Ensuring your compliance program is on the mark - IIA Australia

Session 7B Compliance auditing – Ensuring your compliance program is on the mark Peter Sheville PMIIA, Director, Vincents Audit and Assurance


Compliance Auditing: Ensuring your compliance program is on the mark

7 January 2016

Session 7.B

Peter Sheville PMIIA, Director, Vincents Audit & Assurance

Agenda

01 A World Without Compliance – Why is compliance auditing important?
02 Its Beginning and Purpose – When did it begin and what is it trying to achieve?
03 Compliance Obligations – Identifying and assessing your key compliance obligations
04 Compliance Risk – Risk-based approach in managing and mapping compliance risk
05 Compliance Management – Ensuring appropriateness of processes, documentation and reporting
06 Role and Responsibilities – Key role and responsibilities of the organization and Internal Audit
07 Compliance Audit Plan – Essentials in preparing an effective regulatory compliance audit plan
08 Summary – Key items revisited
09 Questions

A World Without Compliance: Why is compliance important?

01. WORLD WITHOUT COMPLIANCE: Why is compliance auditing important?

https://www.youtube.com/watch?v=LH8ZSuVOPfc

01. WORLD WITHOUT COMPLIANCE: Why is compliance auditing important? (cont’d)

| Organisation      | What Happened                            | How They Got Caught                  |
|-------------------|------------------------------------------|--------------------------------------|
| Waste Management  | $1.7 billion in fake earnings            | New CEO and management team          |
| Enron             | $74 billion shareholder loss             | Turned in by internal whistle-blower |
| WorldCom          | $180 billion in losses for investors     | Internal Audit department            |
| Lehman Brothers   | $50 billion in loans disguised as sales  | Went bankrupt                        |
| Freddie Mac       | $5 billion in misstated earnings         | SEC investigation                    |
| Queensland Health | $16.7 million in fraudulent transactions | One large transaction raised alarms  |
| Queensland Health | $40k in timesheet fraud                  | CCC investigation                    |

Sources: http://www.accounting-degree.org/scandals and http://www.ccc.qld.gov.au/

Its Beginning and Purpose: When did it begin and what is it trying to achieve?

02. ITS BEGINNING AND PURPOSE: When did auditing begin and what is it trying to achieve?

• Dates back as far as 4,000 B.C. and can be traced to the Zhao dynasty in China as well as to finance systems in Babylonia, Greece, the Roman Empire, etc. [1]
• Used by governments and businesses to manage concerns of incompetent and opportunistic officials
• The development of the joint-stock company concept in the 19th century led to auditing being a necessity in modern day business [2]

[1] (Bailey, Gramling & Ramamoorti, 2003) [2] (Encyclopedia Britannica) [3] (ISSAI 400 Fundamental Principles of Compliance Auditing) [4] (Gleim, n.d.)

[Figure: Purpose – Transparency, Accountability, Good Governance]

02. ITS BEGINNING AND PURPOSE: When did auditing begin and what is it trying to achieve? (cont’d)

• Internal audit first began as a means of protection against payroll fraud, loss of cash and other assets
• The need for independent verification of accounting errors, asset misappropriation and fraud drove its scope to almost all financial transactions
• Moved from an “audit for management” emphasis to an “audit of management” approach [1]
• This laid the foundation for what Internal Audit has become today, “… an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives…” [4]

Image acknowledgement to haan249.

Compliance Obligations: Identifying and assessing your key compliance obligations

03. COMPLIANCE OBLIGATIONS: Identifying and assessing your key compliance obligations

Identifying who you are as an organization:

• What is your structure and size?
• Who is held accountable for performance?
• Where are you located geographically?
• Who are your stakeholders?
• Who do you do business with?
• What industry does your organization form part of?
• What type of licenses/permits do you hold?
• What type of products/services do you offer?
• Do you trade, import or export?
• What are your future growth expectations?

