SlideShare a Scribd company logo

COMPLIANCE PROGRAM AUDITING THE GROWING NEED TO INSURE

Download as DOCX, PDF
M
MargaritoWhitt221

This document discusses the growing need for organizations to audit their own compliance programs to ensure they are compliant. It notes that compliance programs have become increasingly complex with rules from multiple agencies. There is no agreed upon terminology for compliance program elements. The document argues that to effectively manage regulatory risk, organizations must take an integrated approach and audit their compliance programs to confirm the programs are functioning as intended and meeting their goals of preventing and detecting misconduct. Proper governance of compliance programs, including their relationship to legal and risk functions, is also an ongoing discussion.

Education
1 of 39
COMPLIANCE PROGRAM AUDITING: THE GROWING NEED TO INSURE THAT COMPLIANCE PROGRAMS THEMSELVES COMPLY LEE USNICK* RUSSELL USNICK** I. INTRODUCTION Compliance with applicable laws and regulations has always been a concern of business ventures. Historically, internal or external legal counsel provided guidance, usually on a case by case basis. Over recent history, compliance efforts have become more structured and formal as the number and complexity of rules have increased, and as government has provided rewards for demonstrating efforts to comply and punishment for failing to demonstrate efforts to comply.1 As business entities and government have interacted over the years, a complex system of compliance management has
evolved. II. STRATEGIC CONSIDERATIONS A. The Current Compliance Context Today, compliance programs are commonplace. Many different professions are involved, including a new class of “compliance professionals” with their own certifying bodies.2 Compliance rules stretch across many federal rule areas, witnessed by the fact that more than a dozen agencies potentially have a say in how a U.S. financial institution operates abroad.3 Compliance concerns no longer stop with legal compliance, and now include industry protocols, licensing requirements, and an array of standards and ethical concerns. * J.D., M.A., M.S.S.W., Associate Professor of Business Law, University of Houston- Downtown. ** J.D., Dr. Env. Des., M.A., Principal, Usnick and Associates, and Adjunct, Bauer College of Business, University of Houston. 1 Sentencing Reform Act of 1984, 18 USCA § 3551 et seq. 2 For example, see SOC’Y OF CORP. COMPLIANCE AND ETHICS, www.corporatecompliance.org; and HEALTH CARE COMPLIANCE ASS’N, www.hcca- info.org.
3 Gregory Husisian, U.S. Regulation of International Financial Institutions: It's Time for an Integrated Approach to Compliance, 127 BANKING L. J. 195, 201 (2010). 312/Vol. XXIII/Southern Law Journal Additionally, foreign compliance regimes now span the global business environment and do not necessarily match up with U.S. compliance rules as reflected, for example, by the fact that common U.S. compliance hotlines appear to conflict directly with EU and individual European nation data protection rights.4 Parts of Europe are opposed to anonymous reporting.5 Growing international protocols regarding foreign bribery are expanding compliance requirements for many companies.6 What began as voluntary efforts to mitigate corporate monetary penalties in the event of certain federal criminal prosecutions, have evolved into mandated or quasi-mandated compliance programs. Over time, these compliance programs have become increasingly complex and expansive, and the continuous layering of rule explanations has morphed into a maze of intricate requirements.7 Some contend that the annual cost of compliance
programs in the United States exceeds $1.75 trillion.8 This paper focuses on a single aspect of this evolution, the growing need to adequately monitor and audit the compliance system itself. Certainly, for some time, the use of internal and external audits has been a part of compliance activities. This paper contends that more and more organizations will find it imperative to apply audit protocols to the compliance program itself. That is, compliance programs themselves need to be audited to insure that the compliance program is itself compliant. B. Compliance Program Goals While compliance activities have a long history, most credit for their current scope is attributed to the growth of Federal Sentencing Guidelines in the 1990s which provided reduced corporate criminal sentences when the corporation had established a corporate compliance program.9 The idea was that successful compliance programs help with early detection and prompt correction of noncompliance with laws.10 Over the past two decades, there 4 Paul E. McGreal, Corporate Compliance Survey, 66 BUS.
LAW. 125, 151 (2010). 5 Id. at 151. 6 Joseph E. Murphy, Compliance & Ethics Program News From Paris: Have the “Global Sentencing Guidelines” Arrived?, SOC’Y OF CORP. COMPLIANCE AND ETHICS, 7 (2010). 7 Melany C. Birdsong, Reforming Regulation: No Time Like the Present, 32 HAMLINE J. PUB. L. & POL'Y 371, 373 (2011). 8 Nicole V. Crain & W. Mark Crain, The Impact of Regulatory Costs on Small Firms, SMALL BUS. ADMIN. OFF. OF ADVOC. (SEPT. 2010), http://www.sba.gov/sites/default/files/The%20Impact%20of%20 Regulatory%20Costs%20on% 20Small%20Firms%20(Full).pdf. 9 Federal Sentencing Guidelines, supra note 1. 10 Donald P. Vandegrift, The Privilege of Self-Critical Analysis: A Survey of the Law, 60 ALB. L. REV. 171, 172 (1996). Fall 2013/Usnick & Usnick/313 have been continued increases in government involvement in compliance, and it is reasonable to expect that increased enforcement is likely for the foreseeable future.11 As compliance efforts grow, new areas for concern are added to the mix. An example of the trend is the Department of Justice, in settlements with companies over alleged violations, gradually requiring the
company to include mandatory due diligence practices with all of their third- party business partners.12 One of the difficulties in discussing compliance program auditing is the less-than-agreed-upon language used to describe compliance in general, as well as particular compliance program elements. The terms used in the focus on compliance now include monitoring, auditing, enterprise risk management, internal controls, performance auditing, risk stratification, compliance programs, and many more.13 Regardless of the terminology, an integrated approach to compliance is becoming expected. There is a growing belief that all of the compliance elements, including audit, risk, and legal, do not work when they are isolated into narrow silos, but do work when integrated and coordinated.14 Today, the key to a good compliance program is mixing all of the diverse elements into an effective compliance program.15 The current economic environment has also affected the compliance environment. During periods of economic distress, entities and individuals are increasingly inclined to cut corners.16 The tough economy results in heightened regulatory scrutiny which leads to an increased need for compliance program effectiveness.17 Compliance is expensive,
but the cost is minor compared to dealing with investigations, fines or sanctions.18 In the current compliance environment, no prudent alternative exists to putting significant resources toward compliance.19 Tough economic times make it 11 Karen Kurti, Compliance Program Management and Oversight, 8 COMPLIANCE & ETHICS PROF.36, 37 (2011). 12 Ryan D. McConnell, Jay Martin & Charlotte Simon, Plan Now or Pay Later: The Role of Compliance in Criminal Cases, 33 HOUS. J. INT’L L. 509, 573 (2011). 13 Joseph Keen & Cliff Therrien, Is Your Program Equipped For Compliance Auditing? With Heightened Industry Focus Comes the Need for Heightened Awareness of What It Means for Your Organization, 13 J. HEALTH CARE COMPLIANCE 21 (2011). 14 Roy Snell, All the Elements of a Compliance Are Useless…On Their Own: Finding a Way to Coordinate Tools and Use Them Effectively Is the Real Secret, 13 J. HEALTH CARE COMPLIANCE 3 (2011). 15 Id. 16 Paul Belton, The Evolving Role of Compliance Officers During These Difficult Economic Times: Opportunities for Growth in Compliance Are Expanding -- Not Diminishing, 11 J. HEALTH CARE COMPLIANCE 11, 12 (2009). 17 Id. at 16. 18 Husisian, supra note 3, at 224. 19 Id.
314/Vol. XXIII/Southern Law Journal imperative for companies to find efficient, proactive ways to manage regulatory compliance risks.20 C. Compliance Program Scope The scope of the compliance effort should match the particular compliance issues facing a company. Clearly, the compliance programs should both prevent and detect misconduct, including conduct which is not just criminal.21 Often, compliance programs also address the potential for civil liabilities and various industry specific standards.22 Setting the proper scope for the compliance program is never easy. It is difficult to determine the true value of a compliance program to the organization.23 Unfortunately, the maze of rules and modifications requires both regulators and the regulated to develop a “minefield” mentality where one misstep can have catastrophic effects.24 Each compliance program will have a unique approach. Likewise, the resulting compliance
program work plan, which articulates annual goals, monitoring, and audit activities, will be unique to that company at that point in time.25 D. Role of Governance, Risk, and Compliance (GRC) The word compliance has evolved to have many different meanings.26 Amid this definitional broadening, there has been a melding of the concepts of governance, risk, and compliance (referred to as GRC).27 Additionally, among these various meanings there are overlaps, gaps, and conflicts.28 GRC usually includes corporate governance, enterprise risk management (ERM), and compliance with rules and regulations as well as ethical and other compliance issues.29 Originally, governance and risk were 20 Belton, supra note 16, at 14. 21 Patricia J. Villareal, Henry Klehm & Richard C. Rosalez, Compliance in The Dodd-Frank Era: The Case for Engaging Employees, 7 COMPLIANCE & ETHICS PROF. 32 (2010). 22 Id. 23 Belton, supra note 16. 24 Birdsong, supra note 7, at 375. 25 Catherine M. Boerner, When Was the Last Time You Reviewed Your Corporate Compliance
Plan? Final Rule on Medicaid RACs Defines Fraud and Abuse, Explains How Fees Are Paid, 13 J. HEALTH CARE COMPLIANCE 35 (2011). 26 Michael Brozzetti, Is Your Chief Watchdog an Esquire?, 8 COMPLIANCE & ETHICS PROF. 8 (2011). 27 Id. 28 Id. 29 Roy Snell, Risk Appetite? Can You Please Run That By Me Again? Compliance Professionals Must Be Concerned with the Facts Rather Than “Going Holistic”, 12 J. HEALTH CARE COMPLIANCE 3, 4 (2010). Fall 2013/Usnick & Usnick/315 little more than mere written principles, but over time they have become robust, integrated, management practices.30 In the process, however, the titles given to specific activities, such as audit, risk, compliance, ethics, legal, and various combinations of terms, have become less clear.31 GRC is a very broad concept that looks at issues, including risk.32 Some equate GRC with a compliance program.33 However, GRC is not primarily aimed at the traditional compliance activities of finding and fixing problems.34 Certainly, overseeing risk management is critical to legal
compliance.35 But monitoring and maintaining compliance is not just regulatory, it is a critical component of an effective ERM program.36 ERM is becoming a key process in the GRC framework, and its significance continues to grow.37 The lack of exact clarity in the terminology has not limited the importance of GRC overall, as GRC software, systems, and services are estimated to have a annual cost of $52 billion.38 E. The Role of the Compliance Program The location of “ownership” of compliance efforts within an organization is crucial. It is important that these efforts are not “owned” only by compliance staff, especially since many internal audit functions do not measure operational performance against specific regulatory requirements.39 In reality, compliance duties, responsibilities, and actors, spread throughout an enterprise in many varying ways.40 There is often a compliance committee, a compliance department, or both. A compliance department incorporates all of the compliance functions as opposed to a compliance committee.41 A compliance committee approach usually matches membership with the key compliance risk areas for the
30 Brozzetti, supra note 26. 31 Id. 32 Snell, supra note 29, at 3. 33 Id. 34 Id. 35 Kenneth A. Bamberger, Technologies of Compliance: Risk and Regulation in a Digital Age, 88 TEX. L. REV. 669, 693 (2010). 36 Dan Swanson & Jose Tabuena, Expert Corner: Auditing a Compliance and Ethics Program, ETHISPEHERE (May 29, 2007), http://ethisphere.com/expert- corner-1. 37 Steve McGraw, Third-Party Risk Management: Properly Managing Compliance of Outsourced Relationships, 8 COMPLIANCE & ETHICS PROF. 30 (2011). 38 Bamberger, supra note 35, at 669. 39 Keen & Therrien, supra note 13, at 23. 40 Brozzetti, supra note 26. 41 Kurti, supra note 11, at 36. 316/Vol. XXIII/Southern Law Journal organization.42 The general view is that the compliance committee benefits by having as members persons with varying responsibilities in the organization.43 When both a compliance committee and a compliance department exist, the compliance committee role is usually to
