Auditing the compliance function is, of course, a staple of many internal audit plans. And while compliance departments in more highly regulated industries, such as finance and health care, tend to be more advanced, an inadequate compliance function at nearly any company can expose it to the risk of running afoul of laws and regulations, from anti-bribery and corruption laws to data-privacy regulations.
Yet nascent compliance programs are the norm at many companies, according to a recent Deloitte survey. More than half (55.5%) of the regulatory compliance professionals, board members, and C-suite executives who responded describe their current compliance and regulatory efforts as just foundational—neither modernized nor value-creating.
In fact, the data reveals that compliance modernization is eluding most companies for a host of reasons, including a lack of technological capabilities such as cognitive intelligence, risk-sensing, and robotic process automation (23.8%); a lack of processes to support modernization efforts (19.2%); a lack of talent with the required skill sets (18.6%); and a lack of business, board, and C-suite engagement (13.4%).
"Many organizations have been living in firefighting mode when it comes to regulatory compliance; they're very point-solution oriented," says Tom Nicolosi, a regulatory & operational risk principal at Deloitte & Touche. "They really haven't taken a step back to implement something more scalable and sustainable."
The pressure to modernize is likely to intensify, says the Deloitte executive. Despite a presidential administration that has promised to roll back some regulations—Dodd-Frank Act provisions in particular—many respondents don't expect much regulatory relief. According to the Deloitte survey, 44% actually anticipate an increase in regulatory enforcement in the next 12 months. And if there is a rollback, regulation experts don't expect it to last very long. "We're experiencing a short break from fast-paced regulatory change," says Nicolosi. He adds that now may be a good time for companies to consider modernizing their compliance programs.
Internal Audit's Role
During compliance audits and assessments of the compliance function, internal audit can aid in identifying areas to modernize and improve processes. Internal audit should look for manual processes that may open up the compliance organization to unnecessary errors, or at a minimum, require extensive amounts of time that could otherwise be used in higher-value ways, says Mike Schor, an internal audit partner at Deloitte.
"They should also focus on people—determining whether the compliance organization has the right capabilities for the right job—both in resource quantity and quality," says Schor. "Finally, they should look at the tools and technology enablers like robotics and analytics being utilized, and compare them to those leveraged at other leading organizations or in other areas of their own enterprises," he says.
Before it can improve compliance processes, however, an organization must first recognize that problems exist or that the compliance department is lagging. A compliance department may be doing enough to avoid large penalties or violations while still not operating efficiently or at a high level, which means the next slip-up could occur at any time. Anthony Bellezza, senior vice president and chief compliance officer at Rite Aid and instructor for MISTI's Governance, Risk, and Compliance course, says internal audit should be assessing compliance practices to ensure they are working properly. "Internal audit should be in there making sure you are doing it right," he says.
Five Indicators of Deficiency
Bellezza identified five signs internal audit should look for that indicate the compliance function may need fixing:
1. There's no support for compliance from the executive team.
According to Bellezza, compliance needs unwavering support and buy-in from the entire executive team, and the right tone has to be set for compliance, particularly by the CEO. "It has to start at the top," he says. One sign he looks for is top executives not actively participating on the compliance committee each quarter. "If top executives can't devote an hour or two of their time with the compliance committee each quarter, then the tone for compliance may not be right and the company really can't say they care about compliance," says Bellezza.
2. Compliance isn't integrated with governance and risk in a comprehensive governance, risk & compliance (GRC) program.
"You have to connect all the dots and all of the people working in governance, risk, and compliance," says Bellezza. "That's the only way it works!" Without an integrated GRC program, he says, silos develop that can hold back compliance efforts. He says companies need to focus their efforts on the top 10 to 15 compliance and risk areas, and involve subject matter experts within the company to help develop the main requirements within those areas. This gets everyone on the same page and focused on what is important. When the compliance team, operations, and internal audit are all looking at the same top compliance requirements, you can really move the organization forward and reduce your risk, says Bellezza. "Compliance can't be on its own island and expect success."
3. The company has a disciplinary mentality.
Another sign for Bellezza that the compliance function needs improvement is a company that focuses only on punishing those responsible for compliance problems rather than getting to the root cause of why the problems are occurring. "Your organization will not be successful unless you analyze what causes the compliance issue." That doesn't mean Bellezza thinks those responsible for compliance failures should be off the hook; rather, he believes there are better ways to improve an organization's compliance efforts. Companies can make greater and faster strides, he says, when they create a rewards and recognition program: recognizing employees for their compliance successes creates momentum and a sense of pride. "Getting an awards program off the ground takes time; however, you can start by recognizing those areas of the company that go a certain length of time without a compliance issue." Bellezza says that "if you reward compliance and ethical behavior you are going to have a better business."
4. Leaders and managers aren't trained in compliance.
Bellezza says tone in the middle is as important as tone at the top, but the only way managers and business unit leaders can be effective at preaching compliance is if they get training on compliance requirements. "You have to have an informed tone in the middle," says Bellezza. "If companies are not training their middle managers, they are just throwing them into the fire." He suggests that training be coordinated and cover all aspects of GRC. "By training your managers and business unit leaders on GRC, they will have a better understanding of how important their role is in the Three Lines of Defense Model for compliance and risk management."
5. Data isn't gathered and analyzed.
Today, companies have vast amounts of information with which to run their businesses. Having all of this information is great, but Bellezza believes that if you are not connecting the data to paint a picture of where risks and compliance issues may be present, it's not doing you much good. He says, "Compliance functions can leverage all of this data to get ahead of where a potential issue could exist or arise." Data analysis, he says, can help companies target problem areas so they don't waste time reviewing areas that are healthy from a compliance standpoint. Bellezza also noted that many organizations believe bringing in a new tool to help with their compliance or GRC efforts is the best course. This can be a major mistake if a company has not first put the right GRC processes in place. He says, "You first have to have the right compliance and overall GRC processes in place before you attempt to enable it with technology."
Deloitte's Nicolosi says the time is right for assessing and modernizing compliance so that it can take advantage of technology, run more efficiently, and ultimately add value rather than only providing a foundational function. "While I realize C-suites and execs want their compliance teams to do more with less, I think now's a great time for those groups to gather, take a step back and really talk about how to optimize their compliance programs," he says. "If you're concerned about regulatory enforcement increases, and you're feeling a brief reprieve from what used to be the very high pace of regulatory changes—there's no time like the present to assess your program and eliminate inefficiencies within it."