Transcript for Auditing the Compliance Program, Part 1
Matt Kelly: So, Nick, you want me to kick things off, or do you wanna give everybody…?
Nick Gallo: Yeah, kick it off, kick it off. Let’s get the famous Matt Kelly kick-off here.
Matt: Well, I appreciate that. Thank you to everybody who is joining us today for this ComplianceLine Masterclass. I am your host for the hour, Matt Kelly, and we are here with some great panelists to talk about how to audit a compliance program. So first let me just tell you who is on our masterclass panel right now. We have Eric Young, who is a managing advisor at Guidepost Solutions. And Eric has been in compliance for many, many years. He previously worked in banking circles for a long time. He has done independent consulting. But, Eric, hello, and thank you for joining us today.
Eric Young: Thank you very much. Glad to be here. Looking forward to it.
Matt: Also joining us is Denis Jacob. He is the Chief Audit Executive at GE. And, you know, Denis, I know that you do work a lot on ESG issues. You work a lot on compliance issues. You have the internal audit expertise. I’m not sure where else within the GE empire you work on, but I know that you do have a lot of expertise specifically around internal audit and compliance, so we’re looking forward to that as well. And Denis, thank you.
Denis Jacob: Thank you. Thank you. Glad to be here.
Matt: We are missing one panelist for the time being who is running late, but that is…
Nick: Surprise, she’s here.
Matt: Oh, she is here?
Eric: She is here. Yes.
Kristy Grant-Hart: Hi.
Matt: Perfect. Kristy. Kristy Grant-Hart is joining us. Thank you, Kristy. You’re just on time. Kristy is a longtime compliance officer in the U.S. and in London. And then for the last several years now has been running her own compliance consulting business, Spark Compliance. And Kristy, I know, is one of the most passionate people about all of this as well. So, Kristy, thank you for being here.
Kristy: My pleasure. Thanks, Matt.
Matt: And then we have Nick Gallo, the co-CEO of ComplianceLine who is going to be also running point and chipping in with his thoughts and probably helping out with a lot of comments and questions that we might have because I know we have a large number of participants here today. We always encourage a lot of comments from the audience. So if you do have any comments you wanna make, you can chime right in with that comment function on your screen. If you have questions, you can submit those. We will set aside some time at the end for questions, but if anybody asks something that’s especially relevant and on point right away, we might just try and take those on the fly as well. So the more attendees want to chime in with your views and your questions and comments about audit and compliance programs the better. Please speak up.
But before we dive in, let me just give a rough outline of what we had wanted to talk about here. We had a couple of big themes that we’re gonna try and cover for you all. First is just how one gets started with auditing the compliance program. How do you set the scope for it? Who do you actually have do it? Is that something that the internal audit function does? What if you do not have an internal audit function, who else might do it? What can or cannot be done and how do you plan out an audit of the compliance program so that it’s done quickly and smartly?
Second, some talk about how you would actually do the audits. Okay, the scope has been set, how long does it take? What are the actual procedures that happen? Who talks to whom? Who gathers what evidence? And then third, wanted to talk a bit more about after the audit, what do you do with the findings? How do you present them to the board? Who presents them to the board? Is that the compliance officer? Is it somebody else? Is it an auditor? What if there is another external auditor who might be looking at your compliance program? How do you use your audit to talk to an external audit person? What else can you do to incorporate the findings and to remediate your program?
It’s funny that we are talking about this now because just earlier today, I was writing about a big speech from a senior justice department person talking about what they’re looking for in an effective compliance program. And he talked at length about testing the program, making sure that the program is being reviewed every now and then, you know, really a lot that is about the importance of audits. And that is what the justice department will be looking for. It’s what they’re gonna be asking for if you are in a resolution with them and they’ll want to see what is going on.
So we’re looking to cover all of that. I am going to chime in first with a question. I guess I’ll put it to Eric first, and then Kristy and Denis. Just refresh our memories here. Like, why is it so important to audit the compliance program? Because nobody doubts that we have to do it. Everybody is, “Oh, yeah, it’s super important. We’re all talking about it,” but like, Eric, why are we actually doing this? You know, how much is it regulatory demand? How much is it just good practice? What other motivations do we have? What do you think?
Eric: So all of the above. And it presumes that the Three Lines of Defense model still works and works well. It’s always important for the first-line businesses to self-identify, to follow the right procedures and policies. It’s always important for the second-line risk and compliance program to test that the businesses are, in fact, following the procedures, that they’re doing things right, so to speak. Assuming that the compliance program itself is effective, including the content of the policies, the training, the risk assessment process. But the third line of defense, the auditors, need to check to see whether the program itself makes sense.
So while the businesses are doing the right thing by doing things right by following procedures, are they the right procedures? And that’s where audit comes in. They need to look at compliance to make sure that the overall framework of the compliance program works. And last point, and Nick knows I’m a big visual metaphor person is if compliance is the fireplace of a house and the inspector looks at the fireplace to make sure it’s clean and strong, but the rest of the house burns down, oftentimes that’s all you see that’s left. So audit is critical to look at the plumbing, the wiring, the electrical, the foundation, if you will, to make sure that the overall controls including compliance are effective.
Matt: Okay. Kristy, what do you think?
Nick: Love that.
Matt: Oh, Nick, did you have a comment there?
Nick: Yeah. I just loved that metaphor of a burned-out house with this really kind of intact compliance program still standing there. It’s very great.
Matt: It is good. Kristy, what do you think about this? And then, Denis, what do you have to say as well?
Kristy: I would say blind spots. I think when we’re in the minutia of this all day, every day, looking at it, I think that we’re subject to blind spots that we can’t see. And I think the other thing is a lot of times people know what’s wrong with their program or what isn’t working, but acknowledging that and having to fix it is scary. So I think that audit findings can actually benefit the program in some ways, by saying, “Look, you know, this is where you can be better,” and that’s beneficial to everybody.
Denis: And not to repeat my colleagues, there are two things I wanted to add. I think the first one is to measure. How do you know the fact that you can never test, like, you just assume, and you know, in this area, assuming is very problematic? The second one I wanna mention, like, a compliance program sometimes is developed as a point in time. Like, but the business is not like that. We evolve. Things change. We acquire companies. We divest companies, the geopolitical situation changes. We launch new products and services. We change commercial models. And if you assume that the compliance program you put in place three years ago is still effective now and you don’t test it, you may be in trouble. So those are the two things I wanted to add.
