direct access to the board and executive team.
- Require that concerns be reported.
- Build compliance into operations, including active monitoring and internal auditing, and consider using predictive modelling techniques, particularly in high-risk areas.
- Address issues and document all information, including inquiries, complaints and repayments.
- Evaluate all efforts and their effectiveness: a process audit can help ensure your processes remain efficient by showing which of your current processes are working and which are not.
Integrating a strong compliance programme into daily business activities and strategic planning helps to ensure that compliant conduct forms an integral part of everyday behaviour and decision making.
Compliance process controls
In the three lines of defense model, each line of business owns the risk inherent in its operations and is accountable for maintaining effective internal controls to safeguard the organisation. Risk control functions (the second line of defense), including compliance, support the ongoing monitoring of the design and operation of controls in the first line of defense. Compliance provides advice and facilitates risk management activities in the second line, including monitoring specific risks such as compliance with applicable laws and regulations. Internal audit, in the third line, evaluates the internal control framework, which includes the control environment (such as the compliance programme) and the effectiveness of oversight over compliance with laws, regulations, policies, and procedures.
Internal auditors should maintain professional judgment and not go overboard in recommending process controls. Procedures to mitigate risk should be proportionate to the level of risk posed by the product or service. Adopting proportionality criteria allows the risks posed by a particular product or service to be addressed while preserving the functionality intended for customer convenience and ease of use. Risk managers should add value to the organisation by ensuring not only that risk is managed prudently, but also that they provide guidance and advice on proactively improving the organisation. Without proper operational risk mitigation strategies and controls in place, the development and implementation of new strategies will be adversely affected.
Management override of internal controls
Delegation of duties, policies and authorisation rules can prevent fraud or other violations by requiring higher levels of management approval for larger expenditures (e.g. the ability to create a vendor). Even well-developed and effective internal controls can be overridden by management, so the auditor should:
- Consider the control assertions made by management while maintaining professional skepticism.
- Strengthen their understanding of the business: knowing the business inside out and having solid knowledge of the industry forms the foundation for effective oversight, and a deep understanding of business processes and the relevant controls helps in analysing whether a control works or not.
- Ensure that effective lines of communication and collaboration are in place.
- Brainstorm to identify fraud risks (scenario planning).
- Use the code of conduct to assess culture: the "tone at the top" and the management actions required to maintain the highest level of integrity under pressure and opportunity for misconduct. The code also facilitates the reporting of inappropriate conduct by delineating the types of conduct the organisation deems unacceptable.
Cultivating a whistle-blower programme
The audit committee can assist in creating strong anti-fraud controls by encouraging the development of a culture in which employees see whistleblowing as a valuable contribution to a workplace of integrity.
Communicating with the compensation/remuneration committee
It is important for the audit committee (and management) to understand the performance incentives and possible unintended consequences that could lead to fraudulent conduct and violations.