Business Ethics.6

Ethics, Compliance Auditing, and Emerging Issues

To prepare for this assignment, review Chapter 9 in the course text, as well as the article on compliance program auditing by Usnick and Usnick (2013). In addition, read Chapter 10 in the course text. Review Table 10.3: Global Risks 2014, and select one of the risk areas: economic, environmental, geopolitical, societal, or technological.

For this assignment, imagine that you have been tasked with creating a proposal for the new CEO of your organization. You have been asked to create a proposal that establishes an ethics program, as well as develop a training plan, and develop a plan to conduct compliance auditing. Your proposal must include the following:

  • Describe an emerging global risk that is either economic, environmental, geopolitical, societal, or technological.
  • Identify all countries that might be associated with the risk.
  • Describe the effects of the risk on each country.
  • Evaluate the role of ethical decision-making in business organizations as the role pertains to your global risk.
  • Analyze the impact of business ethics on stakeholder relationships.
  • Analyze why it is necessary to create an ethics program, conduct training, and engage in compliance auditing.
  • Design a training plan for ethical considerations and social responsibility as it relates to the key risk area and the countries you have selected. The training plan must include the following:

    The goals of the training program
    The objectives of the training program
    The learning methods/activities of the training program
    How the training program will be evaluated

  • Describe how the training will be conducted.
  • Describe how compliance auditing will be conducted.
  • Summarize the key findings.

The assignment:

  • Must be eight to ten double-spaced pages in length (not including the title page and references page) and formatted according to APA style as outlined in the Writing Center.
  • Must include a separate title page with the following:

    Title of paper
    Student’s name
    Course name and number
    Instructor’s name
    Date submitted

  • Must use at least three scholarly and/or credible sources in addition to the course text and the Usnick and Usnick (2013) article.

    The Scholarly, Peer Reviewed, and Other Credible Sources table offers additional guidance on appropriate source types. If you have questions about whether a specific source is appropriate for this assignment, please contact your instructor. Your instructor has the final say about the appropriateness of a specific source for a particular assignment.

  • Must document all sources in APA style as outlined in the Writing Center.
  • Must include a separate references page that is formatted according to APA style as outlined in the Writing Center.

Must use headers. 

Chapter information attached. 

COMPLIANCE PROGRAM AUDITING: THE GROWING NEED TO INSURE THAT COMPLIANCE PROGRAMS THEMSELVES COMPLY

LEE USNICK* RUSSELL USNICK**

I. INTRODUCTION

Compliance with applicable laws and regulations has always been a concern of business ventures. Historically, internal or external legal counsel provided guidance, usually on a case by case basis. Over recent history, compliance efforts have become more structured and formal as the number and complexity of rules have increased, and as government has provided rewards for demonstrating efforts to comply and punishment for failing to demonstrate efforts to comply.1 As business entities and government have interacted over the years, a complex system of compliance management has evolved.

II. STRATEGIC CONSIDERATIONS

A. The Current Compliance Context

Today, compliance programs are commonplace. Many different professions are involved, including a new class of “compliance professionals” with their own certifying bodies.2 Compliance rules stretch across many federal rule areas, witnessed by the fact that more than a dozen agencies potentially have a say in how a U.S. financial institution operates abroad.3 Compliance concerns no longer stop with legal compliance, and now include industry protocols, licensing requirements, and an array of standards and ethical concerns.

* J.D., M.A., M.S.S.W., Associate Professor of Business Law, University of Houston-Downtown.
** J.D., Dr. Env. Des., M.A., Principal, Usnick and Associates, and Adjunct, Bauer College of Business, University of Houston.
1 Sentencing Reform Act of 1984, 18 USCA § 3551 et seq.
2 For example, see SOC’Y OF CORP. COMPLIANCE AND ETHICS, www.corporatecompliance.org; and HEALTH CARE COMPLIANCE ASS’N, www.hcca-info.org.
3 Gregory Husisian, U.S. Regulation of International Financial Institutions: It’s Time for an Integrated Approach to Compliance, 127 BANKING L. J. 195, 201 (2010).

312/Vol. XXIII/Southern Law Journal

Additionally, foreign compliance regimes now span the global business environment and do not necessarily match up with U.S. compliance rules as reflected, for example, by the fact that common U.S. compliance hotlines appear to conflict directly with EU and individual European nation data protection rights.4 Parts of Europe are opposed to anonymous reporting.5 Growing international protocols regarding foreign bribery are expanding compliance requirements for many companies.6

What began as voluntary efforts to mitigate corporate monetary penalties in the event of certain federal criminal prosecutions, have evolved into mandated or quasi-mandated compliance programs. Over time, these compliance programs have become increasingly complex and expansive, and the continuous layering of rule explanations has morphed into a maze of intricate requirements.7 Some contend that the annual cost of compliance programs in the United States exceeds $1.75 trillion.8

This paper focuses on a single aspect of this evolution, the growing need to adequately monitor and audit the compliance system itself. Certainly, for some time, the use of internal and external audits has been a part of compliance activities. This paper contends that more and more organizations will find it imperative to apply audit protocols to the compliance program itself. That is, compliance programs themselves need to be audited to insure that the compliance program is itself compliant.

