1. Standards and Procedures
The first of the basic compliance elements in industry guidance recommends that the organization establish standards and procedures to prevent and detect criminal conduct. The standards or code of conduct and the policies and procedures help to create the infrastructure for your compliance program.
The standards of conduct, first and foremost, demonstrate the organization’s overarching ethical attitude and its organization-wide emphasis on compliance with all applicable laws and regulations. The code is meant for all employees and all representatives of the organization, including management, vendors, suppliers, and others working on behalf of the organization, groups that are frequently overlooked. From the board of directors to volunteers, everyone must receive, read, understand, and agree to abide by the standards of the code of conduct. Having employees sign an annual attestation that they have received the code is a best practice and helps to elevate the importance of the document. The code should be written plainly and concisely in an accessible style, at an easy-to-understand reading level. Plain and concise does not mean generic, however: the contents of the code of conduct must be tailored to the organization’s culture, business, and corporate identity. Institutions with a diverse constituency should also consider providing the code of conduct in other languages, in sign language, or even in Braille as appropriate. When providing the code in translation, the organization should verify that each translation is accurate.
Establishing an organization-wide code of conduct is a key recommendation of the Organisation for Economic Co-operation and Development (OECD), which in 2010 issued its “Good Practice Guidance on Internal Controls, Ethics and Compliance.” The OECD’s Working Group on Bribery, which authored the Guidance, urges companies to establish:
- Strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programmes or measures for preventing and detecting foreign bribery;
- A clearly articulated and visible corporate policy prohibiting foreign bribery….[1]
The Guidance is an annex to the OECD’s 2009 Anti-Bribery Recommendation, which supplements the OECD Anti-Bribery Convention, an internationally recognized instrument that has been ratified by its 36 member countries and eight non-member countries.[2] While its primary focus is preventing bribery, the Guidance supports compliance programs with a broader scope, stating that its measures “should be interconnected with a company’s overall compliance framework.”[3]
The code of conduct provides a process for proper decision-making, for doing the right thing. It elevates corporate performance in basic business relationships and confirms that the organization upholds and supports proper compliance conduct. Managers should be encouraged to refer to the code of conduct whenever possible, incorporating elements or standards into performance reviews. Compliance with the standards must be enforced through fair and consistent discipline when necessary. Disciplinary procedures should be clearly stated in the standards, and the penalty—up to and including dismissal—for serious violations of the standards of conduct must be mentioned to emphasize the organization’s commitment. (See Element Number 6 – Enforcement and Discipline.)
Code of Conduct—Content Checklist
- Demonstrates an organizational emphasis on compliance with all applicable laws and regulations
- Is written plainly and concisely so all employees can understand the standards and their responsibilities (a reading level no higher than that of an average 14-year-old)
- Is translated into other languages, as appropriate
- Includes frequently asked questions or scenarios based on high-risk areas
- Includes expectations for employees on interactions with other employees, suppliers, and agents
- Mentions organizational policies without completely restating them
- Is consistent with company policies and procedures
- Includes management’s responsibility to explain and enforce the code.
Code of Conduct—Communicating to Employees
- All employees must receive and read the standards
- A supervisor or qualified trainer should explain the standards and answer any questions
- Employees should attest annually in writing that they have received, read, and understood the standards
- Employee compliance with the standards must be enforced through fair and consistent discipline when necessary
- Noncompliance with the standards will be disciplined, and this should be clearly stated.
Code of Conduct—Purpose
- To present overarching guidelines for employees to follow
- To clearly state expectations so that all employees understand what is required of them
- To provide a process for proper decision-making
- To assure that employees put standards into everyday practice
- To elevate the organization’s performance in basic business relationships
- To confirm that the organization upholds and supports proper compliance conduct.
(See Appendix A.1, Sample Letter to Vendors.)
Policies and Procedures
Whereas a code of conduct provides guidelines for business decision-making and behavior, the compliance policies and procedures are specific and address identified areas of risk. Most organizations already have an employee manual that outlines all human resource-related policies and procedures, and they may have other operational policies and procedures specific to certain business practices or operations. Whenever possible, compliance policies and procedures should be integrated into existing policies, and all policies within an organization should be consistent with laws, regulations, industry requirements, and general compliance. In fact, as part of the implementation of a compliance program and while in the process of drafting compliance policies and procedures, all other policies within the organization should be reviewed and revised as necessary. While it is imperative that the organization have policies and procedures, it cannot be emphasized enough that the only thing worse than not having a policy is having a policy and not following it.
Develop your policies and procedures carefully, and make sure they are realistic and measurable. A non-retaliation policy is critical to the success of your program and should be covered in every annual education session; it is the one policy every employee should know about.
Two types of compliance policies and procedures should be developed by every organization: structural and substantive. The structural policies create the basic framework of how the compliance program will operate. The substantive policies define the applicable regulations that apply to the organization and how to operate compliantly within those regulations. They also indicate the applicable risk areas to an organization and describe appropriate and inappropriate behaviors with regard to those risk areas. Both the structural and the substantive policies and procedures are essential to a compliance program so that the rules to which employees will be held and the method for enforcing the rules are clearly documented.
Structural policies and procedures should be developed to address:
- Directives or mission of the compliance program
- Revision of existing and creation of new policies and procedures (including distribution and updating requirements)
- Role of the compliance officer
- Role of the compliance committee
- Educational requirements
- Method for anonymous reporting and non-retaliation for reporting: It is important to have a clearly stated policy on non-retaliation and non-retribution in the organization. Let everyone know there will be no retaliation or retribution for bringing forth problems.
- Auditing processes
- Monitoring processes
- Method for responding to reports of possible misconduct
- Method for responding to internal and external requests for documents or other investigations
- Disciplinary action plan which is consistent with HR processes and/or policy
- Record retention/destruction.
