Compliance is a top legal concern for companies in all industries. From adequately protecting customer and employee data to avoiding allegations of bribery and fraud, compliance can mean different things under different circumstances. But, in all cases, non-compliance can have the same consequence of exposing the company – and potentially its executives and board members – to potential liability and the risk of facing civil or criminal enforcement action.
With this in mind, maintaining compliance needs to be a top priority. Once a company has adopted and implemented a compliance program, the key to ensuring ongoing compliance is to conduct periodic corporate compliance audits. The purpose of these compliance audits is not necessarily to achieve one particular result (i.e. concluding that there are no issues), but rather to make an honest assessment of the sufficiency and efficacy of the company’s compliance efforts so that any issues can be remedied before they lead to trouble.
When is the Right Time to Conduct a Corporate Compliance Audit?
So, conducting corporate compliance audits is important; but, your company does not have unlimited resources. With this in mind, when should your company audit its compliance efforts?
In broad terms, there are two answers to this question: (i) corporate compliance audits should be conducted systematically on a periodic basis; and (ii) companies should also conduct an audit any time a potential compliance concern arises.
“Conducting thorough and timely compliance audits is an essential component of corporate risk mitigation. However, in order to be effective, a compliance audit must be appropriately targeted and structured, and the company must be prepared to take appropriate responsive action, whatever that may entail.” – Dr. Nick Oberheiden, Founding Attorney of Oberheiden P.C.
With regard to systematic periodic compliance audits, the frequency of a company’s compliance auditing should be determined based upon its scope of risk. The greater the risk of compliance failures, the more often compliance audits should be conducted. In this regard, it is also important to keep in mind that compliance auditing is not necessarily an all-or-nothing proposition. If certain areas of the business present greater risks than others, then it may make sense to conduct targeted compliance audits more frequently in the areas of higher concern.
With regard to ad hoc corporate compliance auditing, the types of events that should trigger an audit will also depend on the nature of the business, the scope of its operations, and the scope of its risk. The scope and nature of the potential triggering event are relevant as well. For example, while all complaints of employment discrimination should trigger at least some level of inquiry, a billing administrator’s one-off mistake might not necessarily warrant a full-blown billing compliance audit. On the other hand, if there are concerns about systemic issues due to inadequate training or possibly outdated billing guidance, then a comprehensive compliance audit may be warranted.
3 Keys for Conducting an Effective Corporate Compliance Audit
In order to serve its intended purpose, a corporate compliance audit needs to be effective in achieving its goal of identifying any and all potential compliance concerns (whether on a company-wide scale or in a particular area of the business). If a compliance audit is not effective in achieving this goal, then the audit could potentially have the opposite effect of giving the company’s leadership false security in an ineffective compliance program.
What does it take for a corporate compliance audit to be effective? While internal audit programs must be custom-tailored to each company’s specific risks and needs, here are three general keys for conducting an effective corporate compliance audit:
1. Fully and Accurately Assessing the Company’s Compliance Obligations
In order to conduct a compliance audit, it is first necessary to have a comprehensive understanding of the company’s compliance obligations. Companies’ obligations can vary widely depending on their size, industry, and operations. At the federal level, some of the key areas of compliance include:
- Advertising and commercial compliance. From false and unsubstantiated marketing claims to CAN-SPAM Act compliance, and from consumer finance and data protection to e-commerce practices, there are various aspects of advertising and commercial compliance. These issues largely fall within the jurisdiction of the Federal Trade Commission (FTC), and the FTC is active in enforcing companies’ legal obligations.
- Anti-corruption and bribery compliance. For companies that do business overseas and with foreign governments, compliance with the Foreign Corrupt Practices Act (FCPA) is essential. These companies must be prepared to demonstrate not only that they have FCPA compliance policies and procedures in place, but also that they are taking active measures to ensure anti-corruption and bribery compliance.
- Antitrust compliance. Antitrust violations can lead to civil litigation (under the Sherman Act’s private-right-of-action clause) and federal enforcement action.
- Consumer finance compliance. The Consumer Financial Protection Bureau (CFPB) enforces a multitude of federal laws and regulations that govern companies’ lending and collection practices. Companies that extend credit to their customers must ensure that they are consistently taking the necessary steps to avoid CFPB scrutiny.