B. Compliance Program Goals

While compliance activities have a long history, most credit for their current scope is attributed to the growth of Federal Sentencing Guidelines in the 1990s which provided reduced corporate criminal sentences when the corporation had established a corporate compliance program.9 The idea was that successful compliance programs help with early detection and prompt correction of noncompliance with laws.10 Over the past two decades, there have been continued increases in government involvement in compliance, and it is reasonable to expect that increased enforcement is likely for the foreseeable future.11 As compliance efforts grow, new areas for concern are added to the mix. An example of the trend is the Department of Justice, in settlements with companies over alleged violations, gradually requiring the company to include mandatory due diligence practices with all of their third-party business partners.12

4 Paul E. McGreal, Corporate Compliance Survey, 66 BUS. LAW. 125, 151 (2010).
5 Id. at 151.
6 Joseph E. Murphy, Compliance & Ethics Program News From Paris: Have the “Global Sentencing Guidelines” Arrived?, SOC’Y OF CORP. COMPLIANCE AND ETHICS, 7 (2010).
7 Melany C. Birdsong, Reforming Regulation: No Time Like the Present, 32 HAMLINE J. PUB. L. & POL’Y 371, 373 (2011).
8 Nicole V. Crain & W. Mark Crain, The Impact of Regulatory Costs on Small Firms, SMALL BUS. ADMIN. OFF. OF ADVOC. (SEPT. 2010), http://www.sba.gov/sites/default/files/The%20Impact%20of%20Regulatory%20Costs%20on%20Small%20Firms%20(Full) .
9 Federal Sentencing Guidelines, supra note 1.
10 Donald P. Vandegrift, The Privilege of Self-Critical Analysis: A Survey of the Law, 60 ALB. L. REV. 171, 172 (1996).

One of the difficulties in discussing compliance program auditing is the less-than-agreed-upon language used to describe compliance in general, as well as particular compliance program elements. The terms used in the focus on compliance now include monitoring, auditing, enterprise risk management, internal controls, performance auditing, risk stratification, compliance programs, and many more.13

Regardless of the terminology, an integrated approach to compliance is becoming expected. There is a growing belief that all of the compliance elements, including audit, risk, and legal, do not work when they are isolated into narrow silos, but do work when integrated and coordinated.14 Today, the key to a good compliance program is mixing all of the diverse elements into an effective compliance program.15

The current economic environment has also affected the compliance environment. During periods of economic distress, entities and individuals are increasingly inclined to cut corners.16 The tough economy results in heightened regulatory scrutiny which leads to an increased need for compliance program effectiveness.17 Compliance is expensive, but the cost is minor compared to dealing with investigations, fines or sanctions.18 In the current compliance environment, no prudent alternative exists to putting significant resources toward compliance.19 Tough economic times make it imperative for companies to find efficient, proactive ways to manage regulatory compliance risks.20

11 Karen Kurti, Compliance Program Management and Oversight, 8 COMPLIANCE & ETHICS PROF. 36, 37 (2011).
12 Ryan D. McConnell, Jay Martin & Charlotte Simon, Plan Now or Pay Later: The Role of Compliance in Criminal Cases, 33 HOUS. J. INT’L L. 509, 573 (2011).
13 Joseph Keen & Cliff Therrien, Is Your Program Equipped For Compliance Auditing? With Heightened Industry Focus Comes the Need for Heightened Awareness of What It Means for Your Organization, 13 J. HEALTH CARE COMPLIANCE 21 (2011).
14 Roy Snell, All the Elements of a Compliance Are Useless…On Their Own: Finding a Way to Coordinate Tools and Use Them Effectively Is the Real Secret, 13 J. HEALTH CARE COMPLIANCE 3 (2011).
15 Id.
16 Paul Belton, The Evolving Role of Compliance Officers During These Difficult Economic Times: Opportunities for Growth in Compliance Are Expanding — Not Diminishing, 11 J. HEALTH CARE COMPLIANCE 11, 12 (2009).
17 Id. at 16.
18 Husisian, supra note 3, at 224.
19 Id.

