Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

Transcription

1 Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI 1

2 How to Build and Run an Effective Compliance Assessment Program AKBAR PASHA, BAXTER CHRIS MCCLELLAN, DELOITTE FAS APRIL 1, 2019 Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI 2

3 Agenda -Compliance Assessment- What, When & Why -Assessment Stakeholders & Governance -Selecting Assessment Location and Determining Scope -Assessment Planning- Assessment in a Box (Templates & Timelines) -Assessment Fieldwork- Testing, Interviews & Analysis -Assessment Reporting- Risk Rating and Summary Reports -Remediation Ownership & Tracking -Coordination with Investigations -Practical Tips Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI 3

4 What is a Compliance Assessment? Compliance Assessments are audit-like processes, usually done at a market, regional, country or cluster level, that: combine quantitative, analytical and qualitative approaches to measure the effectiveness of the compliance program in mitigating risk in the specific market or business unit being assessed identify areas of weakness and need for improvement with specific, trackable plans to remediate Compliance Assessments are not Risk Assessments. Risk Assessments should be done at the outset as a prerequisite to designing and implementing the compliance program for the market. Compliance Assessments are best done after the Compliance Program has been operating for some time, and measure how effective the Compliance Program is at mitigating the risks identified in the Risk Assessment

5 When are Compliance Assessments Performed? Post-acquisition, usually within 180 days of close, as part of broad integration effort, and consistent with expectations of US regulators Typically, budgets and external resources available, high-level support able to clear conflicts and manage competing priorities On a regular, documented, risk-informed cadence, as part of an overall Compliance Program Budget/resources limited, less support, competing priorities Our focus today is how to embed regular compliance assessments into compliance program. We ll discuss how to standardize the process so that fewer internal and external resources are needed; how to navigate through competing priorities; and how to staff and execute in a way to both minimize disruption and maximize value

6 Why Perform Compliance Assessments? Meets regulator expectations: [C]ompliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale. Reality of modern multi-national is disconnect between necessarily broad, allencompassing global policies and processes, and local business models, risks and program execution View from global or regional headquarters often different from local. Are there unappreciated risks? What is the user experience for the technology platforms? Are local resources and skills sets adequate? Demonstrate willingness to listen to, and work with, local leaders. Move compliance from one-way, top-down directive to two-way conversation

7 Who is Involved? Depends on the organization, and the risks that are within scope, but a typical approach it would be owned by Compliance, partnered with Internal Audit, as advised or directed by Legal Whoever is involved, important to have clear ownership Role of local Compliance, Legal, and Internal Audit: If possible, best practice to not include local employees, including those in risk management functions like Compliance, on the Assessment team, as their work is within scope of assessment and is an aspect of the compliance program effectiveness being assessed Key role in scoping phase to inform Assessment team of local risks, on-going issues, and to help navigate and liaise with local operations Typically play key role, if not overall owner, for Remediation Plan

8 Where to Start Build a core team at corporate/global level to ensure consistency in execution, documentation and reporting Implement a governing document corporate policy (best if possible), directive or protocol Create template assessment in a box Develop set of objective criteria for choosing Year 1 markets Set a realistic goal for Year 1 for both scope of assessments, number of assessments completed, and number of remediation plans in flight

9 Governing Document Important to have some corporate-level governing document that: Establishes and provides justification for an Assessment Program Signals clear senior management support Designates ownership and other roles internally Sets basic standards for program Defines in-scope risks and operations Cadence/schedule Formally establishing the program helps manage up setting budgets and priorities and across with market management, driving understanding of assessments as standard, required processes, and limiting internal appeal opportunities Governing documents are the tie-breaker in cases of conflict

10 How to Choose Markets for Assessment Based on assessment of compliance risks that takes into account: Feedback from regional compliance partners and Audit Compliance monitoring results Investigation trends in specific areas and markets Business model complexity and business growth (both historical and projected) Country compliance and enforcement environments Rotational basis Practical tips: No perfect way to do it. Choose a defensible process and try it first year. Improve as you go Leave room for more subjective analysis. Your gut feeling is often right Best done as part of broader audit/assurance planning process where are other groups going? Can you coordinate? Example: Assessment 6-12 months ahead of Audit, include Assessment Remediation with-in Audit scope Example: Assessment immediately follows Audit, where Assessment testing is included in Audit testing to minimize disruption and maximize efficiencies

11 Assessment in a box Standardize as much as possible up front: Announcement letters, kick-off meeting invites, document request s, interview requests, and other internal communications Overall schedule covering all five phases Document requests Testing templates Interview outlines basic outline can be supplemented with plug-ins for specific roles (Finance, Supply Chain) or topics (EHS, anti-trust) Summary Reports Remediation Tracking

