Expert Corner: Auditing a compliance and ethics program

By Dan Swanson and Jose Tabuena

Broadly understood, assuring compliance with an organization’s policies and procedures, as well as legal and regulatory requirements, is an important activity that supports the functioning and reputation of successful organizations. Monitoring and maintaining compliance is not just to keep the regulators happy; compliance with regulatory requirements and the organization’s policies and procedures is also a critical component of an effective enterprise-wide risk management program and is a sign of good corporate governance. It is an important way in which an organization achieves its business goals, sustains its ethical health, works towards long-term prosperity, and preserves and promotes its values.

This article focuses on leading practices regarding auditing compliance and ethics programs. References are included for those who are charged with governance responsibilities and professionals tasked with completing an audit of a compliance and ethics (C&E) program. An “audit” of the program can provide an independent and objective assessment of the appropriateness and adequacy of the C&E program structure and the operating effectiveness of specific C&E program activities.

Auditing the C&E program can further provide a basis for identifying areas to improve and enhance the program. As such, the audit can serve as a technique to support assessing the performance and the effectiveness of the program.

An effective C&E program is best implemented as integrated processes that are owned by designated functions and managed by a senior executive who has overall responsibility and accountability. Compliance has proven to be a significant implementation and change management challenge, but it provides an opportunity to establish and promote “operational effectiveness” throughout the organization. The trend toward increased integration of governance, risk management, and compliance efforts [1] (referred to as “GRC”) is another emerging development. A well-conducted C&E audit can serve as a catalyst for change to assist the organization in linking these critical and related areas while supporting operational effectiveness.
The measurement challenge
As with the testing and evaluation of entity-level controls under Sarbanes-Oxley §404 [2], the audit challenge with C&E programs is how to assess and measure the performance and overall impact of the program – including making any assertions on “effectiveness.” This has been an elusive challenge for compliance professionals since the U.S. Organizational Sentencing Guidelines became effective in 1991.

Although the 2004 amendments to the Sentencing Guidelines provide more rigorous criteria for defining an effective C&E program, they do not specify how to measure or otherwise determine whether a particular program element is indeed operating effectively. One can agree with the case made in the amended Sentencing Guidelines that an effective program should “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law”; but there is not yet a commonly accepted measurement technique for evaluating an organization’s ethical climate or other features of the C&E program.

Still, some form of program evaluation should be undertaken to at least determine whether program features are in place and to identify opportunities for improvement. The government itself will make an assessment of the C&E program in determining whether to indict an organization [3] or when applying credit under the Sentencing Guidelines to an organization that is charged (and the government has retained independent experts to assist in the assessment).

Given the lack of a standard measurement technique, how should a C&E audit be approached? There are several considerations, given that auditing C&E (and other governance processes) requires the examination of intangibles (such as the management philosophy and operating style of senior management) and that even tangible areas (such as policies and rules and employee perceptions) do not lend themselves to obvious measurement.

For example, substantive and process-oriented audits can be viewed as evaluating whether employees are actually complying with the law and are following corporate procedures (or controls) that have been put in place to foster law-compliant conduct. One could conduct a process audit to determine whether an employee is adhering to required protocols and then perform a substantive audit to determine whether the resulting work product meets regulatory requirements.

In auditing a program, one must have a basis for making an evaluative assessment. One consideration is: effective compared to what? In addition to testing compliance with standards (e.g., transactions in the area had a 5% error rate), an organization can compare its practices to the Sentencing Guidelines criteria and other indicators, such as the COSO control environment framework, industry-specific standards, etc.

Another perspective is considering effectiveness compared to whom? An organization can look at its practices and benchmark to its peers, recognizing that others can appropriately approach program design with varying levels of rigor, each likely seeking to meet the spirit of a guideline, framework, model, standard, criteria, etc., in light of their actual business risks.

More likely, a C&E program audit is conducted to assess whether key features of the C&E program itself (e.g., distribution of the Code of Conduct, attendance at ethics training, hotline operations) have been implemented and are operating as intended. This type of audit may not ultimately answer the question of whether C&E program activities are actually reducing incidences of non-compliance, but it can tell you whether the design is in place and the program is operating as intended.