Matt: And, you know, Denis, let me start with you again for the next question I had was, okay, we have good reason to audit the program and that is a message that compliance officers hear all the time. A company’s good at this. Like, do internal auditors know what they should be looking at for an effective compliance program, or do other parts of the enterprise, you know, do they struggle with what might be involved in an audit? In your experience, how painful of a process could this be, or what have you seen?
Denis: Oh, that’s a great question. Actually, it’s hard to say what is good and bad. Like, what I can tell based on my own experience, that’s probably the least mature element of an effective compliance program. So we’ve seen companies that have a lot of money in policies and procedures and training, due diligence. When you get to monitoring, auditing, there’s a lot of, like, “Well, we’re still working on it.” So we hear a lot of those things. I think that that’s how I would describe… And then who does it, right? Like, I think you got to the point, like, what kind of knowledge do auditors have in compliance to be able to execute those audits? And that’s one of my key topics, like, I’m gonna keep talking about this, how much we need to train auditors not to be necessarily only financial auditors, but to expand their scope and to be aware of this.
Because one of my concerns about this is the particularly false sense of security that people go there and they say, we audit this, or we’re good, no rest there. And then you may have people auditing, let’s say accounts payable or, like, T&E or things like that. So, well, I saw there’s a PO, there’s a contract, there’s this, and then you just didn’t see… You just paid a bribe supported by documentation because the auditor’s not equipped to identify this kind of thing. So I think there’s a lot of work to be done. I think companies are still starting to invest on dedicated and specialized resource for this, but I think I’m optimistic. I think that the trend is going in the right direction, but there’s still work to be done.
Nick: And what I’ve seen is that a lot of internal auditors they’re really trained in, you know, audit principles and audit techniques, but they might not know… Right? If you’re kind of a utility player from an audit perspective, or maybe you came from, like, Big Four accounting as a financial statement auditor, and now you’re in this more procedural, operational audit internally within an organization, they many times don’t understand the real nuance of a compliance program. And what I would say is try to get some of that nuance, perhaps even from an outside third party or an S&E, from folks in the ethics and compliance community as an auditor coming in to not only make sure that, like, you have that independence, but also to help sell as an auditor that, okay, I understand you, person being audited compliance program, whatever what some of these nuances are. And I think some of that stuff can be pulled forward in the planning phase. It might seem like a little bit of extra effort, but I think it probably saves a ton of time over the long run and probably increases the effectiveness maybe tenfold.
Denis: Absolutely. Just that one comment, going back to what Eric mentioned at the beginning about the three lines of defense, I think to respond to your question as well, Matt, how good auditing is, like, we need to ask how good monitoring is on the second line.
Nick: It’s a great point.
Denis: Because those two things go hand in hand. Like, sometimes people ask me as well, “How big does it need to be my audit department to audit this?” And my question, normally is another question like, “How good is your second line of defense?” So I think those two things, they have to work hand in hand.
Eric: And I would just add if I may, sorry, Matt is…
Matt: Go right ahead, Eric. Yeah.
Eric: …most of my career’s been on the financial services side where the expectation is that front-to-end compliance program working, particularly to Denis’ point around monitoring, testing, and reporting by compliance. But if audit does not check to see whether compliance is effectively monitoring, testing, and reporting, then that’s what gets all firms in all industries in trouble. Because oftentimes, particularly in the industrial and non-bank side, they think they’re done when policies, procedures, and training are perfect, but they can’t prove that it’s actually working. And that’s, if you look at the… guidelines and evaluation of corporate compliance programs, which we’ll talk about later, the third question is, is it really working?
Matt: Kristy, what do you think about that? Because you do work with a lot of companies, you know, outside of financial services where I do kind of wonder whether financial services, at least they have a more sophisticated sense of things. It’s more challenging for them. They’re more regulated. But over in your neck of the woods, what do you see about how… like, are companies struggling with this? Are they good at it? Do they really understand what they should be doing here?
Kristy: So I was gonna immediately say financial services is such a different beast than corporate compliances. And I think our clients absolutely struggle with this. You know, when we do compliance program evaluations or audits, depending on the way that they wanna come at it, what we see is if we use the words monitoring and auditing frequently, they go, “I don’t even know what that is,” or, “Internal audit isn’t doing this,” or “Yeah, I don’t even understand what you’re talking about.” So I think that the sophistication certainly in the non-financial services market is very, very much lacking. And I know we’re gonna move on to scope here, and I would like to say, you know, auditing against what is the biggest, the number one problem. What are you auditing against when you’re looking at this? Are you auditing against the plan? Are you auditing against the 7 Elements? You know, what are you looking at?
And I think that internal audit is frequently ill-equipped for this. And I do believe that outside help, whether it’s training someone on what that should look like or whether it’s having an external expert come in, it’s really important because one of the things that we see all the time, we’re actually sometimes brought in to challenge internal audit findings because they’re not consistent with a risk-based approach. They’re not consistent. You know, we wanna stamp out all risk. We wanna stop, you know, this third party had a red flag and you approved it. Well, yeah, we looked at the risk-based approach, added mitigation, and said it was okay. And that doesn’t sit well with a lot of auditors. So I think that you really need that expertise in place in order to get valuable findings that can really be used by the business.
Nick: Well, I mean, so much time is spent talking about the what, and not getting down to the why, which is one of the first things. And I can say this because I’m a CPA, but that’s the first thing you learn as a CPA when you’re coming in to do a financial audit. Why is this business, you know, in the business that they’re in? What are the risk areas we should be looking for? Because you’re not just gonna check every single thing obviously, but it’s almost like sometimes, no offense to anybody, but, like, when somebody steps into a business and as an internal person coming to audit a program, as nuanced as an ethics and compliance program, they forget that why thing because it’s like, “Okay, I just have to start checking things.” But again, pausing for a second, understanding some of that nuance, whether it’s from outside help, it just helps you understand, well, why are we doing this? What are we actually looking for? And where are those risk areas that are gonna help explain why maybe a certain control I would expect to see from a blog I’ve read isn’t in place here? Maybe it’s not even, you know, applicable or something.