12 Phase 1: Announcement and Scoping Most important phase crucial for local management buy-in, ensure assessment is focused on right risks and making most effective use of time and resources Before formal announcement letter (usually has broad distribution), schedule short overview call with local leadership to introduce Assessment, set expectations, and explain process and timing Have preliminary document request ready: most recent business plan; recent audits/investigations; org chart. If possible, access and review in advance of scoping call Pre-announcement call with SLT, send prelim doc request with short turnaround, then scoping calls, then send overall document request Scoping interviews: (by phone, 60 minutes or so): Business Head, Legal, Finance, Compliance, other senior business leaders Background on business: strategic focus, challenges, structure, local regulation, recent personnel or organizational changes Not a substitute for later, deeper dive interview

13 Phase 2: Sampling and Testing Testing of compliance related processes, controls and transactions to assess: Adherence to policy requirements (approvals, thresholds, documentation, nature of spend) Assess appropriateness of compliance activities Identify risk of fraud and bribery Address books & record concerns Sampling selection based on: Data analytics using pre-defined risk metrics (split payments, post facto approvals, overspend, questionable timing and venues, unusual $ amounts) Samples must cover adequate timeframe to assess magnitude, frequency and trends associated with observations Sample should account for changes in policy and procedures during in-scope period, with emphasis on most recent policy and procedural requirements

14 Phase 3: Interviews Critical to interview across and up and down organization. Interviews should be conducted all the way to the front lines of the in-scope aspects of the business: AP/AR clerks, field sales reps, logistics managers, marketers, etc. Disconnect between what senior management believes (often in good faith) about how business operates and what actually is happening Be wary of having interviewees selected for you, or being waved off an interviewee. Instead, start with org chart and choose your interviewees Most employees have a fairly narrow involvement with in-scope risk areas. Find out the 1-2 areas they have a real role in and go deep. Don t spend time on areas with minimal/inconsequential substantive involvement Privileged Assessment: work with Legal on Upjohn advisement Typically not necessary to prepare memos; notes are sufficient (best if relevant parts incorporated daily into running narrative) Unexcused no-shows? Presumption is a qualified Report

15 Phase 4: Reporting Best practice: audience is set by governing documents as opposed to ad hoc Report template should be stand-alone document In-scope areas, relevant regulatory framework, procedures performed Testing summary (include illustrative examples if possible) Strengths to leverage (balanced approach, holistic report) Detailed findings (issue, facts, relevant regulations, risks) Risk ratings Set expectations for feedback Factual errors must be corrected Legal analysis (particularly of local laws) should be reviewed and considered Conclusions as to specific findings, effectiveness of compliance program, controls, overall tone and culture, and risk ratings are generally the exclusive responsibility of the Assessment team, unless predicated on legal or factual error. Discussion is encouraged, but Assessment team s final findings are theirs

16 Risk Ratings No standard way to do. If possible, adopt existing risk ratings used by other assurance functions Individual findings can be rated, but findings by definition are already risky. Risk Map may work better to give business sense of priority Overall ratings lack nuance but typically asked for by management in order to develop single view of risk One option: rate compliance program elements (policies, training, monitoring, etc)

17 Phase 5: Remediation In an ideal world, the businesses could be tasked with developing a remediation plan, with guidance from their local Legal, Compliance and Finance leads. Typically, more of a collaborative effort with the Assessment team Remediation plan should include detailed steps specifically tailored to address the findings, and should include owners and due dates. Assessment team is responsible for Reviewing and approving proposed Remediation plan Holding owners accountable for deliverables and due dates Reviewing completed Remediation plan to ensure it satisfactorily address issues and is sufficiently documented to ensure company s actions are defensible Best practice is for Findings and Remediations to be tracked and documented in risk management system like Archer, to ensure records can be located as well as to allow enterprise risk reporting

18 Referral to Investigations Some issues require additional, specialized investigative follow-up to fully manage. Assessment leader should quickly consult with enterprise investigations lead for guidance. Often, additional fact-gathering can be conducted in Assessment to inform next steps Depending on guidance, issue is sometimes flagged in report with note that it was referred to Investigations

19 Practical Tips Have GM assign a local liaison for building access, scheduling assistance, travel, other basic logistics. Often GM admin. Start Assessment with Report Outline already built and add to it End each day with scheduled wrap up team meeting; prepare running daily summary of themes and narratives; request missing/additional documents Leave time for rescheduled and follow-up interviews Prepare draft report before leaving market. Present draft report to senior management and seek alignment on factual statements Have a point of view on risk: what is being managed, what needs to be improved; and what is unacceptable One person s opinions not usually that relevant looking for a mosaic of information to support findings Don t negotiate Findings/Risk Ratings, etc. You are the expert, call it like you see it, including giving credit for well-managed programs

20 Templates Assessment Timeline Assessment Report Template

21 Questions and Answers? END OF PRESENTATION Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI

22 Thank you for your time and attention! IIA CHAPTER CHICAGO 59 TH ANNUAL SEMINAR Institute of Internal Auditors 2019 CONNECT WITH THE IIA CHICAGO #IIACHI