Fall 2013/Usnick & Usnick/313

C. Compliance Program Scope

The scope of the compliance effort should match the particular compliance issues facing a company. Clearly, the compliance programs should both prevent and detect misconduct, including conduct which is not just criminal.21 Often, compliance programs also address the potential for civil liabilities and various industry specific standards.22

Setting the proper scope for the compliance program is never easy. It is difficult to determine the true value of a compliance program to the organization.23 Unfortunately, the maze of rules and modifications requires both regulators and the regulated to develop a “minefield” mentality where one misstep can have catastrophic effects.24 Each compliance program will have a unique approach. Likewise, the resulting compliance program work plan, which articulates annual goals, monitoring, and audit activities, will be unique to that company at that point in time.25

D. Role of Governance, Risk, and Compliance (GRC)

The word compliance has evolved to have many different meanings.26 Amid this definitional broadening, there has been a melding of the concepts of governance, risk, and compliance (referred to as GRC).27 Additionally, among these various meanings there are overlaps, gaps, and conflicts.28

GRC usually includes corporate governance, enterprise risk management (ERM), and compliance with rules and regulations as well as ethical and other compliance issues.29 Originally, governance and risk were little more than mere written principles, but over time they have become robust, integrated, management practices.30 In the process, however, the titles given to specific activities, such as audit, risk, compliance, ethics, legal, and various combinations of terms, have become less clear.31

20 Belton, supra note 16, at 14.
21 Patricia J. Villareal, Henry Klehm & Richard C. Rosalez, Compliance in The Dodd-Frank Era: The Case for Engaging Employees, 7 COMPLIANCE & ETHICS PROF. 32 (2010).
22 Id.
23 Belton, supra note 16.
24 Birdsong, supra note 7, at 375.
25 Catherine M. Boerner, When Was the Last Time You Reviewed Your Corporate Compliance Plan? Final Rule on Medicaid RACs Defines Fraud and Abuse, Explains How Fees Are Paid, 13 J. HEALTH CARE COMPLIANCE 35 (2011).
26 Michael Brozzetti, Is Your Chief Watchdog an Esquire?, 8 COMPLIANCE & ETHICS PROF. 8 (2011).
27 Id.
28 Id.
29 Roy Snell, Risk Appetite? Can You Please Run That By Me Again? Compliance Professionals Must Be Concerned with the Facts Rather Than “Going Holistic”, 12 J. HEALTH CARE COMPLIANCE 3, 4 (2010).

GRC is a very broad concept that looks at issues, including risk.32 Some equate GRC with a compliance program.33 However, GRC is not primarily aimed at the traditional compliance activities of finding and fixing problems.34 Certainly, overseeing risk management is critical to legal compliance.35 But monitoring and maintaining compliance is not just regulatory, it is a critical component of an effective ERM program.36 ERM is becoming a key process in the GRC framework, and its significance continues to grow.37 The lack of exact clarity in the terminology has not limited the importance of GRC overall, as GRC software, systems, and services are estimated to have an annual cost of $52 billion.38

E. The Role of the Compliance Program

The location of “ownership” of compliance efforts within an organization is crucial. It is important that these efforts are not “owned” only by compliance staff, especially since many internal audit functions do not measure operational performance against specific regulatory requirements.39 In reality, compliance duties, responsibilities, and actors spread throughout an enterprise in many varying ways.40

There is often a compliance committee, a compliance department, or both. A compliance department incorporates all of the compliance functions as opposed to a compliance committee.41 A compliance committee approach usually matches membership with the key compliance risk areas for the organization.42 The general view is that the compliance committee benefits by having as members persons with varying responsibilities in the organization.43 When both a compliance committee and a compliance department exist, the compliance committee role is usually to support the compliance officer.44

30 Brozzetti, supra note 26.
31 Id.
32 Snell, supra note 29, at 3.
33 Id.
34 Id.
35 Kenneth A. Bamberger, Technologies of Compliance: Risk and Regulation in a Digital Age, 88 TEX. L. REV. 669, 693 (2010).
36 Dan Swanson & Jose Tabuena, Expert Corner: Auditing a Compliance and Ethics Program, ETHISPHERE (May 29, 2007), http://ethisphere.com/expert-corner-1.
37 Steve McGraw, Third-Party Risk Management: Properly Managing Compliance of Outsourced Relationships, 8 COMPLIANCE & ETHICS PROF. 30 (2011).
38 Bamberger, supra note 35, at 669.
39 Keen & Therrien, supra note 13, at 23.
40 Brozzetti, supra note 26.
41 Kurti, supra note 11, at 36.

There is a continuing debate as to the roles of different enterprise functions with regard to compliance. Early compliance efforts emanated heavily from the legal and financial functions. Some now argue that different corporate roles such as general counsel, chief internal auditor, or chief compliance officer in fact conflict with one another.45 Some discussions of current best practices suggest that, ideally, neither legal nor financial should be merged with compliance.46 One strain of the argument is that both financial and legal functions have risk assessment aspects, and that the organization’s appetite for risk should not be part of the compliance professionals’ activity.47

The discussion has become more focused with regard to the relationship between the legal department and the compliance function. Sometimes the compliance officer is in the legal department and reports to the general counsel.48 It is a tough decision whether compliance belongs in or out of the legal department and at present there seems to be no clear answer.49