support the compliance officer.44 There is a continuing debate as to the roles of different enterprise functions with regard to compliance. Early compliance efforts emanated heavily from the legal and financial functions. Some now argue that different corporate roles such as general counsel, chief internal auditor, or chief compliance officer in fact conflict with one another.45 Some discussions of current best practices suggest that, ideally, neither legal nor financial should be merged with compliance.46 One strain of the argument is that both financial and legal functions have risk assessment aspects, and that the organization’s appetite for risk should not be part of the compliance professionals’ activity.47 The discussion has become more focused with regard to the relationship between the legal department and the compliance function. Sometimes the compliance officer is in the legal department and reports to the general counsel.48 It is a tough decision whether compliance belongs in or out of the legal department and at present there seems to be no clear answer.49 A common argument is that the general counsel role and compliance
chief role have actual and potential conflicts, and as a result, it should be viewed as very questionable when they are not separated.50 Additionally, under certain circumstances, the attorney-client privilege may be weaker for in-house counsel when dealing with internal auditing than for external counsel.51 While on the topic of attorney-client privilege, it is interesting to note here that some argue that even attorney-client privilege between inside counsel and executives should not block the authority and reach of an internal audit.52 The scope of this question is not limited to narrow legal or 42 Jim Passey, Facilitating an Effective and Productive Compliance Committee: How to Structure, Maintain, and Springboard Your Compliance Committee's Effectiveness, 13 J. HEALTH CARE COMPLIANCE 5, 6 (2011). 43 Id. 44 Kurti, supra note 11, at 36. 45 Brozzetti, supra note 26. 46 Kurti, supra note 11, at 37. 47 Snell, supra note 29, at 3. 48 Ryan McConnell, Daniel Trujillo & Katherine Southard, Take It To The Board: There’s No Perfect Org Chart- But Compliance Officers Need a Direct Line to Directors, COMPLIANCE 14, 15 (ALM Supplement Winter 2012). 49 Id. 50 Kurti, supra note 11, at 37. 51 Brozzetti, supra note 26, at 10.
52 Id. Fall 2013/Usnick & Usnick/317 compliance issues, as one writer argued that compliance should not be part of the legal function, because the organization should not give the responsibility for compliance to the group that, in the writer’s opinion, has failed to get the compliance job done correctly for the last one hundred years.53 III. DESIGN AND IMPLEMENTATION A. Determining Compliance Adequacy through Monitoring and Auditing At regular intervals, an organization’s compliance program should be asked a number of probing questions. The following are some of the questions that must be addressed: 1. What have we already said that we are going to do for compliance? 2. Are we doing what we said we would do?
3. Are we doing it in a consistent manner? 4. Is what we are doing achieving what it is supposed to accomplish? 5. Is what we said we will do what we are really required to do? 6. How do we determine that our compliance program complies with all applicable rules? 7. Are there appropriate processes for reviewing the maintenance of the program? 8. Is there adequate compliance program oversight? 9. Can we document processes in place to effectively deal with the discovery of non-compliance? 10. Can we document processes for evaluating preparedness for changes which occur in the future? 11. Are we able to adequately document the basis upon which our compliance program operates? 12. Can we document that we appropriately evaluate the entire compliance program? These and other questions all assess the overall effectiveness of a
compliance program. Part of any assessment involves broad questions 53 Snell, supra note 14, at 66. 318/Vol. XXIII/Southern Law Journal concerning levels of organizational risk tolerance, the extent of organizational compliance buy-in, and compliance culture in general. These are all important parts of monitoring a compliance program. Under the sentencing guidelines, monitoring and auditing are linked,54 and many organizations use the terms auditing and monitoring interchangeably, but many argue they are not interchangeable.55 Sometimes the audit function owns the monitoring process; other times there may be a dedicated monitoring team independent of the audit process.56 Whatever the case, a key element of a good compliance program includes consistent monitoring and auditing.57 There is no road map or textbook on effective implementation of compliance programs in a particular organization.58 Monitoring is defined as
measuring operational performance so as to insure that regulatory and other standards are met.59 Auditing focuses on testing, spot checking, and inspections, done at a point in time, and is both independent and objective.60 Any discussion of compliance program auditing, such as this paper, presupposes an effective monitoring system to which audit results flow. It is important to view the compliance program audit as another layer in a good compliance program and not as something separate.61 B. The Compliance Program Audit The compliance program audit is an essential part of an effective compliance program for several important reasons. Most significantly, recent U.S. Department of Justice (DOJ) settlements include an audit to show that compliance is not just a paper program.62 Put simply, an organization should audit its compliance program because that is the first thing the government 54 Keen & Therrien, supra note 13, at 22. 55 Id. 56 Id. at 24. 57 M. Richard Schroeder, International White Collar Enforcement, 2012 Edition, Leading
Lawyers on Cooperating With Enforcement Agencies, Understanding New Laws, and Constructing Compliance Programs: New Compliance Challenges and Requirements in the International Business Arena 2011 WL 6740789 (ASPATORE), 6. 58 Keen & Therrien, supra note 13, at 23. 59 Id. at 22. 60 Cornelia M. Dorfschmid & Paulo B. Macedo, Statistics – Friend or Foe? The Compliance Officer’s Perspective: A General Understanding of the Basics Is Prudent, 14 J. HEALTH CARE COMPLIANCE 23, 30 (2012). 61 Practising Law Institute, Kicking the Tires and Taking Her Out For a Spin – How to Audit a Compliance Program, 4 PRACTISING L. INST’S COMPLIANCE COUNS. 1 (2007). 62 McConnell, et al., supra note 12. Fall 2013/Usnick & Usnick/319 will do before making any decision on whether or not to prosecute and the level of penalties that will be sought if they do prosecute.63 A key a part of a compliance program is systematically looking for problems through means like auditing.64 Ten years ago the compliance department was often never audited,65 while today many regulations require regular testing of the effectiveness of controls.66 Auditing the
compliance program is best viewed as an important part of an overall comprehensive evaluation.67 The audit plays an assurance function.68 The primary compliance audit report purpose is communication to management and stakeholders.69 An audit typically looks for independent verification of risk control mechanisms.70 Auditing does not fix problems because that is not its charge.71 Many internal audit functions do not measure operational performance against specific regulatory requirements.72 An overall compliance monitoring plan should be formally written and clearly identify both purpose and objectives.73 If the compliance effort is not measurable, it cannot determine if efforts are driving better compliance outcomes.74 Auditing a compliance program can provide an independent determination of appropriateness and effectiveness.75 Also, auditing the compliance program supports assessing performance and effectiveness.76 A compliance program audit tests systems, and in turn, helps get the full benefit of sentencing guidelines when needed.77 Auditing the compliance framework itself enables early identification of systemic issues,78 and can identify areas for improvement.79
Existing compliance processes need to be continually reassessed.80 63 Swanson & Tabuena, supra note 36. 64 Snell, supra note 29, at 65. 65 Karen Stensgaard, Have You Audited Your Compliance Department Lately?, INTERNAL AUDITOR 45, 46 (Apr. 2002). 66 Bamberger, supra note 35. 67 Swanson & Tabuena, supra note 36. 68 Catherine Finamore Henry, Too Close For Comfort, INTERNAL AUDITOR 2, (Feb. 2011). 69 Keen & Therrien, supra note 13, at 24. 70 Id. at 22. 71 Snell, supra note 14, at 67. 72 Keen & Therrien, supra note 13, at 23. 73 Id. 74 Id. 75 Swanson & Tabuena, supra note 36. 76 Id. 77 PRACTISING L. INST., supra note 61. 78 Susan Burch, Auditing for Compliance, INTERNAL AUDITOR 53, 59 (Dec. 2008). 79 Swanson & Tabuena, supra note 36. 80 Chong Ee, Overcoming Checkbox Compliance, INTERNAL AUDITOR 55, 56 (Dec. 2010). 320/Vol. XXIII/Southern Law Journal On a larger scale, auditing compliance programs can increase integration of governance, risk, and compliance.81
Additionally, auditing of the compliance program can be a catalyst for changes in GRC to support improved operational effectiveness.82 By assuring after the fact that risk is being properly managed, compliance is able to proactively mitigate future risk.83 C. Role of Compliance Program Audits A company needs to assume that, at some point, an employee or business associate will engage in illegal activity.84 While criminal violations are central to compliance programs, risk issues for compliance program audit can include regulations, culture, reputation, and the like.85 The most common thread is the focus on utilization of non-compliance as the evaluation starting point. Often a transaction’s review points to the need for a systems review which looks at patterns and processes as a whole.86 Auditing typically looks for independent verification of risk control mechanisms87 This is achieved in a number of ways. Compliance program audit issues include consistency across the organization,88 the clearness of lines of authority,89 appropriate segregation of compliance program duties,90 and the relationship between the compliance program and others
in the organization are all expected. The audit looks at the sufficiency of the process in and of itself, and also at the effects and outcomes of the process.91 Directly or indirectly, this occurs under two broad headings: process audits and substantive audits. 81 Swanson & Tabuena, supra note 36. 82 Id. 83 Roy Snell, Audit and Compliance: Two Closely Linked Professions with Very Distinct Roles:Urton Anderson Discusses the Differences, and Similarities, and Why Both Must Work Together, 13 J. HEALTH CARE COMPLIANCE 29, 32 (2011). 84 Schroeder, supra note 57, at 7. 85 Swanson & Tabuena supra note 36. 86 Cornelia M. Dorfschmid, Systems Reviews verses Transaction Reviews –A Closer Look at a New Era of Mandatory Compliance: Use of Both Review Types May Be the Best Preparation for Effectiveness Certification in Coming Years, 12 J. HEALTH CARE COMPLIANCE 41, 43 (2010). 87 Keen, & Therrien, supra note 13, at 22. 88 Burch, supra note 78, at 54. 89 Swanson & Tabuena, supra note 36. 90 Burch, supra note 78, at 59. 91 Dorfschmid, supra note 86. Fall 2013/Usnick & Usnick/321
D. Process Audits and Substantive Audits The process audit addresses the “are we doing what we said we would do” question. The audit first asks if key features of the compliance plan have been implemented.92 This leads to audit inquiries as to whether the program components are operating as intended.93 In the simplest form, a process audit determines if the protocols are implemented and whether the employees are following the protocols.94 A substantive audit determines if the resulting work product meets regulatory requirements.95 A key problem in the monitoring and auditing of compliance programs is that a substantive audit must check for alignment of the overriding compliance program requirements with the many internal audit functions which often do not measure operational performance against specific regulatory requirements.96 That is to say, the audit process needs to be designed to evaluate whether the program is substantively addressing the specific compliance concerns. E. The Compliance Program Audit Process
A very important aspect of audit design is to understand the audit objectives given the level of assurance sought by the board.97 In the audit planning phase, all of the important issues and risks need to be identified.98 Very often, the compliance program audit will use a risk-based approach to identify important issues.99 In compliance programs, auditing for internal controls is different from auditing for compliance effectiveness.100 Compliance program auditing needs to understand existing compliance program strengths and weaknesses.101 This can often take the form of some kind of mapping of the compliance environment. The design of the process first audits for overall compliance, then looks to the remediation of identified issues, inquires if there are root causes for the problems, and finally addresses the compliance program within that context.102 92 Swanson & Tabuena, supra note 36. 93 Id. 94 Id. 95 Id. 96 Keen & Therrien, supra note 13, at 23. 97 Swanson & Tabuena, supra note 36.
