Compliance with applicable laws and regulations has always been a concern of business ventures. Historically, internal or external legal counsel provided guidance, usually on a case by case basis. Over recent history, compliance efforts have become more structured and formal as the number and complexity of rules have increased, and as government has provided rewards for demonstrating efforts to comply and punishment for failing to demonstrate efforts to comply.1 As business entities and government have interacted over the years, a complex system of compliance management has evolved.
II. Strategic Considerations
A. The Current Compliance Context
Today, compliance programs are commonplace. Many different professions are involved, including a new class of "compliance professionals" with their own certifying bodies.2 Compliance rules stretch across many federal rule areas, witnessed by the fact that more than a dozen agencies potentially have a say in how a U.S. financial institution operates abroad.3 Compliance concerns no longer stop with legal compliance, and now include industry protocols, licensing requirements, and an array of standards and ethical concerns.
Additionally, foreign compliance regimes now span the global business environment and do not necessarily match up with U.S. compliance rules as reflected, for example, by the fact that common U.S. compliance hotlines appear to conflict directly with EU and individual European nation data protection rights.4 Parts of Europe are opposed to anonymous reporting.5 Growing international protocols regarding foreign bribery are expanding compliance requirements for many companies.6
What began as voluntary efforts to mitigate corporate monetary penalties in the event of certain federal criminal prosecutions, have evolved into mandated or quasi-mandated compliance programs. Over time, these compliance programs have become increasingly complex and expansive, and the continuous layering of rule explanations has morphed into a maze of intricate requirements.7 Some contend that the annual cost of compliance programs in the United States exceeds $1.75 trillion.8
This paper focuses on a single aspect of this evolution, the growing need to adequately monitor and audit the compliance system itself. Certainly, for some time, the use of internal and external audits has been a part of compliance activities. This paper contends that more and more organizations will find it imperative to apply audit protocols to the compliance program itself. That is, compliance programs themselves need to be audited to insure that the compliance program is itself compliant.
B. Compliance Program Goals
While compliance activities have a long history, most credit for their current scope is attributed to the growth of Federal Sentencing Guidelines in the 1990s which provided reduced corporate criminal sentences when the corporation had established a corporate compliance program.9 The idea was that successful compliance programs help with early detection and prompt correction of noncompliance with laws.10 Over the past two decades, there have been continued increases in government involvement in compliance, and it is reasonable to expect that increased enforcement is likely for the foreseeable future.11 As compliance efforts grow, new areas for concern are added to the mix. An example of the trend is the Department of Justice, in settlements with companies over alleged violations, gradually requiring the company to include mandatory due diligence practices with all of their thirdparty business partners.12
One of the difficulties in discussing compliance program auditing is the less-than-agreed-upon language used to describe compliance in general, as well as particular compliance program elements. The terms used in the focus on compliance now include monitoring, auditing, enterprise risk management, internal controls, performance auditing, risk stratification, compliance programs, and many more. …