By Murray Markowitz, CCO at Kroll Bond Rating Agency
Technological advances have enabled organizations to gather more data about their operations than ever before. In turn, regulators are acknowledging the integral role of accurate and meaningful data in operating an adequate compliance program. Recent regulatory guidance emphasizes maintaining access to data and testing internal controls to confirm the adequacy of the compliance function. Similarly, updated Enterprise Risk Management (ERM) best practices reference the importance of sufficient access to data and resources for monitoring compliance programs, together with the need for strong documentation and recordkeeping procedures.
Ensuring Adequate Resources and Testing Controls
In June 2020, the Criminal Division of the Department of Justice (DOJ) issued updated guidance on the specific factors that prosecutors should use when investigating a corporation’s compliance function in a memo entitled, “Evaluation of Corporate Compliance Programs.” The memo identifies components DOJ would expect of an effective compliance program. Although many of these factors have been discussed in previous DOJ guidance, a particularly noteworthy new element in the June memo involves data collection and data analytics. When assessing whether a compliance function has sufficient resources and autonomy, DOJ will consider whether compliance and control personnel have “sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls, and transactions.” DOJ also considers whether there are any limitations on the compliance function’s access to relevant sources of data, and what management is doing to address those limitations.
The revised guidance emphasizes another critical element of corporate compliance programs: ongoing verification that the program is working effectively and showing continuous improvement. In DOJ’s view, these goals can be achieved through periodic review and testing of both the internal controls and the data gathered during the compliance monitoring process. Organizations should therefore regularly review and test both the controls and the processes by which they collect and analyze the data used in compliance monitoring.
Effective Use and Maintenance of Data in Compliance Monitoring and Reporting
Following DOJ’s June memo, in November 2020, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released “Compliance Risk Management: Applying the COSO ERM Framework,” to provide “guidance on the application of the COSO ERM framework to the identification, assessment, and management of compliance risks.” Here, COSO shows how its ERM framework – which comprises five components and twenty underlying principles – can be used to align risk management with compliance and ethics (C&E) goals. Of particular significance are the principles associated with information, communication, and reporting. Within this component, the framework notes that effective C&E programs appropriately take advantage of information and technology, communicate risk information, and report on risk, culture, and performance:
“Nowhere is technology more useful to compliance than in the monitoring and auditing component of the C&E program. Unlike with a sampling approach to auditing, properly designed data analytics can analyze 100% of a population of transactions or activities for red flags. These tests can target (1) breakdowns in internal controls designed to prevent noncompliance, (2) instances or patterns of noncompliance, (3) breakdowns in internal controls designed to detect noncompliance, or (4) other indicators or effects of noncompliance. Data analytics look through digital records to identify anomalies that are consistent with any of these four targets. Further, properly designed data analytics can be deployed in a manner that focuses on high-priority compliance risk areas based on the risk assessment.” ~ COSO ERM Framework
How does a C&E function make sure that it gets complete and accurate information to use in auditing and monitoring operations? This is where timely access to all data relevant to the compliance program is essential to a C&E function. The framework identifies certain characteristics as key to making effective use of information and technology:
- Ensure that compliance has access to all information relevant to effectively manage compliance risk
- Provide compliance with relevant information technology/data analytics skills or access to such skills
- Utilize data analytics in monitoring/auditing (monitor compliance and performance of internal controls)
- Create automated dashboards/reports for monitoring compliance
- Leverage technology to provide for the delivery of effective compliance and ethics training
- Utilize technology to facilitate risk assessment process (scoring, reporting, etc.)
Another aspect of the effective use of information, communication, and reporting is maintaining strong documentation procedures, especially related to compliance monitoring and audits. As stated in the framework:
“It is crucial to properly handle, preserve, and maintain these materials and records in the event of legal action or government inquiry. Each compliance-related investigation should be well documented, include a timeline of events and key steps and actions taken along the way, and summarize any remedial steps. . . . From these records, useful reports can be generated that provide insight into the needs and effectiveness of the investigation’s element of compliance risk management.” ~ COSO ERM Framework
Demonstrating Compliance Risk Management
While firms are improving their use of data analysis to monitor the adequacy of compliance risk management programs, regulators around the world are trying to keep pace by updating guidance and supervisory strategies. Gathering data to monitor C&E is only the first step in effective compliance risk management. Firms need to make sure not only that the information they collect is complete, but that it is used in a meaningful way. In other words, brute-force data analysis on its own is not enough; good compliance risk management requires subject matter expertise coupled with sound judgment to distinguish the signal from the noise in all that data.
Another hallmark of a strong compliance function is management’s ability to demonstrate the adequacy of its compliance program through proper documentation. Comprehensive recordkeeping of compliance monitoring and verification procedures is essential to give regulators and investigators a clear indication that a strong culture of compliance has been established within the organization.