Compliance audit is an assessment as to whether the provisions of the applicable laws, rules and regulations made thereunder, and the various orders and instructions issued by the competent authority, are being complied with. By its very nature this audit promotes accountability, good governance and transparency, since it is concerned with reporting deviations, identifying weaknesses and assessing propriety. A compliance audit is a review performed to ascertain an enterprise's adherence to regulatory guidelines. Audit reports evaluate the strength and comprehensiveness of an organization's compliance preparations, security policies, user access controls and risk management procedures.
Author: Brig R S Sundaram SM,VSM
The concept of compliance audit is embedded in the description of the purpose of public sector audit in the Lima Declaration of Guidelines on Auditing Precepts ‘......Audit is not an end in itself, but an indispensable part of a regulatory system whose aim is to reveal deviations from accepted standards and violations of the principles of legality, efficiency, effectiveness and economy of financial management early enough to make it possible to take corrective action in individual cases, to make those accountable accept responsibility, to obtain compensation, or to take steps to prevent or at least render more difficult, such breaches
ISSAI 4100 defines compliance audit as audit which deals with the degree to which the audited entity follows rules, laws and regulations, policies, established codes, or agreed upon terms and conditions, etc. Compliance auditing may cover a wide range of subject matters.
The CAG’s Regulations on Audit and Accounts, 2007 define compliance audit as: ‘an assessment as to whether the provisions of the Constitution of India, applicable laws, rules and regulations made thereunder and various orders and instructions issued by the competent authority are being complied with’.
The CAG’s Regulations on Audit and Accounts, 2007 envisage that compliance audit includes an examination of the rules, regulations, orders and instructions for legality, adequacy, transparency, propriety and prudence, and effectiveness, that is, whether these are:
(a) Intra vires the provisions of the Constitution of India and the laws (legality)
(b) Sufficiently comprehensive and ensure effective control over government receipts, expenditure, assets and liabilities with sufficient safeguards against loss due to waste, misuse, mismanagement, errors, frauds and other irregularities (adequacy)
(c) Clear and free from ambiguity and promote observance of probity in decision making (transparency)
(d) Judicious and wise (propriety and prudence)
(e) Effective and achieve the intended objectives and aims (effectiveness)
The CAG’s Regulations on Audit and Accounts, 2007 further provide that the compliance audit also examines the rules, regulations, orders and instructions for their consistency with each other.
Compliance Audit in Public Sector
Seen from the perspective of public sector audit, compliance with rules, regulations and applicable authorities is the primary and most important requirement for ensuring accountability of the public executive, which relates primarily to the safeguarding and use of resources: financial, natural, human and other material resources. Compliance audit also performs the function of deterrence, especially in situations where internal controls are not effective. The objective of public-sector compliance auditing, therefore, is to enable the CAG to assess whether the activities of public-sector entities are in accordance with the authorities governing those entities. Compliance audits are carried out by assessing whether activities, financial transactions and information comply, in all material respects, with the authorities which govern the auditable entity. It is concerned with regularity and propriety audit.
As such, compliance audit includes not only the examination of rules, regulations, orders and instructions but also every matter which, in the judgment of the auditor, appears to involve significant unnecessary, excessive, extravagant or wasteful expenditure of public money and resources despite compliance with the rules, regulations and orders.
Compliance audits in the public sector have certain basic elements:
(a) Three parties to the audit, i.e. the auditor, the responsible party and the intended user
(b) Subject matter and
(c) Authorities and criteria to assess the subject matter.
Subject matter refers to the information, condition or activity that is measured or evaluated against certain criteria while conducting an audit. Compliance auditing may cover a wide range of subject matters depending upon the audit scope. Subject matter may be general or specific in nature. Some of these may be easily measurable (for example, compliance with a specific requirement like adherence to environment laws) while others may be more subjective in nature (for example, financial prudence or ethical behavior).
