Webinar: Auditing the Compliance Program, Part 2

August 26, 2022

For the first part of this webinar go to Auditing the Compliance Program, Part 1

Transcript for Auditing the Compliance Program, Part 2

Matt Kelly: Welcome back to this bonus session that we have about “Auditing the Compliance Program.” So, the other week, all of our panelists here, we had a masterclass on auditing the compliance program that was so popular with so many questions from the audience, we decided that we are going to cut a second take, answering some of the other questions we did not get to in our first session. So, I am Matt Kelly, the moderator here. Thank you all for joining us again.

And we have the same great panelists lineup. I’ll run through the lineup right now. We have Eric Young, who is from Guidepost Solutions, Kristy Grant-Hart, from Spark Compliance, Denis Jacob, who is the Chief Audit Executive at GE, and who works on auditing the compliance programs there. And Nick Gallo, from ComplianceLine, the Co-CEO, and sponsor of our sessions here today.

So, thank you all for joining us. Let me pull up our list of questions that we have here. And in fact, here’s a few questions, are kind of along the same lines, I’ll try and pose them, roll them all up into one. “Within our organization, various departments have their own specialized audits specific to federal states, local compliance issues. What is the role of the organization-wide, enterprise-wide compliance program with these departmental audits? And how is that information going to be aggregated together, so that the compliance officer can present that big picture compliance to the board?”

Denis, let me ask you first, since you are the resident auditor on the panel, but then Eric, and Kristy, and Nick, I’d love to hear your thoughts, too. But how do you make sure that people aren’t auditing on their own? And you know, what’s going on?

Denis Jacob: I think it goes back to the why, why you do what you do? Why you’re going through all this work? Why are you doing those audits? I think you need to be very clear the reasoning behind it. So, my preferred reason for doing this kind of audit is just like, how do you know your partner works or it doesn’t? How do you know where the areas for improvement? How do you know you’re still investing in the areas that are relevant and you’re not putting too much work on areas that are not so important?

I think it starts there, and then it goes into the coordination because I think the risk we have with all those multiple audits going on in parallel, we just overload your organization with auditors, and then everybody gets stressed. So, like, understanding risk in a more integrated manner, I think that helps a lot. So coordinating with legal, with compliance, regulatory and other functions within the company, and the business as well, of course, I think we can have a more coordinated approach, and respond to that initial question of why we’re doing what we do. And then when filing, the CCO can present on the status of the program. It’s a bigger picture. It’s not only like, “Well, I have all those elements, I have all those activities,” but how well and how much you how mature is my program?

Matt: Kristy, what do you think? What have you seen along these lines?

Kristy Grant-Hart: So I think it’s really important along the lines that Denis said about why. I think that people confuse program reviews and audits with risk assessments, and they’re not the same thing. So, if we’re doing a program audit, what we’re looking at is the effectiveness of the program, not the effectiveness of the gifts and hospitality program, or that, you know, whether or not we’re meeting GDPR requirements.

We’re looking at how well the policies are being handled, what the training is doing, what our monitoring is saying, right? And that doesn’t follow one law or one local idea, that is following a broader framework. And so, I think if we can see the difference between, I’m specifically looking to see if this one law is being complied with, then we can say this is programmatic, this is whole business.

And that feeds into these other smaller sub-audits, essentially, of compliance areas. But looking at it more holistically, I think that it can inform those other audits because they can teach us what maybe we need to do separately or differently with the specific areas of our seven elements program.

Matt: And, Eric, what do you think because financial services, certainly, I wouldn’t be surprised if there are sub audits going on at various large financial enterprises all the time. So, Eric, what have you seen?

Eric Young: You’re absolutely right. And with Denis and Kristy are absolutely right as well. What I would add is, ultimately, it’s about enterprise risk measurement, and reporting, and making sure that the findings, particularly the methodology, are consistent so that it can roll up apples to apples, so to speak. Second, as Kristy said, it’s measuring the effectiveness of the program because as I said last time, businesses may actually be executing the procedures very precisely, but they may be completely wrong policies not actually addressing the risks and therefore, having the wrong controls.

