An effective corporate compliance program is critical for companies looking to ensure that they actively prevent fraud, corruption, sanctions violations and other non-compliance issues and meet regulatory expectations. The Department of Justice and other regulatory agencies expect compliance officers to ensure that their company has an effective compliance program with continuous compliance monitoring that can detect and prevent compliance violations.
Therefore, companies must make sure they are regularly testing their compliance program to ensure it is performing effectively and continuing to address the shifting expectations of regulatory agencies. The Department of Justice asks three questions when examining a company's compliance program:
-
Is its compliance program well designed?
-
Is it adequately resourced and empowered to function effectively?
-
Does the compliance program work in practice?
None of these questions can be fully answered without continuously testing your compliance program and procedures to verify that they are working as intended and in accordance with regulatory expectations. Let's break down why the Department of Justice and regulators expect companies to test their compliance programs continuously.
The Department of Justice Expects Corporate Compliance Programs to be Continuously Tested
Having a system in place to continuously test your compliance program demonstrates to regulators and prosecutors that your company is committed to running an effective compliance program and is actively seeking to foster a culture of ethical behavior. Prosecutors and regulators know that even the most advanced compliance systems will be unable to mitigate 100 percent of non-compliance. Still, they are willing to give credit to companies that have made concerted efforts to prevent such behavior and detect it immediately when it does occur.
Continuously testing your company’s activities—for example, by testing 100 percent of your financial transactions—can provide a holistic and objective assessment of whether non-compliance is occurring within your organization. Such continuous testing can provide much wider and real-time assessment when compared to traditional methods such as sample-based audits and whistleblower reports.
When the Department of Justice is considering corporate resolutions—including guilty pleas, deferred prosecutions, and non-prosecution agreements—the Department is now considering whether Chief Compliance Officers, as opposed to just Chief Executive Officers, must certify at the end of the term of the agreement that their company's compliance program is reasonably designed and implemented to help detect and prevent violations of the law. Continuous testing is key to supporting such a certification.
Suppose a compliance program isn't regularly testing activities and transactions for risk. In that case, it may be challenging for the Chief Compliance Officer to provide such a certification and to convince regulatory agencies and law enforcement that the certification is grounded in reality rather than wishful thinking.
Compliance programs that run on data - and are capable of analyzing said data - are better positioned to meet regulatory expectations regarding continuous testing. Compliance officers can use the insights provided by their compliance analytics program's data to upgrade their compliance processes to address the root causes of misconduct. Continuous program improvement directly aligns with Department of Justice expectations, which emphasize the importance of continually testing and iterating compliance programs to ensure they are sustainable and adapt to changing risks.
Crucially, implementing procedures that enable continuous testing of a corporate compliance program ensures that companies do more than take a basic "tick the box" approach to their compliance processes. The Department of Justice expects Chief Compliance Officers to demonstrate knowledge and ownership of their compliance programs, while the compliance officers on their team should be empowered to follow suit. Companies with well-tested compliance programs that can detect and mitigate non-compliant activity at scale and in real-time will be better positioned to avoid having monitorships imposed on them if their compliance processes are under examination.
How Companies Can Create a Feedback Loop to Continuously Test Their Compliance Program
Companies can test the effectiveness of their compliance programs by attempting to determine the success of metrics, such as training completion rates, and communication tools, such as hotline reports. Traditionally, these tools have been used as companies' primary compliance metrics, but there are shortcomings to that approach. For example, a company may have a low number of hotline reports in a given year, but that doesn't necessarily mean that fraudulent activity isn't happening. Without further data, it could mean that a company has fostered a culture of fear of retaliation that has dissuaded employees from reporting such activity.
Another example would be a company that reports a high training completion rate. Ninety-nine percent of a company's employees might have completed their mandatory ethics and compliance training courses, but that statistic doesn't guarantee that employees follow that training or even understand its importance.
