The Compliance and Audit Partnership: Top 3 Risks and Audit Responses

A few days ago, I presented at the 2013 Governance, Risk, and Control Conference in Phoenix, Arizona, and am excited to highlight the growing force Internal Audit plays in partnering with Compliance to establish and implement an effective compliance program.

We continue to see several trends crop up in the compliance world, and would be remiss to discount their importance. New employees and younger stakeholders have grown up in an era where information technology has created an increasing level of corporate transparency. Technology has made instant access to business ethics scandals possible, and this access has deepened public skepticism of corporations and their leaders.

Increased public scrutiny has led to stricter enforcement, which has in turn led to stronger cross-functional support and responsibility. For the most effective compliance program, the DOJ and SEC encourage Internal Audit to take on a greater partnership with Compliance and increase participation in risk assessment and strategy. Here are my three major predictions for how this will influence compliance in the near future and the role of Internal Audit:

1. Third Party Risk: The Achilles Heel

The Issues:

  • Complex, multi-level supply chains and distribution networks that span the globe
  • The public – including investors but also employees and consumers – are increasingly demanding transparency and corporate social responsibility throughout the manufacturing and distribution process
  • Companies face reputational harm from revelations of abuses and lapses in the supply chain
  • Expect more of the same and look for cases to include distribution networks as well as suppliers

My Recommendations:

  • Create a supplier code of conduct and update all relevant policies
  • Clearly assign managers within your organization with the responsibility to ensure that third parties are aware of their responsibilities and your expectations
  • Be specific in contracts regarding ethics and compliance requirements and ensure that your contracts allow you to periodically audit these third parties on a schedule of your choosing
  • Hold third parties accountable if they do not meet their responsibilities
  • Ensure that you are using a rigorous and defensible third party due diligence process and if necessary create a system to determine the risk level – legal and reputational – of your business partners
  • Offer to share your ethics and compliance best practices with your business partners

Audit’s Role:

  • Review the process for and the implementation of third party due diligence
  • Audit third party onboarding and contract execution
  • Audit select major transactions or payments and reimbursements to 3Ps or from 3Ps

2. Damage Control: Scandals Go Viral

The Issues:

  • Few companies are prepared for a fast moving crisis requiring a coordinated response from various corporate functions. If you want to lose sleep, think how easy it would be for:
    • A video depicting what appear to be poor working conditions in one of your manufacturing plants to go viral
    • Employees to post a YouTube spoof about your customer service
    • Revelations to surface in chat rooms or on cable news about a senior executive who falsified his or her credentials
  • Before you know what happened, your reputation – and your sales – is in a free fall

My Recommendations:

  • Ensure that your internal reporting processes require prompt internal escalation of allegations involving senior executives or which could cause serious financial or reputational harm
  • Conduct an annual crisis management drill. Ensure that the Board, senior leadership, investor relations, public affairs, communications and ethics and compliance are included. Use the drill to test preparedness and identify gaps
  • Make sure that your employees and business partners know what to do if they come across on-line posts that could be damaging. Who do they need to alert? Should they respond with posts of their own? (hint: the answer is ‘No’)

Audit’s Role:

  • Conduct ad hoc audits of the annual crisis management table top exercise
  • Business Process Improvement (BPI) analysis of ways to improve the response process

3. The Globalization of Ethics and Compliance

The Issues:

  • The ethics and compliance world has shrunk
  • Increasingly, we all play by the same rules
  • One consequence of this is the internationalization of ethics scandals. Not too long ago a list of top business ethics scandals would be dominated by US-based companies. But in recent years, we’ve added to the list:
    • Siemens, NewsCorp, BAE Systems, Barings Bank, Standard Chartered, Olympus, Societe Generale, Technip, JGC Corporation, Daimler AG, Alcatel-Lucent, Magyar Telekom and Panalpina, to name just a few

My Recommendations:

  • Watch your language. Review your Code, policies and training for any U.S.-centric language including idiomatic expressions and unnecessary references to US-specific regulations
  • Broaden your benchmarking internationally
  • Identify high risk employees and train them on topics such as import and export controls, trade restrictions, technology transfers and of course, bribery and corruption

Audit’s Role:

  • Audit training plans and curriculum mapping to ensure international awareness and training are occurring and can be documented

While cross-functional support is important in nearly every aspect of business, the role of Internal Audit and its partnership with Compliance continues to see growth as it relates to an overall effective compliance program. The U.S. Federal Sentencing Guidelines for Organizations Guidance (Nov. 2012) suggests that the due diligence of an organizational culture that encourages ethical conduct and a commitment to compliance with the law, at minimum, includes monitoring and auditing to detect criminal conduct.