Eric: And how? That’s where the monitoring comes in is how do you show that you’re actually doing it well?
Matt: Well, I still wanna get back to Kristy’s question there, the point you raised that, what are we auditing against? At least in financial services or in a financial statement audit, you have accounting principles. That’s fine. We get that. But, so what would the answer be? Is it against the seven elements? Is it against an ISO standard, which I know some companies do, especially outside the U.S.? But, you know, the justice department never really is that clear on this is the thing that you can use and you can just go down this list for an audit. They don’t say that. So what’s the answer for that question? What do we audit against? Kristy, I’ll let you go first, and then Eric and Denis. But what’s the answer?
Kristy: I think that it depends on what the company is and what they’re looking for. I think that it’s sometimes beneficial to actually look at one part of it. So whether you’re looking at like the third-party due diligence program, are people who are supposed to be in scope going through it? You can test for that. Do we have all the documentation within your technology system that supports clearing red flags? Have we got a proper audit trail from those things? I think the more you can narrow to things you can actually test, the better. But that can be challenging if you’re talking about things like culture. Auditing culture, good luck with that. I don’t know how you do it other than to understand, you know, from the testing I suppose, is looking at, you know, one year compared to the next in surveys and things. But when you’re talking about things as loose as that, it’s really difficult. I think going toward things like gifts and hospitality policies and compliance with those, seeing documentation for those types of things is a lot easier than some of the other areas.
Matt: Yeah. Eric, what do you think?
Eric: So leveraging off of what Kristy is saying, I’d like to say there’s two and a half reasons. One is having an inventory of laws and regulations in which the corporation, the division, the business, even at the product level, you need to know what the rules are to stay in compliance. And I always talk about a Rubik’s Cube because it really is that complex in a particularly large corporation, but even a small corporation where, one, people have to know what the rules are. And in order to do that, there needs to be an inventory, a change management process as the rules change all the time, just like Denis said, products change all the time internally, risks, therefore, change all the time. And that’s where the risk assessment for compliance comes in to prioritize in a methodical, written way that not only regulators will look at, but so should the board. So should management and compliance as to what does good look like? What’s the most important risk in terms of severity and likelihood? And then do we have the controls? And it needs to be that methodical process. And then that way, at the corporate level, the division level, even at the product level, we know what’s high and what’s high risk residually and then what and how to allocate your budget to address them.
Denis: And I like the question because I think the question reflects a level of maturity of a young program. So a lot of people who ask those questions, they’re not familiar with compliance audits, because that’s more like a concept coming from, like, the traditional financial audits. They’re auditing against the control, against the policy. And that for me is more like when you’re auditing the execution of a program, but then you’re not auditing the design of the program. And that’s where we need to go back to the risk-based approach.
And as Eric mentioned, the risk assessment drives that conversation. But a lot of this conversation, well, what policy are you auditing is maybe you don’t have a policy and, like, maybe you don’t have a procedure in place. So, like, you need to go back all the way to why you’re auditing this…the scope, which Kristy mentioned, culture audits, more reputational audits, and more nuance as Nick mentioned as well. So this is not, like, a procedure 1, 2, 3 most probably they have to do A, B, C like that. That’s a different kind of audit that we’re talking here. Like, here, we need to talk about how do you address this risk more comprehensively.
Nick: And not to get too meta here, but, like, it’s always good to try to see around the curve and see what…you know, Matt, you alluded to something this morning, you know what’s kind of top of mind, you know what’s gonna likely be coming down the pike. And, like, at a very high level, everybody’s talking about effectiveness now. So, like, our audits also need to be looking at overall effectiveness, right? So, you know, just getting the false sense of security by saying how many calls came into the hotline last year, that doesn’t matter. Right? What actually matters is, were those effectively handled? How were those cases closed? Just to use one sort of easily identifiable data point that people may hold onto without really looking, taking that next sort of effectiveness step forward to say like, well, why does that matter?
Matt: You know, Denis, you’ve brought up a great point there where you said companies might audit against execution. How many of these transactions match the policy, but that is not the same as auditing design. Does this policy actually make sense?
Nick: Great point.
Matt: And I keep thinking about that because the post I was writing earlier today and I’ll get it up later on this week was of the assistant attorney general talking about what makes for an effective compliance program and how they evaluate it. The very first thing he said was, “We want to see that it is reasonably designed.” Like, that’s where he focused. And when he made a lot of waves talking about, “I might have compliance officers certify that the program is effective and reasonably designed.” And that’s the part where I start to get a little skittish that, do we know how to look at these risks, take a risk-based approach? And then you say, therefore, this is the reasonable design, but that’s where you’re gonna live and die with the justice department, not necessarily the execution of it.
Nick: Interesting point.
Kristy: Okay. So this is why we need auditors that have specialized understanding because if I’m the compliance… So I come at this as a former chief compliance officer and somebody who deals with those people every day. If I’ve got audit second-guessing my design that’s really dangerous in my opinion. So we need to be very careful about how we are working with audit and making sure they have the expertise to evaluate that. Because that to me is where we really struggle. If they don’t have those expertise, second-guessing how my policy is created can be really problematic.
Matt: Yeah. We have one interesting comment from a listener here, “Compliance committees involving audit, legal, HR, operations, they can help to get teams aligned in terms of what to audit against and then embed that into the overall risk assessment process.” So, I mean, I think that’s very good that if you do have an in-house compliance or risk committee of some kind, they’ll certainly provide a lot of help there.
I did wanna move on also to another kind of nuts and bolts question here is so who does the audit? And especially if your company doesn’t have an internal audit function, should you absolutely outsource that? Do you really need to? Is there somebody else outside of compliance, but who isn’t an auditor, but who could actually pull that off? I don’t necessarily know. You know, Kristy, I’ll ask you first, you know, what do you see there about who does this? And then Eric and Denis, like, who should be the one who’s doing the work?