98 Id. 99 Id. 100 Keen & Therrien, supra note 13, at 24. 101 Id. 102 Ee, supra note 80, at 57. 322/Vol. XXIII/Southern Law Journal F. The Compliance Program Audit Plan Assessing compliance risk should be part of the overall risk assessment and specifically incorporate compliance auditing into audit plans.103 There needs to be a clear compliance-auditing plan.104 The audit plan should include a statement of auditing standards which spell out compliance audit particulars.105 Additionally, there should be a clear delineation of the basic strategy of the compliance program audit, the scope of the audit program, audit objectives, time frame, personnel, methodology, and reporting.106 While specificity is important, overly strict audit process standardization should be avoided.107 Flexibility sufficient to pursue unexpected results is important. The compliance-auditing plan must focus audit related activity on both
operational compliance performance and overall compliance effectiveness.108 It is impossible to develop a good compliance plan without a thorough understanding of the operations and how they relate to regulations affecting those operations.109 On a large scale, the compliance program audit components include the program design structure, the selected processes, the implementation process, and finally the actual audit for compliance using the designated standards.110 At the more operational level, the compliance program audit plan articulates the compliance audits to be conducted for the specified time period.111 Each compliance program audit will require careful planning.112 Auditing a compliance program is much like any other audit in structure, planning, fieldwork, and reporting.113 In the audit planning stage identification of audit objectives is a crucial step.114 Part of compliance program audit includes documented policies and procedures for conducting 103 Burch, supra note 78, at 54. 104 Keen & Therrien, supra note 13, at 23. 105 American Institute of Certified Public Accountants, Statement on Auditing Standards No. 117, Compliance Audits, J. OF ACCOUNTANCY 71, (Feb. 2010), available at
www.journalofaccountancy.com. 106 Practising Law Institute, supra note 61. 107 Keen & Therrien, supra note 13, at 24. 108 Id. 109 Jeffrey R. Porter, Environmental Law Enforcement and Compliance; Leading Lawyers on Communicating with Enforcement Agencies, Overcoming Compliance Challenges, and Developing Response Strategies: Surviving the Enforcement First Culture, 2011 WL 44522051 (ASPATORE 2011), 10. 110 Swanson & Tabuena, supra note 36. 111 Boerner, supra note 25. 112 Keen & Therrien, supra note 13, at 24. 113 Swanson & Tabuena, supra note 36. 114 Id. Fall 2013/Usnick & Usnick/323 inquiries and investigations.115 The planning phase of the audit results in confirming the scope of the audit and getting sign-off to proceed.116 IV. TACTICAL CONSIDERATIONS A. Conducting the Audit Compliance program audits also raise questions regarding
conflicts of interest. International standards for professional internal auditors say that they should not be participating in activities they also audit.117 The compliance auditing plan needs independent, disciplined, audit protocols.118 Utilizing the already established audit avenues for the organization can have difficulties because a typical audit unit often favors financial audits and often they do little in other areas of regulatory noncompliance.119 B. Establishing the Basis for Audit Evaluations A self-assessment prior to the audit can be valuable.120 Determining the sufficiency of the level of audit testing is left to an individual’s professional determination.121 The audit should be based on comprehensive audit risk assessment, that is, focused on key compliance risks.122 Because compliance and ethics efforts cover a very broad span of activities, the audit process must carefully define the proper focus.123 Auditing the compliance program may not answer whether the program actually reduced non- compliance.124 In fact, auditing the compliance program alone is likely not sufficient to demonstrate the program effectiveness.125 Compliance monitoring needs
data, metrics, reporting systems, and the ability to take into account that internal audit functions do not directly measure operational performance against specific regulatory requirements.126 115 Burch, supra note 78, at 59. 116 Swanson & Tabuena, supra note 36. 117 Henry, supra note 68, at 29. 118 Keen & Therrien, supra note 13, at 23. 119 Snell, supra note 14. 120 Swanson & Tabuena, supra note 36. 121 Id. 122 Id. 123 Id. 124 Id. 125 Id. 126 Keen & Therrien, supra note 13, at 23. 324/Vol. XXIII/Southern Law Journal The evaluation phase starts with asking if absolute minimum regulatory requirements have been met (referred to as a baseline evaluation).127 As it unfolds, the evaluation phase of an audit looks at specific data, information systems, and performance reporting measures.128 Ironical ly, although the government often demands the implementation of an effective
compliance program, it generally offers little guidance as to what that is or how to measure it.129 Benchmarks and other measurement tools are useful. The auditing of compliance programs evaluates effectiveness compared to both internal and external measures.130 There are no standard measurement techniques for auditing for compliance. In some areas of compliance, the regulatory regime suggests that one method of internal measurement is a “snapshot” of the compliance program for use as a future benchmark.131 In some settings, benchmarks are an essential part of a compliance program.132 Even then, there are few metrics and standards for defining an effective program.133 In the evaluation stage of an audit, where it is essential to look beyond minimum practices, a common practice model looks at the practices of leading peers in the industry.134 This can be in the form of looking at leading peer practices through organizations such as the Ethics and Compliance Officer Association or the Open Compliance and Ethics Group.135 It is also useful to look further into more leading-edge practices.136 Finally, benchmarks need to be regularly monitored for evolving trends.137
C. Actual Audit Tactics Vary Compliance program auditing can include teams of cross-trained peer reviewers conducting quarterly case record reviews in every program area to match documentation to requirements.138 Often, compliance program auditing will include a monthly review of case records.139 Compliance 127 Swanson & Tabuena, supra note 36. 128 Id. 129 Miriam Hechler Baer, Governing Corporate Compliance, 50 B.C.L. Rev. 949, 954 (2009). 130 Swanson & Tabuena, supra note 36. 131 Jillian Bower, Use of Surveys to Evidence Compliance Program Effectiveness: When Deciding Which Survey to Use, Keep in Mind It Must Be Credible to an Outside Third Party, 13 J. HEALTH CARE COMPLIANCE 43, 44 (2011). 132 Id. 133 Dorfschmid, supra note 86, at 42. 134 Swanson & Tabuena, supra note 36. 135 Id. 136 Id. 137 Bower, supra note 131, at 64. 138 Paul E. McGreal, Corporate Compliance Survey, 67 BUS. LAW. 227, 251 (2011). 139 Id.
Fall 2013/Usnick & Usnick/325 program auditing can also include month to month tracking and analysis of identified risk areas.140 Many transaction reviews can use statistical auditing and extrapolation tools as part of the compliance program audit.141 An example would be the variety of ways coding in healthcare settings are tested for compliance.142 Another way of compliance auditing is by examining company emails.143 Any email, utilizing a company email address, is company property and contains significant amounts of information for review.144 Email compliance program audits can be aided by key word searches.145 Compliance program audits have begun using statistical concepts.146 A lot of auditing employs state of the art technology. Reporting that is required for compliance is often created technologically.147 Technological compliance solutions "interpret" hundreds of rules.148 Compliance is going hi-tech using a wide array of technology compliance tools.149 Technological compliance activities are heavily involved in modern risk regulation.150 A large amount
of compliance system auditing is automated.151 Technology profoundly affects the auditing of all risk management issues including compliance.152 Much compliance program auditing is reported in dashboard form.153 Some compliance program auditing happens in real time.154 Technological compliance activities are used widely from bank capitalization to Sarbanes to information privacy.155 At the same time, some argue that technological compliance activities can hinder the compliance decision process.156 One of the arguments is that technological compliance activities frequently lack transparency.157 140 Id. 141 Dorfschmid, supra note 86, at 70. 142 Belton, supra note 16, at 15. 143 Catie Heindel, Auditing Emails: A Useful Method for Testing Compliance Program Effectiveness: Five Important Steps to Help Organizations Evaluate Their Program's Effectiveness, 14 J. HEALTH CARE COMPLIANCE 47 (2012). 144 Id. at 48. 145 Id. at 70. 146 Dorfschmid & Macedo, supra note 60, at 24. 147 Bamberger, supra note 35, at 701. 148 Id. at 669. 149 Id. 150 Id. at 673. 151 Id. at 694.
152 Id. at 693. 153 Id. at 695. 154 Id. 155 Id. at 670. 156 Id. 157 Id. at 676. 326/Vol. XXIII/Southern Law Journal D. Audit Documentation Sufficiency A major compliance audit issue is whether the documentation for the compliance program is sufficient and in place.158 A key requirement is that program audit results are accurately presented to appropriate parties.159 It is vital to document all of the implementation, updating, and evaluation of compliance programs.160 Compliance program effectiveness review is a huge documentation gathering function.161 One source argues that an entity should be able to describe the compliance program in detail without saying one word, since if the investigator has to ask questions to understand the program, then the documentation is insufficient.162 While that may be a difficult standard, if investigated, there is an immediate need to be able to produce a
binder that lays out the compliance program in detail with policies, guidelines, and supporting records.163 V. CONCLUSIONS A. Compliance Program Audits in the Larger Organizational Setting Compliance program audits need to be based in trust and cooperation. Additionally, stakeholders need to understand the importance of transparency in audit processes.164 The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Audits standard 2110 stresses the importance of effectively communicating information with board members, external and internal auditors, and management.165 The compliance culture is often more important than the rules themselves in compliance programs.166 With the passage of time, it has become ever more important that compliance professionals report directly to an internal governing authority like the audit committee of the board of directors.167 The organization should have at least an annual report from the compliance officer to the board directly.168
158 Swanson & Tabuena, supra note 36. 159 Id. 160 Thomas McSorley, Foreign Corrupt Practices Act, 48 AM. CRIM. L. REV. 749, 776 (2011). 161 Boerner, supra note 25. 162 Schroeder, supra note 57, at 6. 163 Id. 164 Brozzetti, supra note 26. 165 Brozzetti, supra note 26. 166 Brozzetti, supra note 26, at 10. 167 McConnell, et al., supra note 48, at 14. 168 Id. Fall 2013/Usnick & Usnick/327 In some areas such as healthcare, the regulatory compliance burdens are massive and are passed on to consumers.169 Another drawback of compliance programs is the reality that they create a record of misdeeds.170 The government leaves very little room for discretion when compliance plans uncover violations of law.171 The Dodd Frank Act puts companies into the dilemma of choosing between early self-reporting with sketchy information and the prospect of losing the benefits of self-reporting when a whistleblower goes to the agency first.172 The government’s strategy of
“enforcement first” presents a serious challenge to the regulated community.173 It is no insignificant problem that self-reporting almost always guarantees penalties or conviction.174 B. The Need for Proactive Compliance Program Auditing Compliance auditing needs to look beyond identified high risk areas to see if there are unexpected risk issues.175 A compliance auditing plan needs to be able to evolve and mature.176 The compliance program audit should be seeking potential problem areas that have not yet been noticed as problem areas.177 At the same time, the current compliance environment leaves little room for experimentation.178 The entire compliance program, including an audit which asks whether the compliance program is itself in compliance, must be vigorously proactive. 169 Birdsong, supra note 7, at 377. 170 Vandergrift, supra note 10, at 173. 171 Baer, supra note 129. 172 Villareal, supra note 21, at 34. 173 Porter, supra note 109, at 1. 174 Jennifer Arlen, The Failure of the Organizational
Sentencing Guidelines, 66 U. MIAMI L. REV. 321, 349 (2012). 175 Keen & Therrien, supra note 13, at 24. 176 Id. 177 Husisian, supra note 3, at 215. 178 Baer, supra note 129. Copyright of Southern Law Journal is the property of Southern Academy of Legal Studies in Business and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.

