Should Compliance Systems be Audited like Accounting Systems?
For over 50 years, the accounting standards have given management and investors a mechanism to prove (through audit and certification) the accounting systems of companies. If that model has been so successful and robust, why are we not rushing to apply the same principles to other areas like Compliance?
Every year, large companies, medium sized companies, and even many small ones are required to have their financial systems independently audited. The purpose of these audits is to check the governance, accuracy, and reporting of financial transaction records. This is principally a requirement for the benefit of shareholders and management. It gives the leadership and shareholders comfort that they can rely on the financial systems work done by management. There are also two additional pieces that make the audit even better as a management, leadership, and shareholder tool.
A Testing Standard
There is clearly a need to have a set of rules that define what is acceptable and how auditors can judge compliance. The world recognised this challenge and set out a series of standards, known as the accounting standards (e.g. GAAP, IFRS). These accounting standards allow your company's financial staff and auditors to test each company against a known set of rules. Without them an audit would be impractical and never be a truly comparative tool. This has made accounting standards an essential part of the process to protect shareholders.
Auditing the Auditors
It only makes sense that someone should be making sure that the auditors conducting an audit against the accounting standards are not only qualified to make that assessment, but also are following a known auditing approach. Bodies like the PCAOB make it very simple to know whether an audit firm meets the requirements of being an auditor, and whether its people and processes continue to meet the requirements of the standard. This element gives additional protection to 'the system' and ensures that the audit process is as tight as possible, almost guaranteeing it to be accurate and complete.
How Does This Relate to the Compliance Industry?
Up until very recently, we had no real standard for building compliance programmes, no audit structure, and no oversight of auditors. For years we received requests from clients asking us to conduct audits against 'best practices', which, without a standard, was a totally subjective and weak way of testing a programme. Every compliance programme was built based on what each compliance team knew or had learned from events and conferences. There was minimal structure to most programmes and only a few recognised best practices, which were loosely followed. Most of these recognised best practices had been drafted specifically to minimise the fines imposed by regulators. Therefore, most programmes were never designed with the intention of being great.
A New Set of Standards
Fortunately, we have now moved out of the old world of guesswork that results from a lack of standards. Two globally relevant international standards have been produced by the International Standards Organisation, known generally as ISO. The first is ISO 19600, a non-certifiable standard that is applicable to any and every risk issue that a compliance programme is built to manage. The second is a certifiable standard for anti-bribery programmes called ISO 37001.
This is a massive change in our industry, and every compliance person should now be thinking about how they can engage with these standards to redevelop their management systems. Their development will refine the whole approach to corporate and regulatory compliance.
For the certifiable standard ISO 37001, the ISO framework also provides a mechanism to accredit certification bodies. This mechanism is global and has been in place for many years. Its original purpose was to give accreditation to organisations that passed very stringent tests in following another standard, ISO 17021. This model solves the 'auditing the auditors' issue, which also existed in the accounting world.
What is Now Stopping Organisations from Using These Standards?
- Fatigue - Many compliance officers have just finished building their programmes on 'best practices'. The thought of reviewing and changing their plans to meet the standards is daunting. Not a great excuse, but it’s reality.
- Awareness - Many compliance officers simply are not aware of the standards. The ISO group is not known for its marketing, and awareness has been low.
- Accreditations - It takes some time, often a year or two, for a certification body to be accredited for auditing and certifying against the standard. Only a few organisations have thus far been accredited under the ISO 37001 standard, but as more undergo accreditation there will be more options for certification.
- Wait and See - A fair number of compliance officers are taking the wait-and-see approach, monitoring who else gets certified. Thus far, around 100 companies and organisations have already been certified around the world. Leading countries include France, Malaysia, and the UAE.
- Confusion - There has been a fair amount of negative press on the standards, written by pundits within the compliance community. These comments are almost always subjective or based on a flawed understanding.
- Value Proposition - Some companies are struggling to see the value proposition. As outlined in many other blogs, the value is clear, but it takes some work to calculate it in real dollar terms. However, once that work and research are done, businesses can express the value in whatever terms make the most sense to them.
Companies and organisations should buy the standards, read them, consider their depth, and decide whether adjusting their compliance programmes to meet them is a good thing. If the conclusion is positive, at least as it applies to anti-bribery, then they should consider certification under ISO 37001.
One thing is for sure: the standards are not going away. New ones are currently being drafted, so an informed decision needs to be made.