Auditing the C&E program should thus be viewed as part of an overall evaluation process that alone is likely not sufficient to demonstrate effectiveness unless it is approached in a comprehensive manner.

A summary of potential audit and related evaluative approaches is as follows:

  • Review compliance program design, structure and processes
    • Identify effectiveness indicators
    • Perform gap analysis: how do your C&E program features compare to established criteria and leading-edge practices?
    • Benchmark: how do your program features compare to your peers’?
  • Audit the program: assess implementation
    • Validate operational features of the C&E program
    • Gauge awareness and perceptions of the C&E program and assess organizational culture (conduct cultural assessment surveys, focus groups, etc.)
  • Audit compliance with standards
    • Perform outcome/impact analysis
    • Test whether transactions and activities meet legal requirements and company policies and standards
    • Perform other analysis to evaluate whether C&E program activities are reducing the risks of misconduct

Periodic program evaluation
At a minimum, the board and management need to evaluate the design and operating effectiveness of the company’s C&E program on a regular basis. Under the Federal Sentencing Guidelines for Organizations, one of the criteria of an effective program is for an organization to take reasonable steps “to evaluate periodically the effectiveness of the organization’s compliance and ethics program” [4]. A regular program evaluation supplements the ongoing, day-to-day monitoring of C&E related activities. An internal audit provides one means for an in-depth analysis of the C&E program, including its design, effectiveness, and possibly overall performance. (Other effectiveness techniques and auditing and monitoring methods, such as a self-assessment or management review of C&E efforts, are beyond the scope of this article, although many of the concepts are relevant and could be considered by management.)

Every audit has three general phases: planning, fieldwork, and reporting; and an audit of a C&E program is no different.

During the planning phase, after the scope is agreed upon, the audit team should confirm that all key risks and issues are identified and considered, that the audit objectives will meet the organization’s assurance requirements, and that the C&E program is well understood.

Defining the objectives of the audit is one of the most critical steps, because the objectives define the level of assurance the board and management will be provided, and they must support the purpose of the audit. Early in the audit project, the internal audit team should hold discussions with management and the board to assess the stakeholders’ assurance needs and ensure the audit will meet those needs.

Compliance and ethics efforts cover a very broad span of activities, which can include such things as implementing a code of conduct, operating a whistle-blowing hotline service, and maintaining a quality management system. The audit team must define a proper focus for their efforts.
Risk assessment
The audit should be based on a comprehensive audit risk assessment; that is, the auditors must identify the key risks facing the company’s C&E program efforts and use them to help decide where to concentrate the audit. Key risks to the organization include: reputation, ensuring compliance with multiple and complex regulations, establishing a culture of trust and excellence, and many more.

Three key audit goals that should be determined for a C&E program audit are:

  • Whether the C&E program provides reasonable assurance of compliance with organizational policies and applicable laws and regulations.
  • Whether the compliance and ethics program is documented, in place, and appropriately resourced to meet the organization’s needs.
  • Whether the C&E program has been implemented effectively, and that its performance reporting system has been defined and accurately presents the results of the program.

Some critical program structure and process issues to explore during the audit include: the consistency and integration of the C&E program among the different business units within the organization; coordination between the compliance and ethics officer(s) and the individual business units; a clear and effective division of roles and responsibilities among the many parties involved; and, most importantly, that an effective “tone at the top” has been successfully communicated and implemented across all levels of the organization.

It is vital that the audit focus on evaluating the significant components of the C&E program; that is, the audit team should use a risk-based approach to find the key elements most likely to cause problems for the organization and/or most in need of confirmation that they are operating properly. The planning phase is an opportunity for the audit team to confirm that the audit scope will be appropriate and that management and the board agree (at least in principle) with the audit plans.

Evaluating the components
In the fieldwork phase, the team evaluates the C&E program’s various components, based on the goals and methodology finalized in the planning phase. Three key questions to answer are: 1) how the board sets its “tone at the top” and communicates their values to employees; 2) how employees at all levels of the company perceive management’s commitment to those values; and 3) how the company handles compliance or ethics issues that arise from compliance failures.

The evaluation of the quality of the program’s data gathering, information systems, and performance reporting is also very important. If performance reporting is not robust, the board may not be informed appropriately, management will be challenged to respond to issues on a timely basis, and the organization could be “out of control.”