Recommended

Chavez Beyond the Smoke-Filled Room
Chavez Beyond the Smoke-Filled RoomChavez Beyond the Smoke-Filled Room
Chavez Beyond the Smoke-Filled RoomJ. Anthony Chavez
 
Yorkshire Branch Meeting 28 June 2017
Yorkshire Branch Meeting 28 June 2017Yorkshire Branch Meeting 28 June 2017
Yorkshire Branch Meeting 28 June 2017Institute of Chartered Secretaries and Administrators
 
WLJ_ATR_2202_Commentary_Nelson
WLJ_ATR_2202_Commentary_NelsonWLJ_ATR_2202_Commentary_Nelson
WLJ_ATR_2202_Commentary_NelsonJames (Jim) Nelson
 
NEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Security Services
 
MTBiz Jan-Mar 2013
MTBiz Jan-Mar 2013MTBiz Jan-Mar 2013
MTBiz Jan-Mar 2013Mutual Trust Bank Ltd.
 
Global Enforcement Review 2017
Global Enforcement Review 2017Global Enforcement Review 2017
Global Enforcement Review 2017Duff & Phelps
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Melih ÖZCANLI
 
ct-2015-12-turteltaub-lansford[1]
ct-2015-12-turteltaub-lansford[1]ct-2015-12-turteltaub-lansford[1]
ct-2015-12-turteltaub-lansford[1]Kim Lansford
 

Recommended

Chavez Beyond the Smoke-Filled Room
Chavez Beyond the Smoke-Filled RoomChavez Beyond the Smoke-Filled Room
Chavez Beyond the Smoke-Filled RoomJ. Anthony Chavez
 
Yorkshire Branch Meeting 28 June 2017
Yorkshire Branch Meeting 28 June 2017Yorkshire Branch Meeting 28 June 2017
Yorkshire Branch Meeting 28 June 2017Institute of Chartered Secretaries and Administrators
 
WLJ_ATR_2202_Commentary_Nelson
WLJ_ATR_2202_Commentary_NelsonWLJ_ATR_2202_Commentary_Nelson
WLJ_ATR_2202_Commentary_NelsonJames (Jim) Nelson
 
NEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Compliance Automation
NEMEA Compliance AutomationNEMEA Security Services
 
MTBiz Jan-Mar 2013
MTBiz Jan-Mar 2013MTBiz Jan-Mar 2013
MTBiz Jan-Mar 2013Mutual Trust Bank Ltd.
 
Global Enforcement Review 2017
Global Enforcement Review 2017Global Enforcement Review 2017
Global Enforcement Review 2017Duff & Phelps
 
Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Compliance in Manufacturing: A Very Personal Affair (2013)
Compliance in Manufacturing: A Very Personal Affair (2013)Melih ÖZCANLI
 
ct-2015-12-turteltaub-lansford[1]
ct-2015-12-turteltaub-lansford[1]ct-2015-12-turteltaub-lansford[1]
ct-2015-12-turteltaub-lansford[1]Kim Lansford
 
Adding internal audit value: Strategically leveraging compliance activities
Adding internal audit value: Strategically leveraging compliance activitiesAdding internal audit value: Strategically leveraging compliance activities
Adding internal audit value: Strategically leveraging compliance activitiesGrant Thornton LLP
 
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...Michele DeStefano
 
State of Compliance 2021 at Mid-Market Firms - Nimonik
State of Compliance 2021 at Mid-Market Firms - NimonikState of Compliance 2021 at Mid-Market Firms - Nimonik
State of Compliance 2021 at Mid-Market Firms - NimonikNimonik
 
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...EY
 
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...Seizing the regulatory opportunity: A Deloitte perspective on how financial i...
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...Deloitte Canada
 
Dr haluk f gursel, verifying the accountability of public servants
Dr haluk f gursel, verifying the accountability of public servantsDr haluk f gursel, verifying the accountability of public servants
Dr haluk f gursel, verifying the accountability of public servantsHaluk Ferden Gursel
 
Legal Factors affecting Business Law in Kurdistan
Legal Factors affecting Business Law in KurdistanLegal Factors affecting Business Law in Kurdistan
Legal Factors affecting Business Law in KurdistanAI Publications
 
Life Sciences 2016 (3)
Life Sciences 2016 (3)Life Sciences 2016 (3)
Life Sciences 2016 (3)hldorfman
 
Generally, In A Political Science, The Notion Of...
Generally, In A Political Science, The Notion Of...Generally, In A Political Science, The Notion Of...
Generally, In A Political Science, The Notion Of...Crystal Alvarez
 
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...Center for Communication Compliance
 
SAI-GLOBAL-whitepaper-program-assessment-maturity-curve
SAI-GLOBAL-whitepaper-program-assessment-maturity-curveSAI-GLOBAL-whitepaper-program-assessment-maturity-curve
SAI-GLOBAL-whitepaper-program-assessment-maturity-curveJames D. Meacham, CCEP, CRISC
 
CORPORATE GOVERNANCE AND ETHICS
CORPORATE GOVERNANCE AND ETHICSCORPORATE GOVERNANCE AND ETHICS
CORPORATE GOVERNANCE AND ETHICSSUNIL KUMAR KOHLI, IDAS ndc
 
Advantage series regulatory convergence study
Advantage series regulatory convergence studyAdvantage series regulatory convergence study
Advantage series regulatory convergence studyGrayling
 
Van de trong quan tri doanh nghiep
Van de trong quan tri doanh nghiepVan de trong quan tri doanh nghiep
Van de trong quan tri doanh nghiepphuongthao6689
 
A Synopsis On -Corporate Governance And Performance Around The World What We...
A Synopsis On -Corporate Governance And Performance Around The World What We...A Synopsis On -Corporate Governance And Performance Around The World What We...
A Synopsis On -Corporate Governance And Performance Around The World What We...Allison Koehn
 
Disruption, a seismic shift in the private equity industry
Disruption, a seismic shift in the private equity industryDisruption, a seismic shift in the private equity industry
Disruption, a seismic shift in the private equity industryFrenchWeb.fr
 
Anti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesAnti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesDun & Bradstreet
 
Corporate reporting in the usa and canada (2018)
Corporate reporting in the usa and canada (2018)Corporate reporting in the usa and canada (2018)
Corporate reporting in the usa and canada (2018)shomudrokotha
 
Building-world-class-ethics-and-compliance-programs.pdf
Building-world-class-ethics-and-compliance-programs.pdfBuilding-world-class-ethics-and-compliance-programs.pdf
Building-world-class-ethics-and-compliance-programs.pdfL. S.
 
Your supervisor, Sophia, Ballot Online director of information t.docx
Your supervisor, Sophia, Ballot Online director of information t.docxYour supervisor, Sophia, Ballot Online director of information t.docx
Your supervisor, Sophia, Ballot Online director of information t.docxMargaritoWhitt221
 
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docx
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docxYour selected IEP. (Rudy)Descriptions of appropriate instructi.docx
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docxMargaritoWhitt221
 
Your project sponsor and customer are impressed with your project .docx
Your project sponsor and customer are impressed with your project .docxYour project sponsor and customer are impressed with your project .docx
Your project sponsor and customer are impressed with your project .docxMargaritoWhitt221
 

More Related Content

Similar to COMPLIANCE PROGRAM AUDITING THE GROWING NEED TO INSURE

Adding internal audit value: Strategically leveraging compliance activities
Adding internal audit value: Strategically leveraging compliance activitiesAdding internal audit value: Strategically leveraging compliance activities
Adding internal audit value: Strategically leveraging compliance activitiesGrant Thornton LLP
 
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...Michele DeStefano
 
State of Compliance 2021 at Mid-Market Firms - Nimonik
State of Compliance 2021 at Mid-Market Firms - NimonikState of Compliance 2021 at Mid-Market Firms - Nimonik
State of Compliance 2021 at Mid-Market Firms - NimonikNimonik
 
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...EY
 
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...Seizing the regulatory opportunity: A Deloitte perspective on how financial i...
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...Deloitte Canada
 
Dr haluk f gursel, verifying the accountability of public servants
Dr haluk f gursel, verifying the accountability of public servantsDr haluk f gursel, verifying the accountability of public servants
Dr haluk f gursel, verifying the accountability of public servantsHaluk Ferden Gursel
 
Legal Factors affecting Business Law in Kurdistan
Legal Factors affecting Business Law in KurdistanLegal Factors affecting Business Law in Kurdistan
Legal Factors affecting Business Law in KurdistanAI Publications
 
Life Sciences 2016 (3)
Life Sciences 2016 (3)Life Sciences 2016 (3)
Life Sciences 2016 (3)hldorfman
 
Generally, In A Political Science, The Notion Of...
Generally, In A Political Science, The Notion Of...Generally, In A Political Science, The Notion Of...
Generally, In A Political Science, The Notion Of...Crystal Alvarez
 
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...Center for Communication Compliance
 
SAI-GLOBAL-whitepaper-program-assessment-maturity-curve
SAI-GLOBAL-whitepaper-program-assessment-maturity-curveSAI-GLOBAL-whitepaper-program-assessment-maturity-curve
SAI-GLOBAL-whitepaper-program-assessment-maturity-curveJames D. Meacham, CCEP, CRISC
 
Advantage series regulatory convergence study
Advantage series regulatory convergence studyAdvantage series regulatory convergence study
Advantage series regulatory convergence studyGrayling
 
Van de trong quan tri doanh nghiep
Van de trong quan tri doanh nghiepVan de trong quan tri doanh nghiep
Van de trong quan tri doanh nghiepphuongthao6689
 
A Synopsis On -Corporate Governance And Performance Around The World What We...
A Synopsis On -Corporate Governance And Performance Around The World What We...A Synopsis On -Corporate Governance And Performance Around The World What We...
A Synopsis On -Corporate Governance And Performance Around The World What We...Allison Koehn
 
Disruption, a seismic shift in the private equity industry
Disruption, a seismic shift in the private equity industryDisruption, a seismic shift in the private equity industry
Disruption, a seismic shift in the private equity industryFrenchWeb.fr
 
Anti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesAnti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesDun & Bradstreet
 
Corporate reporting in the usa and canada (2018)
Corporate reporting in the usa and canada (2018)Corporate reporting in the usa and canada (2018)
Corporate reporting in the usa and canada (2018)shomudrokotha
 
Building-world-class-ethics-and-compliance-programs.pdf
Building-world-class-ethics-and-compliance-programs.pdfBuilding-world-class-ethics-and-compliance-programs.pdf
Building-world-class-ethics-and-compliance-programs.pdfL. S.
 

Similar to COMPLIANCE PROGRAM AUDITING THE GROWING NEED TO INSURE (19)

Adding internal audit value: Strategically leveraging compliance activities
Adding internal audit value: Strategically leveraging compliance activitiesAdding internal audit value: Strategically leveraging compliance activities
Adding internal audit value: Strategically leveraging compliance activities
 
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...
DeStefano, Compliance, Transparency, Visibility: A U.S. Perspective: Cloudy A...
 
State of Compliance 2021 at Mid-Market Firms - Nimonik
State of Compliance 2021 at Mid-Market Firms - NimonikState of Compliance 2021 at Mid-Market Firms - Nimonik
State of Compliance 2021 at Mid-Market Firms - Nimonik
 
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...
Overcoming compliance fatigue - Reinforcing the commitment to ethical growth ...
 
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...Seizing the regulatory opportunity: A Deloitte perspective on how financial i...
Seizing the regulatory opportunity: A Deloitte perspective on how financial i...
 
Dr haluk f gursel, verifying the accountability of public servants
Dr haluk f gursel, verifying the accountability of public servantsDr haluk f gursel, verifying the accountability of public servants
Dr haluk f gursel, verifying the accountability of public servants
 
Legal Factors affecting Business Law in Kurdistan
Legal Factors affecting Business Law in KurdistanLegal Factors affecting Business Law in Kurdistan
Legal Factors affecting Business Law in Kurdistan
 
Life Sciences 2016 (3)
Life Sciences 2016 (3)Life Sciences 2016 (3)
Life Sciences 2016 (3)
 
Generally, In A Political Science, The Notion Of...
Generally, In A Political Science, The Notion Of...Generally, In A Political Science, The Notion Of...
Generally, In A Political Science, The Notion Of...
 
