This article is the second in a ten-part series to help compliance officers better manage the growing demand for audits.
The first article in the series was 4 Tips To Help Compliance Officers Get Audit Management Support.
The purpose of this article is to help compliance officers get the structure and workflows set up correctly for efficient audit management and reporting. Structure is key to any compliance program.
Below are the 4 steps to help compliance officers set up the right structure and workflows:
1. IDENTIFY LEGAL OBLIGATIONS AND TRANSLATE THESE INTO SPECIFIC COMPLIANCE REQUIREMENTS
First, accurately identify all your compliance obligations, and how they impact the business. Then, translate these obligations into clear requirement statements.
Organise these requirements according to the underlying regulations, standards, and codes, as well as common requirements, such as the requirement for management commitment, policy development requirements or monitoring requirements. This will give you the opportunity to amalgamate several of the common or similar requirements, and ensure they are all addressed in a single audit question or group of questions.
It will also pay to identify online resource materials for each of the requirements, and also the corporate documents (policies, procedures, guidelines, codes, etc.) which set out the means by which the organisation assures compliance.
You will need to be very clear on:
- The evidence that auditors will need to verify that compliance obligations have been met.
- The internal or external processes that must be adhered to in order to achieve compliant outcomes.
- The key dates, both static and recurring, on or by which compliance activities must be completed.
This list of compliance obligations, both internal and external, will form the foundation of your compliance checklists and the audit questions needed to verify compliance. The right audit questions will almost “fall out” of these requirements, and you can get very specific, for example:
- Has the board of directors reviewed the anti-corruption policy in the last 12 months?
- Has the review included the following risk areas: 1, 2, 3, etc.?
- Has the review been recorded in board minutes, approved by the chair?
- Have all changes initiated by the review been assigned to individuals to implement with prescribed completion dates?
Note that questions such as these are closed and specific, which will greatly assist your audit team to seek the appropriate evidence (e.g. board minutes) when making an assessment.
2. KNOW WHO, OR WHAT, WILL BE SUBJECT TO AUDITS
Now, list all the people, processes, sites, vendors and third parties that will be held responsible for meeting compliance obligations, or who will be subject to compliance monitoring.
The list, which is likely to be comprehensive, should be organised into folders with each folder representing the business structure. For example, you might arrange the list into domestic and international operations, then into countries, states or other regional groupings. You could also arrange the list along divisional lines, then into manufacturing and service business units – or into departmental groupings.
Sometimes an entity may belong to several groups, in which case you can set other categorisation attributes for each entity. For example, a vendor may be a supplier to several business units, and in addition, may be part of a supply chain.
Once you have organised all your compliance monitoring subjects into a logical framework, you will be in a good position to slice and dice your audit results along divisional or regional lines, and will be able to provide consolidated reports which “roll up” results for a selected part of the business.
3. DETERMINE RISK
You are unlikely to ever have the resources you need to monitor every possible aspect of your business, and one way of logically concentrating your efforts where they are most needed is to segment your list of auditees (step 2) according to risk.
You will need to formulate the criteria that you will use to evaluate the level of risk in each case, and the events that will trigger a change to the risk level. For example, a vendor who frequently scores badly in an audit would represent a higher risk than one who is clearly diligent. An agent that refuses to be audited, or who routinely finds reasons to delay an audit, would also represent a potentially higher risk. Similarly, an auditee who racks up a lot of Corrective Actions (i.e. deficiencies) represents a higher risk too.
The end goal is to define “compliance” risks to the business, and to rate each auditee as low, medium, high or very high.
The identification of these risks is a critical component of your compliance program, and it is not a once-off task.
4. ESTABLISH AUDIT FREQUENCIES BASED ON RISK PROFILE
The risk level will determine the level of attention you will give to each entity. High risk = high attention by compliance!
Your system needs to be set up so that any risk level changes are quickly and dynamically incorporated into your audit program, so that you are able to respond rapidly to emerging red flags.
And finally, risk assessments should be conducted at regular intervals, taking into account a wide range of changing circumstances. The risk assessment system needs clear definitions of various risk types, and should provide a scoring basis for evaluating risk levels.
These four steps will set your compliance system up for success. This is where much of the groundwork takes place, but the effort you put into this foundation will serve you well in the future.
If you have any questions about any or all of these steps please include your question in the comments section below.
In the next article in this ten-part series, we’ll have a look at audit scope: what to include, and what to exclude.