Kristy: So we see a couple of things. If you don’t have an internal audit department, obviously this is challenging. We have our practice. So we’re brought in all the time to do this kind of work. And I see a lot of program essentially self-assessments where they do use the DOJ guidelines in particular to say, which of these things do we have in place, which do we not to try to get granularity there. And there are some things that you can test, especially things like, you know, do I have access to all data is a question that I can ask myself and see if I don’t. And if there’s a gap there, then I can essentially create a finding that I need to have that potential. But you’re grading your own homework at that point, which is, of course, against audit principles. Right? So I think that having an external-facing person with some expertise is actually really beneficial in that case if you don’t have an internal audit function or one that is well-equipped to do this kind of review.
Nick: Great point.
Matt: Eric, Denis, any thought about, you know, who else can do this or who should do it?
Eric: I would add that it depends on the size and maturity of the particular company, a startup versus medium versus the multinational. That’s one. Second is, it’s okay depending on the maturity to outsource, but as the company grows, then it should be evolutionary as well in terms of co-sourcing because the internal audit function, the compliance function should also be growing, not only in terms of size, but also skill sets exactly as Kristy said because otherwise, you lose that knowledge every time the consultant or the outside firm leaves, but more importantly, you lose that consistency as well. And finally, the question is why is the audit department small? Why is compliance small? And it boils down to budget, culture of the organization. So these are all questions that need to be answered as a firm grows.
Denis: And alternatively, like, you can always get creative, right? You can always use some people from finance and other internal departments.
Denis: Not the ideal situation, but there’s always ways to work in a mix. Like, you can rely on some of those internal resources under the guidance of an external expert that can help to drive you in the right direction. There’s a lot of ways to mix this. And I think I really like what Eric just mentioned about the evolution of your program, your audit, the function because not only, like, the expertise in the business acumen you develop, but the possibility for integrated audits. Like, it is so hard to operate in a silo and to operate on a standalone basis. So, like, we do audits, like, with cyber folks, we do audits with finance, like, and we see a lot of benefit. Like, especially when we’re dealing with topics like privacy, so hard for compliance not to work with cyber. So that’s a perfect combination. We do some audits, like, around improper payments where finance is our great partner. So there’s a lot of benefits of having this in-house capability, but I think we’re still in the early days of that, and hopefully, we’re gonna see more companies emphasizing this topic.
Nick: Can I just add one thing, sorry? To that point, like, we have to get creative. Like, you probably audit your own, I get the independence thing and all of that, and you need an outside party, or you need an independent party to come in and audit something, but, like, you audit your own credit card statement every month to make sure that there’s not, like, some bad things going on there. If we’re trying to solve for effectiveness to Denis’s point, you can either put on your own independence hat and just start auditing some things and making sure that things are going the way that you expect. Don’t let the lack of internal resources or the lack of budget to get an external firm to come in to prevent you from checking your oil, so to speak. You know what I’m saying?
Matt: Denis, let me put this question to you since you’re the auditor on the panel. What would you recommend to make sure that there are good diplomatic relations between audit and the compliance function either while you’re setting the scope? I don’t know if disagreements about the scope ever come up, and even when the audit begins when it’s happening.
Nick: Great question. It’s a great question.
Matt: How do you make sure that… you know, I get that audit must be independent, but that doesn’t necessarily mean people have to be ready to clobber each other. How do you ensure that things are clear and things are gonna move forward productively?
Denis: Wow. Start with not easy, right? Like, that’s not an easy answer to that. I would say communication and transparency are probably the key topics here, like, on both sides. Like, audit cannot do a decent job if compliance is not upfront about, like, where we may or may not be working. And also a starting point, that’s always, oh, I always mention monitoring. We don’t start out of the loop. Like, the planning of an audit, we wanna know what you’re doing now. What kind of controls do you have in place? So all that communication has to happen. And in the course of the audit, like, how do we frame the audit? How do you scope the audit? How do you execute the audit? But, like, we don’t forget the independence because it could be quite uncomfortable for CCOs when you have, like, a compliance auditor asking questions about the program design, like, and you really have to have a very strong base to be able to do this.
So it’s a relationship that’s new. So I think, like, a CFO is way more used to this than a CCO because we’ve been in the last maybe 10, 12 years developing, implementing programs. Now we’re talking about effectiveness and checking those programs work for real. So the CCOs for the first time are getting those questions, like, “Wait a second, is this the right design for this? Are you missing things here?” So there’s gonna be some awkwardness there, some tension which is natural, but I think credibility, it’s very important about that transparency and that agreement about, look, I’m not gonna go like behind your back. I’m not trying to actually have a gotcha kind of audit here, really trying to improve the process. If we’re gonna work together, how do we improve our risk environment for the company together and not, like, a one against the other?
So we try to remove this. It’s easier said than done to be very honest. Like, there’s always, like, the personal styles and things like that. But, like, that’s where at least we work on and typically work well. But there’s a journey, right? Like, once people start getting more used to it, the tension reduces naturally.
Eric: It’s kind of…
Denis: And the CCO is not the only one, like, to just, like, to finish, have the CCO, but you have the general counsel, you have finance as well because you’ll raise an audit observation, compliance audit, you’re touching all this. Like, you may be talking about compliance process, but maybe talking about a financial process or maybe the legal process or even HR process. So there’s a lot of coordination and the CCO is a very important one, but not the only one.
Matt: Eric, what do you think, and then Kristy? You know, but how would you assure that the relations between compliance and audit are productive throughout this experience?
Eric: It’s a continuous dialogue throughout the year. So this way it’s not a surprise, even the scheduling of an audit shouldn’t be a surprise because audit often comes to the CCO and other functions to help plan the audit. As a CCO, I used to also design my program comparable to an audit program because same attributes, risk assessment, prioritizing, coming up with a compliance plan as opposed to an audit plan, and bouncing it off audit. And then finally, I would encourage really tough audits because that’s good for us, good for the firm so long as audit is fair. So tough but fair. Because then with that continuous dialogue, we know the issues are real. They’ll validate the facts with us before it ends up in writing or an audit report, but that’s where that trust through continuous dialogue is important.