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...
Slide Notes From CCC Presentation At Zinc Forum - PRT Efficiency - Turbo-Char...
 
SAI-GLOBAL-whitepaper-program-assessment-maturity-curve
SAI-GLOBAL-whitepaper-program-assessment-maturity-curveSAI-GLOBAL-whitepaper-program-assessment-maturity-curve
SAI-GLOBAL-whitepaper-program-assessment-maturity-curve
 
CORPORATE GOVERNANCE AND ETHICS
CORPORATE GOVERNANCE AND ETHICSCORPORATE GOVERNANCE AND ETHICS
CORPORATE GOVERNANCE AND ETHICS
 
Advantage series regulatory convergence study
Advantage series regulatory convergence studyAdvantage series regulatory convergence study
Advantage series regulatory convergence study
 
Van de trong quan tri doanh nghiep
Van de trong quan tri doanh nghiepVan de trong quan tri doanh nghiep
Van de trong quan tri doanh nghiep
 
A Synopsis On -Corporate Governance And Performance Around The World What We...
A Synopsis On -Corporate Governance And Performance Around The World What We...A Synopsis On -Corporate Governance And Performance Around The World What We...
A Synopsis On -Corporate Governance And Performance Around The World What We...
 
Disruption, a seismic shift in the private equity industry
Disruption, a seismic shift in the private equity industryDisruption, a seismic shift in the private equity industry
Disruption, a seismic shift in the private equity industry
 
Anti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third PartiesAnti-Bribery and Corruption Compliance for Third Parties
Anti-Bribery and Corruption Compliance for Third Parties
 
Corporate reporting in the usa and canada (2018)
Corporate reporting in the usa and canada (2018)Corporate reporting in the usa and canada (2018)
Corporate reporting in the usa and canada (2018)
 
Building-world-class-ethics-and-compliance-programs.pdf
Building-world-class-ethics-and-compliance-programs.pdfBuilding-world-class-ethics-and-compliance-programs.pdf
Building-world-class-ethics-and-compliance-programs.pdf
 

More from MargaritoWhitt221

Your supervisor, Sophia, Ballot Online director of information t.docx
Your supervisor, Sophia, Ballot Online director of information t.docxYour supervisor, Sophia, Ballot Online director of information t.docx
Your supervisor, Sophia, Ballot Online director of information t.docxMargaritoWhitt221
 
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docx
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docxYour selected IEP. (Rudy)Descriptions of appropriate instructi.docx
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docxMargaritoWhitt221
 
Your project sponsor and customer are impressed with your project .docx
Your project sponsor and customer are impressed with your project .docxYour project sponsor and customer are impressed with your project .docx
Your project sponsor and customer are impressed with your project .docxMargaritoWhitt221
 
Your initial post should use APA formatted in-text citations whe.docx
Your initial post should use APA formatted in-text citations whe.docxYour initial post should use APA formatted in-text citations whe.docx
Your initial post should use APA formatted in-text citations whe.docxMargaritoWhitt221
 
Your life is somewhere in a databaseContains unread posts.docx
Your life is somewhere in a databaseContains unread posts.docxYour life is somewhere in a databaseContains unread posts.docx
Your life is somewhere in a databaseContains unread posts.docxMargaritoWhitt221
 
Your original initial post should be between 200-300 words and 2 pee.docx
Your original initial post should be between 200-300 words and 2 pee.docxYour original initial post should be between 200-300 words and 2 pee.docx
Your original initial post should be between 200-300 words and 2 pee.docxMargaritoWhitt221
 
Your assignment is to research and report about an archaeological fi.docx
Your assignment is to research and report about an archaeological fi.docxYour assignment is to research and report about an archaeological fi.docx
Your assignment is to research and report about an archaeological fi.docxMargaritoWhitt221
 
Your assignment for Physical Science I is to write a paper on.docx
Your assignment for Physical Science I is to write a paper on.docxYour assignment for Physical Science I is to write a paper on.docx
Your assignment for Physical Science I is to write a paper on.docxMargaritoWhitt221
 
Your charge is to develop a program using comparative research, anal.docx
Your charge is to develop a program using comparative research, anal.docxYour charge is to develop a program using comparative research, anal.docx
Your charge is to develop a program using comparative research, anal.docxMargaritoWhitt221
 
Young consumers’ insights on brand equity Effects of bra.docx
Young consumers’ insights on brand equity Effects of bra.docxYoung consumers’ insights on brand equity Effects of bra.docx
Young consumers’ insights on brand equity Effects of bra.docxMargaritoWhitt221
 
You will examine a scenario that includes an inter-group conflict. I.docx
You will examine a scenario that includes an inter-group conflict. I.docxYou will examine a scenario that includes an inter-group conflict. I.docx
You will examine a scenario that includes an inter-group conflict. I.docxMargaritoWhitt221
 
You will perform a history of a head, ear, or eye problem that y.docx
You will perform a history of a head, ear, or eye problem that y.docxYou will perform a history of a head, ear, or eye problem that y.docx
You will perform a history of a head, ear, or eye problem that y.docxMargaritoWhitt221
 
You need to enable JavaScript to run this app. .docx
You need to enable JavaScript to run this app. .docxYou need to enable JavaScript to run this app. .docx
You need to enable JavaScript to run this app. .docxMargaritoWhitt221
 
You will act as a critic for some of the main subjects covered i.docx
You will act as a critic for some of the main subjects covered i.docxYou will act as a critic for some of the main subjects covered i.docx
You will act as a critic for some of the main subjects covered i.docxMargaritoWhitt221
 
You will research and prepare a presentation about image.  Your rese.docx
You will research and prepare a presentation about image.  Your rese.docxYou will research and prepare a presentation about image.  Your rese.docx
You will research and prepare a presentation about image.  Your rese.docxMargaritoWhitt221
 
You will be asked to respond to five different scenarios. Answer eac.docx
You will be asked to respond to five different scenarios. Answer eac.docxYou will be asked to respond to five different scenarios. Answer eac.docx
You will be asked to respond to five different scenarios. Answer eac.docxMargaritoWhitt221
 
You might find that using analysis tools to analyze internal .docx
You might find that using analysis tools to analyze internal .docxYou might find that using analysis tools to analyze internal .docx
You might find that using analysis tools to analyze internal .docxMargaritoWhitt221
 
You will conduct a professional interview with a staff nurse and a s.docx
You will conduct a professional interview with a staff nurse and a s.docxYou will conduct a professional interview with a staff nurse and a s.docx
You will conduct a professional interview with a staff nurse and a s.docxMargaritoWhitt221
 
You have chosen the topic of Computer Forensics for your researc.docx
You have chosen the topic of Computer Forensics for your researc.docxYou have chosen the topic of Computer Forensics for your researc.docx
You have chosen the topic of Computer Forensics for your researc.docxMargaritoWhitt221
 
1.Describe some of the landmark Supreme Court decisions that h.docx
1.Describe some of the landmark Supreme Court decisions that h.docx1.Describe some of the landmark Supreme Court decisions that h.docx
1.Describe some of the landmark Supreme Court decisions that h.docxMargaritoWhitt221
 

More from MargaritoWhitt221 (20)

Your supervisor, Sophia, Ballot Online director of information t.docx
Your supervisor, Sophia, Ballot Online director of information t.docxYour supervisor, Sophia, Ballot Online director of information t.docx
Your supervisor, Sophia, Ballot Online director of information t.docx
 
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docx
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docxYour selected IEP. (Rudy)Descriptions of appropriate instructi.docx
Your selected IEP. (Rudy)Descriptions of appropriate instructi.docx
 
Your project sponsor and customer are impressed with your project .docx
Your project sponsor and customer are impressed with your project .docxYour project sponsor and customer are impressed with your project .docx
Your project sponsor and customer are impressed with your project .docx
 
Your initial post should use APA formatted in-text citations whe.docx
Your initial post should use APA formatted in-text citations whe.docxYour initial post should use APA formatted in-text citations whe.docx
Your initial post should use APA formatted in-text citations whe.docx
 
Your life is somewhere in a databaseContains unread posts.docx
Your life is somewhere in a databaseContains unread posts.docxYour life is somewhere in a databaseContains unread posts.docx
Your life is somewhere in a databaseContains unread posts.docx
 
Your original initial post should be between 200-300 words and 2 pee.docx
Your original initial post should be between 200-300 words and 2 pee.docxYour original initial post should be between 200-300 words and 2 pee.docx
Your original initial post should be between 200-300 words and 2 pee.docx
 
Your assignment is to research and report about an archaeological fi.docx
Your assignment is to research and report about an archaeological fi.docxYour assignment is to research and report about an archaeological fi.docx
Your assignment is to research and report about an archaeological fi.docx
 
Your assignment for Physical Science I is to write a paper on.docx
Your assignment for Physical Science I is to write a paper on.docxYour assignment for Physical Science I is to write a paper on.docx
Your assignment for Physical Science I is to write a paper on.docx
 
Your charge is to develop a program using comparative research, anal.docx
Your charge is to develop a program using comparative research, anal.docxYour charge is to develop a program using comparative research, anal.docx
Your charge is to develop a program using comparative research, anal.docx
 
Young consumers’ insights on brand equity Effects of bra.docx
Young consumers’ insights on brand equity Effects of bra.docxYoung consumers’ insights on brand equity Effects of bra.docx
Young consumers’ insights on brand equity Effects of bra.docx
 
You will examine a scenario that includes an inter-group conflict. I.docx
You will examine a scenario that includes an inter-group conflict. I.docxYou will examine a scenario that includes an inter-group conflict. I.docx
You will examine a scenario that includes an inter-group conflict. I.docx
 
You will perform a history of a head, ear, or eye problem that y.docx
You will perform a history of a head, ear, or eye problem that y.docxYou will perform a history of a head, ear, or eye problem that y.docx
You will perform a history of a head, ear, or eye problem that y.docx
 
You need to enable JavaScript to run this app. .docx
You need to enable JavaScript to run this app. .docxYou need to enable JavaScript to run this app. .docx
You need to enable JavaScript to run this app. .docx
 
You will act as a critic for some of the main subjects covered i.docx
You will act as a critic for some of the main subjects covered i.docxYou will act as a critic for some of the main subjects covered i.docx
You will act as a critic for some of the main subjects covered i.docx
 
You will research and prepare a presentation about image.  Your rese.docx
You will research and prepare a presentation about image.  Your rese.docxYou will research and prepare a presentation about image.  Your rese.docx
You will research and prepare a presentation about image.  Your rese.docx
 
You will be asked to respond to five different scenarios. Answer eac.docx
You will be asked to respond to five different scenarios. Answer eac.docxYou will be asked to respond to five different scenarios. Answer eac.docx
You will be asked to respond to five different scenarios. Answer eac.docx
 
You might find that using analysis tools to analyze internal .docx
You might find that using analysis tools to analyze internal .docxYou might find that using analysis tools to analyze internal .docx
You might find that using analysis tools to analyze internal .docx
 
You will conduct a professional interview with a staff nurse and a s.docx
You will conduct a professional interview with a staff nurse and a s.docxYou will conduct a professional interview with a staff nurse and a s.docx
You will conduct a professional interview with a staff nurse and a s.docx
 
You have chosen the topic of Computer Forensics for your researc.docx
You have chosen the topic of Computer Forensics for your researc.docxYou have chosen the topic of Computer Forensics for your researc.docx
You have chosen the topic of Computer Forensics for your researc.docx
 
1.Describe some of the landmark Supreme Court decisions that h.docx
1.Describe some of the landmark Supreme Court decisions that h.docx1.Describe some of the landmark Supreme Court decisions that h.docx
1.Describe some of the landmark Supreme Court decisions that h.docx
 