A common argument is that the general counsel role and compliance chief role have actual and potential conflicts, and as a result, it should be viewed as very questionable when they are not separated.50 Additionally, under certain circumstances, the attorney-client privilege may be weaker for in-house counsel when dealing with internal auditing than for external counsel.51 While on the topic of attorney-client privilege, it is interesting to note here that some argue that even attorney-client privilege between inside counsel and executives should not block the authority and reach of an internal audit.52 The scope of this question is not limited to narrow legal or compliance issues, as one writer argued that compliance should not be part of the legal function, because the organization should not give the responsibility for compliance to the group that, in the writer’s opinion, has failed to get the compliance job done correctly for the last one hundred years.53

42 Jim Passey, Facilitating an Effective and Productive Compliance Committee: How to Structure, Maintain, and Springboard Your Compliance Committee’s Effectiveness, 13 J. HEALTH CARE COMPLIANCE 5, 6 (2011).
43 Id.
44 Kurti, supra note 11, at 36.
45 Brozzetti, supra note 26.
46 Kurti, supra note 11, at 37.
47 Snell, supra note 29, at 3.
48 Ryan McConnell, Daniel Trujillo & Katherine Southard, Take It To The Board: There’s No Perfect Org Chart- But Compliance Officers Need a Direct Line to Directors, COMPLIANCE 14, 15 (ALM Supplement Winter 2012).
49 Id.
50 Kurti, supra note 11, at 37.
51 Brozzetti, supra note 26, at 10.
52 Id.

III. DESIGN AND IMPLEMENTATION

A. Determining Compliance Adequacy through Monitoring and Auditing

At regular intervals, an organization’s compliance program should be asked a number of probing questions. The following are some of the questions that must be addressed:

1. What have we already said that we are going to do for compliance?

2. Are we doing what we said we would do?

3. Are we doing it in a consistent manner?

4. Is what we are doing achieving what it is supposed to accomplish?

5. Is what we said we will do what we are really required to do?

6. How do we determine that our compliance program complies with all applicable rules?

7. Are there appropriate processes for reviewing the maintenance of the program?

8. Is there adequate compliance program oversight?

9. Can we document processes in place to effectively deal with the discovery of non-compliance?

10. Can we document processes for evaluating preparedness for changes which occur in the future?

11. Are we able to adequately document the basis upon which our compliance program operates?

12. Can we document that we appropriately evaluate the entire compliance program?

These and other questions all assess the overall effectiveness of a compliance program. Part of any assessment involves broad questions concerning levels of organizational risk tolerance, the extent of organizational compliance buy-in, and compliance culture in general. These are all important parts of monitoring a compliance program. Under the sentencing guidelines, monitoring and auditing are linked,54 and many organizations use the terms auditing and monitoring interchangeably, but many argue they are not interchangeable.55 Sometimes the audit function owns the monitoring process; other times there may be a dedicated monitoring team independent of the audit process.56 Whatever the case, a key element of a good compliance program includes consistent monitoring and auditing.57

53 Snell, supra note 14, at 66.

There is no road map or textbook on effective implementation of compliance programs in a particular organization.58 Monitoring is defined as measuring operational performance so as to insure that regulatory and other standards are met.59 Auditing focuses on testing, spot checking, and inspections, done at a point in time, and is both independent and objective.60 Any discussion of compliance program auditing, such as this paper, presupposes an effective monitoring system to which audit results flow. It is important to view the compliance program audit as another layer in a good compliance program and not as something separate.61

B. The Compliance Program Audit

The compliance program audit is an essential part of an effective compliance program for several important reasons. Most significantly, recent U.S. Department of Justice (DOJ) settlements include an audit to show that compliance is not just a paper program.62 Put simply, an organization should audit its compliance program because that is the first thing the government will do before making any decision on whether or not to prosecute and the level of penalties that will be sought if they do prosecute.63

54 Keen & Therrien, supra note 13, at 22.
55 Id.
56 Id. at 24.
57 M. Richard Schroeder, International White Collar Enforcement, 2012 Edition, Leading Lawyers on Cooperating With Enforcement Agencies, Understanding New Laws, and Constructing Compliance Programs: New Compliance Challenges and Requirements in the International Business Arena 2011 WL 6740789 (ASPATORE), 6.
58 Keen & Therrien, supra note 13, at 23.
59 Id. at 22.
60 Cornelia M. Dorfschmid & Paulo B. Macedo, Statistics – Friend or Foe? The Compliance Officer’s Perspective: A General Understanding of the Basics Is Prudent, 14 J. HEALTH CARE COMPLIANCE 23, 30 (2012).
61 Practising Law Institute, Kicking the Tires and Taking Her Out For a Spin – How to Audit a Compliance Program, 4 PRACTISING L. INST’S COMPLIANCE COUNS. 1 (2007).
62 McConnell, et al., supra note 12.

