Special Report: Compliance Testing, Data Access Falls Short

An exclusive new report finds that most corporate compliance teams struggle to perform adequate testing and monitoring of their compliance programs, and also struggle to get access to the enterprise data they need to address their organizations’ compliance risks effectively.

Those are just some of the findings of a study released this week by Rethink Compliance and Radical Compliance. We surveyed more than 200 compliance officers to ask them about the testing and monitoring they perform on their programs; and about the access to data they do or don’t have at their organizations. The findings weren’t all bad, but several of them should give compliance officers pause.

For example… 

  • Only 32 percent of respondents indicated they test or monitor ethics and compliance controls on an ongoing basis. 
  • Only 22 percent said that they have sufficient budget and resources to test or monitor important E&C controls.
  • Only 19 percent said that most of their high-priority E&C controls are tested or monitored using data from systems. (That is, data pulled directly from other business operating teams in the enterprise.)

We also asked about companies’ efforts to preserve business communications, since enforcement of off-channel messaging has been a hot issue this year with regulators. Those findings weren’t great either:

  • Only 31 percent said they were confident that their organization has the ability to capture and preserve all business communications as necessary for investigations or litigation.
  • Only 17 percent conduct audits of their disciplinary processes.

That’s all rather yucky, because it suggests that companies are not meeting expectations that the Justice Department has for effective compliance programs. The department’s guidelines — updated as recently as last week — expressly talk about testing, monitoring, and access to data as important issues that prosecutors are likely to ask about if your business is ever under investigation.

“Our biggest takeaway from the study is that most programs’ testing and monitoring efforts are falling below regulatory expectations,” said Jamie McKillop, vice president of advisory services at Rethink. “The results indicate that the biggest reason behind this shortfall is compliance teams not having access to the right internal data or systems… If you don’t have access to the correct data, you can’t get the complete picture of compliance program performance that you need. If you don’t have that complete picture, then your ability to understand where the program is or isn’t effective — that gets a lot harder, if not impossible.”

The State of Testing

Let’s start with a few more findings. The good news is that 79 percent of respondents said their organizations conduct some sort of testing and monitoring of the compliance program. When you dig into that group, however, only 32 percent say they test on an “ongoing” basis. Another 33 percent indicated they test or monitor controls on a “planned” basis, while 10 percent said they test or monitor controls on an “ad hoc” basis.

And what types of testing do compliance officers conduct? Most common were tests to see whether your policies and procedures are consistently followed. Compliance-focused surveys were in second place, independent assessments in third. See Figure 1, below.

testing

Fifty-five percent of respondents said they work with internal audit, finance, or some other Second Line control function to perform testing, while 35 percent said they use external resources such as an audit or consulting firm. A brave 33 percent said they do testing themselves (although I immediately wonder how many compliance teams have sufficient manpower and skill to do that alone).

Roughly two-thirds of respondents also said they rely on various key performance metrics to monitor their compliance program. Figure 2, below, shows what those KPIs are.

Delighted to see that most compliance officers are using KPIs to monitor the success of their program, although I do have two notes of caution here. 

First, it’s important to think about which KPIs measure how busy your program is, which might not be the same KPIs that tell you how effective it is. You’ll likely need to track multiple KPIs over time, to see whether changes to your program (new training modules, new policies, new procedures) lead to changes in behavior (more complaints about certain issues, higher named reports versus anonymous, and so forth). 

Second, our report found that most compliance officers who establish KPIs only track them at the enterprise level (cited by 67 percent of respondents). Far fewer track compliance KPIs at the business unit level (28 percent) or department level (27 percent); and only 10 percent track KPIs at the individual level.

Enterprise-level KPIs do have their place; you can’t monitor the success of your compliance program without them. But the further down within the organization that you can establish KPIs, the more you’ll be able to identify new or evolving risks. For example, KPIs at business unit level might help you uncover bribery issues in far-flung business units; KPIs at the department or individual level might uncover managers engaging in personal misconduct or blocking employees from raising issues. 

Also in the report are more findings about who receives all this data about compliance program performance, and findings about the various ways that compliance teams audit their programs (which is not the same as testing and monitoring your program).

Access to Data

Part and parcel of testing and monitoring your program is access to compliance-related data, because if you don’t have access to that data, you can’t be confident that you’re testing the right controls or getting accurate results. Hence we asked a bunch of questions about access to data, too.

Our findings suggest that most compliance functions need more access to a broader set of data. Respondents said they are generally doing well leveraging the data and systems that compliance teams typically “own,” such as internal reporting or compliance training systems; but considerably fewer are leveraging data and systems outside of their direct control. 

For example, only 42 percent of respondents said the compliance department is given access to data when requested, and only 28 percent said the compliance function has the same level of access to necessary data, systems, and tools as other business functions at their organizations do.

Well, consider how that would look to prosecutors investigating your company for an issue. The compliance team might be doing great analyzing data it owns — but if that’s all the data you get, then your compliance program is just dancing in a corner by itself, while the rest of the enterprise is grooving to a tune you can’t hear. Does that sound to you like a company that takes ethics and compliance seriously?

Our survey also found some interesting tensions in the technology that’s used to track important compliance data. Some important compliance processes (internal reporting of possible violations, for example) were run by dedicated tools that the compliance team itself could control (58 percent, in this case). 

Other processes highly important to the compliance program, however, were typically run by larger systems beyond the compliance officer’s control. For example, 55 percent of respondents said invoice and payment requests were managed by larger systems (presumably ERP software such as Oracle or SAP) beyond the CCO’s control. 

Figure 3, below, is a sample of what we mean. (The report lists a lot more issues than eight shown here.)

Obviously CCOs can’t expect to have stand-alone technology tools under their direct control for all relevant issues; that would cost a fortune and be a data management nightmare. Hence the importance of senior management supporting the CCO’s access to data in a broader way, either by directing business leaders to share necessary data or by designing IT systems to allow easy transparency into the data that compliance officers need. 

My worry is that such support for data access isn’t where it needs to be. Figure 3 does not assuage my concerns. 

One final point for today: we also found that compliance officers who do get necessary access to data also tend to test and monitor their controls more thoroughly

That is, among those who said they typically get access to data when requested, 88 percent of them also said they test and monitor controls. Among those who didn’t have easy access to data, the figure was only 74 percent. 

Anyway, the report is well worth downloading and reading. I’d love to know what you think of it, and what questions we forgot to ask; email me at mkelly@radicalcompliance.com at any time!

Leave a Comment

You must be logged in to post a comment.