Recently uploaded

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...christianmathematics
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024Janet Corral
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhikauryashika82
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfchloefrazer622
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...PsychoTech Services
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 

Recently uploaded (20)

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
IGNOU MSCCFT and PGDCFT Exam Question Pattern: MCFT003 Counselling and Family...
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SD
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 

COMPLIANCE PROGRAM AUDITING THE GROWING NEED TO INSURE

  • 1. COMPLIANCE PROGRAM AUDITING: THE GROWING NEED TO INSURE THAT COMPLIANCE PROGRAMS THEMSELVES COMPLY LEE USNICK* RUSSELL USNICK** I. INTRODUCTION Compliance with applicable laws and regulations has always been a concern of business ventures. Historically, internal or external legal counsel provided guidance, usually on a case by case basis. Over recent history, compliance efforts have become more structured and formal as the number and complexity of rules have increased, and as government has provided rewards for demonstrating efforts to comply and punishment for failing to demonstrate efforts to comply.1 As business entities and government have interacted over the years, a complex system of compliance management has
  • 2. evolved. II. STRATEGIC CONSIDERATIONS A. The Current Compliance Context Today, compliance programs are commonplace. Many different professions are involved, including a new class of “compliance professionals” with their own certifying bodies.2 Compliance rules stretch across many federal rule areas, witnessed by the fact that more than a dozen agencies potentially have a say in how a U.S. financial institution operates abroad.3 Compliance concerns no longer stop with legal compliance, and now include industry protocols, licensing requirements, and an array of standards and ethical concerns. * J.D., M.A., M.S.S.W., Associate Professor of Business Law, University of Houston- Downtown. ** J.D., Dr. Env. Des., M.A., Principal, Usnick and Associates, and Adjunct, Bauer College of Business, University of Houston. 1 Sentencing Reform Act of 1984, 18 USCA § 3551 et seq. 2 For example, see SOC’Y OF CORP. COMPLIANCE AND ETHICS, www.corporatecompliance.org; and HEALTH CARE COMPLIANCE ASS’N, www.hcca- info.org.
  • 3. 3 Gregory Husisian, U.S. Regulation of International Financial Institutions: It's Time for an Integrated Approach to Compliance, 127 BANKING L. J. 195, 201 (2010). 312/Vol. XXIII/Southern Law Journal Additionally, foreign compliance regimes now span the global business environment and do not necessarily match up with U.S. compliance rules as reflected, for example, by the fact that common U.S. compliance hotlines appear to conflict directly with EU and individual European nation data protection rights.4 Parts of Europe are opposed to anonymous reporting.5 Growing international protocols regarding foreign bribery are expanding compliance requirements for many companies.6 What began as voluntary efforts to mitigate corporate monetary penalties in the event of certain federal criminal prosecutions, have evolved into mandated or quasi-mandated compliance programs. Over time, these compliance programs have become increasingly complex and expansive, and the continuous layering of rule explanations has morphed into a maze of intricate requirements.7 Some contend that the annual cost of compliance
  • 4. programs in the United States exceeds $1.75 trillion.8 This paper focuses on a single aspect of this evolution, the growing need to adequately monitor and audit the compliance system itself. Certainly, for some time, the use of internal and external audits has been a part of compliance activities. This paper contends that more and more organizations will find it imperative to apply audit protocols to the compliance program itself. That is, compliance programs themselves need to be audited to insure that the compliance program is itself compliant. B. Compliance Program Goals While compliance activities have a long history, most credit for their current scope is attributed to the growth of Federal Sentencing Guidelines in the 1990s which provided reduced corporate criminal sentences when the corporation had established a corporate compliance program.9 The idea was that successful compliance programs help with early detection and prompt correction of noncompliance with laws.10 Over the past two decades, there 4 Paul E. McGreal, Corporate Compliance Survey, 66 BUS.
  • 5. LAW. 125, 151 (2010). 5 Id. at 151. 6 Joseph E. Murphy, Compliance & Ethics Program News From Paris: Have the “Global Sentencing Guidelines” Arrived?, SOC’Y OF CORP. COMPLIANCE AND ETHICS, 7 (2010). 7 Melany C. Birdsong, Reforming Regulation: No Time Like the Present, 32 HAMLINE J. PUB. L. & POL'Y 371, 373 (2011). 8 Nicole V. Crain & W. Mark Crain, The Impact of Regulatory Costs on Small Firms, SMALL BUS. ADMIN. OFF. OF ADVOC. (SEPT. 2010), http://www.sba.gov/sites/default/files/The%20Impact%20of%20 Regulatory%20Costs%20on% 20Small%20Firms%20(Full).pdf. 9 Federal Sentencing Guidelines, supra note 1. 10 Donald P. Vandegrift, The Privilege of Self-Critical Analysis: A Survey of the Law, 60 ALB. L. REV. 171, 172 (1996). Fall 2013/Usnick & Usnick/313 have been continued increases in government involvement in compliance, and it is reasonable to expect that increased enforcement is likely for the foreseeable future.11 As compliance efforts grow, new areas for concern are added to the mix. An example of the trend is the Department of Justice, in settlements with companies over alleged violations, gradually requiring the
  • 6. company to include mandatory due diligence practices with all of their third- party business partners.12 One of the difficulties in discussing compliance program auditing is the less-than-agreed-upon language used to describe compliance in general, as well as particular compliance program elements. The terms used in the focus on compliance now include monitoring, auditing, enterprise risk management, internal controls, performance auditing, risk stratification, compliance programs, and many more.13 Regardless of the terminology, an integrated approach to compliance is becoming expected. There is a growing belief that all of the compliance elements, including audit, risk, and legal, do not work when they are isolated into narrow silos, but do work when integrated and coordinated.14 Today, the key to a good compliance program is mixing all of the diverse elements into an effective compliance program.15 The current economic environment has also affected the compliance environment. During periods of economic distress, entities and individuals are increasingly inclined to cut corners.16 The tough economy results in heightened regulatory scrutiny which leads to an increased need for compliance program effectiveness.17 Compliance is expensive,
  • 7. but the cost is minor compared to dealing with investigations, fines or sanctions.18 In the current compliance environment, no prudent alternative exists to putting significant resources toward compliance.19 Tough economic times make it 11 Karen Kurti, Compliance Program Management and Oversight, 8 COMPLIANCE & ETHICS PROF.36, 37 (2011). 12 Ryan D. McConnell, Jay Martin & Charlotte Simon, Plan Now or Pay Later: The Role of Compliance in Criminal Cases, 33 HOUS. J. INT’L L. 509, 573 (2011). 13 Joseph Keen & Cliff Therrien, Is Your Program Equipped For Compliance Auditing? With Heightened Industry Focus Comes the Need for Heightened Awareness of What It Means for Your Organization, 13 J. HEALTH CARE COMPLIANCE 21 (2011). 14 Roy Snell, All the Elements of a Compliance Are Useless…On Their Own: Finding a Way to Coordinate Tools and Use Them Effectively Is the Real Secret, 13 J. HEALTH CARE COMPLIANCE 3 (2011). 15 Id. 16 Paul Belton, The Evolving Role of Compliance Officers During These Difficult Economic Times: Opportunities for Growth in Compliance Are Expanding -- Not Diminishing, 11 J. HEALTH CARE COMPLIANCE 11, 12 (2009). 17 Id. at 16. 18 Husisian, supra note 3, at 224. 19 Id.
  • 8. 314/Vol. XXIII/Southern Law Journal imperative for companies to find efficient, proactive ways to manage regulatory compliance risks.20 C. Compliance Program Scope The scope of the compliance effort should match the particular compliance issues facing a company. Clearly, the compliance programs should both prevent and detect misconduct, including conduct which is not just criminal.21 Often, compliance programs also address the potential for civil liabilities and various industry specific standards.22 Setting the proper scope for the compliance program is never easy. It is difficult to determine the true value of a compliance program to the organization.23 Unfortunately, the maze of rules and modifications requires both regulators and the regulated to develop a “minefield” mentality where one misstep can have catastrophic effects.24 Each compliance program will have a unique approach. Likewise, the resulting compliance
  • 9. program work plan, which articulates annual goals, monitoring, and audit activities, will be unique to that company at that point in time.25 D. Role of Governance, Risk, and Compliance (GRC) The word compliance has evolved to have many different meanings.26 Amid this definitional broadening, there has been a melding of the concepts of governance, risk, and compliance (referred to as GRC).27 Additionally, among these various meanings there are overlaps, gaps, and conflicts.28 GRC usually includes corporate governance, enterprise risk management (ERM), and compliance with rules and regulations as well as ethical and other compliance issues.29 Originally, governance and risk were 20 Belton, supra note 16, at 14. 21 Patricia J. Villareal, Henry Klehm & Richard C. Rosalez, Compliance in The Dodd-Frank Era: The Case for Engaging Employees, 7 COMPLIANCE & ETHICS PROF. 32 (2010). 22 Id. 23 Belton, supra note 16. 24 Birdsong, supra note 7, at 375. 25 Catherine M. Boerner, When Was the Last Time You Reviewed Your Corporate Compliance
  • 10. Plan? Final Rule on Medicaid RACs Defines Fraud and Abuse, Explains How Fees Are Paid, 13 J. HEALTH CARE COMPLIANCE 35 (2011). 26 Michael Brozzetti, Is Your Chief Watchdog an Esquire?, 8 COMPLIANCE & ETHICS PROF. 8 (2011). 27 Id. 28 Id. 29 Roy Snell, Risk Appetite? Can You Please Run That By Me Again? Compliance Professionals Must Be Concerned with the Facts Rather Than “Going Holistic”, 12 J. HEALTH CARE COMPLIANCE 3, 4 (2010). Fall 2013/Usnick & Usnick/315 little more than mere written principles, but over time they have become robust, integrated, management practices.30 In the process, however, the titles given to specific activities, such as audit, risk, compliance, ethics, legal, and various combinations of terms, have become less clear.31 GRC is a very broad concept that looks at issues, including risk.32 Some equate GRC with a compliance program.33 However, GRC is not primarily aimed at the traditional compliance activities of finding and fixing problems.34 Certainly, overseeing risk management is critical to legal
  • 11. compliance.35 But monitoring and maintaining compliance is not just regulatory, it is a critical component of an effective ERM program.36 ERM is becoming a key process in the GRC framework, and its significance continues to grow.37 The lack of exact clarity in the terminology has not limited the importance of GRC overall, as GRC software, systems, and services are estimated to have a annual cost of $52 billion.38 E. The Role of the Compliance Program The location of “ownership” of compliance efforts within an organization is crucial. It is important that these efforts are not “owned” only by compliance staff, especially since many internal audit functions do not measure operational performance against specific regulatory requirements.39 In reality, compliance duties, responsibilities, and actors, spread throughout an enterprise in many varying ways.40 There is often a compliance committee, a compliance department, or both. A compliance department incorporates all of the compliance functions as opposed to a compliance committee.41 A compliance committee approach usually matches membership with the key compliance risk areas for the
  • 12. 30 Brozzetti, supra note 26. 31 Id. 32 Snell, supra note 29, at 3. 33 Id. 34 Id. 35 Kenneth A. Bamberger, Technologies of Compliance: Risk and Regulation in a Digital Age, 88 TEX. L. REV. 669, 693 (2010). 36 Dan Swanson & Jose Tabuena, Expert Corner: Auditing a Compliance and Ethics Program, ETHISPEHERE (May 29, 2007), http://ethisphere.com/expert- corner-1. 37 Steve McGraw, Third-Party Risk Management: Properly Managing Compliance of Outsourced Relationships, 8 COMPLIANCE & ETHICS PROF. 30 (2011). 38 Bamberger, supra note 35, at 669. 39 Keen & Therrien, supra note 13, at 23. 40 Brozzetti, supra note 26. 41 Kurti, supra note 11, at 36. 316/Vol. XXIII/Southern Law Journal organization.42 The general view is that the compliance committee benefits by having as members persons with varying responsibilities in the organization.43 When both a compliance committee and a compliance department exist, the compliance committee role is usually to