A key part of a compliance program is systematically looking for problems through means like auditing.64 Ten years ago the compliance department was often never audited,65 while today many regulations require regular testing of the effectiveness of controls.66 Auditing the compliance program is best viewed as an important part of an overall comprehensive evaluation.67

The audit plays an assurance function.68 The primary compliance audit report purpose is communication to management and stakeholders.69 An audit typically looks for independent verification of risk control mechanisms.70 Auditing does not fix problems because that is not its charge.71

Many internal audit functions do not measure operational performance against specific regulatory requirements.72 An overall compliance monitoring plan should be formally written and clearly identify both purpose and objectives.73 If the compliance effort is not measurable, it cannot determine if efforts are driving better compliance outcomes.74

Auditing a compliance program can provide an independent determination of appropriateness and effectiveness.75 Also, auditing the compliance program supports assessing performance and effectiveness.76 A compliance program audit tests systems, and in turn, helps get the full benefit of sentencing guidelines when needed.77

Auditing the compliance framework itself enables early identification of systemic issues,78 and can identify areas for improvement.79 Existing compliance processes need to be continually reassessed.80

63 Swanson & Tabuena, supra note 36.
64 Snell, supra note 29, at 65.
65 Karen Stensgaard, Have You Audited Your Compliance Department Lately?, INTERNAL AUDITOR 45, 46 (Apr. 2002).
66 Bamberger, supra note 35.
67 Swanson & Tabuena, supra note 36.
68 Catherine Finamore Henry, Too Close For Comfort, INTERNAL AUDITOR 2, (Feb. 2011).
69 Keen & Therrien, supra note 13, at 24.
70 Id. at 22.
71 Snell, supra note 14, at 67.
72 Keen & Therrien, supra note 13, at 23.
73 Id.
74 Id.
75 Swanson & Tabuena, supra note 36.
76 Id.
77 PRACTISING L. INST., supra note 61.
78 Susan Burch, Auditing for Compliance, INTERNAL AUDITOR 53, 59 (Dec. 2008).
79 Swanson & Tabuena, supra note 36.
80 Chong Ee, Overcoming Checkbox Compliance, INTERNAL AUDITOR 55, 56 (Dec. 2010).

On a larger scale, auditing compliance programs can increase integration of governance, risk, and compliance.81 Additionally, auditing of the compliance program can be a catalyst for changes in GRC to support improved operational effectiveness.82 By assuring after the fact that risk is being properly managed, compliance is able to proactively mitigate future risk.83

C. Role of Compliance Program Audits

A company needs to assume that, at some point, an employee or business associate will engage in illegal activity.84 While criminal violations are central to compliance programs, risk issues for compliance program audit can include regulations, culture, reputation, and the like.85 The most common thread is the focus on utilization of non-compliance as the evaluation starting point. Often a transaction’s review points to the need for a systems review which looks at patterns and processes as a whole.86

Auditing typically looks for independent verification of risk control mechanisms.87 This is achieved in a number of ways. Consistency across the organization,88 the clearness of lines of authority,89 appropriate segregation of compliance program duties,90 and the relationship between the compliance program and others in the organization are all expected compliance program audit issues. The audit looks at the sufficiency of the process in and of itself, and also at the effects and outcomes of the process.91 Directly or indirectly, this occurs under two broad headings: process audits and substantive audits.

81 Swanson & Tabuena, supra note 36.
82 Id.
83 Roy Snell, Audit and Compliance: Two Closely Linked Professions with Very Distinct Roles: Urton Anderson Discusses the Differences, and Similarities, and Why Both Must Work Together, 13 J. HEALTH CARE COMPLIANCE 29, 32 (2011).
84 Schroeder, supra note 57, at 7.
85 Swanson & Tabuena, supra note 36.
86 Cornelia M. Dorfschmid, Systems Reviews versus Transaction Reviews – A Closer Look at a New Era of Mandatory Compliance: Use of Both Review Types May Be the Best Preparation for Effectiveness Certification in Coming Years, 12 J. HEALTH CARE COMPLIANCE 41, 43 (2010).
87 Keen & Therrien, supra note 13, at 22.
88 Burch, supra note 78, at 54.
89 Swanson & Tabuena, supra note 36.
90 Burch, supra note 78, at 59.
91 Dorfschmid, supra note 86.

D. Process Audits and Substantive Audits

The process audit addresses the “are we doing what we said we would do” question. The audit first asks if key features of the compliance plan have been implemented.92 This leads to audit inquiries as to whether the program components are operating as intended.93 In the simplest form, a process audit determines if the protocols are implemented and whether the employees are following the protocols.94

A substantive audit determines if the resulting work product meets regulatory requirements.95 A key problem in the monitoring and auditing of compliance programs is that a substantive audit must check for alignment of the overriding compliance program requirements with the many internal audit functions which often do not measure operational performance against specific regulatory requirements.96 That is to say, the audit process needs to be designed to evaluate whether the program is substantively addressing the specific compliance concerns.

