Does it work: testing and assurance of compliance programmes

“The DOJ and SEC have no formulaic requirements regarding compliance programs. Rather, they [ask] three basic questions: Is the company’s compliance program well designed? Is it being applied in good faith? Does it work?” (DOJ/SEC Resource Guide to the FCPA)

Multinational companies have invested heavily in ethics and compliance programmes in recent years, in response to accelerating regulatory enforcement and high-profile investigations: Petrobras, FIFA, VW and so on. While US and UK regulators have given clear guidance – supported by consistent guidance from the United Nations, World Bank, Transparency International and others – most corporates have largely neglected the requirement that, to be effective, compliance programmes must periodically be tested. Companies new to modern ethics and compliance programmes rightly focus on developing policies, procedures and training, but in short order those measures should be assessed and tested.

Why test?

Ethics and compliance programmes have two primary purposes:

• first, to actually reduce the risk that improper behaviour may occur and,
• second, to provide a serious and credible response (to regulators, to shareholders, to customers and business partners and to the public) if improper behaviour occurs, notwithstanding the company’s best efforts.

A failure to test the effectiveness of a compliance programme guarantees that neither goal will be fully realised. Failing to test or monitor the programme means that weaknesses in its design or implementation are unlikely to be identified and remediated until it is too late. A failure to test or monitor the programme also devalues it in the eyes of regulators, particularly where an issue arises in an area of weakness that could have been previously identified and remediated. This can have serious implications: prosecutors will be more likely to pursue a case, and less likely to give the company credit for their compliance programme. Under the UK Bribery Act, that means potentially not qualifying for the s.7 “adequate procedures” defence: “monitoring and review”, encompassing both internal and external verification, is one of six principles set out by the Ministry of Justice in its “outcome focussed” assessment of a corporate’s compliance programme. Similarly, US Federal Sentencing Guidelines make clear that, along with self-reporting and cooperation, the key factor “that mitigate[s] the ultimate punishment of an organization [is] the existence of an effective compliance and ethics program… including monitoring and auditing to detect criminal conduct [and evaluating]… periodically the effectiveness of the organization’s compliance and ethics program”.

Done right, systematic and periodic testing, monitoring and reinforcement processes not only mitigate risk, but also have major benefits in driving the effectiveness and efficiency of a compliance programme. Testing and monitoring helps to identify areas for improvement before more costly issues arise and helps to root out inefficiencies or inconsistencies. Testing can also drive effective implementation and provide a significant deterrent: if, for example, employees know that a sample of expenses or gifts and entertainment records will be reviewed, it is likely to encourage them to abide by company policy and follow proscribed procedures and controls. Testing and monitoring also provides valuable management information that senior personnel can assess in discharging their responsibilities to ensure that compliance risks are properly managed.

Done wrong, “certification” can be dangerous. Many companies have sought “certification” from external consultants that they have in place a compliance programme. Such certification is of limited value because what needs to be tested – and what regulators are interested in – is whether the programme is effective, not whether it exists.

“A good compliance program should constantly evolve…. compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale… An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” DOJ/SEC Resource Guide to the FCPA

How?

“Commercial organisations will…wish to consider how to monitor and evaluate the effectiveness of their procedures and adapt them where necessary…Organisations could…consider formal periodic reviews and reports for top-level management… [and] seeking some form of external verification or assurance of the effectiveness of procedures” Ministry of Justice UK Bribery Act Adequate Procedures Guidance

Monitoring and testing should follow a systematic and risk-based methodology. It should be conducted periodically by individuals independent from the matters reviewed. A hybrid team of company personnel (from audit, legal and/or compliance, and possibly with representatives from the business) and outside advisors ensures that the company’s internal team benefits by learning the review process, whilst receiving the outside perspective of experts who have experience across a range of companies and sectors. Such an approach also leverages the company’s existing resources, helping to control external costs.

The scope, methodology and results of the review should be carefully recorded. The exact nature of the monitoring will vary depending on the company’s structure and the risks relevant to it, but reviews can include some or all of the elements set out below.

First, the framework, content and ownership of policies and associated training should be reviewed on a periodic basis. This review provides a systematic check that policies and training are up-to-date with legal requirements, properly owned by an appropriate individual or team, and ensures consistency as between various policies.

Second, a sample set of recent transactions should be tested. This is likely to involve a combined review of accounts, supporting documentation and interviews. This is not primarily a matter of auditing compliance with internal procedures, but rather a substantive review to identify strengths and weaknesses of existing processes and controls, deficiencies in comprehension and to detect broader issues for remediation. Such an assessment adds rigour to and supplements the company’s ongoing risk assessment process. This is particularly suitable for higher-risk third parties, markets and transactions and/or as a periodic in-depth review on a rolling market-by-market basis.

Third, comprehension of legal requirements, risk factors and ethical responses should be tested. For the general employee population, this usually means evaluating the uptake from your existing training programme and making improvements where appropriate. For senior managers, more sophisticated exercises can be used to assess whether proper “tone from the top” is being set, which can inform broader strategy discussions.

Testing and assurance is not an optional bolt-on, a “nice to have”: it is a fundamental requirement for an effective ethics and compliance programme that meets regulatory expectations. It is also not merely a matter of determining whether processes are being followed: it is ensuring that policies and standards are understood and being met on a daily basis, and that employees are well-equipped to make the right decisions. Put another way, testing ensures that the company’s ethics and compliance programme really works, and that it continues to work as its business changes and grows.