And then finally, the enterprise holistic view is important because there may be little brush fires that might actually be considered satisfactory rated. But systemic issues, lack of controls in one area might actually be impacting other areas, or maybe just a very common, fragmented systems issue, that might not be an issue today, but could be an emerging problem tomorrow. So, that’s why having the specialist audit and the holistic view is important to have.

Nick: And I would say look for opportunities where there’s overlap from these disparate audits that are happening, right? I mean, whether we like it or not, we’re fighting against this negative view that a lot of people have of ethics, of compliance, of a cost center, the Office of know all that kind of stuff. Well, what opportunities can we shave away? Or in what cases are the same questions being asked across audits where you can maybe collapse those things down to not only get that holistic view but also cut out some of the meaningless or the redundancy that can just, you know, gum up the works?

Matt: So, it’s funny that as I was listening to you all and thinking about this question, I had a very practical concern with this is, my first thought was, “Wow, that’s gonna be an awful lot of little spreadsheets somebody did that they might forget to tell the chief compliance officer.” And I was thinking about completeness and accuracy of the data and, lo and behold, our very next question. Kristy Grant-Hart had mentioned that it was important to have access to all of the data. What happens when that data is extensive and not easy to pull?

The individuals who pull the data use, say SQL or something like that. Should we get somebody with that expertise in the compliance team? Can we rely on IT to pull the data for us? Does compliance not have limitations on what we can ask for? So, that really does, I think, kind of lead into the previous discussion there about, how can you be sure that you, the compliance team, that you’re getting all of the data that you need when you might not have that data expertise in staff? So, what would you do? And Kristy, they flagged you as the person who raised that, so I’ll put it to you first. So what do you think?

Kristy: Excellent. Okay. So, the reason that that comment came out, was it straight from the DOJ statements, right? This isn’t my opinion, this is the prosecutorial opinion of how things will be rated and judged. So, I think that the number one thing is that that expectation is what’s driving this commentary but also how we expect we will be judged.

Now, I do think that there is perhaps a belief may be in the prosecutorial world that compliance officers have a lot more capacities with technology than they perhaps do and that the ability to get data should be kind of universal and beautiful, and we should have this beautiful data lake that we can all, you know, wade into and find the perfect flowers, right? That isn’t realistic. So to a certain degree, we absolutely have to believe in our colleagues and ask them for what we need.

But I think that there’s a really strong ask of the compliance team to know what you need or to at least, like, ask the right questions to get data that is meaningful, because if you don’t do that, they’re gonna get frustrated with you, and you’re gonna get a whole bunch of stuff that’s not meaningful or doesn’t matter.

So, I think the most important thing is to work collaboratively but also to be as lasered as you can on what’s gonna tell me about effectiveness. What can I test? What can I monitor effectively? Can we automate that? Once I’ve asked you for this, is there a report functionality that I can get so that I can see this without you having to do it every month? Trying to get that consistency I think can really help.

Matt: Sure. Denis, what do you think?

Denis: I think, first of all, on the capabilities side, right, I think it’s a must, both for compliance and audit. Like those days, like you have to have those capabilities. Like, you can rely on internal resource, external resource, there’s multiple ways to do it, but I think is a must. Even in my previous position in compliance, I did have a data scientist reporting to me. He got any work really well, particularly monitoring because I don’t code but I understand risk and he understand code.

So it was great partnership and worked really well to develop a number of internal tools. Same thing on the audit side. So I think the capabilities need to exist. Like, it’s coming from the regulator, but I think just how complex companies are today, like, the old methodology of monitoring, auditing with small samples, it doesn’t cut anymore.

Like, you really need to… Even if you’re gonna sample, we need to do smart samples, and that’s where understanding the data. And I think to kind of echo a little bit, like, in what you Kristy was just describing, so, okay, now we have access to the data, what do you do with this, right? Like, you need to understand the data because you may ask for all those things. IT is gonna go through all the work to get it to you.

Now you have it and it looks like it doesn’t mean anything to me. So you really need to be able to interpret what the data is trying to tell you, otherwise, it’s just busy work. So, for me, like, the key point there is the capability that you need to be data fluent in those days.

