ARTICLE
3 September 2024

Sleuthing For Compliance Data: Where To Find It

NAVEX

Contributor

NAVEX is trusted by thousands of customers worldwide to help them achieve the business outcomes that matter most. As the global leader in integrated risk and compliance management software and services, we deliver our solutions through the NAVEX One platform, the industry’s most comprehensive governance, risk and compliance (GRC) information system.
In an increasingly data-driven world, finding useful data remains challenging, especially for compliance officers facing heightened regulatory expectations. To improve compliance programs, companies should cast a wide net, leveraging data from systems across departments, such as legal, HR, audit, finance, and procurement. By collecting and analyzing relevant metrics, compliance teams can meet regulatory demands, prove program effectiveness, and uncover trends affecting company culture and cont

This post was originally published by Spark Compliance Consulting on the Compliance Kristy blog.

Data may be everywhere, but finding useful data is harder than it looks. In a world increasingly powered by data lakes and artificial intelligence, the promise of data is rich, but its usefulness often falls short of the promise.

Regulatory expectations

Regulators have high (unrealistic?) expectations about the data available to compliance officers. They have an entire paragraph in their Evaluation of Corporate Compliance guidance on data analytics and data analysis.

Specifically, the guidance tells prosecutors to ask a company under investigation, "Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?" The requirement to obtain and analyze data isn't just in the new guidance. It's become a theme at the DOJ.

Choosing metrics to track

Data is critical to choosing good metrics. If you don't have good metrics, you don't have a good way to show the effectiveness of your program. Where do you start?

Start with a wide net

It's critical to know the types of data available to you so you can sift through it to find the gems. Starting with a wide net allows you to understand your universe of choices so you can narrow it down with a complete picture of what's available.

Compliance-related

The obvious place to start is with compliance-related systems. Do you have any of the following?

  • Third-party due diligence software
  • Sanctions screening software
  • Policy management software
  • Conflicts of interest management software
  • Investigations management tools
  • eLearning modules
  • Ethical culture survey results
  • Engagement survey results
  • Risk assessment and tracking software
  • Gifts and hospitality register
  • Trackers relating to supply chain (human rights/environmental)

For each program you have, call your vendor representative and ask about the data analytics that can be gathered from the system(s).

You may think you know everything about running reports, but software companies are continually updating the ability to parse data into usable information. Ever since the original DOJ Guidance on evaluating compliance programs focused so intensely on proving the effectiveness of the compliance program, technology vendors have stepped up to develop advanced metrics within their software. Find out everything you can from the systems you already have.

You can also obtain your own data using:

  • Focus groups
  • Surveys
  • Questionnaires

While compliance-related systems are a good place to start, other data will give you a much greater understanding of the state of the company. You can begin your search for more data with the Legal Department.

Legal

Many Legal Departments have contract management software that will help you find information. Some contract management software can do keyword searches. Other software can separate contracts using tags for important terms, or by contract amount. You may be able to find out the:

  • Number of contracts above and below a certain threshold amount
  • Number of contracts with higher-risk third-parties
  • Number of contracts with a requirement to report known or potential:
    • Data breaches
    • Bribery-related allegations, charges, or convictions
    • Trade sanctions and/or export violations
    • Modern slavery/human trafficking allegations, charges or convictions
    • Other compliance-related allegations, charges, or convictions
  • Number of contracts requiring the company to agree to sign a supplier code of conduct
  • Number of contracts requiring the contracting party to sign onto your company's supplier code of conduct

Ask the legal team for training on, and access to, the contract management system's reporting function. There will be a wealth of information at your fingertips.

Human Resources

In most companies, the Human Resources department houses a treasure trove of data. Systems like PeopleSoft, Sage SMRS, ADP, and Workday have sophisticated reporting tools to help you gather information that can be used to improve the compliance program. But even if your HR department only has paper data, you can still find great information. This may include:

  • Statistics and reporting derived from exit interviews
  • Statistics and reporting about HR-related issues, including:
    • Sexual harassment
    • Bullying
    • Reports of management misconduct
  • Number/percentage of employees on "performance management" plans on a quarterly or annual basis
  • Number/percentage of employees fired on a quarterly or annual basis
  • Number/percentage of employees whose ratings (inadequate, satisfactory, excellent) have changed on an annual basis
  • Data from the engagement survey, including:
    • Engagement levels by department
    • Engagement levels by geography
  • Number/percentage of employee turnover or "churn"

These types of statistics can give you a strong sense of how the company is managing people, and where compliance challenges may overlap with the greater employee management plan.

Audit

Audit's function is to test and monitor controls. Although Audit typically focuses on financial controls, many audit departments have implemented a review of compliance-related controls as well. You may be able to find out the:

  • Number of audit findings, and how that number changes annually
  • Number of compliance-related audit findings
  • Number/percentage of cleared audit findings on an annual basis
  • Type of audit findings
  • Analysis of the most common audit findings/control failures

If you can, obtain permission to review audit reports as they are filed. This will help you to identify trends that may affect compliance policies and help you to know where training would be useful.

Finance

Finance may have useful information, especially if your company doesn't have a specialty procurement or supplier department. You may be able to find out the:

  • Number of vendors/suppliers that have gone through due diligence
  • Number of vendors/suppliers that have failed payment controls (such as invoice review) versus the number that have passed
  • Amount of reimbursements for third-party spend (up or down?)
  • Number of gift and hospitality requests for reimbursement
  • Amount of due diligence performed (financial) for any merger or acquisition

Finance is the bottom line when it comes to money, and that includes reimbursements and invoice review. Reviewing finance records can help you see monetary trends and spot anomalies that might indicate compliance-related issues.

Some companies have invested in AI tools that search for anomalies in payments and payment requests. You could find out:

  • The number of anomalous payments flagged by the AI tool for a given period
  • The types of payments flagged by the AI tool for a given period

Information Technology

A large part of the IT Department's job is to collect, review, and maintain data. You can leverage the data they have in many ways. For instance, you can ask for:

  • Data relating to the outcome of table-top data breach exercises
  • Data relating to attempted system attacks
  • Data relating to successful system attacks
  • Number/percentage of employees clicking on phishing links in tests
  • Number of employees who accessed various compliance-related policies
  • Number of clicks or number of downloads of the code of conduct
  • Number of views of compliance-related blogs posted on the intranet
  • Number of comments posted on compliance-related blogs posted on the intranet
  • The average number of views of communications/blogs on the intranet compared to the average number of views of communications/blogs posted by compliance or on compliance-related topics
  • Number of subject access requests received and responded to (GDPR)
  • Number of consumer access requests received and responded to (CCPA)

Procurement

Procurement is the gateway through which suppliers, vendors, and other third-parties pass before getting to the finance department. It separates the wheat from the chaff. It also has great statistics and data. You may be able to find out:

  • The number/percentage of each type of supplier/vendor/third-party
  • How many tenders strictly followed the tender process
  • The number/percentage of exceptions or overrides to the proper tender process
  • The number/percentage of third-parties that successfully passed due diligence
  • Number of declared conflicts of interest made during the tender process
  • Number of discovered conflicts of interest uncovered during the tender process
  • Statistics related to the third-party due diligence process

The collection of data points will enable you to effectively review your program. Perhaps more importantly, by engaging with the other functions, you will raise awareness of the compliance program. You will also get a more holistic picture of the state of your culture and awareness of compliance controls.

Professor and author Chip Heath says, "Once we know something, we find it hard to imagine what it was like not to know it." By gathering and analyzing data from multiple areas of the business, you will not only please the prosecutors, but also make your program thrive.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
