Official expectations that companies will check to make sure that their compliance and ethics (“C&E”) standards are being followed have existed since the advent of the Federal Sentencing Guidelines for Organizations in 1991. Additionally, only a year later, a U.S. Department of Justice official emphasized the importance of auditing to antitrust compliance, which underscored that checking was expected not only regarding the overall compliance program (e.g., training, the hotline) but also substantive areas of risk. However, while checking expectations have been present from the beginning of the “Age of Compliance,” for many reasons they are more significant now than ever before.
Of course, not all companies have the same degree of need for C&E checking. Organizations that are global and/or highly dispersed, are in regulated industries or have significant cultural challenges should, as a general matter, do more checking than others. But it is hard to imagine that any organization would have reason to feel comfortable doing nothing in this regard.
In considering the options in this area, the relationships between relevant C&E categories can be confusing. Among other things:
- Auditing can overlap with both program assessment and risk assessment.
- The line between auditing and investigations is not always well marked.
- Monitoring can overlap with governance and management.
- The use of metrics is part of monitoring, but is sometimes discussed separately.
- Encouraging reports of suspected violations can be seen as a form of monitoring — but is generally treated as a different animal.
- Other types of internal controls (e.g., preapproval requirements) can also be viewed as a form of monitoring – but really serve a different function than checking.
Is this a problem? It can be — if people are talking past each other, which, in my experience, is pretty common.
In this post I hope to provide an overview of the world of compliance checking — in effect, a “map” of this neck of the compliance woods. Or, what follows could be considered a checklist for checking your checking – but note that, due to space/time limitations, it should be seen only as a “starter list,” and not a complete one.
Monitoring

We begin with monitoring, which generally differs from auditing in that it is less independent but has the important advantage of occurring in “real time,” at least to some degree. This important and generally underutilized type of compliance function covers a lot of ground, but the two major areas of distinction within the realm of monitoring are:
- Who does the monitoring: business people or non-audit staff?
- What is the subject of the monitoring — discrete substantive risk areas or general program functions?
Monitoring by business people is often called “the first line of defense.” It is the most immediate — and least independent — form of C&E checking.
Risk-area examples of this sort of monitoring include requiring managers to conduct reviews of: subordinates’ T&E submissions for compliance violations of various kinds; invoices of third parties for any indicia of corruption (or violation of other rules); pricing, bidding and other related activities for any signs of antitrust/competition law violations; and monitoring COIs that have been allowed to continue subject to specified conditions. Challenges to risk area monitoring include making sure that it is actually happening, is informed and is documented. Note that this type of monitoring is often undertaken as part of larger business monitoring. For instance, monitoring high-risk agents should include making sure not only that they are acting properly but that they are performing the business functions expected of them.
General program monitoring by business personnel is often less important in a company than is risk area monitoring, but can still play a key role in an overall C&E program. Examples include managers ensuring that employees in their geographic, business or functional unit have taken required training and seeing how lower-level managers communicate about C&E to their subordinates.
Finally, there are three other potentially significant benefits to this “first line of defense” monitoring, which are worth knowing about so that one can take advantage of them:
- It can serve to educate business people (i.e., learn by doing).
- It can provide a predicate for C&E-based compensation/recognition (for those who perform their monitoring duties particularly well).
- Conversely, in the case of monitoring failures it can provide the basis for “supervisory liability” (meaning internal, not actual legal, accountability).
The “second line of defense” is monitoring by non-audit staff, such as Finance, Legal, HR, IS, EH&S, Security and C&E. It is less immediate than the first line but more independent — though not totally independent, since on some level such monitoring entails staff reviewing its own work.
Risk area monitoring by staff can include the following:
- Anti-corruption: periodic internal controls reviews by Finance; C&E reviewing gift registers and third-party due diligence files.
- Competition law: Legal department reviewing sales files.
- Employment: HR (or others) looking for required postings, reviewing personnel files.
- Regulated areas: life sciences “ride-alongs” for fraud-and-abuse compliance; review of trading, execution and suitability issues at financial service firms; and many examples in the EH&S field.
General program monitoring by staff includes reviewing: dissemination of training and communications, including new or revised policies; concerns line reporting; investigations and discipline; hiring/due diligence; and incentives. Much of this is generally done by the C&E office but other departments (such as Internal Audit and HR) can have a role to play in it too.
Finally, it is worth noting that there are two other forms of checking that are monitoring-like: deploying C&E questions in employee engagement surveys and in exit interviews. Making more of the opportunities afforded by these functions should be, for many C&E officers, “low hanging fruit.” And, looking to the future, using short targeted surveys in connection with C&E training might be a useful mechanism for some organizations – one which includes elements of both risk-area and general program checking.
Auditing