E. The Compliance Program Audit Process

A very important aspect of audit design is to understand the audit objectives given the level of assurance sought by the board.97 In the audit planning phase, all of the important issues and risks need to be identified.98 Very often, the compliance program audit will use a risk-based approach to identify important issues.99 In compliance programs, auditing for internal controls is different from auditing for compliance effectiveness.100

Compliance program auditing needs to understand existing compliance program strengths and weaknesses.101 This can often take the form of some kind of mapping of the compliance environment. The design of the process first audits for overall compliance, then looks to the remediation of identified issues, inquires if there are root causes for the problems, and finally addresses the compliance program within that context.102

92 Swanson & Tabuena, supra note 36.
93 Id.
94 Id.
95 Id.
96 Keen & Therrien, supra note 13, at 23.
97 Swanson & Tabuena, supra note 36.
98 Id.
99 Id.
100 Keen & Therrien, supra note 13, at 24.
101 Id.
102 Ee, supra note 80, at 57.

F. The Compliance Program Audit Plan

Assessing compliance risk should be part of the overall risk assessment and specifically incorporate compliance auditing into audit plans.103 There needs to be a clear compliance-auditing plan.104 The audit plan should include a statement of auditing standards which spell out compliance audit particulars.105 Additionally, there should be a clear delineation of the basic strategy of the compliance program audit, the scope of the audit program, audit objectives, time frame, personnel, methodology, and reporting.106 While specificity is important, overly strict audit process standardization should be avoided.107 Flexibility sufficient to pursue unexpected results is important.

The compliance-auditing plan must focus audit related activity on both operational compliance performance and overall compliance effectiveness.108 It is impossible to develop a good compliance plan without a thorough understanding of the operations and how they relate to regulations affecting those operations.109 On a large scale, the compliance program audit components include the program design structure, the selected processes, the implementation process, and finally the actual audit for compliance using the designated standards.110 At the more operational level, the compliance program audit plan articulates the compliance audits to be conducted for the specified time period.111

Each compliance program audit will require careful planning.112 Auditing a compliance program is much like any other audit in structure, planning, fieldwork, and reporting.113 In the audit planning stage identification of audit objectives is a crucial step.114 Part of compliance program audit includes documented policies and procedures for conducting inquiries and investigations.115 The planning phase of the audit results in confirming the scope of the audit and getting sign-off to proceed.116

103 Burch, supra note 78, at 54.
104 Keen & Therrien, supra note 13, at 23.
105 American Institute of Certified Public Accountants, Statement on Auditing Standards No. 117, Compliance Audits, J. OF ACCOUNTANCY 71, (Feb. 2010), available at www.journalofaccountancy.com.
106 Practising Law Institute, supra note 61.
107 Keen & Therrien, supra note 13, at 24.
108 Id.
109 Jeffrey R. Porter, Environmental Law Enforcement and Compliance; Leading Lawyers on Communicating with Enforcement Agencies, Overcoming Compliance Challenges, and Developing Response Strategies: Surviving the Enforcement First Culture, 2011 WL 44522051 (ASPATORE 2011), 10.
110 Swanson & Tabuena, supra note 36.
111 Boerner, supra note 25.
112 Keen & Therrien, supra note 13, at 24.
113 Swanson & Tabuena, supra note 36.
114 Id.

IV. TACTICAL CONSIDERATIONS

A. Conducting the Audit

Compliance program audits also raise questions regarding conflicts of interest. International standards for professional internal auditors say that they should not be participating in activities they also audit.117 The compliance auditing plan needs independent, disciplined, audit protocols.118 Utilizing the already established audit avenues for the organization can have difficulties because a typical audit unit often favors financial audits and often they do little in other areas of regulatory noncompliance.119

B. Establishing the Basis for Audit Evaluations

A self-assessment prior to the audit can be valuable.120 Determining the sufficiency of the level of audit testing is left to an individual’s professional determination.121 The audit should be based on comprehensive audit risk assessment, that is, focused on key compliance risks.122 Because compliance and ethics efforts cover a very broad span of activities, the audit process must carefully define the proper focus.123 Auditing the compliance program may not answer whether the program actually reduced non-compliance.124 In fact, auditing the compliance program alone is likely not sufficient to demonstrate the program effectiveness.125 Compliance monitoring needs data, metrics, reporting systems, and the ability to take into account that internal audit functions do not directly measure operational performance against specific regulatory requirements.126

115 Burch, supra note 78, at 59.
116 Swanson & Tabuena, supra note 36.
117 Henry, supra note 68, at 29.
118 Keen & Therrien, supra note 13, at 23.
119 Snell, supra note 14.
120 Swanson & Tabuena, supra note 36.
121 Id.
122 Id.
123 Id.
124 Id.
125 Id.
126 Keen & Therrien, supra note 13, at 23.