Substantive policies and procedures should be developed to address:
- Processes for preventing inappropriate actions in specific risk areas not already covered by an existing policy; e.g., conflicts of interest, privacy and security of information, intellectual property, export controls, etc.
- Key risk areas for which the organization may not yet have a defined policy and/or an accountable business owner; e.g., conflicts of interest, privacy and security of information, etc.
- Documentation requirements.
Policies and procedures, like the code of conduct, must be living documents, not just a binder on a shelf. They must become integral to the day-to-day operation of the organization. That is what forms the basis for an effective compliance program. To determine if that goal is met, consider: How are the policies and procedures applied every day? Are they incorporated into performance reviews? Educational programs? Are they reviewed and updated according to a schedule and on time? Revising policies and procedures is a complex and ongoing process and requires periodic review and revisions to assure they are current. Assure that someone is accountable for every policy and procedure. Again, standards of conduct, policies, and procedures are the tools of compliance, but they must be used and sharpened to be effective.
2. Compliance Oversight
Industry standards recommend designation of a compliance officer to serve as the accountable role for compliance program activities. Whether the position is full time or part time will depend on the size, scope, and resources of the organization. In most cases, the position should be a full-time role and an organization will determine the feasibility and scalability of dedicating resources. Also, assigning the compliance officer appropriate authority is critical to the success of the program. On a specific level, for example, the compliance officer must have full authority to access any and all documents that are relevant to compliance activities. This includes documents such as financial statements and supporting documents, contracts with suppliers and agents, and other accounting records. In the big picture, however, “appropriate authority” comes from the unquestionable backing by the CEO and board of directors or its equivalent, the sources of ultimate authority and respect.
Appropriate authority and the full backing of the board of directors and management are consistent with industry practice. To carry out such operational responsibility, such individual(s) should be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority. This is logical because it is the board that supported the launch of the compliance initiative and approved the hiring of the compliance officer. Board members may even be actively involved in the interviewing of the compliance officer candidates. They also should be involved in the development of the compliance officer’s job description, and an important part of the compliance officer’s reporting structure.
There is concern and some risk involved in having the compliance officer report to the general counsel or to the chief financial officer. Such a reporting arrangement creates a real or perceived conflict of interest, given those officers’ roles in management. Separating compliance from legal and finance, where possible, helps ensure that all aspects of the compliance officer’s role remain independent and objective (meaning there is no real or perceived vested interest in the outcome). There are different reporting structures for the compliance officer role, and many variables should be considered in determining what works best for the individual organization. However, the dominant theme in industry is for the compliance officer to report directly to the organization’s CEO and/or the internal governing body (e.g., oversight committee, supervisory board, administrative body, board of directors, audit committee) to maintain real and perceived independence. To maintain independence, the compliance officer should not be part of management. The size and setting of your organization will influence its reporting structure. It is recommended that the board or its liaison committee have, at minimum, a “dotted line” or indirect reporting relationship with the compliance officer. Below is a snapshot of compliance officer reporting structures from a 2018 survey conducted by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association.
To Whom Compliance Officer Reports | For profit, publicly traded | For profit, privately held | Nonprofit | Other | Total for all organizations |
---|---|---|---|---|---|
Board | 53% | 62% | 53% | 58% | 56% |
Chief Executive Officer | 13% | 18% | 22% | 20% | 20% |
Chief Financial Officer | 2% | 7% | 6% | 3% | 5% |
General Counsel | 24% | 7% | 8% | 5% | 9% |
Human Resources | 0% | 0% | 2% | 0% | 1% |
Audit | 0% | 1% | 1% | 2% | 1% |
Other | 7% | 5% | 8% | 12% | 8% |
The compliance officer’s duties also will vary depending on size and scope of the program. The focus of the position should be the implementation, administration, and day-to-day oversight of the compliance program. Primary responsibilities should include the following:
- Designing, implementing, overseeing, and monitoring the compliance program
- Reporting on a regular basis to the organization’s governing body, CEO, and compliance committee
- Revising the compliance program periodically as appropriate
- Developing, coordinating, and participating in a multifaceted educational and training program
- Ensuring that those the organization does business with are aware of the organization’s compliance program requirements
- Serving as a source of compliance-related information for employees, management, suppliers, and the board
- Ensuring that appropriate background checks are conducted according to country-specific regulations
- Assisting with internal compliance monitoring and auditing activities
- Assuring management has mechanisms in place to mitigate risks
- Independently investigating and acting on matters related to compliance
- Assuring management takes corrective action to resolve the problems identified
- Assuring the organization has given employees a mechanism for reporting potential issues.
The compliance officer is a unique position requiring an individual who understands the nature of the business or industry, is capable of understanding and questioning practices in the organization, including financial areas, is knowledgeable of applicable legal requirements that may be imposed in the industry for wrongdoing, has strong written and verbal communication skills, and is firm yet approachable. Whatever the tenure or the educational level, the compliance officer, as “focal point” of the program, must be a figure respected and trusted throughout the organization. Strong interpersonal skills, good listening abilities, and discretion are mandatory. (See Appendix A.2, Sample Compliance Officer Job Description.)
As compliance has grown and matured as a profession, it has, like other professions, sought to identify and distinguish those in the field who have, with experience and education, achieved the necessary skill set to be an effective compliance officer.
Moreover, compliance officers are also stewards of a public trust, and therefore the services they provide must meet the highest standards of professionalism, integrity, and competence. The Code of Ethics for Compliance Professionals (see Appendix B) sets out three principles, which are broad standards of an aspirational nature. They are:
Principle I: Obligations to the Public—Compliance and ethics professionals (CEPs) should abide by and promote compliance with the spirit and the letter of the law governing their employing organization’s conduct and exemplify the highest ethical standards in their professional conduct in order to contribute to the public good.
Principle II: Obligations to the Employing Organization—Compliance and ethics professionals (CEPs) should serve their employing organizations with the highest sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective compliance and ethics programs.
