5 Steps to Enhance Your Organization’s Compliance Efforts

Compliance is not just a buzzword – it’s a vital aspect of successful organizations. In the normal course of operations, an organization is expected to demonstrate compliance in what seems to be endless operational functions. This list includes but is not limited to:

  • Organizational policies, procedures, codes of conduct, etc.
  • Regulatory requirements (laws, rules, and regulations)
  • Legal requirements (contract terms and conditions)
  • Grant requirements (grant agreements)
  • Financial requirements (bank covenants)

Most organizations understand that compliance protects them from risks such as fines, penalties, reputational damage, loss of funding, legal exposure, and operational disruption.

However, the challenge lies in effective compliance monitoring. How can organizations proactively safeguard themselves? How do they navigate the intricacies of decentralized structures, especially in today’s remote work environments?

In this article, we present five actionable considerations for developing or enhancing your compliance monitoring program. Whether you’re a seasoned professional or just starting, these steps offer a simplified yet customizable roadmap.

1. Develop a Framework

The first step involves identifying which operations or functions demand compliance. Organizations should identify the unique risks and requirements specific to the policy, contract, grant, regulation, etc. Each area carries distinct compliance needs and associated risks. This understanding leads to a structured framework, which should:

  • Document requirements, risks, and existing internal controls to mitigate those risks.
  • Identify risks that are not fully mitigated by existing internal controls.
  • Determine stakeholders who will be involved in the compliance effort.
  • Identify and document data sources necessary for achieving or monitoring compliance (e.g., related reports and the system/application they source from).
  • Develop a plan for evaluating compliance that includes monitoring attributes such as who, what, when, where, how, and why. The following provides a summary of attributes to be considered in a compliance monitoring plan:
    • Why: Defines the specific requirement, such as the code, law, regulations, agreement, or contract.
    • What: Defines the documentation that provides evidence that the compliance requirements have been met.
    • Who: Defines the individual, department, or third-party who will be responsible for obtaining, creating, and/or maintaining the compliance-related documentation.
    • When: Defines the frequency that the compliance requirements must be achieved (e.g., monthly or quarterly). It can also define a due date, such as the date a report must be submitted to a regulatory agency.
    • Where: Defines where documentation is maintained, such as a network drive or system.
    • How: Defines the actions or tasks that must be performed to achieve and evidence compliance with the requirement.
  • Define how and where stakeholders will retain compliance documentation, such as a centralized repository (see step 2 below for more information).
  • Develop a compliance checklist to ensure compliance tasks are conducted timely and completely (see step 4 below for more information).
  • Develop escalation and remediation plans for when noncompliance is identified.
  • Communicate the plans and individual tasks to stakeholders, and clearly define and assign each stakeholder’s responsibility.

2. Create a Central Repository

All compliance-related documents should be stored in a central location with access limited to the users who need it; a repository that anyone can edit weakens the evidentiary value of what it holds. Consider using electronic folders within a cloud-based system to organize different types of documentation, such as emails, reporting documents, and financial support (invoices, timesheets). To enhance consistency and transparency, establish version controls and naming conventions so that superseded documents are retained rather than overwritten.

The document repository location and expectations should be shared with all stakeholders. The more clearly expectations are defined, the easier it will be for stakeholders to perform their duties.

3. Maintain Evidence

Maintaining proper evidence is essential to meet compliance requirements, and retention periods vary by source. For example, certain grants may require that documentation be maintained for seven years after the grant’s closure, while federal grant programs generally require retention for three years from the date the final financial report is submitted. Each grantor agency may impose different requirements, so familiarize yourself with all record retention guidelines that apply to you. If record retention requirements are not clear, seek guidance from the regulatory agency, grantor, or third party. If no retention requirement is documented or available, you may be able to rely upon your state’s record retention requirements.

Significant communication may take place via email, which provides a valuable record of the events that shaped decisions, activities, or operations (an audit trail). Stay informed of your organization’s email retention policies, which may automatically delete messages at established intervals and erase that evidence. Employee turnover can also result in evidence loss if essential documentation is not preserved while the employee is still with the organization. To ensure future evidence availability, save key emails outside the mailbox, such as to the central document repository or a shared drive with appropriate access controls.

Regularly assess whether evidence has been securely stored in a central document repository. When communication occurs over the phone or during a meeting, consider the following steps:

  1. Follow up with an email: After a phone call or meeting, send an email to confirm understanding and create audit evidence.
  2. Document unique circumstances: For instance, if your organization seeks guidance from a regulatory agency due to a unique circumstance, ensure that communication is well documented.
  3. Establish mutual understanding: Send follow-up emails to solidify understanding and retain regulatory agency responses.

4. Create a Compliance Checklist

A manageable approach to monitoring compliance requirements is to create a compliance checklist. Its purpose is to surface gaps and track the status of compliance processes, so the criteria it contains should be easy to understand and complete. Consider the following steps:

  1. Requirement Breakdown: Group compliance requirements by frequency – daily, weekly, monthly, or quarterly – so that each review cycle has a defined set of tasks.
  2. Consistent Data Sources: Specify the relevant data sources (system names, reports, and contact information for data requests) and maintain consistency to streamline the monitoring process.
  3. Determine Responsibility: Decide whether the checklist will be a shared document, with multiple stakeholders updating their sections, or if one individual will oversee all compliance tasks.
  4. Evidence and Accountability: Incorporate spaces for signatures and dates on the checklist. These serve as evidence that necessary actions have been taken.
  5. Issue Resolution: Establish escalation and remediation plans for any identified compliance issues. Promptly addressing these ensures ongoing adherence.

Remember to store your checklists in a central document repository for easy access and efficient management.

5. Maintain Accountability

A common challenge with compliance monitoring programs is inconsistent follow-up and accountability by the stakeholders charged with performing compliance tasks. Ideally, stakeholders execute those tasks completely, accurately, and promptly, and no additional follow-up is needed. In practice, establishing a centralized position or group dedicated to overseeing all compliance activities significantly strengthens accountability.

Options to ensure stakeholders are held accountable include:

  • Scheduling recurring calendar reminders for each compliance task so that due dates are not missed.
  • Conducting periodic meetings with stakeholders to discuss compliance efforts, findings, issues, and remediation.
  • Periodically re-assessing risks and updating the compliance framework as needed.
  • Continuously refining plans and monitoring techniques to identify and mitigate risks.
  • Performing self-audits or having an internal audit function evaluate the compliance management function. This can provide timely feedback for improvement before an issue arises or an external audit occurs.

Our team is well versed in helping organizations both implement a new compliance program and improve existing systems. If you have questions or would like to discuss your organization’s compliance program, please reach out to our Risk Management team.