Ed. Note: We welcome back Troy McAlister with another guest post. Troy brings 20 years of experience at both public and private companies, in public accounting and in a variety of industries.  Troy has experience in establishing and managing multiple corporate compliance and internal control programs, including working directly with and resolving a DOJ-appointed monitor.  Troy lives in the greater Houston area, has his MS and BBA from Texas A&M University and a CCEP certification.

There are certain topics in compliance that are well known yet cause great angst amongst in-house compliance practitioners due to a lack of detailed and practical guidance on how to approach a large and seemingly daunting task.  Risk assessments come to mind.  So does the recent focus on data analytics.  In this submission, I would like to focus on another topic in this category… the compliance program assessment.  Assessing the effectiveness of your program is a fairly simple statement, but in my conversations with colleagues, there is always a concern about how you really gain such comfort.  You can’t just stick your thumb in the air and say “Yeah, everything looks good from here.”  It’s also impossible (or at least highly cost ineffective) to get complete assurance on every aspect of your program.  So I’d like to put forward an approach, which received praise during my time working with a DOJ monitor, that may be particularly useful for small to medium-sized programs that don’t have extensive compliance departments, structures or systems to rely upon.

Define Your Program Attributes

Let us assume you’ve picked a framework such as the Elements of an Effective Compliance Program, the U.S. Federal Sentencing Guidelines or created your own hybrid framework to use.  Let us also assume you’ve conducted a risk assessment and identified your primary areas of risk.  From these you can map out what the specific aspects of your compliance program are (“attributes”) such as governance committees, policies, procedures, approvals, etc.  You should define your attributes to a level of detail that allows you to verify their existence and effectiveness.  For example, just saying you have a hotline and investigation program is not detailed enough.  You should split that out into attributes such as 1) existence of an updated investigations policy, 2) communication of the existence of the hotline via your code of conduct, fliers, intranet postings, etc., 3) use of a third-party hotline system to allow confidentiality and anonymity, 4) use of a case management or tracking system, 5) review of metrics such as report volume by location and category, average days to close, resolution, etc., and 6) presentation of metrics to management and/or a committee of the board of directors.

Determine How You Will Assess Each Attribute

This granularity allows you to design appropriate methods to assess each attribute.  Please note, one assessment method such as a survey may apply to multiple attributes.  Now let us talk about assessment methods.  There are several ways you can obtain comfort for your attributes. The nature of the assessment should correlate with the nature of the attribute and its evaluated risk.  Some options:

-Surveys – These are useful for areas that do not have a piece of paper, an electronic file or something tangible to verify.  Assessing culture, willingness to report concerns, fear of retaliation, awareness of policies or resources, knowledge of certain topics… these are all areas where surveys can provide feedback.

-Direct Involvement – I considered any process in which compliance was directly involved as a method of assessment.  For example, compliance was a required participant in the project bidding processes for jobs outside of the United States and would provide an assessment of compliance risks for the particular job and location.  What better way to know if compliance is part of the company’s culture?  Similarly, compliance was a required approver for suppliers that met certain risk thresholds.  Our interactions with the business and supply chain function in that process provided invaluable feedback to gauge knowledge and understanding of corruption risk.  Our compliance department also performed annual evaluations of individuals or functions that were delegated compliance authority to determine if they were effective or had areas for improvement.

-Metrics and/or Data Analytics – Use of data metrics or analytics is a must for areas where simply seeing a process occur is not sufficient to determine its effectiveness.  Hotline metrics are a great example.  Comparing your metrics to annual benchmarking reports provides necessary context to evaluate your program.  Training metrics (number of courses, enrollments, completions, past due) are another area where this is valuable.

-Audits and Self-Assessments – I think most default to use of internal audit when they think of program assessments.  Internal audit should be used on your highest risks, assuming they produce a sufficient audit trail, such as third-party due diligence or gifts and entertainment.  It is helpful to have a policy or procedure for them to audit against as well.  You could also have internal audit design and execute audit programs for specific high-risk locations covering a number of different topics.  Don’t just assume they’re up to the task though.  Your internal audit team needs to have sufficient understanding of compliance and the areas being audited to be effective.  If not, you should consider third-party specialists.  Use of self-assessment procedures carried out by the process owners or by the compliance department itself is another consideration.

-Third-Party Program Assessments – Use of external firms or consultants to do a partial or full program assessment is extremely informative but also very expensive.  If you operate in multiple high-risk jurisdictions or have a number of high-risk topics, you should strongly consider engaging an outside firm on a periodic basis.  Otherwise, it may not be practical.

Planning and Execution

Once you have mapped your program out from framework to assessment, it is time to plan and execute.  Unlike SOX testing, there is no formal requirement that everything must be done at year end.  Balance your schedule and company resources so you are obtaining continual feedback.  It is also not necessary to perform the procedures every year.  Look at your risk and volume for each attribute… it may be more appropriate to conduct specific assessments every other year or rotate audits.

There’s no perfect formula or absolute assurance here, so adjust as you go.  As the FBI has stated at various conferences… if your program is identifying gaps, failures and issues that you can act upon… that is a sign your program is actually working.  Developing a calculated and documented approach will provide you with continual feedback and a reasonable level of comfort that your program is in place and operating as intended.

Key Takeaways:

  • The scope and scale of program assessments can be daunting and a challenge to design.
  • Breaking down your program to its individual attributes allows you to identify appropriate methods to assess their effectiveness.
  • Compliance programs are an iterative process… customize your process as necessary to address the risks identified and adjust as you go.