Passing audits is one of the three fundamental goals of any corporate compliance program. The other two are protecting
the company from liability and mitigating the company’s strategic governance risks. Of these three goals, passing audits is perhaps the easiest to control if you design your corporate compliance program properly. As with any test, it’s easier to know the answers before the test is issued. This is why I espouse building your corporate compliance program from the end and working your way back -- what I call audit-driven compliance.
Audit-driven compliance is an approach to building a corporate compliance program specifically to pass audits. This is done by creating your audit kit first, before compiling your compliance procedures. It’s quite different from the traditional approach, in which you start with compliance policies, then build compliance procedures, then build audit plans and audit procedures. Flipping the process around has a number of benefits.
Why start your compliance program at the end?
The first and most obvious benefit of building a compliance program this way is it increases your chances of passing audits. When the audit processes and artifacts are left for last or not considered at all, you run the risk that your compliance procedures miss something that auditors need. Your operation may still be in compliance, but if you can’t demonstrate this fact to an auditor, guess what: A friendly audit can turn into a hostile investigation.
Guide to implementing audit-driven compliance
To make audit-driven compliance happen, first you have to create a good team. The team should be small and compact (no more than a dozen people), and should include a compliance expert, internal auditor, process developer, IT or data systems developer, business analyst and project coach/manager. You also have to make absolutely sure there is high-level executive support and protection for this team.
Take some initial time for group-building and getting people familiar with each other and the environment. There should be easy ways for the team to change or revamp the direction in which it’s going. Leverage IT skills to build in version control, not only for the data system but also for the policies, procedures and other components of the corporate compliance program.
Finally, build the system in small releases, and strive for small wins. Take a section or specific category of the overall compliance program, and always start with the question, “How would I audit this?” Work closely with your internal auditors and compliance experts to design your audit artifacts. Start with your scorecard, then build a section of your audit plan, then build some self-assessment artifacts. Then and only then do you start building your procedures and compliance data system.
Also, use your audit artifacts to test your system. Once you have a good set of policies, procedures, a compliance data system, scorecard, audit plan, self-assessments and anything else required for your program, start the process over again with another small portion of your compliance program. Continue building in this way until your compliance program is complete. -- J.W.
Second, starting at the end forces you to clarify your own understanding of the corporate compliance policy. If you cannot articulate how you would audit something, you probably don’t have a firm grip on exactly what the policy is. You could end up developing elaborate programs that are built around unclear policies and that don’t get tested until the first real audit. That’s not the time to find out you need clarification on a compliance policy.
Finally, having this kind of focus truly galvanizes the implementation team, which makes everything go easier and faster. For you, this means utilizing fewer resources, putting less stress on the resources that are being utilized and increasing your chances of success.
Elements of a good audit kit
Let’s review what a good audit kit looks like, since it’s where you’ll start. This will vary depending on internal auditor guidance and practical experience from external audits. I would suggest a scorecard, an audit plan and a set of self-assessments. The scorecard and plan are necessary for the audit, and the self-assessments are a good practice to ensure that your organization has the ability to catch things early. Of course, these are just the audit artifacts. Your compliance program will contain other important elements to support the audit, such as policies, procedures and a compliance data system.
The scorecard usually contains a series of questions that elicit a pass or fail response. Longer scorecards can be segmented by category. During an audit, auditors will systematically run down their list of questions, which your team will respond to with the help of your compliance data system. Depending on the results and quality of the response, the auditor will give the area a score of pass or fail. In the actual audit, the auditor may only use a sample of questions, but your scorecard should be comprehensive to ensure proper coverage.
The audit plan contains the details of how you will work through the audit. It may seem odd that you are telling the auditor how to proceed, but you would be surprised at how well something like this is received -- especially if you’re on good terms with your auditors. They may eventually create their own audit plan, but isn’t it terrific if they model their audit plan against yours?
At a minimum, it will communicate that your compliance program is well-organized and well-run. As with the scorecard, your auditor will probably not execute the whole plan, but your version of the plan needs to be comprehensive and flexible enough to go where the auditors want.
Self-assessments are less formal internal audits and should be scaled down to the point where your internal team can perform a quick assessment. You’ll want to run these periodically to check on things, and catch exceptions early so they don’t become a problem in the real audit. It’s good to focus on higher-risk elements of your corporate compliance program, and/or areas that have failed in the past.
Audit-driven compliance is a good approach for designing a portion of your compliance program, but it shouldn’t be the only approach. There are other fundamental goals of your compliance program that aren’t suited for this type of development. That said, auditing is one of the three goals, and it shouldn’t be overlooked. Audit-driven compliance is the best way to ensure that you pass audits. Just make sure you have a strong vision, strong support and a clear idea of what your goal is.