Internal audit and monitoring functions are important to an organisation's ability to design and implement an effective compliance programme. Although each function has a distinct mandate, both contribute to the organisation's ability to understand its compliance risks, tailor its compliance programme to those risks, and continually reassess and improve its internal controls to respond to an ever-changing compliance landscape. Ultimately, the presence, empowerment and performance of these functions contribute to sentencing and post-event outcomes.
Regarding sanctions and other enforcement action, global standard setters (such as the Organisation for Economic Co-operation and Development) recommend that countries incentivise 'good corporate behaviour' by considering mitigating factors such as fulsome, timely and voluntary disclosures of misconduct, acceptance of responsibility and the implementation of an effective compliance programme.2 In the United States, sentencing guidelines for organisations require any fines imposed to be based on both the seriousness of the offence and the culpability of the organisation. A court's assessment of culpability is determined by six factors, two of which mitigate the ultimate punishment of an organisation – the existence of an effective compliance and ethics programme, which includes monitoring and auditing to detect criminal conduct, and self-reporting, cooperation or acceptance of responsibility.3 In the United Kingdom, prosecutors assign similar importance to the design of an organisation's compliance programme and its willingness to self-report.4 Often, an organisation's ability to self-report is dependent on effective operation of its gatekeeping and defence functions – most notably internal audit and monitoring.
Risk-based auditing and monitoring as components of an effective compliance programme
US regulators tend to evaluate programmes using three enquiries: 'Is the company's compliance programme well designed? Is it being applied in good faith? Does it work?'5 The presence of effectively operating internal audit and monitoring functions contributes to the design and implementation of an effective compliance programme and allows an organisation to assess its effectiveness.
Effective compliance programmes are grounded in a robust risk assessment, one that is best informed by well-functioning internal audit and monitoring processes, because risk assessments help an organisation tailor its compliance programme to its size and scope. Although strategies and procedures can be similar, there is no such thing as a 'one size fits all' approach to compliance, a fact recognised by most practitioners, government agencies and international bodies, such as the United Nations.6 However, as an organisation's compliance risks increase, so should the resources devoted to auditing and monitoring.7
An organisation's assessment of risk also allows it to focus resources on higher risk markets or transactions. Regulators in the United States and the United Kingdom recognise that companies have limited resources and that a decision to focus on a higher-risk area based on the company's risk assessment may result in the lack of prevention of an infraction in a low-risk area. Despite such a fact pattern, companies subject to enforcement actions may still receive credit for having an effective compliance programme. However, organisations that fail to understand their risks and focus resources accordingly may receive less credit for the quality and effectiveness of their programmes.8
Regulators also expect effective compliance programmes to incorporate continuing monitoring of third parties.9 To do so, an organisation needs to understand the landscape of its third-party relationships and, most importantly, where the risks within those relationships reside. A meaningful risk assessment informs a company's understanding of third-party risk, but auditing and monitoring facilitate the processes that keep that risk assessment current, along with periodic due diligence updates, exercise of audit rights, training and tracking of annual certifications.
Most importantly, regulators expect effective compliance programmes to embrace the idea of continuous improvement, and auditing and monitoring processes drive the feedback loop. As a company's business, regulatory requirements, customers and environments change, so must its compliance programme.10 Organisations must review and test their controls and processes to ensure not only that they are working as intended but that they are aligned with the company's risks.
Auditing versus monitoring
Although both auditing and monitoring drive the risk assessment needed to develop, implement and improve effective compliance programmes, each function is distinct in its structure and aims. Traditional auditing functions are more structured and systematic in their approach and are designed to evaluate effectiveness of controls, determine the root cause of identified failures and drive improvements in a company's control environment. Audit exercises assess controls at a specific point in time and are performed retrospectively by individuals or teams independent of the process being examined. Where within the organisation an auditing function is housed can be dependent on the organisation's size, scale and risk profile. Some organisations choose to audit compliance processes with a dedicated compliance audit function. Others perform those same activities under the umbrella of a more traditional internal audit group. Regardless, audit activities are more formal in nature.
1. Sara Shaner is a senior director and Jean-Michel Ferat and Shelly Mady are senior managing directors at Ankura Consulting Group, LLC.
2. Organisation for Economic Co-operation and Development, 'Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions', Sanctions and Confiscation: Article XV, available at https://legalinstruments.oecd.org/en/instruments/OECD-LEGAL-0378 (last accessed 6 June 2022).
3. United States Sentencing Commission, Guidelines Manual, Chapter 8 – Sentencing of Organizations, available at https://www.ussc.gov/guidelines/2018-guidelinesmanual/2018-chapter-8#NaN (last accessed 6 June 2022).
4. The Crown Prosecution Service (CPS), 'Bribery Act 2010: Joint Prosecution Guidance of The Director of the Serious Fraud Office and The Director of Public Prosecutions', available at https://www.cps.gov.uk/legal-guidance/bribery-act-2010-joint-prosecution-guidance-director-serious-fraud-office-and#a21 (last accessed 6 June 2022).
5. 'A Resource Guide to the U.S. Foreign Corrupt Practices Act', available at https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf (last accessed 6 June 2022).
6. United Nations Convention Against Corruption, Article 12(f), available at https://www.unodc.org/documents/treaties/UNCAC/Publications/Convention/08-50026_E.pdf (last accessed 6 June 2022).
dance', op. cit. note 4, above.
10. 'Bribery Act 2010: Guidance', op. cit. note 4, above.