Principle III: Obligation to the Profession—Compliance and ethics professionals (CEPs) should strive, through their actions, to uphold the integrity and dignity of the profession, to advance the effectiveness of compliance and ethics programs, and to promote professionalism in compliance and ethics.
These principles and the accompanying rules of conduct should be reviewed and studied—and adhered to—by all compliance officers.
The compliance officer may be the focal point of a compliance program, but he or she cannot be the only point, nor does this role “assure” compliance for the organization. Industry has demonstrated that the formation of a compliance committee can be an effective addition to the program, although the specific composition of the committee may vary according to the organization. The committee will benefit from having varying perspectives such as operations, finance, audit, human resources, and legal, as well as employees and managers of key operating units. This committee will assist the compliance officer in ensuring effective mechanisms are in place to mitigate risk areas, real and/or potential.
The compliance officer’s role with the compliance committee can also vary. In some organizations the compliance officer sits ex officio. In others, the compliance officer may even chair the committee. We are finding that as the compliance profession matures and compliance programs evolve, the compliance officer usually chairs the compliance committee. In some organizations you will find two compliance committees, one, a high-level board committee and then a working committee. The working committee usually reports to the board level committee. Regardless of who chairs the committee, the compliance department commonly is responsible for scheduling meetings, preparing the agenda, taking and distributing minutes, and coordinating follow-up.
Compliance committee functions, in addition to aiding and supporting the compliance officer, can include the following:
- Offering advice to the compliance officer
- Assisting with evaluating the compliance program
- Reviewing statistics and trends of audit results, reports of non-compliance, etc.
- Assisting with the development of standards of conduct
- Reviewing industry guidance and new information regularly and integrating it into the compliance program
- Determining the appropriate strategy to promote compliance
- Assisting with the compliance risk assessment
- Developing a system to solicit, evaluate, and respond to complaints and problems.
The importance and potential influence of the compliance committee cannot be overstated. Look for committed individuals who will be strong, visible, and vocal advocates for the compliance program. Furthermore, the committee should be composed of individuals representative of each unique department in the organization so that they can communicate to the rest of the committee and the compliance officer the compliance activities and risk areas within their department. The members are also important in providing communication back to their respective departments on the organization’s compliance requirements. The committee is a vital source of information both to the compliance officer and the rest of the organization.
3. Education and Training
Education and training are the first and possibly the most important lines of defense for a compliance program. In a time where there are strong enforcement initiatives governing industry and business practices, education is the best strategy for prevention. It is suggested that the training be separated into two types: the first, an annual general session on compliance for all employees and the second, focused on more specific information for appropriate personnel.
Ten Things to Include in Your Basic Compliance Course (suggestions; the list is not exhaustive):
- The body of legal and regulatory knowledge guiding all compliance activity
- Your organization’s Code of Conduct
- How compliance violations are defined and how they should be reported
- Information on the non-retaliation policy
- Policies regarding confidentiality
- Policies regarding data privacy and security
- Third-party relationships and relevant regulatory guidance
- Steps for discipline of employees involved in compliance violations
- Proper preparation of required filings
- Proper retention of documents.
General training sessions are meant to heighten awareness among all employees and communicate and emphasize (and then update and reiterate) the organization’s commitment to ethical business behavior, which affects all employees. An organization may be required to conduct training due to a contractual requirement or third-party mandate, but regardless, employees should be required to have a specific number of educational hours per year, as appropriate. For a frame of reference, a minimum of one hour annually for basic training in compliance areas should be required for any compliance program. As noted earlier, all employees should receive a copy of the standards of conduct and the key compliance policies and procedures. These, plus basic information about the organization’s compliance program and how it operates, and how issues can be brought forward, are the core of general training.
Specific training in high-risk areas is critical for affected personnel. These employees should be given specific training on how to properly perform their job functions, as well as general compliance training with an emphasis on the compliance risk areas specific to their job functions. This specific training, above and beyond the general compliance training, may be more appropriate to provide as one-on-one or on-the-job training, to ensure that compliance is integrated into the employee’s daily activities and does not remain a theoretical concept. Complex compliance risk areas are not learned as effectively through a computer-based program. The internal governing board should be trained on its role in oversight of the compliance program and compliance-related risks. Clarifying and emphasizing these areas of concern through training and educational programs is particularly relevant to specific roles in the organization, e.g., marketing, finance, sales, etc., where the pressure to meet business goals may render employees vulnerable to engaging in prohibited practices.
In-person compliance education should, where possible, be provided to new employees during onboarding, when new or complicated regulations are introduced, and for remedial education.
A written annual education plan should outline individual department content needs, timing, methods, and duration of training, and a strategy for securing managerial buy-in. Managers will need specific training on their role in the compliance program and the value of their support and participation. “Tone in the middle” cannot be overlooked.
An uncooperative manager can, directly or indirectly, consciously or unconsciously, deter staff from attending. The manager must emphasize the importance of training by encouraging and facilitating employee attendance. Adult learning styles vary. Some learn through listening, others through seeing, and many by doing. So, to keep education vital and engaging to a diversified staff, the key is to develop a variety of educational formats—videos, lectures, brown bag lunches, roundtable discussions. “Lunch and Learn” sessions and roundtable discussion can be especially effective in targeting a specific training need, and they can provide education regarding the reality of what is going on in the departments to the trainers and ultimately to compliance personnel. Your organization may already have various forums you can tap into, such as department meetings or all-staff meetings for targeted education. Use of web training applications that can provide practice solving “virtual” scenarios has also become popular. Look for ways compliance education can fit into the ways staff are being educated on other issues; integrate compliance into what you’re doing now so that it integrates into the everyday business of the organization.
