Many of the Fortune 100 companies tout their compliance programs. They are proud of their gold-plated, compliance programs and their record of success. But the world changed recently – especially for the Fortune 100 companies — with the events in Mexico and the New York Times report.
Fortune 100 companies are not immune to compliance breakdowns. Recent events have underscored this point – no matter how good, how elaborate your compliance program is structured, every company needs to take a look and double-check their compliance programs. So, how should the company do that? What steps should it take?
Let’s start with what they should not do. Companies should not waste their time examining their entire program, auditing every office, and double-checking the entire program. There is a better way to do it. I like to call it the targeted audit program.
Here are some basic steps on how to conduct the targeted audit program.
1. Senior management support – the targeted audit program needs approval and support from the Audit/Compliance Committee and senior management. Without such support no one inside the company will take it seriously.
2. Announcement of the targeted audit program – senior management should provide support by announcing the targeted audit program. Every regional, country or division manager should be told that a compliance audit will be conducted of certain regional, country or divisions to check on their compliance program. This announcement should send an important message to everyone in the company – make sure your compliance program is in good shape because it might be audited.
3. Targeted risk assessment – the compliance staff, in consultation with legal and internal auditing, should work together to identify those regions, countries and divisions which should be audited – this should not be limited to those offices which are most at risk but should include offices or regions which may be less risky. This will help to put together a range of risky audit candidates so that some meaningful benchmarks and comparisons can be made.
4. Audits – a detailed and thorough audit should be conducted of the targeted offices. The audit should review every aspect of the office’s operation – down to petty cash. Transactions should be tested; training should be audited; and a full financial picture should be developed.
5. Audit Reviews – the audits should be consolidated and assessed in comparison to each other and relevant benchmarks. A comparison among the offices should identify those offices which are at risk versus those that are working effectively – these results can be extrapolated to provide the company with meaningful guidance on the overall effectiveness of the compliance program.
6. Assessments – the overall targeted audits should then be incorporated into the monitoring protocol and modifications made to the compliance program, with some specific changes directed at specific offices, countries or divisions.
One thing is clear – Fortune 100 companies cannot ignore recent developments and rest on their laurels. A targeted audit program is an effective way to implement a monitoring process.