The compliance audit, like other audit activities, is intended to provide feedback to management and the audit committee about the control environment, ongoing compliance and conditions for potential risk. The compliance audit should evaluate the effectiveness of the compliance management program, including policies and procedures, training, monitoring and consumer complaint response. A financial institution’s audit committee should determine the scope of an audit and the frequency with which audits are conducted.
This topic is often a key component of regulatory compliance examination feedback, particularly when specific regulatory violations have occurred. We see examiners questioning institutions about their overall compliance program management and digging into the elements of policies and procedures, training, quality control assessment and the like. Overlying compliance program management is the role of internal audit. What was internal audit’s assessment of the institution’s compliance with individual regulations, and of the program overall?
Elements of a Compliance Management Program
Regulatory guidance and best practices have helped define which elements are necessary to help an organization mitigate risks associated with compliance.
Typically, the basic elements include:
- Designation of a compliance officer
- Procedures (internal processes and controls)
- Regulatory change management
- Quality control (monitoring)
- Consumer complaint response process
Historically, compliance has been viewed as an organizational stepchild rather than an essential core function of an organization. Integrating the compliance function into the culture of the business empowers those responsible for compliance with a framework to fulfill their mission. Successful integration encompasses shared communication and education about compliance-related responsibilities, which helps employees at all levels to understand their responsibilities.
The two elements of assessing the overall effectiveness of a compliance program are quality control and audit. Let’s expand more on those components.
1. QUALITY CONTROL
The end goal of a quality control function is to monitor how well departmental policies and procedures are being executed. Ultimately, the function should be risk-based, focusing the most resources on the areas of greatest risk. An effectively designed quality control program has an employee, such as a supervisor or another employee independent of the originator of the activity, review an ongoing risk-based sample of the work performed in an applicable area. A quality control program should be designed to assess certain areas based on the residual risk exposure of non-compliance.
Completed quality control reviews should be aggregated and reported to the compliance officer for review. The compliance officer should assess applicable areas for overall effectiveness to identify any increasing trends within departments. This oversight allows management to allocate resources on a risk-based, quantifiable basis.
Finally, the compliance officer should provide a consolidated report to the board of directors or designated compliance committee for final oversight. The consolidated report should provide a broad overview of the organization’s compliance posture so the board can continue to provide big-picture, strategic direction.
2. COMPLIANCE AUDIT
The compliance audit provides for an independent assessment of departmental policies and procedures as well as a review of compliance with rules and regulations. Like the quality control program, the compliance audit should be risk-based. Determining where to focus audit resources should be based on an initial risk assessment that considers various information, including (but not limited to) examination findings, changes to the regulatory landscape, errors or violations, problems in the past, employee turnover in the compliance department or line of business and results of the quality control reviews. The results of the risk assessment determine the scope of the coverage and testing of the compliance audit.
The compliance audit results should be provided in formal, detailed reports that outline findings and management’s action plan to resolve each finding. These audits should be conducted by an individual independent of the compliance management function and reported in the same format, manner, and protocol as the organization’s overall audit function. Auditing the compliance function should be conducted on a less frequent basis than the quality control program; timing of the audits can be on a rotational basis and supported by the results of the risk assessment process.
It should be noted that the compliance audit scope can and should cover all of the elements of the compliance management program, including training and quality control, and not be limited to detailed testing of compliance with regulations. The resulting audit reports should be presented directly to the audit committee, and all findings should be tracked for resolution.
Compliance Across the Board
The current regulatory environment requires a new business model for compliance that stretches to all facets of an organization. The role of internal audit can enhance the success of a compliance management program by providing informative feedback that enhances the program’s effectiveness and sustainability.