Eric: Yes, exactly. You don’t need all compliance officers to be data scientists. They need to be data comfortable, because ultimately, and increasingly, the DOJ and the regulators want compliance certifications, which means having the data integrity because how can you certify something if you don’t really know whether the numbers of the data have integrity?

Now, I’ve been trying to get management to invest in the technology now with AI capabilities so that there is a governance risk and compliance capability or tool, GRC. But that’s the Holy Grail, unfortunately, because you need the data from source systems, unstructured data, but now the technology is there. The question is, is the culture there to invest in these technologies?

And then finally, as Denis has pointed out, you need people that know how to govern and control the data going in so that the data coming out is not trash in and trash out. So, there needs to be governance and controls, like a financial statement. That’s really where we’re heading is compliance reporting becoming more, like, financial statements. Because, again, how can you certify if you don’t really know whether the models and the data output the valid information?

Matt: Sure. And, Nick, what do you think?

Nick: Well, I would just kind of dovetail on what Kristy was saying. And I would just add that, I think many times when you’re talking to the data people, if you have dialed in what you’re actually trying to, like, get at, many times they know the data structures better. And I think that collaboration, as Denis kind of alluded to, is really helpful versus you just saying, “Give me this report.”

Well, if you know what you’re trying to test, I’m gonna be able to, like, perhaps get you there quicker, or more efficiently, or save a query that you can update on an ongoing basis, so you can start to, you know, build that data lake or whatever people wanna call it to get a better kind of pulse of how things are moving.

Kristy: Okay, but I can actually hear the compliance officers in most parts screaming about the idea of getting a data scientist or having, you know, like the resources that financial services tend to have, compared to what the one-man band literally managing 150,000 employees with an Excel spreadsheet. Like, this is real, and I think it is a problem. But also, there’s capability gaps, right? And most of us came in out of the law, and there is not that education period.

So, I think perhaps that is like a gap in the market or something like that. But I think that, you know, expectation management in terms of what your average compliance officer at this point from a corporate perspective can do is really pretty limited. And we have to, you know, baby steps into this thing.

Nick: But what I’d like to add… Sorry, go ahead, Eric.

Eric: Sorry, Nick. Not reflecting what Kristy is saying, but she’s hit a critical point is, should compliance officers always be lawyers, and is that a skill set that needs to not necessarily change but evolve? So, we still need lawyers, particularly on the advisory side, but now that the DOJ is saying, “Prove to us that your controls are actually working.” And that’s not a legal skill set, that’s a data skill set. That’s a control skill set.

And that’s where it needs to be compulsory for management to understand that we need the budget as opposed to sticking to that narrow budget and sticking, therefore, with only that small number, because I feel for the non-banking world where it is incredibly small per 100,000 or more employees. That doesn’t work.

Nick: Yeah. And that data dexterity, to your point, is not sort of part and parcel with a lot of these inroads into compliance. And to your point, there’s data everywhere that we have to translate into information to prove efficacy or to, you know, find risks or whatever. And so, short of spending a summer as an investment banking, you know, intern or something, how are you gonna get those skills? Well, if you’re not going to build them yourself, which is probably not that viable, you know, the advice I would give folks is find the people in your organization who know that, right?

Like, there’s somebody in your organization who spent 40 hours a week living in Excel. They spend 40 hours a week for X amount of years, you know, like as a spreadsheet jockey. They’re probably gonna have some pretty quick tricks or some pretty quick things that if you have an actual relationship with them that they can actually help you set up a spreadsheet that’s easy to update, and so forth. But I think the fear of, like, spending some time in a spreadsheet, or, you know, the kind of fallacy that, “I have to know how to do all this stuff myself,” is what causes us to stay stuck in, like, these patterns that are not really that effective.

Eric: And with Robotics and AI, sorry Denis, that’s 40 hours of analytics and actionable steps that could be taken instead of the 40 hours of compiling to that.

Nick: Great point. Great point.

Denis: There was gonna be like one, sometimes people forgot in partnership that we can have with the business, the Brazen’s Agency do a lot of this already. And there’s a lot of, like, compliance and risk insights there. If we don’t have that partnership, we just lose this. And so, there’s a lot of space for us to partner with that group. And the other comment I was gonna make about AI and data as well, there’s a lot of talk about this. Everybody talks about this. And sometimes, a lot of companies used to forget the fundamentals. So, I heard more than one company say, “Well, we wanna have AI, we wanna have dashboard.”