Next, we come to the “third line of defense” — auditing, which is more independent and less frequent (or immediate) than either type of monitoring. The category includes both internal and external auditing.
C&E audits are sometimes conducted on a stand-alone basis. But more often they are part of broader audits.
Risk areas often included in such audits are: anti-corruption, fraud, privacy, IP/confidential information and trade controls. Of course, and similar to the case with monitoring, there are also many industry-specific compliance requirements that are the subject of audits. For instance, healthcare/life science and financial services related compliance audits can — and often should — be very extensive.
Here, too, there is a general program dimension to C&E checking. Most important, in my view, is auditing C&E reporting channels and investigations. Among other things, such auditing may help a board of directors fulfill its fiduciary duties under the Caremark and Stone v Ritter cases.
But there are other types of general program auditing that a company should consider as well. Among these are a) auditing employee knowledge of key program expectations; and b) auditing against internal governance requirements, such as the operation of regional compliance committees.
Compliance auditing can be key to program efficacy, but it is not without its challenges. One of these is ensuring sufficient domain knowledge by auditors. Another is the risk of insufficient follow up to audit findings.
Finally, one cannot always have a “Caesar’s wife” approach to independence here, as a) auditors may want to involve the C&E function in their audit prioritization discussions — which can be important to promoting efficacy in auditing; and b) the C&E office may want to enlist Audit in various types of non-audit work — such as delivering training during the course of audits conducted in far-flung locations (which the C&E officer herself may not visit regularly). Finding the right balance within a company to these and similar issues is part of what’s needed to have an effective C&E checking regime. Here is a recent post on the Conflict of Interest Blog exploring this topic further.
Assessments — Program, Risk and Culture

Finally, we come to the realm of assessments, which tend to be more qualitative than are monitoring and auditing measures and are generally conducted by those with real domain expertise. Assessments fall into three types — each of which overlaps somewhat with the others: program, risk and culture.
Program assessments come in various shapes and sizes. Typically they include review of C&E program tools/elements about which many employees are likely to have information/views — such as C&E training and the helpline. Most program assessments include these areas, but how much a company should focus on them depends on various factors. For instance, getting a wide array of feedback on training will make sense if one is considering overhauling one’s training. And, helpline/investigation assessments can be particularly important for public companies and their boards.
However, program assessments should also include review of program tools/elements that relatively few employees have information/views about, such as monitoring approaches, pre-hiring due diligence and board oversight. These typically need to be assessed too, but the relevant volume of inputs can be smaller than with assessments of training and the helpline.
Also, not infrequently an assessment is limited to a given risk area, such as corruption. This is sometimes called a “deep dive,” though a deep dive will often have more transaction testing than one typically sees in general program assessments. Indeed, a deep dive will also include some element of risk and culture assessment.
Risk assessments are a very different animal from program assessments, and in some ways really fall outside of the world of checking — at least in theory. But in practice they do tend to overlap with program assessments, and so it makes sense to discuss them here. However, different types of risks should be assessed to different degrees, depending on factors specific to the organization in question.
The first set of risks to consider in this regard are those that are the primary responsibility of the C&E office and that are both broad (meaning that they touch many employees) and deep (meaning they have a potentially high impact). Included here are corruption, competition law and possibly fraud, as well as various industry-specific compliance mandates. For these one typically should have a robust and well-documented process.
A second set concerns risk areas that are the primary responsibility of the C&E office but are not so broad (e.g., insider trading) and/or deep (conflicts of interest, at least in some companies). One should generally cover these risks in assessments — but not necessarily to the same degree as corruption, competition law and fraud.
Third are risk areas that may be broad and deep, but may also be the primary responsibility of another function besides C&E at the company (e.g., trade compliance or employment law). For these, one might use a narrower gauge of inquiry in the assessment interviews/document reviews, at least if such functions have themselves already conducted some form of targeted assessment(s) regarding these risks. Among other things, this may be a good area for using awareness questions as a way of supplementing assessments that have already occurred.
The final type of assessment is the culture assessment, which is relevant to both program and risk assessment — as culture can impact both the degree/nature of risk and the efficacy of the program. But for planning purposes generally a culture assessment should be viewed as its own effort. Examples of what should be assessed include tone at the top, accountability, openness of communication, alignment of rewards with stated C&E values, alignment of the workforce with the interests of the company and its shareholders and the extent of pressure within the organization (meaning not whether pressure exists at all but whether it approaches or passes the “breaking point”). And, a practice pointer: one should assess the C&E impact of not just organizational cultures but geographic and industry ones too.
So, the world of checking is pretty vast — and again, this post is not offered as a comprehensive map of this territory. (Among the other areas I didn’t cover that are important are the role of the board of directors and senior management in monitoring C&E program measures and the ways in which technology can enhance various forms of C&E checking.) But, I’ve got to stop somewhere, and hopefully this will help some organizations that are looking for where to start.
Jeff Kaplan, a partner in the Princeton, New Jersey office of Kaplan & Walker LLP, has practiced compliance-program related law since the early 1990s. He created and writes the popular Conflict of Interest Blog. He can be reached here.