Nick: Well, and you slipped something really smart into there by saying, and I bounced that against audit. So if they can get a look at what they’re gonna be auditing and they can “weigh in” on it, I mean, at some level, this is a persuasion game, right? You wanna keep that good collaborative dialogue going. And if you can do some pre-work for that to help ensure that it doesn’t get super contentious when they’re in there. And also you don’t feel like you’re getting, like, judged, so to speak, any of that prework you can do always ends up paying dividends in the long run.
Eric: Not only does that compromise their independence either.
Nick: Of course, yes. Right.
Denis: But not only prework, there’s areas outside the audit project we collaborate. Like, data analytics is a good one. So, like, we fish from the same pond. So, like, we develop analytics together and then we use this for different reasons. So that collaboration needs to exist, it’s not only in the audit project but outside as well, as two risk management functions.
Kristy: Okay. Thanks. So I think that I’m gonna take this from the CCO perspective that there’s a couple of mental things you need to do. And the first one is to decide against defensiveness in the very beginning because here’s the benefit, you need to think about your benefits. There’s a couple of them. The first one is remembering the why is to make it better, but from a very selfish perspective, if I come up with a nasty, like, you need more…essentially, if I come up with nasty audit findings, well, guess what? We have a problem. I need more resources, right? My technology isn’t what it needs to be. I need better resources for that. I’m overwhelmed and don’t have enough people to manage all of these controls. I need more resources.
And I think sometimes, you know, for many of our clients, audit findings are driving their engagement with us because they can’t do everything the auditor says in-house, or they’re getting technology because the audit finding was this is a major control failure. We need better controls. And I say, “Right, good. I totally agree with you. Here’s my software solution.” Right? So I think if you can come at it with what the benefit can be and to choose not to be defensive, which is a choice, then it can be really beneficial.
Matt: I think that’s an excellent point. And I know, Kristy, you’ve talked often about how compliance officers, you go off the rails when you get pulled into so many small little detail fires, and then you never get a chance to sit back and say, “This is the big goal and, board, this is why we need to be able to, you know, have more money. I need more staff to achieve this.” And I mean, you’ve literally written a book about how people can accidentally sideline themselves on that. So I think it’s an excellent point. Let me ask, how long would an audit of the compliance program take? And I know that’s a very open-ended question. Denis, how would you define that, or how would you get a sense of how long an audit would take, and how do you communicate that to the auditees, the recipients of the audit?
Denis: Well, I’m not a lawyer, but a lawyer and it depends. Right?
Matt: A good lawyer allegiance.
Nick: You’re on your way. Yeah, you’re on your way.
Denis: So I’ve been surrounded by lawyers enough, like, so if you’re gonna do a full audit program, that’s gonna be a long one. And it depends. If you wanna do a full assessment of your program, that’s a more-than-a-month-long kind of project. What I do and what I’d like to do as part of, like, the regular compliance audits, I like to do, like, a shorter engagement. We’re talking about, like, on the fieldwork, like, two to three weeks, but like on the scope that is well-defined, with a geography that’s well-defined, but that’s one kind of audit. You can do larger ones. Like, it depends on the size of your organization, but, like, if we’re a multimillion-dollar organization, if you say I’m gonna audit your third-party program globally, that may take over a year because, like, you have so many geographies and so many differences and nuance.
So I like to break this into smaller pieces because you have more actionable results out of this. You always tie back to the larger program. And one thing that I was gonna comment as well, sometimes you need to extrapolate those findings. And that’s where the work with the CCO is very helpful because you may be auditing a certain geography and you realize that finding is not related to the geography itself, it’s the program design, or the problem in that geography may be the same in others. So that’s some of that that’s helpful.
But I really don’t have a precise answer to how long, because it depends on the scope. But, like, I would not recommend doing audits that are way too long because, like, you become this never-ending project, you never really improve. So, like, I prefer, like, a smaller, more well-defined scope and geographies where you can improve and move on to the next and you keep improving it almost like as a cycle. So, like, a month, two months. Like, more than that starts to become a little bit of a problem.
Eric: And again, it’s driven by the audit’s risk assessment of the particular department in which there’s high compliance risk. It can be more efficient also depending on the principle of reliance, in which audit can rely on the first lines and the second lines, including compliance’s self-identified issues. Now sometimes audit ends up making them their findings, which is a whole different discussion.
Denis: It doesn’t help for credibility, right?
Eric: Right. But that can make it more efficient. The last point is audits are continuous. So there may be component audits and audit reports, but depending on the risk, they should be one-year cycles, two-year cycles, three-year cycles.
Matt: You know, Denis brought up a good point that Eric, I’ll ask your thoughts and then Kristy as well about extrapolating some of the findings. We were looking at this small thing here, but now that we found this, maybe it has implications across all of this. I guess number one, how often do you see that happen and how do you as a compliance officer handle it? When I guess maybe, you know, you’ve got a very specific and precise audit, but you get a result back where you’re like, “Oh crap. That means A, B, C, D, and E are also gonna happen. Now I’ve gotta communicate that with the board, the general counsel.” Like, how often does it happen? How do you handle it? Eric, I’ll start with you, and then, Kristy, I’d love to hear your thoughts as well.
Eric: Sure. Hopefully, audit doesn’t find the tip of the iceberg before we do or before the business does. And that’s where the three lines are important, including self-identification. Second, it’s absolutely important to ask, could it happen elsewhere, whether it’s an event that happened outside the company or an issue that should be looked at as a potential symptomatic issue? So we need to look at root causes. And so by the time audit looks at it and regulators look at it including justice because they ask those very same questions. What’s the lesson learned? Two, could it happen elsewhere, even if it’s a different region, product, client base? But those questions need to be asked and in writing hopefully answered in some form or another.
Matt: All right.
Nick: Yeah. And then hopefully, you know, drafts of the reports are shared either to legal or to compliance before some legal conclusion is sort of etched in stone or something like that because maybe there’s an explanation about it or maybe there’s… We don’t wanna open up, like, undue liability for the organization when something is popping out. You know what I mean?
Matt: Kristy, what do you think? Or what have you seen with audits that suddenly suggest there’s more auditing or more testing or more issues that have to be explored?