324/Vol. XXIII/Southern Law Journal

The evaluation phase starts with asking if absolute minimum regulatory requirements have been met (referred to as a baseline evaluation).127 As it unfolds, the evaluation phase of an audit looks at specific data, information systems, and performance reporting measures.128 Ironically, although the government often demands the implementation of an effective compliance program, it generally offers little guidance as to what that is or how to measure it.129

Benchmarks and other measurement tools are useful. The auditing of compliance programs evaluates effectiveness compared to both internal and external measures.130 There are no standard measurement techniques for auditing for compliance. In some areas of compliance, the regulatory regime suggests that one method of internal measurement is a “snapshot” of the compliance program for use as a future benchmark.131 In some settings, benchmarks are an essential part of a compliance program.132 Even then, there are few metrics and standards for defining an effective program.133

In the evaluation stage of an audit, where it is essential to look beyond minimum practices, a common practice model looks at the practices of leading peers in the industry.134 This can be in the form of looking at leading peer practices through organizations such as the Ethics and Compliance Officer Association or the Open Compliance and Ethics Group.135 It is also useful to look further into more leading-edge practices.136 Finally, benchmarks need to be regularly monitored for evolving trends.137

C. Actual Audit Tactics Vary

Compliance program auditing can include teams of cross-trained peer reviewers conducting quarterly case record reviews in every program area to match documentation to requirements.138 Often, compliance program auditing will include a monthly review of case records.139 Compliance program auditing can also include month to month tracking and analysis of identified risk areas.140 Many transaction reviews can use statistical auditing and extrapolation tools as part of the compliance program audit.141 An example would be the variety of ways coding in healthcare settings are tested for compliance.142 Another way of compliance auditing is by examining company emails.143 Any email, utilizing a company email address, is company property and contains significant amounts of information for review.144 Email compliance program audits can be aided by key word searches.145

127 Swanson & Tabuena, supra note 36.
128 Id.
129 Miriam Hechler Baer, Governing Corporate Compliance, 50 B.C.L. Rev. 949, 954 (2009).
130 Swanson & Tabuena, supra note 36.
131 Jillian Bower, Use of Surveys to Evidence Compliance Program Effectiveness: When Deciding Which Survey to Use, Keep in Mind It Must Be Credible to an Outside Third Party, 13 J. HEALTH CARE COMPLIANCE 43, 44 (2011).
132 Id.
133 Dorfschmid, supra note 86, at 42.
134 Swanson & Tabuena, supra note 36.
135 Id.
136 Id.
137 Bower, supra note 131, at 64.
138 Paul E. McGreal, Corporate Compliance Survey, 67 BUS. LAW. 227, 251 (2011).
139 Id.

Compliance program audits have begun using statistical concepts.146 A lot of auditing employs state of the art technology. Reporting that is required for compliance is often created technologically.147 Technological compliance solutions “interpret” hundreds of rules.148 Compliance is going hi-tech using a wide array of technology compliance tools.149 Technological compliance activities are heavily involved in modern risk regulation.150 A large amount of compliance system auditing is automated.151 Technology profoundly affects the auditing of all risk management issues including compliance.152 Much compliance program auditing is reported in dashboard form.153 Some compliance program auditing happens in real time.154 Technological compliance activities are used widely from bank capitalization to Sarbanes to information privacy.155 At the same time, some argue that technological compliance activities can hinder the compliance decision process.156 One of the arguments is that technological compliance activities frequently lack transparency.157

140 Id.
141 Dorfschmid, supra note 86, at 70.
142 Belton, supra note 16, at 15.
143 Catie Heindel, Auditing Emails: A Useful Method for Testing Compliance Program Effectiveness: Five Important Steps to Help Organizations Evaluate Their Program’s Effectiveness, 14 J. HEALTH CARE COMPLIANCE 47 (2012).
144 Id. at 48.
145 Id. at 70.
146 Dorfschmid & Macedo, supra note 60, at 24.
147 Bamberger, supra note 35, at 701.

148 Id.
149 Id.
150 Id.
151 Id.
152 Id.
153 Id.
154 Id.
155 Id.
156 Id.
157 Id. at 676.

at 669.

at 673. at 694. at 693. at 695.

at 670.

D. Audit Documentation Sufficiency

A major compliance audit issue is whether the documentation for the compliance program is sufficient and in place.158 A key requirement is that program audit results are accurately presented to appropriate parties.159 It is vital to document all of the implementation, updating, and evaluation of compliance programs.160 Compliance program effectiveness review is a huge documentation gathering function.161

One source argues that an entity should be able to describe the compliance program in detail without saying one word, since if the investigator has to ask questions to understand the program, then the documentation is insufficient.162 While that may be a difficult standard, if investigated, there is an immediate need to be able to produce a binder that lays out the compliance program in detail with policies, guidelines, and supporting records.163

