It is imperative that companies assess the health of their compliance program on an ongoing basis. The primary output of your company’s annual compliance needs assessment is the prioritized list of activities and functions that are exposed to varying levels of risk.
Areas falling into the high to moderate level of risk need to be audited to expose the breakdown in controls that leads to non-compliant actions.
Audits should include at least the following four components:
- Workplan Development
What are the scope and objectives of the audit? How should the audit be rolled out to ensure effectiveness without impeding daily business operations? What are the detailed tasks needed to complete the audit? What are the roles, responsibilities and deadlines of the team? What sampling methodology will be used for transaction testing? How will we ensure a risk-based approach?
- Documentation Review
Do you have the right governance documentation in place? Is it complete?
- Systems/Process Review
What is the actual process that is occurring, and is it in line with internal policies and procedures as well as external guidelines?
- Transaction Testing
Do the requisite control documents exist for a sample set of reviewed activities? If so, are they being completed, processed, reviewed and approved appropriately?
Once the audit is executed, it can then be determined whether instances of non-compliant behavior are “one-off” violations or whether there is a more systemic problem. This clarity allows companies to put in place effective corrective action to curb the tide and get back on the right track.