Training Adult Learners
- Acknowledge “life learning”
- Acknowledge self-worth
- Associate the unfamiliar with the familiar
- Recognize individual resourcefulness
- Treat others with respect
- Teach to all types of adult learning styles
  - Auditory learners (use active repetition, songs, skits, et cetera)
  - Visual learners (use handouts, videos, PowerPoint presentations, et cetera)
  - Kinesthetic learners (use hands-on projects, role playing, et cetera)
- Use resources wisely
  - Live training may be most effective but unrealistic for very large organizations
  - Online training courses may not be perfectly tailored to an organization but may still convey the general compliance concepts appropriately, track who has and has not been trained, and use resources more efficiently; consider interactive scenarios for online training
  - Provide longer, more intensive training sessions to employees in certain areas of responsibility and more general compliance training to all other employees
Sample Attestation/Acknowledgement Form
This is to acknowledge that I have received and reviewed Our Organization’s Code of Conduct. I agree to comply with the standards contained in the code and all related policies and procedures, as is expected as part of my continued employment or association with the organization. I acknowledge that the code is only a statement of principles for individual and business conduct and does not constitute an employment contract. I will promptly report any potential violation of which I become aware to my supervisor or the compliance officer. I understand that any violation of the code of conduct or any organization policy or procedure is grounds for disciplinary action, up to and including discharge from employment (or similar language, as required by country-specific laws).
Date
Name (Please Print) / Signature
Use real-life examples from employees’ own work—you may want to not refer to specific people or identifying remarks so as not to embarrass anyone, but using examples from employees’ actual work will provide for more practical learning and will be more effective. Of course, the more practical and applicable the examples are to the organization’s environment, the better.
Should compliance education be voluntary or mandatory? For general training, every employee, and everyone who does work on behalf of the organization (e.g., brokers, contractors, distributors, etc.), should be required to sign and date a statement confirming his or her knowledge of and commitment to the standards of conduct. This attestation should be retained, where appropriate.
It should be clear by now that compliance cannot be a one-time educational event. Your compliance committee can help in assessing the best approach on such issues as whether to make education mandatory or voluntary and how to structure education and training options within the organization. Again, your organization’s culture is the driving force. Education and training are your best strategies for prevention. Remember to attend to your own educational needs as well. The more you know, the better you can identify and meet the educational needs of staff.
4. Monitoring and Auditing
Before you begin the auditing and monitoring process, you must understand the difference between auditing and monitoring. Auditing is a formalized, documented process: define the review scope, develop review criteria, identify a sampling methodology and select the sample, conduct the review, document findings, and follow up on management action plans to assure that observations are resolved. Auditing is independent of management, without any real or potential vested interest in the outcome.
Monitoring is a day-to-day process, commonly used by management to see how the operational aspects of compliance are actually being performed. Monitoring does not have to be independent, but it can be. Independence is an important concept in auditing because it is key to the compliance function’s ability to provide objective assurance to the board and others. Auditing is an effective way to ensure that management has resolved the issues identified and has implemented appropriate systems and controls to mitigate or eliminate risks and prevent their recurrence.
To develop an auditing and monitoring plan, the compliance officer must conduct a risk assessment to identify, analyze, and prioritize the risks that the plan should cover. The plan should be dynamic and constantly evaluated to assure that it reflects the organization’s compliance-risk priorities. If the compliance department covers only a single area of compliance (e.g., financial, FCPA, etc.), it is important that all compliance risks still be communicated and integrated into a comprehensive, enterprise-wide, risk-based compliance plan. This allows an organization to view its overall compliance auditing and monitoring plan at a glance, to identify duplication, and to confirm that available resources are used efficiently and effectively. This type of focus also helps assure that the most appropriate subject matter experts are available for these activities, which increases credibility and improves outcomes. Auditing and monitoring usually evolve with the compliance program’s maturity. No one can expect 100 percent compliance from the first day. The key is to strive for and demonstrate a process of continual improvement in compliance activities. The goal of evaluation is to assess, at least annually, the organization’s priority risks.
Best practice is for the compliance audit and monitoring plan to focus on the prioritized risks of the organization; i.e., to develop a risk-based plan. There are certain functions common to all types of organizations that should be reviewed:
- Third-party relationships and contracts
- Conflicts of interest
- Intellectual property
- Data privacy and security
- Anti-corruption and bribery (Foreign Corrupt Practices Act & UK Bribery Act)
- Antitrust
- Contract management, i.e., appropriateness of and compliance with contract terms
- Travel and entertainment
- Compliance program processes and effectiveness
- Other high-risk areas (this will depend on the type of organization).
For example, publicly traded companies should have their financial statements and supporting worksheets audited regularly. Compliance may assist as an interval audit function or be the primary auditor for this area if that department is responsible for compliance with laws such as, in the United States or US-based companies, the Sarbanes-Oxley Act and Securities Exchange Commission requirements. Not-for-profit organizations are also accountable for aspects similar to those of publicly traded companies. They must demonstrate accountability and responsibility for accuracy of funds and disclosures of material weaknesses in controls or material financial losses. In the United States, these requirements are identified through different state and federal requirements. Efforts in the auditing of financial statements again would be most effective when integrated into an overall comprehensive compliance risk plan for the organization. Any areas of concern previously identified either internally or by an outside agency should be looked at carefully and regularly.
There are at least two ways to approach auditing: the concurrent method and the retrospective method. Every organization is unique, and, again, you must do what is best for your organization and what is most appropriate for the specific situation. Regardless of the method, it is important to understand the pros and cons of each. For instance, the retrospective method is often utilized because information is more easily obtained for the sampling process. Forensic capabilities are enhanced with retrospective sampling because the sample usually is more complete. However, it is important to define a milestone for how far back you go; i.e., a new process was developed, a new system or new product was added, a policy or law changed, etc. This will assist in defining the “why” of that chosen timeframe if you should have to defend your approach in any internal or external inquiry.
