Compliance Officers Face Uphill Climb on Audits – Here’s the Way Forward
In the age of the current pandemic, compliance officers have enough on their plates without worrying about audits.
Yet that’s exactly where decision-makers stand these days, as a new study points out how far companies have fallen behind the curve on successful audit programs.
According to the Bonadio Group, a CPA firm based in Rochester, N.Y., companies have a long way to go to shore up their compliance and auditing functions.
This from the survey:
“57 percent of respondents feel they do not have the resources to adequately carry out the compliance function, compared to 54 percent in the firm’s 2014 and 2016 surveys,” Bonadio found.
“In related data points, one in five respondents indicated that their organization does not perform an annual organization-wide risk assessment and 31 percent said their auditing and monitoring process is insufficient for an effective compliance program.”
Without a doubt, compliance audits matter, especially as company information shifts into digital mode and risks of non-compliance grow exponentially.
“Non-compliance costs may start with fines, but losses from eroded consumer trust, employee morale and competitive advantage can be substantial,” noted PWC in its 2019 “State of Compliance Study.” “These, in turn, may further erode investor confidence and share prices.”
Getting a Grip on Audits as a Compliance Measuring Tool
In an environment where the risk is so high and confidence among compliance officers so low, what can companies do to turn the tide and run the successful audit programs needed to curb compliance threats and costs?
No matter what compliance frameworks your company faces, these audit process action steps can lead the way:
Self-audit – and do it often. In the auditing realm, you really don’t know where you stand until you know where you stand. Hence the need to check your own compliance regularly, and self-audits fit the bill there.
Start your self-audit program by creating an internal team, led by the company compliance officer. Or, at the very least, appoint an independent auditing firm, if internal resources can’t handle the task. Task your audit team to create a guide that includes the following steps and goals:
--- Explains the self-audit’s objective
--- Explains what controls will be used and how they’ll be used to meet your audit goals
--- Explains the exact steps needed to successfully self-audit
The goal with any self-audit program is to establish a solid platform for conducting in-house audits on a regular basis – all additional steps will begin from that program.
Know your “high risk” areas. As you build a self-audit team, establish program goals around areas of high company compliance risk. For a healthcare company, those risks might come from Medicare contracts; for a technology firm, those risks may derive from fraud alerts; and, for a financial services firm, those risks might come from aggressive trading practices.
The goal here is to target the risk, identify it, and steer your company-wide audit priorities toward testing and mitigating risks in the areas most likely to harm your company.
It’s a good idea to task company department heads with identifying their own areas of compliance risk and estimating the total liabilities and penalties that await if those areas are found to be non-compliant.
Additionally, make your company information technology team or your IT vendor a big part of your audit team – IT is a huge help in accumulating, analyzing, and presenting key auditing and compliance data.
Then, take the risks to your audit team and C-level executives, rank them in terms of probability exposure, and test those risk areas more aggressively. Simultaneously, ensure that those higher-risk areas have policies in place to mitigate compliance concerns, and that policy steps are in place to remedy any compliance issues that arise.
Be transparent about your audit program results. Once you have policies in place, and your audits start yielding results, be as transparent as possible so your company really does know where it stands, compliance-wise.
For example, share audit results with company managers and your firm’s board of directors. Make those results a specific agenda item at regular meetings and shape compliance policies out of the resulting discussions. Have your in-house compliance team (or independent auditor) on hand at management and board meetings to discuss your audit policies and procedures, and to ensure that your company’s highest compliance risk areas remain a priority.
The Takeaway on Building a Better Auditing Process
Achieving better audit outcomes is all about creating a company-wide environment where auditing becomes a top-level priority.
By building an accountable audit team, testing compliance areas regularly, focusing on high-risk compliance areas, and sharing results among company decision-makers, you’re taking the major steps needed to audit properly and reduce or even eliminate the compliance threat inside your company – for the short term and for the long term.