Compliance defined: “Adherence to policies, plans, procedures, laws, regulations, contracts, or other requirements.”
Compliance is an essential function of organizations everywhere. In the normal course of operations, an organization is expected to demonstrate compliance across a seemingly endless range of operational functions. These include but are not limited to:
- Organizational policies, procedures, codes of conduct, etc.
- Regulatory requirements (laws, rules, and regulations)
- Legal requirements (contract terms and conditions)
- Grant requirements (grant agreements)
- Financial requirements (bank covenants)
With compliance requirements, the need for monitoring is ever-present. Compliance monitoring serves to proactively protect organizations from risks and noncompliance by identifying gaps and issues within the compliance management function. This type of monitoring can also help identify issues before external auditors and/or regulatory agencies do. Risks of noncompliance may include:
- Fines and penalties
- Reputation damage
- Delays in, reduction in, or loss of funding
- Lawsuits
- Disruption of operations and/or loss of revenue due to audits, injuries, or plant shutdowns
One of the main challenges for an effective compliance monitoring program is organizational decentralization, which is especially pronounced in the remote work environments many organizations currently operate in. Compliance monitoring may rely on multiple departments or divisions within an organization, as well as external third parties, that must collaborate to provide the required documentation and meet requirements.
We have created a list of five considerations that an organization can implement to develop or improve a compliance monitoring program. This information represents a simplified lifecycle that can be customized to fit a specific program, operation, or function.
1. Develop a Framework
An initial step is to determine what operations/functions require compliance and what those requirements are. The organization should identify the risks and requirements specific to the policy, contract, grant, regulation, etc. that it is responsible for, considering that each may have different requirements and risks associated with noncompliance. This formalized understanding leads into a framework, which should:
- Document requirements, risks, and existing internal controls to mitigate those risks.
- Identify risks that are not fully mitigated by existing internal controls.
- Determine stakeholders who will be involved in the compliance effort.
- Identify and document data sources necessary for achieving or monitoring compliance (e.g., related reports and the system/application they source from).
- Develop a plan for evaluating compliance that includes monitoring attributes such as who, what, when, where, how, and why. The following summarizes the attributes to be considered in a compliance monitoring plan:
  - Why: Defines the specific requirement, such as the code, law, regulation, agreement, or contract.
  - What: Defines the documentation that provides evidence that the compliance requirements have been met.
  - Who: Defines the individual, department, or third party responsible for obtaining, creating, and/or maintaining the compliance-related documentation.
  - When: Defines how frequently the compliance requirements must be met (e.g., monthly or quarterly). It can also define a due date, such as the date a report must be submitted to a regulatory agency.
  - Where: Defines where documentation is maintained, such as a network drive or system.
  - How: Defines the actions or tasks that must be performed to achieve and evidence compliance with the requirement.
- Define how and where stakeholders will retain compliance documentation, such as a centralized repository (see step 2 below for more information).
- Develop a compliance checklist to ensure compliance tasks are completed on time and in full (see step 4 below for more information).
- Develop escalation and remediation plans for when noncompliance is identified.
- Communicate the plans and individual tasks to stakeholders, and clearly define and assign each stakeholder’s responsibility.
2. Create a Central Repository
All documents related to compliance should be stored in an agreed-upon central location that allows access to essential users. Folders (electronic folders maintained in a network/cloud-based location) should organize types of documentation such as emails, reporting documents, financial support (invoices, timesheets), etc. Version controls and naming conventions should also be established to improve efficiency, consistency, and transparency.
The document repository location and expectations for what should be saved, the folder structure, version control, and naming conventions should be shared and known by all stakeholders. The more clearly expectations are defined, the easier it will be for stakeholders to perform their duties.
3. Maintain Evidence
Evidence should be maintained based on the compliance requirements. For example, certain grants may require that documentation be maintained for seven years after the grant has been closed. Federal grant programs generally require documentation to be maintained for a period of three years from the date of submission of the final financial report. However, each grantor agency could have different requirements. All record retention requirements should be understood. If record retention requirements are not clear, consider asking the regulatory agency, grantor, or third party. If record retention requirements are not documented or available, an alternative may be to rely upon state record retention requirements. For instance:
Significant communication may take place via email, which can be beneficial for maintaining documentary evidence of the events that influenced a decision, activity, or operation (also known as an audit trail). Key emails may need to be saved outside the email application, onto shared drives, so that evidence is available for future inspection. Email retention policies may auto-delete messages at set intervals, which could result in the loss of evidence. Employee turnover could also result in the loss of evidence if necessary documentation is not saved during employment. Therefore, it is important to periodically assess whether evidence has been saved to the central document repository.
If communication occurred via a phone call or meeting, consider following up with an email to 1) confirm understanding and 2) create audit evidence. For example, if an organization reached out to a regulatory agency due to a unique circumstance and the agency provided guidance that will be relied upon, the communication should be documented. Further, the organization should send follow-up emails to establish mutual understanding and save regulatory agency responses.
4. Create a Compliance Checklist
A manageable approach to monitoring compliance requirements is to create a compliance checklist. The purpose of a compliance checklist is to discover gaps and monitor compliance processes. Each requirement should be broken down by frequency (daily, weekly, monthly, quarterly) and periodically monitored in the checklist.
The checklist should include information and criteria that are easy to understand and complete. Data sources (name of the system, report, and contact information for data requests) should be consistently provided. The checklist can be a shared document, with each stakeholder responsible for updating their piece, or it can be one individual’s responsibility to ensure all compliance tasks have been performed and documented. Signatures and dates should be included on the checklist to evidence the actions performed. Identified issues should follow the escalation and remediation plans. Further, checklists should be saved in the central document repository.
5. Maintain Accountability
A challenge with compliance monitoring programs can be a lack of consistent follow-up and accountability by the stakeholders charged with performing compliance tasks. Ideally, stakeholders would execute compliance tasks accurately, completely, and on time without the need for follow-up. In practice, establishing a centralized position or group responsible for ensuring all compliance tasks have occurred can improve accountability.
Options to ensure stakeholders are held accountable include:
- Scheduling recurring meetings on calendars to ensure compliance efforts have been performed.
- Conducting periodic meetings with stakeholders to discuss compliance efforts, findings, issues, and remediation.
- Periodically re-assessing risks and updating the compliance framework as needed.
- Continuously refining plans and monitoring techniques to identify and mitigate risks.
- Performing self-audits or having an internal audit function evaluate the compliance management function. This can provide timely feedback for improvement before an issue arises or an external audit occurs.
Want to learn more about compliance?
Check out these resources:
- An advanced approach to monitoring compliance is to outsource compliance monitoring or invest in a compliance monitoring system/application. For more information on compliance monitoring, see the following resource: The Importance of a Mature Contract Compliance Audit Program.
- For more information on grant compliance, read our blog, “Successfully Completing Grant Compliance Reviews: Five Recommendations for Grantees”.
Our Risk Management team is well versed when it comes to assisting organizations that are looking to implement a compliance program for the first time, as well as organizations that need help improving their current system. If you have any questions on how your organization can implement or update its compliance monitoring program, please reach out to our Risk Management team.