A retrospective audit will provide a baseline risk assessment, or a snapshot of where you are—in a specific risk process area. It is, at best, optimistic to think that one can identify in some finite period of time everything that could possibly be wrong and then set up a realistic timeframe for addressing those problems. Moreover, any problems identified in a retrospective audit will require not only corrective actions to ensure the problem does not recur, but also remedies to any third parties who may have been affected. It is an organization’s duty as part of its compliance program to remediate any problems identified. Thus, an organization cannot merely “go forward” after a retrospective audit has identified past improprieties, which again is why a milestone for the timeframe of the audit is critical.
A concurrent audit will identify and address potential problems individually as they arise and before they cause harm to another party. If a problem does indeed exist, then steps can be taken to correct the related process and any policies or procedures that reflect the process. Once the change has been communicated to all affected parties, those in charge of the audit can go back after a predetermined amount of time (e.g., three months and perhaps again in six months) to review the process and resulting documents to ensure that the problem has been resolved. It may be determined upon repeated review that further corrective actions are necessary, including disciplinary action against employees who continually fail to correct the problem after repeated retraining. Concurrent auditing is the preferred method for helping to change behavior, as the individual is observed in “real time” and can quickly make changes to be compliant. Retrospective observations (of the past) are harder to use for reinforcing behavior changes, because by the time they are communicated to the appropriate party, the information is “old.”
It is possible to be effective in auditing and monitoring by using both approaches—a retrospective audit to get a baseline comparison, as well as to identify risks developed due to changes in the systems, regulations, etc.; and a concurrent audit to get a “real time” comparison.
There are various approaches to sampling for auditing and monitoring. Considerations include the overall purpose of the auditing and monitoring activity, where the results will ultimately be reported (internally or externally), and the approach (retrospective or concurrent). Statistically valid sampling is the most credible for identifying the risk problem. However, this approach is resource intensive and requires expertise in defining the statistically valid sample. Other types of sampling that are not statistically valid are also available and tend to be more commonly utilized due to resource limitations and other variables. It is important to note that statistically valid sampling is the only method that allows the findings to be applied to the whole population being examined and not just the sample; any other type of sampling will only support conclusions about the sample itself, not the whole population.
Monitoring, or regular review, is also necessary to determine whether compliance elements, such as dissemination of standards, training, and disciplinary action, have been satisfied. This method also will target potential deficiencies and areas where modifications might be in order. A good place to begin an internal assessment is by interviewing employees. Employees have a wealth of knowledge, and perhaps surprisingly, they often enjoy participating in the process of improving the organization for which they work. Thus, they will offer an unexpected amount of information. Ask them openly about risk, about their daily activities, the processes, procedures, and the soundness of each. Ask if the policies and procedures are followed. Periodically send out questionnaires to staff for feedback, or conduct focus groups. Remember to always reassure employees that the organization maintains a strict non-retaliation policy—that employees will not be retaliated against for reporting suspected misconduct.
Set up systems for regular and sometimes random review of records, both final documents (e.g., invoices, financial statements) and supporting documents (e.g., invoices, worksheets, notes, legal opinions, financial analyses, schedules, budgets, expenses). Data collection and tracking are the heart and soul of review because they provide trend analysis and a measure of progress. The compliance officer or reviewer should consider the following techniques:
- Onsite visits
- Interviews with personnel involved in management, operations, legal, procurement, marketing, finance, and other related activities
- Questionnaires developed to solicit impressions of a broad cross-section of the organization’s employees and staff
- Reviews of written materials and documentation prepared by the different business units of the organization
- Trend analyses or longitudinal studies that seek deviations, positive or negative, in specific areas over a given period
- Review of internal and external complaints filed
- At performance review time, interviews should question if there are any areas of potential wrongdoing or noncompliance to be aware of. This approach provides another avenue for employees to raise an issue.
- Pose compliance-related questions in exit interviews to identify potential risks.
Sample Compliance-Related Exit Interview Questions
Responses to these questions should be reported to the compliance officer:
- How do you think the organization lives up to its code of conduct?
- Does your supervisor listen to your concerns?
- Did you have any concerns about ethical issues or compliance-related practices? If so, please explain.
- Did you have any hesitation in raising any issues in your chain of command?
- Would you go around your chain of command if there were areas you felt weren’t being addressed?
(See Appendix A.3, Sample Audit Review Form.)
Who is responsible for coordinating the monitoring and for conducting the internal audit? Is this an internal auditor’s responsibility, the compliance office’s responsibility, or perhaps a combination of the two? First, to avoid duplication or overlap, consider whether there are other departments in your organization performing audits. Quality improvement activities are usually underway at all levels of the organization. Additionally, those departments may define their “auditing and monitoring” activities differently than the compliance department does. It will be important organization-wide that your definitions are in sync and that you can leverage these departments’ activities for your compliance auditing and monitoring plan. They will work together with the monitoring and auditing elements of an effective compliance program. Auditors will need experience in the area they are observing. Consider internal ad hoc groups—compliance SWAT teams that include subject matter experts—to monitor specific issues or review potential problem areas. References should be carefully checked for any outside auditors employed by the organization.
An important concept for the auditing and monitoring plan is that it is dynamic and should be periodically reviewed with senior leadership to determine if the priorities identified are still the priorities of the organization. Examples of plan templates are provided in Appendix A.4, Audit Review Plan Templates.
Any questions posed to, or communications with, government, regulatory agencies, or industry associations should be taken into account in an audit or a monitoring effort. The larger your organization, the greater the difficulty will be in documenting such contacts. Be sure to take notes when you have a telephone conversation with an agency regulator and ask for written confirmation of the information provided, but always keep your own notes of the conversation, including the date, time, and contact name as well as the specifics of the conversation. As a preventive measure, in some instances, it might be useful to meet periodically with a regulatory representative to discuss industry issues as well as specific questions you may have. Such meetings build better communication lines and enhance understanding of expectations and requirements.