Kristy: Right. So I think that the first thing is looking at what the structure of your program is. So we’ve seen clients that have very, what they describe as federated programs or where there’s a lot of local control and a lot of local variation. And I think you need to look at your program and say, okay, if there is a lot of local variation and we allow for the leaders in the different organizations to really manage themselves or manage their program, I think we have a lot better sense of whether or not we need to do a broader investigation because if you found something in Thailand that’s a mess, that’s a control problem, if you know that everybody’s doing it their own way, you really need to go ask everybody what they’re doing, how they’re doing it. Can I see your policy? Can we do some testing on this? Whereas if you have more of a global program or one that has a lot more control, center control, I think that you’re less likely to find something like that. So I think it’s really checking on how you’re structured and what that would mean.
Matt: Now, we’ve only got about 20 more minutes and I wanted to save time for some questions, which we have a ton, but also talk a bit more about what one should do with the results of an audit. And Kristy, I’ll keep going with you first is just the audit report is there, findings have to be presented to the board. How would you normally like that to unfold if you were queen of the whole process here? Would the CCO do it? Would you be in the room while the auditor does it, or what would you recommend?
Kristy: So, in an ideal world, I think that the auditor should absolutely deliver the results because they’re the person who did the testing and they’re the people who came up with the findings. I think that the CCO should be there and prepared not only to respond in defense of the program potentially, but in a collaborative way to say, “You know what, I think that there’s some real truth to this,” or “You’re right, and here’s what I think we should do about it. So can you support me in helping to make these changes?” So I think it’s really that spin on it that, this is beneficial to everybody here. Here’s how I need you, board, to support me in making this better. That’s the way I would approach it.
Nick: Totally utilize whether it’s a bad hand or a good hand, there’s a way to win that pot that you need to, to Kristy’s point. If it’s proving something and it’s even better, right? If you’ve been, you know, screaming from the rooftops for the last two years that I need this tool, or I need extra budget, and then this audit comes back from an independent source, proving everything you say, not only does that give you credibility, but it probably gives you some tailwinds to get that budget you need, or that tool you’re looking for.
Matt: Sure. Denis, what do you say about how the findings should be presented to the board, and who’s involved in that? What gets said, and either rebutted or built upon or whatnot?
Denis: Very similar to what Kristy described. I think the only thing I would add to that is that the whole coordination between CCO and CAE has to happen way before the board, right?
Denis: So normally you have, like, leadership decisions that happened before. So that’s not the first time we present. So my preference, like, for the chief auditor to present because as Kristy described, like, the auditor did the audit, we don’t necessarily need the CCO in the room because hopefully, we already agreed on those responses and those findings before you got there. So there should be no surprises getting there. If there’s any question about what’s being done to resolve this, the response should be ready for that to happen. But to get to the board, like, before you have to get to leadership. And, of course, the CCO is the first, like, person who has to agree to those findings.
Like, and normally as just a matter of, like, good practice, we check also with legal, because we don’t know what we don’t know. We may have some sort of, like, investigation and some open matter that we’re not aware of. So I think as somebody mentioned, we don’t wanna cause another problem just by putting this thing in a different direction in writing. So there’s a lot of checks and balances before it goes to the board, but once we go there, typically we present, but we come there with also, like, what’s being done to fix it and do that coordination with the CCO.
Matt: Yeah. Eric?
Eric: I don’t think…
Matt: Go ahead.
Eric: Two things, one, I don’t think compliance should be in the same room with audit when they’re in the in-camera session because they should be without first and second line. That’s one. Second, more importantly, compliance should be reporting its progress, its findings to the board itself. Now, they can always be asked to report its progress, but compliance should be at the table with its own agenda slot with the board of directors, the audit committee, the risk committee, whichever committee could highlight and dive a little bit deeper into its overall program from its perspective. And then it’ll hear alone, the chief auditor’s perspective.
Matt: And, Eric, could you talk to me also a little bit more about what a compliance officer should do between the audit being done and presented to the board? Because there is a lot that, you know, you could, I don’t know, look at the performance improvement plan or anything like that, but you can provide feedback. I’m always struck by something that one chief audit executive said to me, says, “If I and the audit subject are arguing about conclusions in front of the board, we’ve already screwed it up. It’s us two who have screwed it up.”
Matt: But so how does it go from when the audit is newly complete to presenting to the board? Eric, what would you say the compliance officer could do with that?
Eric: So weeks may have elapsed between the time the audit report is issued and getting to the audit committee or board because it might not be told quarterly, there better be progress in terms of the correct point of action.
Nick: Great point.
Eric: There better be, to Kristy’s point, the right spirit of wanting to grab the bull by the horns to address these issues and also be ready for questions like, where could it happen elsewhere? And they should be asking those questions because it always goes back to the effectiveness of the program, the budget, the skill sets, the size, and then ultimately the independence of the company.
Matt: Yeah. Kristy, what have you seen happen here about how to take an audit and use it well or, you know, also what do people get wrong or how do they mishandle these audits?
Kristy: Getting it wrong is fighting. And it’s not just fighting in front of the board, getting it wrong is fighting about what the conclusions are as opposed to, for me, I always want to align with the solution so that my auditor, especially if I’m not gonna be in that room, that my auditor is presenting my ideal solution and making it so that I can win. The worst thing to have it happen is for them to go in there and be like, “This is terrible. She’s awful. Like, basically the conclusion is you are a terrible compliance officer, your program sucks, and you need to just start over with somebody else preferably.”
So you really wanna get them to work together toward those solutions, but for them, from a selfish perspective, I want them to be presenting the solutions that I want so that I can get them to succeed. Like, I’m set up to succeed so this finding doesn’t keep coming back in my face that, “You haven’t fixed this yet.” And it’s, well, I didn’t have a way to fix it properly. So I think getting that alignment with the presentation of what we’re gonna do about it and getting, you know, the response that I can reach that solution is really important.
Matt: I think that is an excellent point that you raised about not just why didn’t we fix this, but to communicate, I didn’t have the way to fix it. Because it gets right back to the point that I made earlier about your book that you wrote a while ago, people get bogged down in the details and they never step back to say, “I don’t have the mechanism.” And that’s an excellent point to the opportunity to communicate that point to the board would be right.
Eric: Can I plug my book too?