And then you ask a basic question, “Do you have a risk assessment? Do you know what are your top risks?” Because you’re coming in with solution, looking for problems that have, like, a look at what’s the problem you’re trying to address. So, I agree 100% that technology is amazing, and it can do amazing things as long as you know what you need. But a lot of people, they’re just here to buzzword, and they just go for it, but you need to walk those steps before you get to the solution.

Nick: Great point.

Matt: So, we have a couple of questions we got about how the internal audit team can work with the compliance team. So, Denis, again, I’ll put them to you first, and then Eric, and then Kristy. But, for example, one person asking, “Should compliance conducts its own audits if we have an internal audit department?” And then somebody else saying, “If my internal audit department spends most of its time on Sarbanes-Oxley compliance, and most IT internal audit teams, that’s what they have to do to? And if they’re busy with SOX compliance, and say, “This isn’t a key control, I’m not gonna do it.” How do I handle that?”

And yet another question, talking about how internal audit focuses more on operations rather than policies and procedures. But clearly, there’s a lot of people still struggling with how do internal audit and compliance maintain good diplomatic relations as we go through an audit like this. So, Denis, what would you say to these issues? And then Eric, and then Kristy.

Denis: You started with the compliance side, and I think we discussed a little bit earlier about what you’re auditing, right? Are you auditing the program? So, particularly to that question, like, you need to have somebody outside the compliance department, because you have a compliance officer designing a program, it’s easy to have blind spots. And so, you really need to have that audit function helping you to see what you’re not seeing.

So, I think for that, I think internal audit can be a great partner. But internal audit needs to be ready for that. And, unfortunately, most internal audit departments are not there yet. Very few companies invest in dedicated compliance resources today. And if you don’t make those investments, you either are not able to do those audits, and you see in situations, like you just described, either too focused on the operational audits or Sarbanes-Oxley, or other things, because you’re not making those intentional investments in compliance audits.

Or even if you do and you don’t have any investment, the capability, the results are gonna be not great because you have unqualified people trying to audit compliance, which would best create frustration with the compliance officer. So, the way I see it, there’s a need for, like, have this independent function internal audit has a great role to play, but internally, it needs to be equipped to do that in a proper way. You should not go there just by, like, “Well, we’re gonna have great intentions, we’re gonna do it.” But you really need to have the right people able to do those audits, and I think that’s where you can contribute and have that partnership with the CCO.

Matt: Okay. Eric, what do you think?

Eric: Just as I mentioned last time, the dialogue between audit and compliance should be continuous throughout the year, whether there’s an actual field audit or not. Second, the beginning of the year, there should be an understanding of the audit priorities and, therefore, the audit schedule of compliance of that way, not necessarily a Dawn Raid, but instead, a coordinated audit that’s not an open book test, but at the same time, not a surprise because then compliance needs to stay on its toes, do its work.

And then audit and compliance trust each other so that the compliance testing that’s done, which is specialized, focusing less on financial or operational, but regulatory and legal fits hand in glove with the broader audits that audit does. Final point is, audit itself has a limit in size and budget. So, the more there’s coordination, the more of a three-dimensional look at the risks that audit and compliance is looking at. Because oftentimes, audit might not look at a particular area or risk for two or three years, and during those times, compliance could be looking at those risks. So then it’s less of a gap, more of a coordination.

Matt: All right. Eric, I do wanna say I think the idea of internal audit doing a Dawn Raid on compliance would be thrilling. Kristy, what do you say?

Kristy: Okay. Yeah, I heard that internal audit in that company, a couple of those companies are too busy, don’t have the expertise, and are unable to prioritize this, to which I say, they get it, put it in your budget for external. That’s just the answer to this question in those cases, because if they’re all focused on, you know, SOX requirements, and they’re not considering the sort of larger compliance program, you need to have outside experts that come in and do this for you. It’s gonna save you the time of getting your internal auditors up to speed if that’s not really in their bailiwick, and it also will give you better results, frankly.