Testing whether those basic metrics equate to effective compliance will allow companies to better meet Department of Justice expectations. For example, instead of taking the aforementioned 99 percent completion rate as a sign that your company's employees are behaving ethically, a compliance officer could use data analytics to monitor 100% of employee expenses or vendor or customer transactions to validate whether there are examples of non-compliance within that data.
The Department of Justice expects companies to be testing their compliance programs and procedures on an ongoing basis rather than just periodically. Those standards include an expectation that companies can effectively manage risk across the lifespan of their relationship with any given entity, particularly with third party risk management.
For example, a third party designated as low risk during the initial due diligence process may have been misclassified, or the scope of their work may have changed throughout the relationship, positioning them to behave unethically after onboarding. A company with a compliance program that has been fine-tuned to provide continuous third party risk management can detect wrongdoing in a fraction of the time, which is what regulators expect from compliance programs.
Companies Can Save Time and Money
By Rigorously Testing Their Compliance Programs
Being diligent in testing your company's compliance program isn't just about adhering to regulatory expectations - doing so will also have a materially positive impact on your company's bottom line by quickly rooting out fraud, waste, and abuse.
A basic compliance program might require employees to submit records of T&E expenses, invoices, rebates, and other financial transactions. Still, if the program isn't testing each transaction or using compliance analytics to discover anomalies - such as running data analyses to detect unusual trends, patterns, and financial discrepancies - the program may be unable to detect corrupt and fraudulent behavior, which can adversely impact a company's bottom line.
On the other hand, a more advanced compliance analytics system capable of running meaningful tests can subject any transaction to dozens of statistical, behavioral, and rule-based analyses and automatically assign aggregated transactional risk scores, ensuring that high-risk transactions can be easily detected and singled out for further review. This continuous compliance monitoring ensures that compliance officers focus their limited time and resources on high-value activities rather than attempting to comb through the entirety of their company's data manually.
Testing the speed at which a compliance program can accurately detect and manage suspicious activity is also essential. Consider how difficult it can be to manually detect issues such as bribery and corruption in a reasonable timeframe. It's possible for such activities to be hidden in emails, documents, or a myriad of other electronic files stored across systems in multiple departments.
To further complicate matters, such fraudulent activity could be in different languages, take the form of images instead of text, or be otherwise obfuscated to make manual detection particularly difficult. However, if a compliance officer understands these issues and has tested their compliance program and iterated upon it to overcome these problems, the system could be better situated to root out such suspicious activity. Example solutions could include sophisticated search and analytics tools and continuous monitoring programs that track and risk score every corporate transaction automatically and would be able to detect potential bribes or fraud in a fraction of the time manual reviews would be capable of doing so.
Conclusion
A compliance program capable of being regularly tested is a compliance program that is ideally situated to root out non-compliance and satisfy regulatory expectations. Traditionally, compliance teams have struggled to adopt this kind of mentality or have lacked the tools to enable continuous testing. This is a conundrum that Lextegrity's founders set out to resolve - Lextegrity was founded by a team of long-time compliance and audit professionals who wanted to create the kind of compliance and audit programs that they wished they had while they were working in-house.
We understand the challenges that companies face with regards to compliance program modernization and empowering compliance and audit professionals to regularly stress test their policies and procedures through real-time transactional testing. If you have questions about how Lextegrity can help, don't hesitate to reach out to us.
FAQs
What three questions does the DOJ examine when looking at a company’s compliance program?
Is its compliance program well designed? Is it adequately resourced and empowered to function effectively? Does the compliance program work in practice?
Why should I continuously test my compliance program?
Having a system in place to continuously test your compliance program demonstrates to regulators and prosecutors that your company is committed to running an effective compliance program and is actively seeking to foster a culture of ethical behavior.
Who is responsible for ensuring a compliance program is continuously tested?
When the Department of Justice is considering corporate resolutions—, including guilty pleas, deferred prosecutions, and non-prosecution agreements—, the Department is now considering whether Chief Compliance Officers, as opposed to just Chief Executive Officers, must certify at the end of the term of the agreement that their company's compliance program is reasonably designed and implemented to help detect and prevent violations of the law.