Auditing and monitoring activity must be documented to demonstrate overall attention to real and/or potential compliance risks. The plan, observations, action plans and resolution of issues should be regularly reported to senior company officers as appropriate. Additionally, results from an ongoing evaluation of the compliance program should be reported to the senior leader (e.g. CEO, president), governing body, and members of the compliance committee no less than annually. Monitoring and auditing activities should be a key feature of any annual review.
Reports to management, the governing body, and the compliance committee should include findings or suspicions of misconduct with an action plan to address and resolve the potential problem.
5. Reporting, Investigation, Background Checks
A positive cultural tone is critical for being successful in encouraging employees to voluntarily report issues. There are a variety of methods for employees to report potential problems or to raise concerns. Some of these will be dependent on country-specific laws for establishing reporting mechanisms; e.g., the French data protection laws. Communication is very important in the compliance process. The most important reporting system is an open door, and the best reporting system is one where the employee feels comfortable approaching his or her supervisor and openly discussing any potential problem.
For any reporting method to be effective, employees must accept that there will be no retaliation or retribution for coming forward. Again, the cultural tone will either encourage an employee to report or, if the tone is one of subtle or overt retaliation being tolerated, actively discourage reporting. The concept of non-retaliation is fundamental to the compliance program, and a clearly stated policy regarding non-retribution is the first step. (See Appendix A.5, Sample Non-retaliation/Non-retribution Policy.) The dangers are real. If employees suspect there could be retaliation, no one will come forward, creating fertile ground for whistleblowers and exposing the organization to unchecked risk.
Confidentiality is also key. Policies and procedures should assure confidentiality and anonymity to the extent possible in all reporting processes. (See Appendix A.6, Sample Confidentiality Statement.) Confidentiality is, of course, closely tied with non-retaliation. For example, the decision-making process regarding a promotion can be tainted if the supervisor has been informed of an employee-candidate’s report of a problem. Policies and procedures need to offer assurances to the employee but also must note that resolution of a problem, which could include legal action, may in certain circumstances require disclosure of identity. Legal counsel should review both the non-retaliation and confidentiality policies to be sure unrealistic promises are not made.
One common reporting method recommended is the hotline or helpline. Again, some countries have limitations, or do not allow the use of this method. There are various arguments for whether to handle a hotline internally or externally. The size and setting of the organization must factor into the decision. A large organization may need 24-hour coverage. For a smaller organization, 24-hour coverage may not be needed or may only be feasible through outsourcing. Either way, cost and/or resources are a consideration here. If you decide to outsource, the contract should include the following:
- the right to move the toll-free number to another vendor or bring it in-house
- assurances that security of the vendor’s computer system equals the security provided for the data within your own system
- the ability for case management of the calls
- the ability for analytics and reports to assist you in identifying trends, outliers, etc.
Whether you handle your hotline internally or whether you outsource, anonymity must be promised to the extent possible. Keep in mind though, anonymity cannot be guaranteed. All country-specific laws should be taken into consideration. Hotline numbers and procedures must be clearly and readily communicated to staff, preferably not solely through a page in the employee policies and procedures manual. Requirements to post the number may exist for certain rules/laws in some countries. Ongoing communication, regardless of the reporting method, should include encouraging and instilling the responsibility of each individual employee to report any issues, and to understand how to report a problem or a question.
Once you have established how to report issues, how do you assess effectiveness? Does frequency of issues reported necessarily indicate that employees know and understand their duty to report issues or that your method of reporting is working? Not necessarily. If you have been able to create an environment and culture where issues are raised through appropriate channels, where staff trusts they can report problems without fear of retaliation, you may not get a lot of calls. Industry, generally, has identified that approximately 80 percent of hotline calls in the first year are human resources or employer-employee relations issues—complaints about a supervisor’s behavior or a colleague’s allegedly insulting remark, or disagreements with the organization’s policy on work hours for example. Over time, these types of calls may decrease, but the trend tends to be that 40% to 60% of calls remain that way after the initial period of implementation. Here again, consider your organization’s culture. The number of calls alone, however, is not an indicator of effectiveness.
In addition to a reporting mechanism like a hotline, some organizations have in-house email systems. Email can be configured so that problems can be reported, but the compliance officer cannot determine who is sending the email. In today’s work environment, computers are commonplace, but they are not ubiquitous. Some jobs do not require a desk with access to a computer, and a centrally located general-access terminal could compromise confidentiality. For these reasons, email probably shouldn’t be the only reporting system. If adopting this sort of system as part of your reporting options, however, remember to emphasize in your procedures that anyone who does want to hear back will need to include his or her name in the body of the email since there will be no way for the compliance officer to know who sent the email.
Another reporting option is a drop box, a variation on the old suggestion box. Regular and frequent pick-ups will be important, and multiple locations are encouraged—although be sure not to position any in an area of the institution with a security camera.
Reporting works both ways, of course, and the compliance officer should take every opportunity to keep in touch with all levels of staff. Regular ongoing communication is another form of education that reiterates commitment and can facilitate prevention of problems. Compliance communication can be incorporated into existing systems—a compliance column of frequently asked questions in the organization’s in-house newsletter, posters on bulletin boards and periodic compliance blasts through news flashes. Good channels for communication must be in place and effective when changes to policy, special alerts or settlements occur that you want to make known quickly to a select employee population. Whatever communication you choose to use, be sure to keep copies in a binder or file so you can document what you are communicating, how, to whom, and when. All-staff emails, articles in the in-house newsletter, a page on the company Intranet, brief presentations at all staff meetings—all these methods of communication will reinforce the visibility of the compliance department and its availability to staff.
Once a complaint is received or a question is raised, what should happen next must be pre-determined. The process for handling complaints or questions should be defined so that the caller will know at a high level what to expect. There should be a method of determining if the matter needs a simple answer by management, needs further investigation, or lacks enough information to identify next steps. Sometimes issues come forward without enough information; your process should have a way to reach out to the complainant to ask further questions; e.g., web access, e-mail, etc. The process for how calls or input to the reporting mechanism will be addressed should be written in your policy and procedures. Specific steps for an investigation should be enumerated, and such a policy must limit distribution of information to protect confidentiality and non-retaliation commitments. Formal reporting mechanisms can seem like a sizeable expense, but in many if not most organizations, they are a practical investment. The employee’s options shouldn’t be limited to regulator-sponsored hotlines.