Matt: All right. And, Nick, do you have any thoughts here?

Nick: Yeah, I mean, just to add on to that, like, who says the internal audit resources that your company has are the appropriate resources for all the auditing activities in the organization? Like, it has nothing to do with… You know, we have to get in the habit of solving for outcome. And to Kristy’s point, you know, use those folks if you can, and if you can’t, there’s a thousand other people out there that can help you get the answers you need that you can use to drive your program forward.

Denis: And we work a lot of recode source. There’s a lot of space to work when you don’t have those capabilities, which could be otters, like, limitations, and geographies, language, and you have emerging risks. Like, we’re talking about the more traditional compliance that a lot of my time is spent on ESG audits as well, which is just emergent. And like…

Nick: They have time for that. You’re saying like that was even around two years ago.

Denis: Not only that time is the kind of like they’re pulling us into it. Like, the requirement of Belgrade holds its closure. So it’s not much of a choice, you have to do it, because if not, you’re just exposing the company to a number of risks that are not the traditional legal risks, adding to Eric’s point about the CCO qualification. We’re going through reputational risk, environment risks, and other things are coming down the pipe, which is just like very, I’m not gonna say unusual, but very new, in both compliance and non, a need to be ready to adjust their risk assessment value.

Nick: The company always has time for the things that are important and they always have money for the things that are important. And we have the ability to raise the importance level of things that are on our to-do list or in our purview, or whatever. But it’s just kind of funny that ESG is such a priority all of a sudden. I’m not saying that it shouldn’t be. I’m just saying that it didn’t even exist X amount of years ago.

Matt: So, we have one more group of questions here that I wanted to put to you all. Actually, I had one question in our original webinar that I never got to was that, if your company acquires a subsidiary, you then go and you audit their compliance program, what would you do with the results if you want to bring that subsidiary’s compliance up to your enterprise-level code? That was my original question.

And now, lo and behold, we have somebody else here asking something very similar. “I’m in an organization that is newly developing an enterprise-wide compliance program. There are existing departmental compliance programs around what are the best practices for integrating those departmental programs into one organizational enterprise-wide compliance program?” Kristy, let me start with you, and then Eric, and Denis. But, you know, if you’ve got a particular program, a subset that needs some extra love and attention and oomph to bring it up, what would you recommend there?

Kristy: So, I think that an audit or program review of some sort is absolutely required, because you can really, really see where those gaps are. We find that most compliance programs where there is a group-wide approach to it are more successful than those that have very independent, allowing for too much differentiation. So, I think coming at it with, “We are looking at this as to how to bring you into the greater group fold, even if there’s resistance to that, I think that ultimately, it’s for the efficacy of the program and for the efficiency of running it.”

So, looking at that from a gap analysis perspective, and perhaps a risk assessment perspective as to where to focus your attention as you do that integration, I think that those two activities together can be really helpful in creating a joint plan where you say, “Look, this is where we see your risk. This is what the vision is. Can we get you on board with that vision? And here, can we co-plan how to get there together?” I think that can be pretty effective.

Matt: Eric, what do you think?

Eric: Ultimately, it always boils down to people’s process and systems. And I like the way you’ve positioned the questions because part of it is external M&A, let’s call it over the DOJ. And the SEC certainly have a lot of focus to make sure that whatever is bought or merged is ultimately integrated into the broader enterprise perfectly for the higher risk issues like FCPA, privacy, etc.

Second, whether it’s internal integration or external integration, it boils down to the culture of the organization. I’ve been in organizations where the acquired entity or the acquired division, and sub-driving the culture, the wrong culture, and it stays federated, as opposed to enterprise-wide. So, if it’s an M&A, the due diligence before the close, and the deal is critical to understand these types of cultures, and the people, and the technology, and the processes, but to look at this in a three-dimensional way.

On the internal, it’s understanding how things work in an organization, especially if it’s federated. Is that the model that you want, and where do you have duplication? And therefore, often gaps in people processes and technologies. That exercise is so important, and ultimately, you’ll probably end up with less people, or more skilled people, ultimately, better systems and processes. So, it’s the hybrid, but ultimately, you need to have the best of both combined organizations.