Determining what is sufficient audit testing and what is the appropriate evidence (for the audit findings and conclusions) involves extensive professional judgment. As discussed in the OCEG Internal Audit Guide, there is no right answer. It depends on the purpose of the audit (for which audit tests will be critical), the intended client of the audit report, and its conclusions (for the audit evidence requirements).

Evaluating the information
In evaluating collected data from the audit, a starting point is assessing whether the C&E program covers the bare minimum requirements that an organization must meet, such as having qualifying program elements under the Federal Sentencing Guidelines. The inquiry in this instance seeks to determine whether the program’s design incorporates criteria that are either explicitly delineated in the Sentencing Guidelines or considered fundamental to their plain meaning. Thus, for example, questions to determine whether a company has met these minimal requirements might include: Has a compliance officer been designated? Is that person high-level, or does that person report to someone who is? Does the organization have a code of conduct, and is there a helpline employees can call to report misconduct or seek guidance?

Clearly a baseline evaluation is insufficient. Merely looking to the guidelines has the potential effect of screening out criteria that arguably many practitioners have come to believe are associated with effectiveness. Further, some guidelines expressly caution that their standards should be viewed only as minimum requirements. Thus an organization that considers only baseline practices may not, in fact, have a compliance program that would be deemed creditworthy under the Sentencing Guidelines.

For these reasons, organizations should go beyond minimum requirements and assess their program at another level of design analysis: that of established or common practices, namely those features that, while not explicitly stated in the elements of effectiveness, may significantly contribute to a program’s performance. Here, the analysis considers whether the compliance program is consistent with practices that companies with relatively mature programs have found to correlate with effective compliance management.

A common practice model, which should provide the basis for these evaluative questions, can be derived from primary sources. The company can create a model itself by comparing its systems against identified leading peers. In the field of organizational compliance, this can be facilitated through membership in such organizations as the Ethics and Compliance Officer Association or OCEG, and supplemented by published commentary on best practices. The audit team can then synthesize this information using a gap analysis model. For instance, sample questions to determine whether a compliance program incorporates common practice features may include:

  • Does the helpline have a publicized non-retaliation policy?
  • Is the board of directors systematically briefed on compliance issues?
  • Was the code of conduct vetted with employees prior to its publication?

A third category of design analysis seeks to determine whether the C&E program is informed by what might be called leading-edge practices, i.e., practices that are likely to be found in only a small percentage of programs, but which companies with especially well-regarded programs have found to correlate with effectiveness. Arguably, a company establishing that its C&E program meets a high percentage of leading-edge criteria will be more likely to make the case that its program is effective, should it ever have occasion to do so. However, because leading-edge criteria go beyond what is undertaken by many companies, a company could decide not to adopt leading-edge design criteria and still have what would be regarded as a credit worthy compliance program under the Sentencing Guidelines. But, because leading-edge practices often correlate with effectiveness, it is worth at least considering them as part of the design component of the audit review.

Example questions to determine whether a compliance program incorporates leading-edge design features may include:

  • Does the company take affirmative, follow-through actions to ensure that retaliation does not occur?
  • Is the compliance officer involved in the company’s strategic decision-making process?
  • Is the compliance program periodically and comprehensively evaluated for effectiveness?

Ultimately what was once considered leading-edge may eventually evolve into the realm of common, best, or expected practices.

In the reporting phase, the internal audit team communicates the audit results to all the stakeholders. This includes providing an unbiased assessment of whether the objectives of the C&E efforts are being met and outlining the steps that management plans to take to improve C&E efforts. A well-planned and executed internal audit should make audit reporting straightforward: you tell them what you did, you tell them what you found, and finally you tell them what management plans to do about it. That’s all there is to it.

Are governance efforts having an impact?
The audit of a C&E program must also be part of a larger overall, long-term audit plan that will meet the assurance requirements of the board and management. A series of internal audits or assessments of C&E efforts may be advisable when the program has a large and/or complex scope.