While carrying out an investigation, documentation is everything. All complaints must be logged and tracked. Many organizations assign a unique number to each call so that the caller can check on the status of the complaint by calling back and giving the assigned number. How the complaint was handled, by whom, and when should all be included in the documentation. (See Appendix A.7, Sample Complaint Information Sheet.) The detail of the concern needs to be documented but may reside in another file, department, etc. Documentation of the specifics of the issue, the departments involved, findings, and actions taken is necessary. (See Appendix A.8, Sample Compliance Issue Follow-Up Form.) You also need a clearly stated procedure outlining the disposition of these forms; specifically, who gets copies and how information is incorporated into written reports. All written reports of investigations should be consistent in format and in procedures for how and to whom the report will be disseminated.
It is important to note that workplace investigations require a specific skill set. If an investigations team is selected, make sure they get the proper training on how to conduct investigations and how to determine appropriate subject matter experts to include. Where appropriate, legal counsel should be consulted regarding process and documentation. In addition, where applicable, procedures should detail how to determine whether an attorney-directed investigation would result in a better outcome.
6. Enforcement and Discipline
Fair, equitable, and consistent are the watchwords for enforcing the standards of conduct and the policies and procedures. The place to start with enforcement is back at the beginning with the standards of conduct and the policies and procedures. The organization’s compliance and ethics program should be promoted and enforced consistently throughout the organization. To accomplish this goal, enforcement and discipline should include appropriate incentives to perform in accordance with the compliance and ethics program, and appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct. These disciplinary measures should be spelled out in a written progressive discipline policy statement and be consistent with any other policies and procedures on discipline that might exist in the organization. Country-specific laws and regulations (e.g., works council rules, labor laws, union agreements) should be considered in this element. The policy’s content may cover areas such as:
- Noncompliance will be punished
- Failure to report noncompliance will be punished
- Retaliation will not be tolerated
- An outlined set of disciplinary procedures will be followed (unless defined in another policy, in which case that should be referenced)
- The parties responsible for appropriate action
- A promise that discipline will be fair and consistent.
It is important to emphasize that “sins of omission” as well as “sins of commission” will be subject to discipline. Failure to detect or report an offense is a serious act of noncompliance and equally as deserving of discipline as the actual misconduct. Compliance is an active, ongoing process that is everyone’s responsibility.
In this area, consultations with the organization’s human resources (HR) department would be important. There are no doubt disciplinary policies and procedures already in place with which you will need to be consistent, and which can serve as a model. One important piece of advice your HR colleagues will probably give you is that you cannot discipline without having properly informed all employees of the rules. Although stated earlier, it bears reiteration here too—the policies and procedures must be clear, and they must be appropriately communicated to all staff. It is much more difficult to penalize someone for violating a policy he or she did not know about. Hence, the first step toward enforcement is distributing standards of conduct and policies and procedures and educating staff about them, including the consequences of noncompliance.
Written standards of conduct are important, so that you can address the procedures for handling disciplinary problems and identify those who will be responsible for taking appropriate action. Depending on the country you work in, intentional or reckless noncompliance may be punishable with significant sanctions, which can range from oral warnings to suspension, privilege revocation (subject to any applicable peer review procedures), termination, or financial penalties as appropriate. Many organizations use progressive discipline. As the name implies, this is a multi-step process where the penalties become increasingly severe. The first step in this process may be defined by specific country labor laws, but minimally, the supervisor should meet with the employee to secure the employee’s understanding of the problem and a commitment to correcting the inappropriate behavior. Depending on the situation, the next step may again be defined by country-specific labor laws, which is why any discipline should be done by management in consultation with HR. Subsequent steps might include suspension without pay or imposition of a probationary period during which the employee is advised to correct the behavior within a certain time period, say 30 days, or face termination. The final step is termination once all other options have been exhausted. The severity of the infraction will determine the steps. Certainly, the initial discussion can assist the supervisor in gauging the employee’s understanding of the issue. The basic supervisor’s discussion does not require an excessive process. Documentation of the process and discussion will be essential.
If there are no other requirements defined, then a typical disciplinary action chain would include the following (the steps may be repeated more than once or skipped depending on level and intentionality of offense):
- Verbal warning
- Written warning
- Suspension
- Fine(s)
- Termination.
Punishment should be commensurate with the offense. There are offenses, such as blatant acts of fraud, that warrant immediate termination, but most infractions will be relatively minor and most likely unintentional. These may best be handled with education or additional training. Education should never be labeled as “punishment.” When put in a positive and supportive context, it can efficiently correct noncompliant behavior. Be sure your policies and procedures include remedial steps such as additional training.
Background checks, including references, are encouraged, where possible, for all new employees. If there are no legal and/or regulatory restraints on conducting background checks, an organization should consider when and how to periodically do background checks on current employees; e.g., at promotion, or on a regular schedule required because of the type of business.
This proactive strategy can prevent hiring a sanctioned individual (which itself may be prohibited by a government entity). Such cautions apply to contracts with outside vendors as well. All are acting as agents of your organization, and due diligence is needed to assure you have “good faith citizens” working for the organization.
Enforcement is not just about discipline, of course. Goals and objectives for individuals and departments can include specific references to compliance. Achievement of those goals, especially when celebrated, is a positive reinforcement that encourages support for and enforcement of the compliance program. Performance appraisals need not focus solely on issues of noncompliance. They can, for example, make note of favorable or improved audit or monitoring outcomes. Your compliance program can be better enforced if you also find ways to reinforce with positive feedback.