Nick: That’s another way. Plug them all. We should do a book giveaway. Let’s give away some of Kristy’s books and Eric’s books and some of these great comments. I should have said that at the start of this, but that makes this very fun. Yeah, please talk about your book because I love it. It’s like required reading for new folks at our… Actually, both of yours are, but please, Eric, go ahead. Plug it.
Eric: Well, I was semi-kidding, but it goes…
Nick: But go ahead.
Eric: …auditing independence and reporting to the board, and the relationships including with audit. I think we’re all on the same page here.
Matt: Denis, give me your views on, like I had mentioned, that period between the audit is done, we’re going to present a unified front to the board about what we wanna do, but, you know, what happens there or what have you seen that is not helpful there about, I don’t know, quibbling over findings or not being able to agree on what the right corrective step is? Like, how often does that happen, or how do you make sure it doesn’t happen?
Denis: Well, the worse the finding, the more challenge you’re gonna have on that agreement, right?
Denis: Like, it happens quite often, but, like, it’s very unusual. It never happened to me at least to get to the board without an agreement because I wouldn’t do that. Like, that’s something you really have to avoid. The other thing, which for me is the worst thing that can ever happen because the noise in front of the board is terrible, but it’s just like doing nothing. Like, you have the finding and you sit on it, like, because then you’re gonna have a terrible question in front of the board, “What are you doing about it?” And if the answer is, “Nothing…” because there’s a time, like not only between the report to the board, typically we finish fieldwork and between fieldwork and report, there’s some time there as well. So from fieldwork to the board, that’s where something has to happen. Like, especially for something that’s very serious, I would expect, like, some actions, at least some directions, to be taken very quickly. So that’s where like norm as well, let’s work to get this fixed. We don’t need to jump the gun here just because it’s critical, but going in front of the board just saying, “Well, we have a problem. We don’t know what to do with this.” That’s not very helpful.
Eric: And the board has to have confidence in the audit too. It goes back to the skill sets because what they find needs to be credible.
Denis: That’s a great point, Eric. Like, that’s the challenge for me as an auditor, like, I always challenge whoever works with me to avoid this “so what” effect, because auditors get excited by writing things, and you start reading the finding and if you have this reaction, like, it doesn’t say anything to me, where’s the risk here? Like, a lot of times auditors are trained for procedures and say, “Well, they don’t comply with procedure A, B, C,” and I say, “Well, and what’s the problem? What can go wrong if they don’t do it?” So making that finding, like, risk-based and clear about what’s the problem there, that’s critical to avoid that effect in front of the board and people looking at your findings like, “Well, that’s a waste of time, a waste of real estate on our calendar. So let’s maybe move on to the next topic.” And your credibility starts to erode from there.
Nick: Great. That’s a phenomenal, phenomenal point. And we have an opportunity to influence that, especially to the extent that somebody doesn’t understand what they’re auditing and what they’re looking at. So pushing some of that risk-based approach that you’re naturally looking at your entire program or the landscape that you’re managing into that mindset, again, I keep kind of coming back to this same theme that early work or those early conversations or those early collaborations or that early relationship building ends up leading to such a better outcome in the boardroom when these results are being presented with or without you.
Matt: So let me ask this question. I don’t know if anybody here could answer this, if you’ve had industry experience relevant to this or not, but is there any occasion where an external audit has to be performed on your program? I’m thinking more like maybe healthcare where health and human services comes in to audit your program. But could you use the findings of your internal audit to sort of combat whatever external audit findings might be coming along or to somehow, I don’t know, cover your bases or something like that? Is that a feasible use for some of the audits of the compliance program in case outsiders are auditing it and you can push back against them and whatever they might find?
Denis: I wanna start with combating their findings. So I will start with maybe alleviating the workload because if they trust what you’ve done already, so it can reduce a lot of workload on internal teams and also some fees, which is always helpful, right?
Denis: And also if they start from that point where they trust what you’ve done, that’s a great place because they already trust the company in a better way. So you may reduce the amount they’re gonna be testing and they may give you some credit for the work that you’re already done, even if they have findings. So I wouldn’t be so, like, adversarial on that, but, like, they use it more like, look, we’re done all those things, so you can trust more in our internal controls environment. So that’s something I see happening more often.
Matt: All right.
Eric: I agree.
Eric: If regulators don’t trust audit, it’s game over. And I’ve been in institutions and worked with institutions where they didn’t trust audit, they had full confidence in compliance, weren’t sure about the business. And that was very worrisome because if the third line is weak or is not credible in the eyes of the auditors, then how can they rely on them for their findings? Because regulators will say, “We can’t be everywhere all the time.” And that’s where audit comes in. That’s why audit also relies on compliance and compliance works with business. So it’s a house of cards…lot.
Matt: All right. I’m gonna throw in a few questions from the audience now. And Kristy, let me put this one to you. It sounds like it’s something that might be up your alley. Have you considered other more nimble options for lighter touch assurance of certain risks or emerging risks or targeted areas? For example, using surveys paired with manager or employee discussions. I’m not sure if that’s compliance testing or risk assessment or an audit or some, you know, more nimble option of any of that, but, Kristy, what do you think of those, the utility of that kind of approach to things?
Kristy: I don’t think that’s an audit. I think it’s very important though. I think that getting feedback either on your program or on risk. So, you know, two of the things we do is compliance program assessments or risk assessments. They’re two different ideas. So trying to make sure that why are you doing that. But in terms of nimbleness, I think that actually targeting certain parts of your program can be really beneficial instead of doing the program. Let’s look at our third-party defense. Let’s look at our policy management, let’s look at our procedure control. You know, let’s pick a control, let’s pick an area, or if we’re doing risk area, let’s please pick privacy instead of trying to do and modern slavery and trade compliance, and, and, and. So I think actually that targeted approach can be really beneficial because you get specific findings, whereas the whole program, it can get very muddy.
Matt: Here’s another question. Can somebody tell me what area of compliance we are supposed to be covering here? I guess they mean, like, what are we supposed to be auditing? Am I missing something here? Is this for the DOJ? Is it for financial and banking? I do trade in import/export and that’s what I’m looking for. So, Eric, I know that the answer really is we’re talking about how to audit any part of the program, but give me some background or some color about the regulatory push for, we have to do audits. I mean the justice department and others have said it, but, you know, what’s the outsider’s impetus to, like, get these audits done from time to time?