Assessing where your organization is in its journey to where it wants to be:

• Where are you now and where do you want to be?
• What drives your organization, and is this likely to change?
• What are your offerings, and is change expected in the future?
• Is the organization expanding from its current setting?
• Where is the industry in its lifecycle and where is it trending to?
• Who are your stakeholders, and will they change as your journey progresses?

Compliance Risk: Risk-based approach in managing and mapping compliance risk

04. COMPLIANCE RISK: Risk-based approach in managing and mapping compliance risk

• The traditional view of risk management was to attempt to remove or eliminate risk
• This negatively impacts the organization’s pursuit of value
• Balancing the level of acceptable risk against expected return results in optimal risk-taking [5]
• Optimal risk-taking, largely related to an organization’s risk appetite, is identified through risk assessment
• A variety of methods exist to assess risks; however, fundamentally, they are aligned

[5] (Curtis & Carey, 2012)

[Figure: Optimal Risk-Taking, Expected Return, Acceptable Risk]

04. COMPLIANCE RISK: Risk-based approach in managing and mapping compliance risk (cont’d)

• Risk is the possibility that an event will occur and adversely affect the achievement of organizational objectives
• Identifying risks precedes the risk assessment process and produces a list of risks that have the potential to negatively impact the organization
• Key risks are those that have the potential to adversely impact the organization’s objectives; clarity in understanding organizational objectives is a must for successful risk management [4]
• The assessment process includes the development of assessment criteria, the assessment of the specific risks, assessment of risk interactions, and prioritization of risks [5]
• The final element is the risk response and how the identified risks will be managed
• In contrast to traditional means, managing risks is achieved through response techniques that typically result in avoiding, accepting, mitigating, sharing or exploiting the risk [4]

[Figure: Identify Risks → Assess Risks → Respond to Risks]

Compliance Management: Ensuring appropriateness of process, documentation and reporting

05. COMPLIANCE MANAGEMENT: Ensuring appropriateness of process, documentation and reporting

• Compliance management – where has your organization set its benchmark?
• Is the underlying process by which the organization manages its compliance obligations and compliance risks systematic?
• The International Organization for Standardization (ISO) released ISO 19600:2015 Compliance Management Systems
• Adopted in Australia as AS/ISO 19600:2015, it acts as a guideline for the development and implementation of a sound compliance management system [6]
• A key focus is to embed compliance within the organization’s culture and integrate it with the organization’s management processes

[6] ("New compliance standard: AS/ISO 19600:2015", n.d.)

[Figure: Compliance Management, Compliance Risks, Compliance Obligations]

05. COMPLIANCE MANAGEMENT: Ensuring appropriateness of process, documentation and reporting (cont’d)

• Communication is integral to successful compliance management and should be driven by the board and senior management
• It should be evident in the culture, policies and procedures, individual responsibilities and reporting of the organization
• Performance evaluation and improvement is the final element of the process and identifies areas in which the system in place can become better
• Compliance management is not a one-off process – it is a cyclical process that restarts upon its final step of performance evaluation and improvement [6]

[Figure: cycle of Establishing Context, Risk Assessment, Risk Response, Communication, and Performance Evaluation and Improvement]

Role and Responsibilities: Key role and responsibility of the organization and Internal Audit

06. ROLE AND RESPONSIBILITY: Key role and responsibility of the organization and Internal Audit

• Compliance management systems help organizations:
  • Learn about their compliance responsibilities
  • Ensure personnel are aware of requirements
  • Embed requirements into culture and processes
  • Continuously review and improve risks
  • Respond to risks prior to them occurring
• Three key elements to a successful compliance management system:
  • Board and management oversight
  • Compliance program
  • Compliance audit
• If all elements are strong and cooperate, compliance responsibilities and risks should be managed appropriately [7]

[7] (Compliance Management System, n.d.)