- Data security and privacy compliance. Protecting data privacy is simultaneously becoming more important and more difficult than ever. Companies of all sizes have data security and privacy compliance obligations, while larger companies can face substantial compliance burdens.
- Government contract and program compliance. For government contractors and companies that rely on government benefit programs (e.g. Medicare and Medicaid), maintaining strict compliance is essential for avoiding fraud investigations and the potential for civil or criminal enforcement action. Government contract compliance and program compliance are two entirely different realms, and each requires a very specific approach to compliance.
- Employment law compliance. State and federal employment laws impose a host of compliance obligations for employers. Employers must adopt custom-tailored policies and procedures that are designed to ensure compliance, they must monitor for compliance on an ongoing basis, and they must be prepared to investigate promptly when issues (or potential issues) arise.
- Environmental compliance. From energy usage to hazardous waste disposal, companies’ environmental compliance obligations can impact various aspects of their operations. These obligations exist at the state and federal levels, and the Environmental Protection Agency (EPA) and its state equivalents vigorously enforce companies’ duties.
- Import and export compliance. Import and export compliance is another area where companies can get into trouble—in many cases unexpectedly. Importing and exporting are both subject to various controls at the federal level, and companies that fail to implement the necessary protocols can face issues ranging from customs and duties enforcement to allegations of compromising national security.
- Industry-specific compliance. From transportation to healthcare, companies in various industries face comprehensive and complex industry-specific compliance obligations.
- Securities compliance. Securities compliance is another area where companies of all sizes (both public and private) can face compliance obligations, and where non-compliance can lead to swift and aggressive enforcement action at the state and federal levels.
- Tax compliance. Federal, state, and local tax compliance is another area of concern for all companies. Non-compliance with regard to income, employment, sales, and other taxes can lead to investigations, enforcement action, and substantial penalties.
2. Taking the Necessary Steps to Conduct an Effective Audit
Once you have a clear understanding of the compliance concerns that your corporate compliance audit should address, then your efforts can shift toward conducting the internal audit itself.
- Assemble the audit team. A corporate compliance audit team should consist of appropriate internal personnel and the company’s outside legal counsel. When choosing internal personnel to assist with the audit, it is imperative to ensure that those who are involved in the process are entirely unbiased—and thus their employment-related activities should generally fall outside of the scope of the compliance audit. The effort should be led by outside counsel, with clearly established communication channels and a chain of command.
- Collect all relevant files. In order to be comprehensive, a compliance audit needs to examine all relevant files—without exception. Once the scope (including subject matter and time period) has been established, then appropriate efforts should be undertaken to retrieve all pertinent files from both on-site and off-site storage.
- Conduct employee interviews. In addition to reviewing files, it may also be necessary to interview selected employees. These interviews need to be conducted carefully, and the timing, the questions asked, and the information shared with the interviewee all need to be strategically selected.
- Assess all information gathered. Once all pertinent information has been gathered, then it is time to thoroughly and systematically review the information. As shortcomings at this stage can frustrate the purpose of compliance audits, it is imperative to ensure that no information goes overlooked.
- Evaluate compliance risks and deficiencies. After assessing the information gathered, the final step is to evaluate the company’s compliance risks and deficiencies. Does the audit confirm that the company’s compliance efforts are sufficient? Or, does it reveal that there is work that needs to be done?
3. Thoroughly Examining the Corporation’s Compliance and Response Efforts in All Areas
The final key to conducting an effective corporate compliance audit is to ensure that the efforts undertaken do not go to waste. Here, too, failing to take appropriate action can potentially be more harmful than a simple compliance failure, as authorities expect companies to address compliance deficiencies once they have been identified.
If the audit identified an issue, what is the issue’s root cause? Does the company’s compliance documentation need to be updated? Do employees need better training? Has a particular employee undertaken acts that fall outside the scope of his or her employment? Is the company pursuing a new business opportunity for which no compliance policies or procedures are in place? These are all very different scenarios, and each requires a specific and targeted approach in order to mitigate the company’s risk exposure.