Eric: So pages 11 and 15 about DOJ evaluation compliance programs explicitly says, “Thou shall audit compliance programs.” And there’s many other regulatory. Second, it depends on the institution and where the highest risks are. So it might be one area including trade compliance. Guidepost does a lot of work with firms to upgrade their trade compliance programs. But it really depends on the institution, again where the risk assessment results are, audit findings historically, particularly if they’re repeat findings. So very good question. The answer really is dependent on where the highest risks are and the type of business the company is in.
Matt: Well, that kind of leads into another question where maybe I’ll ask Kristy first and then Denis, but somebody writing in, I’m just starting with compliance and I feel like I’m drinking from a fire hose. Any suggestions on what I should do? And Kristy, you had mentioned before that it’s so important to get the risk-based approach right and to understand how to do it. So talk to me a bit about how to make sure that that’s what you’re doing. So this woman who wrote in, where are you going to start? You’re gonna start with the biggest problem you think you have. Kristy, how do you make sure that you’re doing that correctly? And then, Denis, how would you work with a compliance officer who’s just trying to start there and figure out how to work with them?
Kristy: So thing number one, try to push off an audit. If you haven’t got a program yet, what are you auditing? Right?
Kristy: So if the question really for me is the fire hose, is it that she isn’t knowledge…that she’s trying to learn compliance and doesn’t have it yet understood, or is it, oh shoot, I’m starting a program from scratch? I’ve seen one of our clients actually facing an audit of part of their program and it’s not developed enough to audit against. Right? It’s still being created. It’s not in place. You can’t test it because it’s not there yet. So part of that I think is educating and working with your auditor to say, we need something mature enough that the controls are reasonable to test because these findings aren’t useful when we’re not even finished yet.
So I would start with trying to frame, like, what are we auditing? Are we ready for this yet? And the second part is, yeah, you go to your risk assessment. Start there. I think a lot of compliance officers, frankly, avoid risk assessment because it feels scary. They’d rather hit the thing. Like, I need my training done, right, let’s just do that as opposed to actually taking that look and say risk-based approach, this is what I’m working on and then trying to get audit to work on the most mature pieces because that’s where you’re gonna get the best information in sometimes.
Matt: Denis, what do you say?
Denis: One thing, typically people forget about audit, we also do advisory work in a small capacity. Like, of course, we work independently, but whenever it makes sense, like, and to Kristy’s point, like, the risk assessment, right, that’s the starting point. So that’s where you can use audit to work with you to develop a risk assessment process for compliance, not the one that for something else, like, for financials, don’t… Sometimes people say risk assessment means different things, but get to know what are your top risks and where you’re gonna invest the limited dollars that you have because a lot of people jump into other things. They try to do everything at once and nothing really works well. So start with a nice risk assessment.
Use internal audit now not to check what’s there because you know it, there’s nothing there. So use internal audit to help you develop at least those basic, like, elements like risk assessment and then walk your internal auditor through your journey. So that’s how I’m gonna plan to go there. So I’m gonna start here, then I’m gonna put some policies and procedures and training. I’m gonna go here. And by the end of the year, I expect to be there. So the auditor can help you along the way to check the implementation of your plan, so.
Eric: That’s where the continuous dialogue comes in.
Denis: Use your auditor to your benefit. Not only as, like, well, they’re gonna come here once a year to say, “What’s not working,” especially in the case where you’re developing your program or establishing it like that, use that expertise on auditing and process review of that, that can be very helpful to supplement, especially in an environment where everybody has limited resources.
Eric: Having said that…
Kristy: I will say a few… Sorry.
Eric: I’m sorry. I was just gonna quickly say now the CCO, there’s expectations of that CCO and they should have ultimately a vision and a 90-day report, if you will, as here’s my vision. And communicating that with management and audit, I think would be very important.
Kristy: And here’s the thing, if you do that, then, Denis, if you work together and they help you develop it, then they’re actually going to feel more ownership of it and probably be much happier not to say that your whole thing sucks because they helped to develop it, so that helps.
Nick: Well, there’s two games. To your point, there’s two games we’re playing. We want our programs to actually be good. And we also want them to be perceived as good. And we wanna be actually effective at our job, and we also wanna be perceived by the people in power that we are effective in our job. And you can do a lot to influence both of those things and use this audit function as a tool to help create some leverage and some sort of tailwinds to achieving what you know.
Eric: The only caution is, Denis, you can’t test what you helped design either, so.
Denis: Exactly. There’s limitations there. Like, there’s only so much we can do, but to the extent where we can, like, happy to give, like, at least some indications, some leads, some directions. Like, we can partner together on, like, risk assessment interviews to collect that information. But absolutely, the design is something we can all go there because we’re gonna be auditing that. But to the extent we can help, we’re always happy to do it. Like, we don’t feel any happier, like, writing bad reports.
Matt: All right. Well…
Nick: It’s an important point you just made by the way.
Matt: We’re out of time here. So Denis Jacob, Eric Young, Kristy Grant-Hart, thank you all very much. It’s been great. We’ve had a ton of comments and questions. I’m sorry we couldn’t get to them all. Maybe we’ll try and see if we can reach them in some other format or cover them in a blog or something. But thank you everybody for listening. And, Nick, if you have any other final thoughts or farewell that you want to take it home for everybody.
Nick: Yeah. I just wanna thank… thank you all for, you know, coming on today. I love that idea of doing… maybe we can do a follow-up session in the next week or so where we can edit together a bunch of responses to… I mean, there were so many questions. And the thing I always say on these things, I think our greatest asset is each other and this ethics and compliance community is something that’s really special. It’s not common in every other organization or every other department in our companies and the best thing you can do for your career, the best thing you can do for your effectiveness is to take advantage of this community. There’s a ton of great people out there that are willing to help. Denis just talked about that audit heart that’s willing to help folks out, but it starts with you having the confidence and the initiative to reach across the aisle, so to speak, or reach across LinkedIn and start building some relationships. So love your work, everybody. We’re gonna do a book giveaway to some people that were particularly active here. And can’t wait to see you guys on the next webinar.
Matt: All right. Thank you.
Eric: Thank you.