[Figure: Board and Management Oversight, Compliance Program, Compliance Audit]

06. ROLE AND RESPONSIBILITY: Key role and responsibility of the organization and Internal Audit (cont’d)

• Board and Management Oversight:
  • Hold ultimate responsibility for organizational compliance
  • Lay the foundation for the organization’s compliance success by demonstrating clear expectations formally and informally
  • Tone at the top drives culture and is communicated directly or indirectly through to all levels of the organization
• Compliance Program:
  • The policies and procedures of an organization
  • Training and education of personnel
  • Response to internal and external complaints
  • Monitoring and identification of risks [7]

06. ROLE AND RESPONSIBILITY: Key role and responsibility of the organization and Internal Audit (cont’d)

• Compliance Audits:
  • Independent, objective review of compliance
  • Assists the Board and Senior Management in maintaining compliance and identifying potential risks
  • Complements the compliance program through additional monitoring
  • Cooperation with the Board in determining scope and frequency
  • Cooperation with the organization in identification of risks and maintaining compliance
  • Communication of compliance audits to the Board and Senior Management, ensuring opportunities for improvement flow through the organization

Compliance Audit Plan: Essentials in preparing an effective compliance audit plan

07. COMPLIANCE AUDIT PLAN: Essentials in preparing an effective regulatory compliance audit plan

• Knowing the key stakeholders and their relationships, as well as understanding the roles and responsibilities of the audit engagement team
• Documenting the expected and agreed-upon timeframes for the audit
• Understanding the internal and external regulatory requirements as well as other key stakeholder requirements
• Gaining and developing an understanding of the organization, its purpose, objectives and strategies
• Incorporating the objectives and strategies of the organization when preparing the audit’s scope and objectives
• Developing an understanding of the organization’s control environment, control activities and risk assessment process through interviews, data and information gathering techniques
• Reviewing potential industry analysis to determine key risk areas that may exist within the external environment
• Addressing the objective and scope through the testing approach that will be taken

[Figure: Planning, Performing, Communicating]

Summary: Key items revisited

08. SUMMARY: Key items revisited

• What happens when compliance is removed from the picture?
• The need for compliance and auditing remains aligned to why it was needed many years ago – transparency, accountability and good governance
• To identify and assess your obligations, you need to know who your organization is and where it is going
• Optimal risk-taking is a result of the organization’s expected return and acceptable risk levels
• Effectively managing and mapping risks is a result of identifying risks, assessing risks and responding to risks
• Compliance management should be embedded in the culture of an organization
• Compliance management is achieved through evaluating, improving and communicating risks
• Compliance management is a continuous process
• Board and management hold the ultimate responsibility for compliance and set the tone at the top
• A compliance program is an essential element of a compliance management system, along with board and management oversight and compliance auditing
• Understanding the organization, its purpose, strategy and objectives is essential in effectively establishing a compliance audit plan

Questions?

www.vincents.com.au

References

• Bailey, A., Gramling, A., & Ramamoorti, S. (2003). Research opportunities in internal auditing. Altamonte Springs, Fla.: Institute of Internal Auditors Research Foundation.
• Curtis, D., & Carey, M. (2012). Risk Assessment in Practice (1st ed., pp. 1-18). Durham, NC: The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Retrieved from http://www2.deloitte.com/ie/en/pages/deloitte-private/articles/risk-compliance-management-assurance-mapping.html
• Encyclopedia Britannica. (2016). auditing | accounting. Retrieved 8 February 2016, from http://www.britannica.com/topic/auditing-accounting
• ISSAI 400 Fundamental Principles of Compliance Auditing. (2014) (p. 4). Vienna.
• Gleim, I. (n.d.). CIA review Part 1.
• New compliance standard: AS/ISO 19600:2015. (n.d.). Retrieved from https://complispace.wordpress.com/2015/07/31/new-compliance-standard-asiso-196002015/
• Compliance Management System (1st ed.). (n.d.). Retrieved from https://www.fdic.gov/news/news/financial/2006/2cep_compliance.pdf