One clear best practice to gauge the compliance culture and evaluate the strength of controls is to conduct periodic audits to ensure that controls are functioning well. Interestingly, compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in U.S. corporations. The safety committee and safety audits became mainstays of best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program. Indeed, audits were specifically delineated as far back as the 2012 FCPA Guidance to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical for a compliance audit to have a chance for success: 1) an effective audit program which specifies all necessary activities for the audit; 2) having competent auditors in place; and 3) an organization that is committed to being audited.
Auditing is a more limited review that targets a specific business component, region or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits, it is effectively monitoring. In other words, the protocol is simple: everyone understands you need to audit, but try to cut costs or corners and you will pay for it in the long run.
Three key takeaways:
- Auditing takes a deep dive into your high-risk compliance areas.
- Internal audit should test your key compliance risk areas as a part of their regular auditor rotation.
- The findings uncovered in an audit must be used in your compliance regime going forward.