How to Audit Compliance in the Financial Services Industry: A Primer
By Carol Beaumier, Protiviti Managing Director


Anyone who has been involved in compliance management for the financial services industry over the last decade or more has seen expectations regarding the role and responsibilities of the Compliance function continue to evolve with increased responsibility. In the United States, within the last few years alone, we have seen new compliance requirements enacted for broker-dealers, investment companies and investment advisers. In addition, we have seen bank regulators continue to focus attention on the importance of compliance, particularly in the area of anti-money laundering compliance. For many other financial services companies, enhancing their compliance management capabilities has gone hand-in-hand with their overall focus on corporate governance.
This emphasis on compliance management is not restricted to the United States as regulators in many other jurisdictions and multi-national bodies, such as the Basel Committee, continue to advocate for strong Compliance functions. As the requirements and expectations for compliance management have changed, so too have the expectations for how Compliance should be audited.
Any discussion about how to audit Compliance should begin with the premise that Compliance is, or should be, an auditable area. A lot of literature stresses the importance of an autonomous, empowered Compliance department. Yet, we still see audit plans for financial services companies that do not recognize Compliance as a discrete function within the organization. Admittedly, this occurs more often in smaller financial services companies where the Compliance and Internal Audit (IA) departments are not independent—an organizational structure that is not optimal and not likely to be acceptable to regulators as these companies grow in size and complexity.
Plan the audit
For those IA departments that have identified Compliance as an auditable area, the first order of business is planning the audit. Similar to planning an audit of any specialized function, there are a few extra steps that should go into planning a compliance audit. Since most internal auditors probably do not have the time to monitor regulatory developments on a real-time basis, the first step in the planning process is to make sure the audit team is current on the important financial services regulatory developments since the last audit. This would include understanding not only the potential impact on Compliance of new laws, regulations and regulatory pronouncements, but also the effect of changes in regulators’ expectations and/or priorities.
One way to assess the regulatory environment is to review public enforcement actions. Another way is to ask Compliance for its own identification and assessment of its risks. If Compliance cannot provide this information, IA may have its first audit finding. Internal auditors should also work directly with the company’s regulators to seek their insight on current areas of focus as well as to assess the regulators’ comfort level with Compliance’s process to identify and manage evolving compliance risks.
Use of Frameworks
Another aspect of the planning process requires deciding what framework IA will use to evaluate Compliance. In some instances (for example, Part 352 of the USA PATRIOT Act, NASD Rules 3012 and 3013, SEC Rule 38a-1), there are very specific regulatory guidelines that must be considered. There are, however, a number of more generic frameworks that internal auditors can use to determine the scope of the audit, including: the Federal Sentencing Guidelines, the COSO ERM Framework, the Basel Committee principles on compliance (as documented in its publication entitled The Compliance Function in Banks), in addition to general guidance published by financial services regulators. While none of these frameworks is identical, there is a high degree of commonality among them suggesting a number of key program elements that should be included in an effective Compliance department. Each of the following is a key area to address in an audit of Compliance.
- Board of director and senior management oversight
- Risk identification and assessment
- The Compliance organization itself
- Policies and procedures
- A system of internal controls
- Training
- Self-monitoring and remediation
- A customer complaint process
- Reporting and record keeping
- Board of directors and management reporting
Board of directors and senior management oversight
IA’s assessment of the role of the board of directors and senior management in overseeing a company’s compliance efforts should address objective considerations, such as:
- Whether or not the board of directors and senior management have reviewed and approved the company’s Compliance program
- Whether the chief compliance officer has access to senior management and board members
- Whether Compliance is included when new products and services are considered
- Whether the company has instituted communication channels, including a whistleblower hotline, to encourage reporting of compliance issues and concerns
More difficult, but perhaps even more important, however, is IA’s assessment of the company’s compliance culture. This assessment involves making subjective judgments about whether the necessary resources (people and otherwise) and tools have been dedicated to the compliance effort, and determining whether the board of directors and senior management, through their words and actions, are communicating the importance of Compliance to the company. In this regard, IA should evaluate the processes in place to establish and enforce accountability for compliance deficiencies. If evidence suggests that compliance standards are enforced less rigidly for more profitable lines of business or “star” employees, this should be a cause for concern. Internal auditors also should consider recent changes (and the basis for such changes) in the approved size of the Compliance department; the number of open and unstaffed positions in the department; and the reason for any significant turnover in the management of the department.
Risk identification and assessment
The audit also should examine whether the risk assessment prepared by Compliance, which IA may have already reviewed during the planning stage, is current; comprehensive (for example, it addresses all activities conducted by the company and includes all applicable regulatory requirements); and the methodology used to conduct the risk assessment is documented and understandable to someone who was not directly involved in the process. Additionally, internal auditors should look for the linkages between the risk assessment and other elements of the Compliance program, such as monitoring and training. The risk assessment process should not simply be an exercise conducted in a vacuum to fulfill a regulatory expectation. Rather, it should be clear that the results of the risk assessment have been objectively and actively used to shape the company’s Compliance program.