  • 13. support the compliance officer.44 There is a continuing debate as to the roles of different enterprise functions with regard to compliance. Early compliance efforts emanated heavily from the legal and financial functions. Some now argue that different corporate roles such as general counsel, chief internal auditor, or chief compliance officer in fact conflict with one another.45 Some discussions of current best practices suggest that, ideally, neither legal nor financial should be merged with compliance.46 One strain of the argument is that both financial and legal functions have risk assessment aspects, and that the organization’s appetite for risk should not be part of the compliance professionals’ activity.47 The discussion has become more focused with regard to the relationship between the legal department and the compliance function. Sometimes the compliance officer is in the legal department and reports to the general counsel.48 It is a tough decision whether compliance belongs in or out of the legal department and at present there seems to be no clear answer.49 A common argument is that the general counsel role and compliance
  • 14. chief role have actual and potential conflicts, and as a result, it should be viewed as very questionable when they are not separated.50 Additionally, under certain circumstances, the attorney-client privilege may be weaker for in-house counsel when dealing with internal auditing than for external counsel.51 While on the topic of attorney-client privilege, it is interesting to note here that some argue that even attorney-client privilege between inside counsel and executives should not block the authority and reach of an internal audit.52 The scope of this question is not limited to narrow legal or 42 Jim Passey, Facilitating an Effective and Productive Compliance Committee: How to Structure, Maintain, and Springboard Your Compliance Committee's Effectiveness, 13 J. HEALTH CARE COMPLIANCE 5, 6 (2011). 43 Id. 44 Kurti, supra note 11, at 36. 45 Brozzetti, supra note 26. 46 Kurti, supra note 11, at 37. 47 Snell, supra note 29, at 3. 48 Ryan McConnell, Daniel Trujillo & Katherine Southard, Take It To The Board: There’s No Perfect Org Chart- But Compliance Officers Need a Direct Line to Directors, COMPLIANCE 14, 15 (ALM Supplement Winter 2012). 49 Id. 50 Kurti, supra note 11, at 37. 51 Brozzetti, supra note 26, at 10.
  • 15. 52 Id. Fall 2013/Usnick & Usnick/317 compliance issues, as one writer argued that compliance should not be part of the legal function, because the organization should not give the responsibility for compliance to the group that, in the writer’s opinion, has failed to get the compliance job done correctly for the last one hundred years.53 III. DESIGN AND IMPLEMENTATION A. Determining Compliance Adequacy through Monitoring and Auditing At regular intervals, an organization’s compliance program should be asked a number of probing questions. The following are some of the questions that must be addressed: 1. What have we already said that we are going to do for compliance? 2. Are we doing what we said we would do?
  • 16. 3. Are we doing it in a consistent manner? 4. Is what we are doing achieving what it is supposed to accomplish? 5. Is what we said we will do what we are really required to do? 6. How do we determine that our compliance program complies with all applicable rules? 7. Are there appropriate processes for reviewing the maintenance of the program? 8. Is there adequate compliance program oversight? 9. Can we document processes in place to effectively deal with the discovery of non-compliance? 10. Can we document processes for evaluating preparedness for changes which occur in the future? 11. Are we able to adequately document the basis upon which our compliance program operates? 12. Can we document that we appropriately evaluate the entire compliance program? These and other questions all assess the overall effectiveness of a
  • 17. compliance program. Part of any assessment involves broad questions 53 Snell, supra note 14, at 66. 318/Vol. XXIII/Southern Law Journal concerning levels of organizational risk tolerance, the extent of organizational compliance buy-in, and compliance culture in general. These are all important parts of monitoring a compliance program. Under the sentencing guidelines, monitoring and auditing are linked,54 and many organizations use the terms auditing and monitoring interchangeably, but many argue they are not interchangeable.55 Sometimes the audit function owns the monitoring process; other times there may be a dedicated monitoring team independent of the audit process.56 Whatever the case, a key element of a good compliance program includes consistent monitoring and auditing.57 There is no road map or textbook on effective implementation of compliance programs in a particular organization.58 Monitoring is defined as
  • 18. measuring operational performance so as to insure that regulatory and other standards are met.59 Auditing focuses on testing, spot checking, and inspections, done at a point in time, and is both independent and objective.60 Any discussion of compliance program auditing, such as this paper, presupposes an effective monitoring system to which audit results flow. It is important to view the compliance program audit as another layer in a good compliance program and not as something separate.61 B. The Compliance Program Audit The compliance program audit is an essential part of an effective compliance program for several important reasons. Most significantly, recent U.S. Department of Justice (DOJ) settlements include an audit to show that compliance is not just a paper program.62 Put simply, an organization should audit its compliance program because that is the first thing the government 54 Keen & Therrien, supra note 13, at 22. 55 Id. 56 Id. at 24. 57 M. Richard Schroeder, International White Collar Enforcement, 2012 Edition, Leading
  • 19. Lawyers on Cooperating With Enforcement Agencies, Understanding New Laws, and Constructing Compliance Programs: New Compliance Challenges and Requirements in the International Business Arena 2011 WL 6740789 (ASPATORE), 6. 58 Keen & Therrien, supra note 13, at 23. 59 Id. at 22. 60 Cornelia M. Dorfschmid & Paulo B. Macedo, Statistics – Friend or Foe? The Compliance Officer’s Perspective: A General Understanding of the Basics Is Prudent, 14 J. HEALTH CARE COMPLIANCE 23, 30 (2012). 61 Practising Law Institute, Kicking the Tires and Taking Her Out For a Spin – How to Audit a Compliance Program, 4 PRACTISING L. INST’S COMPLIANCE COUNS. 1 (2007). 62 McConnell, et al., supra note 12. Fall 2013/Usnick & Usnick/319 will do before making any decision on whether or not to prosecute and the level of penalties that will be sought if they do prosecute.63 A key a part of a compliance program is systematically looking for problems through means like auditing.64 Ten years ago the compliance department was often never audited,65 while today many regulations require regular testing of the effectiveness of controls.66 Auditing the
  • 20. compliance program is best viewed as an important part of an overall comprehensive evaluation.67 The audit plays an assurance function.68 The primary compliance audit report purpose is communication to management and stakeholders.69 An audit typically looks for independent verification of risk control mechanisms.70 Auditing does not fix problems because that is not its charge.71 Many internal audit functions do not measure operational performance against specific regulatory requirements.72 An overall compliance monitoring plan should be formally written and clearly identify both purpose and objectives.73 If the compliance effort is not measurable, it cannot determine if efforts are driving better compliance outcomes.74 Auditing a compliance program can provide an independent determination of appropriateness and effectiveness.75 Also, auditing the compliance program supports assessing performance and effectiveness.76 A compliance program audit tests systems, and in turn, helps get the full benefit of sentencing guidelines when needed.77 Auditing the compliance framework itself enables early identification of systemic issues,78 and can identify areas for improvement.79
  • 21. Existing compliance processes need to be continually reassessed.80 63 Swanson & Tabuena, supra note 36. 64 Snell, supra note 29, at 65. 65 Karen Stensgaard, Have You Audited Your Compliance Department Lately?, INTERNAL AUDITOR 45, 46 (Apr. 2002). 66 Bamberger, supra note 35. 67 Swanson & Tabuena, supra note 36. 68 Catherine Finamore Henry, Too Close For Comfort, INTERNAL AUDITOR 2, (Feb. 2011). 69 Keen & Therrien, supra note 13, at 24. 70 Id. at 22. 71 Snell, supra note 14, at 67. 72 Keen & Therrien, supra note 13, at 23. 73 Id. 74 Id. 75 Swanson & Tabuena, supra note 36. 76 Id. 77 PRACTISING L. INST., supra note 61. 78 Susan Burch, Auditing for Compliance, INTERNAL AUDITOR 53, 59 (Dec. 2008). 79 Swanson & Tabuena, supra note 36. 80 Chong Ee, Overcoming Checkbox Compliance, INTERNAL AUDITOR 55, 56 (Dec. 2010). 320/Vol. XXIII/Southern Law Journal On a larger scale, auditing compliance programs can increase integration of governance, risk, and compliance.81
  • 22. Additionally, auditing of the compliance program can be a catalyst for changes in GRC to support improved operational effectiveness.82 By assuring after the fact that risk is being properly managed, compliance is able to proactively mitigate future risk.83 C. Role of Compliance Program Audits A company needs to assume that, at some point, an employee or business associate will engage in illegal activity.84 While criminal violations are central to compliance programs, risk issues for compliance program audit can include regulations, culture, reputation, and the like.85 The most common thread is the focus on utilization of non-compliance as the evaluation starting point. Often a transaction’s review points to the need for a systems review which looks at patterns and processes as a whole.86 Auditing typically looks for independent verification of risk control mechanisms87 This is achieved in a number of ways. Compliance program audit issues include consistency across the organization,88 the clearness of lines of authority,89 appropriate segregation of compliance program duties,90 and the relationship between the compliance program and others
  • 23. in the organization are all expected. The audit looks at the sufficiency of the process in and of itself, and also at the effects and outcomes of the process.91 Directly or indirectly, this occurs under two broad headings: process audits and substantive audits. 81 Swanson & Tabuena, supra note 36. 82 Id. 83 Roy Snell, Audit and Compliance: Two Closely Linked Professions with Very Distinct Roles:Urton Anderson Discusses the Differences, and Similarities, and Why Both Must Work Together, 13 J. HEALTH CARE COMPLIANCE 29, 32 (2011). 84 Schroeder, supra note 57, at 7. 85 Swanson & Tabuena supra note 36. 86 Cornelia M. Dorfschmid, Systems Reviews verses Transaction Reviews –A Closer Look at a New Era of Mandatory Compliance: Use of Both Review Types May Be the Best Preparation for Effectiveness Certification in Coming Years, 12 J. HEALTH CARE COMPLIANCE 41, 43 (2010). 87 Keen, & Therrien, supra note 13, at 22. 88 Burch, supra note 78, at 54. 89 Swanson & Tabuena, supra note 36. 90 Burch, supra note 78, at 59. 91 Dorfschmid, supra note 86. Fall 2013/Usnick & Usnick/321
  • 24. D. Process Audits and Substantive Audits The process audit addresses the “are we doing what we said we would do” question. The audit first asks if key features of the compliance plan have been implemented.92 This leads to audit inquiries as to whether the program components are operating as intended.93 In the simplest form, a process audit determines if the protocols are implemented and whether the employees are following the protocols.94 A substantive audit determines if the resulting work product meets regulatory requirements.95 A key problem in the monitoring and auditing of compliance programs is that a substantive audit must check for alignment of the overriding compliance program requirements with the many internal audit functions which often do not measure operational performance against specific regulatory requirements.96 That is to say, the audit process needs to be designed to evaluate whether the program is substantively addressing the specific compliance concerns. E. The Compliance Program Audit Process
  • 25. A very important aspect of audit design is to understand the audit objectives given the level of assurance sought by the board.97 In the audit planning phase, all of the important issues and risks need to be identified.98 Very often, the compliance program audit will use a risk-based approach to identify important issues.99 In compliance programs, auditing for internal controls is different from auditing for compliance effectiveness.100 Compliance program auditing needs to understand existing compliance program strengths and weaknesses.101 This can often take the form of some kind of mapping of the compliance environment. The design of the process first audits for overall compliance, then looks to the remediation of identified issues, inquires if there are root causes for the problems, and finally addresses the compliance program within that context.102 92 Swanson & Tabuena, supra note 36. 93 Id. 94 Id. 95 Id. 96 Keen & Therrien, supra note 13, at 23. 97 Swanson & Tabuena, supra note 36.