Management should not be developing processes, procedures, and the like during the actual audit. The audit team should be evaluating whether the “established” processes of the C&E program are meeting the organization’s requirements. It is also recommended that management complete a “self-assessment” of its C&E program prior to an internal audit. The OCEG 20 Questions guidance, available in the appendix of the OCEG Internal Audit Guide, is an excellent tool to help complete a management self-assessment.

Sarbanes-Oxley-related efforts have been focused on ensuring the accuracy and integrity of financial reporting and disclosure. The board should now be given an internal audit opinion on the organization’s broader organizational governance and control environment activities, and in particular the C&E program efforts and results.

Compliance and Audit Resources
Auditing compliance and ethics efforts is not for the uninformed. The internal audit team and chief compliance and ethics officers should study all the various guidance that is available, and in particular, review closely the OCEG Internal Audit Guide for auditing a C&E program.

  1. The OCEG Internal Audit Guide (IAG) for the audit of a compliance and ethics program and OCEG Framework and Foundation-level and Domain-level guidelines (The OCEG Red Book: www.oceg.org).
  2. The Ethics & Compliance Officer Association (ECOA) has resources for individuals who are responsible for their company’s ethics, compliance, and business conduct programs: www.theecoa.org/
  3. The Society of Corporate Compliance & Ethics (SCCE) strives to champion ethical practice and compliance standards and to provide the necessary resources for compliance professionals and others who share these principles: www.corporatecompliance.org
  4. Although focused on the healthcare industries, the guide Evaluating and Improving a Compliance Program: A Resource for Health Care Board Members, Health Care Executives and Compliance Officers is a useful source of information and best practices regarding the operation and evaluation of compliance programs: www.hcca-info.org/Content/NavigationMenu/ComplianceResources/EvaluationImprovement/default.htm
  5. Surveys and benchmarking of C&E program practices can be found at OCEG and other various sources, including the following: The Conference Board and the ECOA: Resisting Corruption: An Ethics & Compliance Benchmarking Survey (2006) at www.conference-board.org; and Corpedia’s various Compliance Program and Risk Assessment Benchmarking Surveys at welcome.corpedia.com
  6. Some thought provoking presentations on ethics and ethical self-assessments from PDK Control Consulting International Ltd.: www.csa-pdk.com
  7. The National Association of Corporate Directors series of Blue Ribbon Reports: www.nacdonline.org
  8. The Institute of Internal Auditors’ “Expressing Opinions on Internal Control” resource repository: www.theiia.org/index.cfm?doc_id=5317
  9. Organizational Governance: Guidance for Internal Auditors (and useful for others involved in corporate governance processes and oversight) from the Institute of Internal Auditors: www.theiia.org/?doc_id=126
  10. An excellent ethics and philosophy repository: www.ethicsquality.com/philosophy.htm
  11. Ask the Auditor: Business Risk vs. Audit Risk: www.itcinstitute.com/display.aspx?id=1673
  12. IT Compliance Institute IT Audit Checklist: Risk Management. This document supports an internal audit of the organization’s risk management program and processes and provides guidance to improve your risk management program and to assess the robustness of your risk management efforts: www.itcinstitute.com/wp/WPContent.aspx?pID=137

Notes

  [1] A general description of GRC processes is provided by the Open Compliance and Ethics Group (OCEG), at www.oceg.org
  [2] And commensurately evaluating the points of focus and components under the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.
  [3] Applying the McNulty Memorandum (U.S. Department of Justice) or the Seaboard Report (Securities and Exchange Commission).
  [4] United States Sentencing Commission Federal Sentencing Guidelines, §8B2.1(b)(5)(B): www.ussc.gov/2005guid/8b2_1.htm

Editor’s Note: Dan Swanson, CIA, CMA, CISA, CISSP, CAP, is President and CEO of Dan Swanson and Associates. He is a 26-year internal audit veteran who most recently was director of professional practices at the Institute of Internal Auditors (IIA). As an independent audit consultant, Dan has completed audit projects for many government, federal and private sector organizations. Presently, Dan is a Compliance Week columnist and has a monthly column with IT Compliance Institute.

Jose Tabuena is with the Center for Corporate Governance at Deloitte & Touche USA LLP and has previously served as a compliance officer and in-house counsel. He is a member of the Advisory Board for Compliance & Ethics.