The Compliance organization itself
During this part of the evaluation, it is important to consider the qualifications and experience of key Compliance personnel and the plan these individuals have developed for directing the company’s Compliance effort. This plan, which in most cases would be expected to be updated on an annual basis, should set forth the goals of Compliance and its tactics, including monitoring, training, policy and procedure review and updating, for realizing these goals. One measure of the effectiveness of such plans is how well they anticipate and proactively address important regulatory issues. If a company is continually blindsided by regulators’ criticisms of its Compliance program, it may be time to revisit the compliance planning process and the capabilities of those responsible. However, since an effective Compliance program does not depend solely on those individuals with “compliance” in their titles, it is important that IA assess compliance governance overall—the way that Compliance roles and responsibilities have been defined throughout the organization.
Policies and procedures
IA’s assessment of Compliance policies and procedures should focus on the company’s process for ensuring that policies and procedures are comprehensive, reviewed and updated on a periodic and reasonably frequent basis as well as accessible and understandable. IA also should verify that the company has a process in place for communicating important changes between periodic updates. In forming this assessment, internal auditors can test the process by selecting a significant and relatively new regulatory requirement and determining how effectively and efficiently the requirement was incorporated into policies and procedures and communicated to affected personnel.
The system of internal controls
Consideration of whether or not there is a system of adequate internal controls around compliance management should be second nature to any internal auditor. The considerations are much the same as they would be in any other auditable area: separation of duties, access limitations, second review processes and proper documentation of review and approval, etc. As with other areas, IA also would want to consider whether controls are manual or automated; manual controls, of course, are more prone to error. Where technology does support the compliance effort—and this is certainly a growing trend—internal auditors need to confirm that Compliance personnel understand the technology and are involved in any decisions to modify it. These auditors themselves also are expected to understand how the technology is being used and, as appropriate, challenge whether the technology is appropriately serving the company’s needs.
Training
In assessing a company’s Compliance training, internal auditors need to see the big picture and consider the effectiveness of the training effort. This means looking beyond whether the company has identified the trainees and implemented a process for tracking training attendance. It is important for IA to assess the quality of training materials, whether such materials have been appropriately customized for the audience, and the extent to which the company undertakes awareness initiatives (i.e., an article about compliance in the company newsletter, posters in the lunchroom) to reinforce the training message.
As compliance requirements continue to become more subjective and complex, the “traditional” method of spending a few hours a year presenting the same high-level summary of all applicable laws and regulations to all company employees has been, for most companies, replaced with a more thoughtful approach of identifying the specific requirements applicable to each department’s activities (and in some cases, the activities of individual job functions). The goal is to present detailed training that provides employees with a clear understanding of not only the applicable regulatory requirements, but also, and more importantly, how to satisfy those requirements as a part of their day-to-day responsibilities.
Self-monitoring and remediation
IA’s evaluation of a company’s self-monitoring and remediation activities should begin with verifying that the monitoring program incorporates any requirements specifically mandated by laws or regulations and that it is appropriately aligned with Compliance’s risk assessment. Adherence to monitoring schedules, quality of supporting documentation, effectiveness of the process to report monitoring findings (and escalate them, as necessary), and timeliness of remediation efforts also should be considered.
The IA team should re-perform a sample of monitoring activities to validate the conclusions. IA or regulator findings that identify problems not uncovered by self-monitoring require close examination of the root causes of these differences. Similarly, the audit team should be alert for monitoring procedures that identify the same deficiencies repeatedly without improvement in exception rates. This may signal an ineffective process for identifying and remediating the root cause of such deficiencies.
Separately, IA should ensure that an effective tracking and remediation process is in place to resolve issues raised during regulatory examinations. A common theme in most enforcement actions is the existence of issues noted by the regulators during successive exams.
The customer complaint process
The review of the company’s process for tracking and handling customer complaints should consider whether complaints receive a timely and appropriate resolution. Also, are there escalation procedures in place to ensure potentially significant issues are brought to senior management’s attention? It is important that Compliance adequately monitors the substance of the complaints received to determine whether there are any “red flags” that may point to significant compliance problems.
Reporting and record keeping
IA should also review how the company manages the myriad of reporting and record keeping requirements faced by financial services companies. This requires validating that all such applicable requirements have been identified, responsibilities are assigned, and controls are put into place to ensure required information is retained for prescribed periods, and, in some instances, is retrievable within mandated timeframes.
Board of directors and management reporting
Finally, the audit of compliance should assess the frequency and quality of compliance information provided to senior management and the board of directors. Such information should include: results of self-monitoring and compliance audits; status of identified exceptions; briefings on new legislative and regulatory requirements and their potential effect on the company; and periodic reporting on the “state of compliance.”
Effective Compliance departments avoid regulator consequences
As the foregoing steps suggest, the team charged with auditing Compliance must supplement basic audit training and experience with strong knowledge of the applicable laws and regulations; an understanding of compliance technologies; and the confidence to challenge experts and question senior management and the board of directors’ commitment, as necessary. This audit may not be the assignment of choice for the faint of heart, but the importance of conducting an effective audit of the Compliance department in a financial services company cannot be overemphasized. Failure to maintain an effective compliance management program subjects a financial services company to potential regulatory enforcement actions, civil and criminal penalties, restrictions on growth and expansion, and reputation risk.
The bottom line is: IA needs to play its part in making sure Compliance is effective.
Article from Protiviti KnowledgeLeader – www.knowledgleader.com.

