Designing Testing and Monitoring Components for Strong Ethics and Compliance
As organizations seek to create world-class ethics and compliance programs, effective testing and monitoring are essential elements. Without testing, it is difficult or impossible to understand what is working and what needs enhancement. Similarly, without monitoring programs, compliance professionals don’t have an early warning system to help them identify, sooner rather than later, potential compliance issues. Yet, as important as testing and monitoring are, they are often misunderstood and undervalued.
Implementing effective testing and monitoring programs continues to challenge many organizations for a variety of reasons. “Challenges include the lack of skilled resources, the difficulty of design across the enterprise and the reliance on others in the organization for both the programs’ data and, in many cases, their execution,” says Nicole Sandford, a Deloitte Advisory partner and a national practice leader in Deloitte & Touche LLP’s Regulatory and Compliance Services. “In addition, emphasis on other compliance program elements, such as risk assessments, training or policies and procedures, has sometimes led to the under-resourcing of the testing and monitoring functions,” Ms. Sandford adds.
Benefits of an Effective Testing and Monitoring Program
As compliance programs mature, the testing and monitoring functions can yield information about deviations in expected behavior that might lead to potential material or systemic compliance risks. For example, while companies might say that implementing new laws and regulations presents risk, this is an area that is often not tested—or is tested insufficiently—to determine whether the organization is complying with the requirements.
The lack of effective testing and monitoring can have a ripple effect on other areas of the compliance program. In recent studies and surveys,* compliance professionals consistently indicate frustration with the quality of metrics used to measure the effectiveness of their compliance programs.
“The outcome of ongoing testing and monitoring programs—especially when considered over time—drives metrics that can point not only to the effectiveness of the program design, but also to the effectiveness of its operations,” says Keith Darcy, an independent senior advisor to Deloitte & Touche LLP. “Some industries, particularly financial services, already have well-established compliance metrics or even mandated ones,” Mr. Darcy adds. “For industries that don’t, testing and monitoring can provide their compliance professionals new and more insightful metrics on program performance. In addition, in the event of an enforcement investigation, the quality of an organization’s testing and monitoring may be a critical test of the overall effectiveness of a compliance program.”
Testing and Monitoring Contrasted
Although many ethics and compliance professionals use the terms “testing” and “monitoring” interchangeably, their design and desired outcomes are quite different. A testing program is a dynamic, risk-based, independent compliance oversight process designed to periodically select and review a sample of business products, services, communications and other areas to gauge and report on the operating effectiveness of compliance controls and/or adherence to stated policies and procedures.
A monitoring program involves the ongoing surveillance, review and analysis of key business performance and risk indicators and allows the organization to identify potential compliance violations. Monitoring programs and activities can be either automated or manual.
Components of Effective Testing Programs
Testing programs have a number of common attributes. Compliance is tested at the level of accountability, and in a strong testing program, compliance testing is executed at each level of the organization. In this model, weak controls are identified in the business where they are most likely to be remediated quickly:
—The first line of defense: At this level, the business unit leadership—which is primarily accountable for the development of controls and activities to prevent compliance failures—invests the time and resources to determine that such controls and activities are adequately designed and operating effectively.
—The second line of defense: Within the second-line testing program, the individuals who perform the testing must not be the same individuals who are responsible for the execution of the controls. Here, the compliance function—whether the “centralized” compliance function at headquarters, the compliance team within the business unit or a combination of the two—should also invest time and resources to execute independent compliance control testing. For the purposes of executing the testing programs, these individuals are accountable to the independent compliance function, regardless of whether that function resides at “corporate” or within the business unit, under a federated compliance model.
—The third line of defense: Internal audit should be responsible for “testing the tests.” In some industries, internal audit plays a broader role. For example, in the financial services industry, internal audit functions go a step beyond testing the tests. Rather than rely on the results of second-line testing, they perform additional transactional and process-related testing.
Effective testing programs involve professionals with specialized knowledge or skill sets that may be different from those found in a traditional corporate compliance and internal audit department. In many instances, professionals with knowledge of the applicable rules and regulations, expectations of regulators, and drivers of compliance risk are required to design and execute testing programs.
“This is not to say that existing compliance or internal audit staff cannot be trained to meet those needs,” says Ms. Sandford. “However, in the post-Sarbanes-Oxley world, many internal audit departments have professionals with more traditional financial accounting controls experience. These individuals may not have the regulatory and compliance subject-matter expertise required to execute effective compliance testing. Ongoing training and cross-training of personnel in different functional areas can fill gaps in experience,” Ms. Sandford adds.
Another characteristic of a leading testing program is the process used to design the testing itself, and that typically starts with a robust compliance risk assessment. An effective testing program takes the output of the risk assessment and goes further: Key compliance risks are mapped to the business units and business processes where those risks are most likely to present themselves. This is sometimes called an “applicability analysis.”
“Great testing programs are repeatable and statistically valid,” says Mr. Darcy. “While it is good to know if a control is functioning well right now, great testing programs recognize that sustainable quality is achieved when key risks and the related controls are tested periodically, using statistically valid sampling methodologies,” he adds.
Strong Monitoring Programs
Highly effective monitoring programs also have a number of attributes in common. In the past, monitoring programs have relied too much on key risk indicators (KRIs) and key performance indicators (KPIs) that are easy to monitor, such as hotline call volume or ethics training completion rates. While this type of data is important, organizations have other data that can provide more meaningful insight from a testing and monitoring perspective. Moreover, well-conceived KRIs and KPIs often provide meaningful operating insights, offering business unit leaders an incentive to allocate resources to gather more information.
Monitoring programs sometimes rely on the availability of large amounts of data, and often that data exists in another function within the organization. “The decentralized nature of data presents several challenges to ethics and compliance professionals,” notes Mr. Darcy. “First, companies may need to invest in technology applications to efficiently manage the testing and monitoring processes, or in analytical tools that can process large datasets, ideally on an ongoing basis. Second, quality data is critical to this endeavor,” he adds. Poor data quality and data governance must be addressed in order to implement a data-analytical approach to monitoring. Finally, the compliance function must collaborate with other internal teams—the ones that have the data—to obtain the needed information.
As with testing, repeatability is key. “Monitoring activities—whether or not they are automated—are most valuable when they are performed on an ongoing basis,” notes Ms. Sandford. “Trend data is critical for analyzing changes in underlying business processes, as well as emerging risks. When it comes to effective monitoring programs, a ‘once-and-done’ approach simply does not work,” she adds.