7. Response and Prevention
If there should ever be reason to believe that misconduct or wrongdoing has actually occurred, the organization must respond appropriately. Failure to respond or to engage in lengthy delay can have serious consequences. Violations of the compliance program and other types of misconduct threaten an organization’s status as reliable, honest, and trustworthy. Detected but uncorrected misconduct can seriously endanger the mission, reputation, and legal status of the organization. Ignoring a legitimate report of wrongdoing also will alienate staff, especially the person who reported the problem, and hence encourage whistleblower action. Cover-ups usually cause more problems than they solve. In the event of misconduct, face the problem and fix it. However daunting it may feel to be faced with the possibility of misconduct, remember that one of the goals of a compliance program is detection. Having found a problem is an indication your program is effective.
The first logical step is to meet with your in-house or external legal counsel. Together you can determine how serious the misconduct or wrongdoing is and develop an appropriate plan of action. It is recommended that an investigation be done any time a potential violation is identified. Therefore, your plan of action will likely begin with a thorough internal investigation. Depending on the extent and seriousness of the alleged infraction, outside counsel or content experts may be needed. Your counsel will help decide what protections, if any, can be used in the investigation. While an internal investigation is the first step, also be sure to take the necessary steps immediately to stop or modify the procedures that are the alleged source of wrongdoing.
The internal investigation must be handled carefully and documented meticulously. When choosing an investigative team, look for those who are knowledgeable about the area in question but who are also capable of being objective. The compliance officer obviously should be a part of the team, but to emphasize commitment, participation by a member of the senior staff is desirable when possible. If outside consultants are used, the compliance office still must be represented on the team. Handing the problem off to someone else is not a solution. Outside consultants will need to be directed, overseen, and evaluated just as closely as an internal investigation team. The team should meet together as a group in the beginning to delineate the problem, decide on an approach or strategy, and get the guidance and support of senior management. Instructions on timeframe, process, and the need for documentation are also in order. At minimum, the team should meet together again as a group at the end of the investigative process to discuss findings and plan the final report. Time is of the essence. Prompt reporting of misconduct to the appropriate regulatory authority within a reasonable period needs to occur, when applicable, after determining that there is credible evidence of a violation. Timely reporting may help to avoid or lessen fines and penalties.
As noted above, detailed documentation is critical. If it should be necessary to discuss with a regulator, a clear paper trail will make the process much easier. Thorough documentation will include the following:
- Description of the potential misconduct and how it was reported
- Description of the investigative process
- List of relevant documents reviewed
- List of employees interviewed
- Employee interview questions and notes as determined by the organization
- Changes to policies and procedures, if appropriate
- Documentation of any disciplinary actions—if appropriate; sometimes these actions are documented separately
- Investigation final report with recommended remedial actions
- The final report and any attached documentation are sensitive materials and should be distributed in limited quantities.
If the investigation finds that there was no violation, it should be documented that the allegation was unsubstantiated. However, if, after the internal investigation, there is reason to believe the organization’s misconduct constituted a material violation of the law, then the organization must take steps to disclose the violation to the appropriate regulatory agency.
After discussion with legal counsel, voluntary disclosure to a regulatory agency should be a consideration to demonstrate the organization’s willingness to be transparent in areas where wrongdoing has occurred. It may also provide certain financial advantages, if disclosure results in fines being reduced, or certain administrative advantages, if a good faith effort to comply creates a more cooperative working relationship between the organization and the investigators.
Organizations are expected to police themselves and work with external regulatory agencies to correct problems. Sometimes, by self-reporting, the organization may have the option of conducting a self-audit (following regulatory guidelines) rather than an imposed regulatory audit. Such a self-audit would communicate the scope of the problem in the following ways:
- What is the origin of the issue? An accounting concern may be the result of a systematic practice, a third-party inquiry, or misconduct by individuals. A systematic noncompliant accounting practice may have been tied to a new system implementation or the result of faulty advice received from a consultant, for example.
- When did the issue originate? A systematic accounting practice may warrant internal inquiry into the origin of the practice and the extent of its impact on the organization. Improper accounting methods by one individual may require scrutiny of his or her entire employment history as well as a review of directions that person may have received from management.
- How far back should the investigation go? Investigation standards for one organization may not apply to another. Some will begin by reviewing the past year’s accounting records. Others may start with a month of prior records. Regardless of the methods used, key stakeholders must determine the parameters of the investigation based on a reasonable approach that is justified under the circumstances.
- Can extrapolation of a statistical sample be used? Statistical sampling and extrapolation may be warranted for some investigations. Caution should be used, in that the sample may not accurately represent the organization’s entire population for the factor being investigated.
Understood, of course, is that any identified problem must be corrected immediately. Restitution if applicable, should be prompt, and when the problem is rectified, the issue should be added to the list of topics to be addressed with regular internal monitoring.
It is also possible that a regulatory agency could approach the organization with information about an alleged violation, for example when investigating a charge of fraud related to business contracted with a branch of government. In such an instance the agency may send official representatives to the organization to conduct the investigation on site. If this happens, rumors and speculation will run rampant, and it will be especially important to keep staff informed about what is going on. To get the message to employees, consider the appropriate method of communication. For example:
- The president or a high-ranking administrator should send an all-staff memo or email.
- Hold an all-staff meeting to get the word out and answer questions.
- Keep managers and department heads updated so they can “drill down” the message to their teams.
- Provide opportunities for feedback and further questions from staff.
Most important, the organization’s policies and procedures should include instructions for employees on what to expect and how to handle contact from an outside regulatory agency about an investigation. Legal counsel must be actively involved in drafting these policies. In the event of an onsite regulatory agency investigation, legal counsel must be notified immediately. Any documents requested by the outside agency should be reviewed carefully to ensure that only the identified documents are provided, and only for the matter under investigation as the agency has defined it. Also, the compliance officer should be present throughout the investigation, keeping a detailed written account of all activities and an itemized inventory of documents inspected or removed from the premises.
