By: Christine V. Williams
Regardless of the business line, companies must comply with various laws and/or regulations. The compliance audit that checks the adherence to those laws and/or regulations is generally not a one-time occurrence; rather, effective audits are periodic and build upon each other. The goal of a good audit should be to do the following: (1) monitor and minimize risk associated with company policies and procedures; (2) ensure that both formal and informal (see the earlier series on front line policy makers) company policies and procedures conform with the applicable standards; (3) determine whether employees are properly educated, whether they value the policies, or whether they can improve upon them; and (4) follow the policies and procedures that are in place to minimize risk.
The audit, in turn, should be expected to produce results, both high-level and tangible. These results generally include the following: (1) a stronger internal control system; (2) an enhanced company culture/image (both internally and externally); (3) reduced incidence of civil or criminal bad acts; and (4) a stronger, more productive work environment. In order to return results that benefit the company, the audit team and scope of the audit must be considered. For the team, a company may evaluate whether a steering committee oversees the audit, whether it is performed by internal personnel, or whether the audit is performed by outside counsel or consultants.
The scope of the audit should also be determined up front. Some compliance auditors refer to this as a transactional due diligence type of undertaking with a spin, because a company is looking for strengths and weaknesses both overall and at a micro-level. The departments the company chooses to focus upon may be those where it thinks it has the greatest risk. Is this Government Contracting or Human Resource policies or Accounting? Once a general scope is determined, the goals of the audit team, the relevant laws and regulations, and the key issues should be disseminated to the audit team.
Deliverables should also be identified from collecting various materials with various tools. Specific recommendations that can be measured are a necessity. Did the review of existing policies and procedures reveal a weakness that could be corrected? Did interviewing personnel confirm that the policies and procedures are being followed, and how they are followed? Are there adequate tests and controls in place to catch a pre-event before it actually becomes an event, and are those controls then stress tested? Finally, how to document the work of the audit and the results becomes a necessity. Measurable milestones, the closer examination of a certain departmental function, or re-writing/tweaking a manual are items that can be identified and measured for completeness.
Laws change, regulations change, and companies must change to be effective and compliant. A well-defined and effective audit can make a company’s world a much easier place to do business in and can provide lasting benefits to the company and its established values. Studies have shown that a company that walks the walk tends to have greater productivity as well as greater value placed on it by its own employees.