V. CONCLUSIONS

A. Compliance Program Audits in the Larger Organizational Setting

Compliance program audits need to be based in trust and cooperation. Additionally, stakeholders need to understand the importance of transparency in audit processes.164 The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Audits standard 2110 stresses the importance of effectively communicating information with board members, external and internal auditors, and management.165

The compliance culture is often more important than the rules themselves in compliance programs.166 With the passage of time, it has become ever more important that compliance professionals report directly to an internal governing authority like the audit committee of the board of directors.167 The organization should have at least an annual report from the compliance officer to the board directly.168

158 Swanson & Tabuena, supra note 36.
159 Id.
160 Thomas McSorley, Foreign Corrupt Practices Act, 48 AM. CRIM. L. REV. 749, 776 (2011).
161 Boerner, supra note 25.
162 Schroeder, supra note 57, at 6.
163 Id.
164 Brozzetti, supra note 26.
165 Brozzetti, supra note 26.
166 Brozzetti, supra note 26, at 10.
167 McConnell, et al., supra note 48, at 14.
168 Id.

In some areas such as healthcare, the regulatory compliance burdens are massive and are passed on to consumers.169 Another drawback of compliance programs is the reality that they create a record of misdeeds.170 The government leaves very little room for discretion when compliance plans uncover violations of law.171 The Dodd Frank Act puts companies into the dilemma of choosing between early self-reporting with sketchy information and the prospect of losing the benefits of self-reporting when a whistleblower goes to the agency first.172 The government’s strategy of “enforcement first” presents a serious challenge to the regulated community.173 It is no insignificant problem that self-reporting almost alw

Chapter 10. Table 10.3

Management should consider how the global trends in the economic, geopolitical, social, and technological environment affect existing or future stakeholders of the organization. The World Economic Forum, a global think tank located in Geneva, Switzerland, provides a comprehensive overview of economic, environmental, geopolitical, societal, and technological risks that have the potential for “significant negative impact for several countries and industries” (World Economic Forum, 2014b, p. 12). A complete listing from the Global Risks 2014 report is included in Table 10.3, along with the ranking of the top 10 global risks of highest concern. The report identifies three trends that industries should consider:

1. Demands on governments for reform may negatively affect industries such as healthcare, financial services, and energy;

2. The generation entering the workforce in the 2010s faces high unemployment, unfulfilling economic potential, and are full of ambition to improve the world;

3. A dynamic online world allows for cyber attacks that destroy trust in the Internet for communication or commerce (World Economic Forum, 2014b).

Table 10.3: Global risks 2014

ECONOMIC

Shocks to economic infrastructure
Fiscal crises in key economies [1]
Failure of a major financial mechanism or institution [9]
Liquidity crises
Structurally high unemployment/underemployment [2]
Oil-price shock to the global economy
Failure/shortfall of critical infrastructure
Decline of importance of the US dollar as a major currency

ENVIRONMENTAL

Natural disasters and man-made risks of depletion of natural resources
Greater incidence of extreme weather events (e.g. floods, storms, fires) [6]
Greater incidence of natural catastrophes (e.g. earthquakes, tsunamis, volcanic eruptions, geomagnetic storms)
Greater incidence of man-made environmental catastrophes (e.g. oil spills, nuclear accidents)
Major biodiversity loss and ecosystem collapse (land and ocean)
Water crises [3]
Failure of climate change mitigation and adaptation [5]

GEOPOLITICAL

Areas of politics, diplomacy, conflict, crime, and global governance (corruption)
Global governance failure [7]
Political collapse of a nation of geopolitical importance
Increasing corruption
Major escalation in organized crime and illicit trade
Large-scale terrorist attacks
Deployment of weapons of mass destruction
Violent inter-state conflict with regional consequences
Escalation of economic and resource nationalization

SOCIETAL

Risk relating to social stability and public health
Food crises [8]
Pandemic outbreak
Unmanageable burden of chronic disease
Severe income disparity [4]
Antibiotic-resistant bacteria
Mismanaged urbanization (e.g. planning failures, inadequate infrastructure and supply chains)
Profound political and social instability [10]

TECHNOLOGICAL

Risks relating to growing centrality of information and communication technologies
Breakdown of critical information infrastructure and networks
Escalation in large-scale cyber attacks
Massive incident of data fraud/theft

Note: Brackets [ ] denote ranking in top 10 global risks of highest concern.

Sources: Table 1.1 & Table 1.2, p. 13 in World Economic Forum. (2014). Global risks 2014 (Ninth ed., pp. 60). Switzerland. Reprinted with permission.

The potential global risks have ethical dimensions. Using the categorization of ethical issues from Chapter 3, many of the global risks to business involve employee misuse of company resources, honest and truthful communication that demonstrates respect and fairness toward company stakeholders, and workplace issues, such as lying to employees, discrimination leading to improper hiring practices, abusive behavior and harassment, health or safety violations, and employee privacy breaches. Future risks and opportunities for a business organization can lead to new ethical issues that may require managers to adopt a different way of interacting with stakeholders.
