Let’s say you’ve put together a great compliance program, with policies in place to reduce business risk and curb corruption. But how do you know your program is actually working? If you know your program still needs to address a specific risk, how do you make your case for additional resources?
While some may see an audit as a disruption (or even a threat), it’s best to see audits as opportunities to improve the compliance program and the company. Audits provide an objective, unbiased tool for assessing your program, and can also prove valuable when you’re asking senior management for additional personnel or compliance management technology.
A good compliance program must identify specific risk areas for your business and address them in appropriate ways, such as vetting third parties and creating sensible rules for gift-giving and political contributions. In addition, the validity of those risks and methods must also be periodically tested.
From a high-level perspective, there are two basic ways to check your program’s effectiveness:
- Controls (financial and non-financial). These controls are built into the system, and could be thought of as hitting the pause button and taking a moment to prevent an action from becoming a huge problem.
- Audits (internal and external). An audit allows you to take a step back and examine the compliance program as a whole, including its built-in controls.
An audit team can assess your compliance program (and anti-corruption specifically) in terms of a broad range of issues, from legal and financial to IT. When used correctly, audits provide a risk-based review of your procedures, controls and systems, resulting in a “report card” of sorts.
An audit report on your anti-bribery program, for example, should assess it in terms of:
- Bribery or suspected bribery;
- Non-compliance with the policy or management system requirements;
- Failure of business associates to conform to the organization’s applicable requirements;
- Weaknesses in the anti-bribery management system; and
- Opportunities for improvement.
OPTIMIZING YOUR PROGRAM — AND THE COMPANY
As your business changes over time, your risk will also shift and change in various ways. If you set up a perfect compliance program but fail to adjust it alongside these changes, your system could soon be neither relevant nor effective. An audit helps an organization establish a baseline and identify emerging risks and potential problem areas — information that can then be used to optimize the compliance program and improve the company’s competitiveness.
When selecting sample projects, contracts, procedures, controls and systems for audit, that sample can be identified based on risk. For example, a high bribery risk project would be prioritized for auditing over a low-risk project.
While audit programs are mandated and defined by a variety of authorities, from FCPA guidance to ISO standards, they aren’t just a series of hurdles. An audit program is also a real benefit, as a way to periodically investigate and optimize aspects of your business.
Audit frequency depends on your organization’s requirements, and audits must normally be planned in advance so that the relevant parties can set aside time and have the necessary documents available. In some cases, however, organizations may find it useful to implement an audit that the parties being audited do not expect.
MAKING THE CASE FOR IMPROVING YOUR COMPLIANCE PROGRAM
When making your case to decision-makers, it’s not enough to say that your program would be stronger if you had more resources for additional personnel or compliance management technology. You need objective evidence, and that’s where audits can be particularly useful for compliance professionals.
Typically, an audit team reports to senior management (or even the board of directors) and their discoveries and recommendations carry great credibility. Armed with an audit report that identifies risk exposure, you can say, “This objective party has identified these risk areas; I know how to address these areas, and I’m going to need [XYZ resources] to do that.”
In this way, audits can actually bolster your argument for additional resources, in addition to the benefits that they provide in terms of strengthening your compliance program and reducing risk for the company.