  • 26. 98 Id. 99 Id. 100 Keen & Therrien, supra note 13, at 24. 101 Id. 102 Ee, supra note 80, at 57. 322/Vol. XXIII/Southern Law Journal F. The Compliance Program Audit Plan Assessing compliance risk should be part of the overall risk assessment and specifically incorporate compliance auditing into audit plans.103 There needs to be a clear compliance-auditing plan.104 The audit plan should include a statement of auditing standards which spell out compliance audit particulars.105 Additionally, there should be a clear delineation of the basic strategy of the compliance program audit, the scope of the audit program, audit objectives, time frame, personnel, methodology, and reporting.106 While specificity is important, overly strict audit process standardization should be avoided.107 Flexibility sufficient to pursue unexpected results is important. The compliance-auditing plan must focus audit related activity on both
  • 27. operational compliance performance and overall compliance effectiveness.108 It is impossible to develop a good compliance plan without a thorough understanding of the operations and how they relate to regulations affecting those operations.109 On a large scale, the compliance program audit components include the program design structure, the selected processes, the implementation process, and finally the actual audit for compliance using the designated standards.110 At the more operational level, the compliance program audit plan articulates the compliance audits to be conducted for the specified time period.111 Each compliance program audit will require careful planning.112 Auditing a compliance program is much like any other audit in structure, planning, fieldwork, and reporting.113 In the audit planning stage identification of audit objectives is a crucial step.114 Part of compliance program audit includes documented policies and procedures for conducting 103 Burch, supra note 78, at 54. 104 Keen & Therrien, supra note 13, at 23. 105 American Institute of Certified Public Accountants, Statement on Auditing Standards No. 117, Compliance Audits, J. OF ACCOUNTANCY 71, (Feb. 2010), available at
  • 28. www.journalofaccountancy.com. 106 Practising Law Institute, supra note 61. 107 Keen & Therrien, supra note 13, at 24. 108 Id. 109 Jeffrey R. Porter, Environmental Law Enforcement and Compliance; Leading Lawyers on Communicating with Enforcement Agencies, Overcoming Compliance Challenges, and Developing Response Strategies: Surviving the Enforcement First Culture, 2011 WL 44522051 (ASPATORE 2011), 10. 110 Swanson & Tabuena, supra note 36. 111 Boerner, supra note 25. 112 Keen & Therrien, supra note 13, at 24. 113 Swanson & Tabuena, supra note 36. 114 Id. Fall 2013/Usnick & Usnick/323 inquiries and investigations.115 The planning phase of the audit results in confirming the scope of the audit and getting sign-off to proceed.116 IV. TACTICAL CONSIDERATIONS A. Conducting the Audit Compliance program audits also raise questions regarding
  • 29. conflicts of interest. International standards for professional internal auditors say that they should not be participating in activities they also audit.117 The compliance auditing plan needs independent, disciplined, audit protocols.118 Utilizing the already established audit avenues for the organization can have difficulties because a typical audit unit often favors financial audits and often they do little in other areas of regulatory noncompliance.119 B. Establishing the Basis for Audit Evaluations A self-assessment prior to the audit can be valuable.120 Determining the sufficiency of the level of audit testing is left to an individual’s professional determination.121 The audit should be based on comprehensive audit risk assessment, that is, focused on key compliance risks.122 Because compliance and ethics efforts cover a very broad span of activities, the audit process must carefully define the proper focus.123 Auditing the compliance program may not answer whether the program actually reduced non- compliance.124 In fact, auditing the compliance program alone is likely not sufficient to demonstrate the program effectiveness.125 Compliance monitoring needs
  • 30. data, metrics, reporting systems, and the ability to take into account that internal audit functions do not directly measure operational performance against specific regulatory requirements.126 115 Burch, supra note 78, at 59. 116 Swanson & Tabuena, supra note 36. 117 Henry, supra note 68, at 29. 118 Keen & Therrien, supra note 13, at 23. 119 Snell, supra note 14. 120 Swanson & Tabuena, supra note 36. 121 Id. 122 Id. 123 Id. 124 Id. 125 Id. 126 Keen & Therrien, supra note 13, at 23. 324/Vol. XXIII/Southern Law Journal The evaluation phase starts with asking if absolute minimum regulatory requirements have been met (referred to as a baseline evaluation).127 As it unfolds, the evaluation phase of an audit looks at specific data, information systems, and performance reporting measures.128 Ironical ly, although the government often demands the implementation of an effective
  • 31. compliance program, it generally offers little guidance as to what that is or how to measure it.129 Benchmarks and other measurement tools are useful. The auditing of compliance programs evaluates effectiveness compared to both internal and external measures.130 There are no standard measurement techniques for auditing for compliance. In some areas of compliance, the regulatory regime suggests that one method of internal measurement is a “snapshot” of the compliance program for use as a future benchmark.131 In some settings, benchmarks are an essential part of a compliance program.132 Even then, there are few metrics and standards for defining an effective program.133 In the evaluation stage of an audit, where it is essential to look beyond minimum practices, a common practice model looks at the practices of leading peers in the industry.134 This can be in the form of looking at leading peer practices through organizations such as the Ethics and Compliance Officer Association or the Open Compliance and Ethics Group.135 It is also useful to look further into more leading-edge practices.136 Finally, benchmarks need to be regularly monitored for evolving trends.137
  • 32. C. Actual Audit Tactics Vary Compliance program auditing can include teams of cross-trained peer reviewers conducting quarterly case record reviews in every program area to match documentation to requirements.138 Often, compliance program auditing will include a monthly review of case records.139 Compliance 127 Swanson & Tabuena, supra note 36. 128 Id. 129 Miriam Hechler Baer, Governing Corporate Compliance, 50 B.C.L. Rev. 949, 954 (2009). 130 Swanson & Tabuena, supra note 36. 131 Jillian Bower, Use of Surveys to Evidence Compliance Program Effectiveness: When Deciding Which Survey to Use, Keep in Mind It Must Be Credible to an Outside Third Party, 13 J. HEALTH CARE COMPLIANCE 43, 44 (2011). 132 Id. 133 Dorfschmid, supra note 86, at 42. 134 Swanson & Tabuena, supra note 36. 135 Id. 136 Id. 137 Bower, supra note 131, at 64. 138 Paul E. McGreal, Corporate Compliance Survey, 67 BUS. LAW. 227, 251 (2011). 139 Id.
  • 33. Fall 2013/Usnick & Usnick/325 program auditing can also include month to month tracking and analysis of identified risk areas.140 Many transaction reviews can use statistical auditing and extrapolation tools as part of the compliance program audit.141 An example would be the variety of ways coding in healthcare settings are tested for compliance.142 Another way of compliance auditing is by examining company emails.143 Any email, utilizing a company email address, is company property and contains significant amounts of information for review.144 Email compliance program audits can be aided by key word searches.145 Compliance program audits have begun using statistical concepts.146 A lot of auditing employs state of the art technology. Reporting that is required for compliance is often created technologically.147 Technological compliance solutions "interpret" hundreds of rules.148 Compliance is going hi-tech using a wide array of technology compliance tools.149 Technological compliance activities are heavily involved in modern risk regulation.150 A large amount
  • 34. of compliance system auditing is automated.151 Technology profoundly affects the auditing of all risk management issues including compliance.152 Much compliance program auditing is reported in dashboard form.153 Some compliance program auditing happens in real time.154 Technological compliance activities are used widely from bank capitalization to Sarbanes to information privacy.155 At the same time, some argue that technological compliance activities can hinder the compliance decision process.156 One of the arguments is that technological compliance activities frequently lack transparency.157 140 Id. 141 Dorfschmid, supra note 86, at 70. 142 Belton, supra note 16, at 15. 143 Catie Heindel, Auditing Emails: A Useful Method for Testing Compliance Program Effectiveness: Five Important Steps to Help Organizations Evaluate Their Program's Effectiveness, 14 J. HEALTH CARE COMPLIANCE 47 (2012). 144 Id. at 48. 145 Id. at 70. 146 Dorfschmid & Macedo, supra note 60, at 24. 147 Bamberger, supra note 35, at 701. 148 Id. at 669. 149 Id. 150 Id. at 673. 151 Id. at 694.
  • 35. 152 Id. at 693. 153 Id. at 695. 154 Id. 155 Id. at 670. 156 Id. 157 Id. at 676. 326/Vol. XXIII/Southern Law Journal D. Audit Documentation Sufficiency A major compliance audit issue is whether the documentation for the compliance program is sufficient and in place.158 A key requirement is that program audit results are accurately presented to appropriate parties.159 It is vital to document all of the implementation, updating, and evaluation of compliance programs.160 Compliance program effectiveness review is a huge documentation gathering function.161 One source argues that an entity should be able to describe the compliance program in detail without saying one word, since if the investigator has to ask questions to understand the program, then the documentation is insufficient.162 While that may be a difficult standard, if investigated, there is an immediate need to be able to produce a
  • 36. binder that lays out the compliance program in detail with policies, guidelines, and supporting records.163 V. CONCLUSIONS A. Compliance Program Audits in the Larger Organizational Setting Compliance program audits need to be based in trust and cooperation. Additionally, stakeholders need to understand the importance of transparency in audit processes.164 The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Audits standard 2110 stresses the importance of effectively communicating information with board members, external and internal auditors, and management.165 The compliance culture is often more important than the rules themselves in compliance programs.166 With the passage of time, it has become ever more important that compliance professionals report directly to an internal governing authority like the audit committee of the board of directors.167 The organization should have at least an annual report from the compliance officer to the board directly.168
  • 37. 158 Swanson & Tabuena, supra note 36. 159 Id. 160 Thomas McSorley, Foreign Corrupt Practices Act, 48 AM. CRIM. L. REV. 749, 776 (2011). 161 Boerner, supra note 25. 162 Schroeder, supra note 57, at 6. 163 Id. 164 Brozzetti, supra note 26. 165 Brozzetti, supra note 26. 166 Brozzetti, supra note 26, at 10. 167 McConnell, et al., supra note 48, at 14. 168 Id. Fall 2013/Usnick & Usnick/327 In some areas such as healthcare, the regulatory compliance burdens are massive and are passed on to consumers.169 Another drawback of compliance programs is the reality that they create a record of misdeeds.170 The government leaves very little room for discretion when compliance plans uncover violations of law.171 The Dodd Frank Act puts companies into the dilemma of choosing between early self-reporting with sketchy information and the prospect of losing the benefits of self-reporting when a whistleblower goes to the agency first.172 The government’s strategy of
  • 38. “enforcement first” presents a serious challenge to the regulated community.173 It is no insignificant problem that self-reporting almost always guarantees penalties or conviction.174 B. The Need for Proactive Compliance Program Auditing Compliance auditing needs to look beyond identified high risk areas to see if there are unexpected risk issues.175 A compliance auditing plan needs to be able to evolve and mature.176 The compliance program audit should be seeking potential problem areas that have not yet been noticed as problem areas.177 At the same time, the current compliance environment leaves little room for experimentation.178 The entire compliance program, including an audit which asks whether the compliance program is itself in compliance, must be vigorously proactive. 169 Birdsong, supra note 7, at 377. 170 Vandergrift, supra note 10, at 173. 171 Baer, supra note 129. 172 Villareal, supra note 21, at 34. 173 Porter, supra note 109, at 1. 174 Jennifer Arlen, The Failure of the Organizational
  • 39. Sentencing Guidelines, 66 U. MIAMI L. REV. 321, 349 (2012). 175 Keen & Therrien, supra note 13, at 24. 176 Id. 177 Husisian, supra note 3, at 215. 178 Baer, supra note 129. Copyright of Southern Law Journal is the property of Southern Academy of Legal Studies in Business and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.