Double Standard? Accounts get Audited... but compliance systems don't?
For over 50 years, the Accounting Standards have given management and investors a mechanism to prove (through audit and certification) the accounting systems of companies. If that model has been so successful and robust, why are we not rushing to apply the same principles to other areas like Compliance.
Every year, large companies, medium sized companies and even many small ones are required to have their financial systems independently audited. The purpose of these audits is to check the governance, accuracy and reporting of the recording of financial transactions. This is principally a requirement for the benefit of shareholders and management. It gives the management, leadership and the shareholders comfort that they can rely on the work done by management in the financial systems. Having a firm check the transactions and sign off on the audit is a huge comfort to everyone involved. It makes sense and is a great comfort to shareholders that they can rely on what they are being told by management and being reported.
There are a few additional pieces that make the audit even better as a management, leadership and shareholder tool. The first is that the Standards that the auditor uses to test the financial system. There is clearly a need to have a set of rules that define what is acceptable and how the auditors can judge compliance. The World recognised this challenge and set out a series of Standards, known as the Accounting Standards (e.g. GAAP, IFRS). These Accounting Standards allow financial staff of your company and the auditors to test each company against a known set of rules. Without this, an audit would be impractical and never be able to be truly a comparative tool. Having the accounting Standards simply makes sense. An essential part of the process to protect shareholders.
The second thing which was essential to make the process work is to have an auditor of auditors. Someone that can make sure the auditors conducting an audit against the Standards are qualified to make that assessment and are following a known approach in the way in which they audit. Also, very sensible. These bodies like the PCAOB make it very simple to know whether an audit firm meets the requirements of being an audit and that their people and their process continues to meet the requirements of the Standard. This element gives additional protections to 'the system' and ensures that the audit process is as tight as possible and almost guaranteed to be accurate and complete.
Now, let's assess the compliance industry.
Up until very recently, we had no real Standard on building compliance programs. We had no audit structure and we had no oversight over auditors. For years I have been asked to conduct audits for clients against 'best practices' which is totally subjective and a weak way of really testing a program. Every Compliance program was built based on what that compliance knew or learned from events and conferences. There was minimal structure to most programs and only a few recognised best practices that have been loosely followed. Most of these recognised best practices have been drafted to specifically minimise the fines imposed by regulators. They were not designed to build great programs in the first place.
The old World of lack of Standards has now changed. We have two globally relevant International Standards produced by the International Standards Organisation, known generally as ISO. The first, a non-certifiable Standard, ISO 19600 applicable to any and every risk issue that a compliance program is built to manage, and, secondly, a certifiable Standard for anti-bribery programs called ISO 37001. What a huge change in our industry! Every compliance person should now be thinking about how they engage with these Standards to redevelop their management systems. They are the biggest development in our industry and can refine the whole approach to corporate and regulatory compliance.
For the certifiable Standard, ISO 37001, the ISO framework also provides the mechanism to be accredited to be a certification body. The mechanism is global, has been in place for many years and is known for giving accreditation to organisations that pass very stringent tests in following another Standard, ISO 17021. This model allows the 'auditor or auditors' issue solved in the accounting World and set out above.
Now that we have two very clear and simple Standards produced by ISO, and we have in place an accreditation system for the certification bodies, what is stopping companies and organisations from using these Standards?
Fatigue. Many compliance officers just finished building their programs on 'best practices'. The thought of reviewing and changing their plans to meet the Standards is daunting. Not a great excuse, but it’s reality.
Awareness. Many compliance officers simply are not aware of the Standards. The ISO group is not known for its marketing and awareness has been low.
Accreditations. It takes some time, often a year or two for an accreditation body to be accredited to audit and certify the Standard. Only a few organisations have been accredited under the ISO 37001 Standard bit several are undergoing accreditation which will give more options for certifications.
Wait and See. There is a fair amount of wait and see with compliance officers waiting to see who else gets certified. There are around 100 companies and organisations already been certified around the World with countries like France, Malaysia and the UAE leading the way.
Confusion. There has been a fair amount of negative press on the Standards written by pundits within the compliance community. These comments are almost always subjective or flawed in their understanding.
Value Proposition. Some companies are struggling seeing the value proposition. The value is outlined in many other blogs. The value is clear, but it takes some work to calculate it in real dollar terms, the only set of terms that really makes sense to a business.
Companies and organisations should buy the Standards, read them, consider their depth and decide whether adjusting your Compliance Programs to meet the standards is a good thing, and, at least as it applies to anti-bribery, consider certification under ISO 37001.
One thing is for sure, the Standards are not going away, and, indeed, new ones are being drafted. Make an informed decision.