Matt: You know, Eric, one thought that comes to mind, something you had mentioned earlier, the Justice Department’s relatively new idea that maybe they will have compliance officers start certifying the effectiveness of their compliance programs. I’ve remained skeptical that that is a practical thing. I don’t know that it’s going to happen but if it does, and you have to start certifying to a federated program, that seems like a highly risky proposition for a chief compliance officer.

Eric: Absolutely.

Nick: A lot of chief compliance officer jobs may be opening up soon.

Matt: You can have a webinar just on that idea.

Nick: Totally. It’s a good idea.

Matt: Eric, what do you think there about how to unify some of the compliance programs, subsets that you might be looking at, or you found an errant area that needs to be brought up to code? You know, what have you seen that works? Well, what have you not seen, Denis?

Eric: So, from a compliance point of view, it’s centralizing the budget, having singular authority over what was federated compliance officers. Now, that’s the end still, it will take time, culturally, and otherwise, to get to that point, but that’s why understanding who does what, and then streamlining, and ending up with less, but better skills, definitely, we’ll get there.

But the budget being centralized, and on the financial side, it’s pretty explicit that that’s expected by the regulators to ensure compliance and less conflicts. And then, finally, whoever is in the business that does compliance-like roles, we’ve changed titles so that they no longer have that compliance but instead a control liaison title, because it eliminates the confusion as to who’s really a “real compliance officer” as opposed to a control person that helps compliance.

Matt: Interesting. And Denis, what do you say? And then, Nick, I’ll let you have the last word.

Denis: So the previous topic on the M&A topic are the potential M&A, I think that’s where audit can be used as a great diagnostic tool, right? So, you’d have those two different cultures. You can use audit. You don’t necessarily have to do a traditional audit but you can be on the advisory side of audit, which with all the independence and needs to be, but you can work on that and create a roadmap of what needs to be improved to be actually a harmonized program there.

And the other thing that based on my experience on those M&A situations, is not forget like the broader integration activities, because sometimes we look into the compliance programs, but the business is also integrating. So, like, the other coordination we need to have, like, how this is gonna look like? Are we gonna merge those entities? In what way? What happens in the geographies?

How leadership is gonna be organized? How all those things are gonna be addressed through employee’s standpoint, because to Eric’s point, you have, like, culture is like mixing now, and you can understand how this is gonna be navigated. You may think you’re gonna make some decisions, they’re not gonna be applicable in the near future. Like, it’s not uncommon to see M&As that company acquires the otter and takes part in divesting to other parts.

So there’s a lot of those moving parts, you need to know, particularly on a more transactional level, are you gonna run due diligence in all those third parties that you just acquire? Or maybe we’re gonna get rid of some of them. Like, are you gonna spend all that money and time? Maybe you decide how to prioritize your work. Or maybe an entire section of that organization is not gonna stay. And then maybe you don’t have to spend as much time there and you focus in somewhere else. So I think that’s kind of like one of the uses for internal audit on that context of compliance integration.

Eric: If I may add one real example. Because what we’re describing in many ways, has been theoretical, which is important. And if you can imagine an acquisition of a company in the middle of the Russia-Ukraine sanctions, you have got supply chain and culture, an international company can’t afford to make any mistakes in whatever stage of the integration or acquisition because that will haunt the company later. So, it’s just to drive home the reality of what we’re describing here.

Matt: And, Nick, any other final thoughts about this issue?

Nick: I don’t really have much to add here. So, sorry about that. We’ll cut this short. We’ll cut this part out.

Matt: Those were all of the questions that we had, although there were one or two extras about the ROI of compliance programs. And those of you who are interested in that, stay tuned because our masterclass on Thursday, April 28th, will in fact be about demonstrating the ROI of compliance. So, if you are interested…

Nick: I love it. Take my favorite topic. Yeah.

Matt: …be sure to tune in. Yes, Nick is already ready to go for that. But we will have that coming up at the end of this month in April. So, everybody who has come back for extra duty here, Kristy Grant-Hart, Eric Young, Denis Jacob, thank you all very much, Nick Gallo, for sponsoring it. And that’s all we have for you. So thank you all for listening again.

Kristy: Thank you so much. Bye.