Criteria are the benchmarks used to evaluate or measure the subject matter consistently and reasonably. The auditor identifies criteria on the basis of the relevant authorities. To be suitable, compliance audit criteria must be relevant, reliable, complete, objective, understandable, comparable, acceptable and available. Without the frame of reference provided by suitable criteria, any conclusion is open to individual interpretation and misunderstanding. Where formal criteria are absent, audits may also examine compliance with the general principles governing sound financial management. Suitable criteria are needed both in audits focusing on regularity and in audits focusing on propriety.
Compliance Audit: A hindrance to productivity
The reasons for compliance audit being a hindrance are as follows:-
(a) Mistaking legal accountability for compliance effectiveness. Firms rely on completion rates not because doing so has been shown to be the “right way” to measure success but because their objective is merely to demonstrate to regulators that they’ve accomplished the task: they can check that training box. Compliance policies serve important legal functions, but forcing them into legal frameworks may limit their ability to positively influence employee behavior. Firms often respond by showing that employees signed a statement that they had read and understood the company’s policies and codes of conduct. While such a signature may provide legal grounds to fire someone who violates a rule, it does not demonstrate that an employee has converted knowledge about policies into everyday work practices. How many times do we all reflexively assent to the legal terms of an agreement, especially those that we have no power to negotiate? Employees may sign an acknowledgment of corporate policies without actually having read or understood the terms. Moreover, the policies may be hard to grasp because they are written in language that is legalistic, technical, or just plain dense. There could also be an implicit understanding within the firm that the policies don’t really have to be followed or that best practices can be improvised. Thus, counting employees’ legally binding assents to policies is not an appropriate way to quantify the effectiveness of a compliance initiative.
(b) Self-reporting and self-selection bias. Compliance managers often rely on surveys to assess the performance of their programs. The challenge with surveys is that self-reporting and self-selection by the respondents may bias the results and lead managers to draw incorrect conclusions. Employees who have observed dishonest behavior, for example, may be reluctant to “out” their colleagues and may choose not to answer related survey questions, which will skew the results toward employees who have not observed wrongdoing. Similarly, people in senior positions and those who actually do engage in misconduct may be less inclined to participate. Thus, bias in the data collected needs to be accounted for when interpreting the metrics.
(c) Unpreparedness. Employees are not groomed in the compliance requirements for audits, which leads to friction and ineffective audit results. Auditors must not function merely by the rule book, as that leads to biased responses and ineffectual results. Unpreparedness is a hurdle to productivity.
(d) Disconnected Systems. When compliance responsibilities are confined in silos, chances are that the technology used to carry out those responsibilities is just as disconnected. That makes it very difficult to efficiently manage compliance across multiple business lines, functions, or locations. And with no easy way to exchange data, multiple people end up chasing down the same information.
(e) Incomplete or nonexistent metrics. Cobbling together information from multiple disparate systems, often by hand, into meaningful reports is a time-consuming, error-prone process. By the time a report is finally assembled, it’s likely to be out of date. And without the help of sophisticated analytics to calculate potential risk and prioritize efforts, you are left managing compliance largely through a lens able to focus only on the past, not the future.
(f) No visibility. Without an integrated view of compliance-related activities, it’s nearly impossible to identify gaps and inconsistencies in how compliance is tracked and managed. That means a damaging risk can easily slip by undetected or unaddressed because you couldn’t gauge the full impact until it was too late.
(g) Multiple compliance obligations. Organizations have multiple compliance obligations: they have to comply with a variety of different regulatory standards, and maintaining compliance with all of them is a challenge. Sometimes an organization’s policies conflict with compliance frameworks; other times, different regulations don’t agree with one another. Even if there is no program, organizations need to be careful to fine-tune any compliance standards in a way that complements their business needs and workflows, so that all of their compliance efforts work together and don’t run into each other.
(h) Missing element. The auditors at times conform so closely to the rule book that they neglect the element of responsiveness, empathy or the human element. Hence the call to move from rule to role, rather than being legalistic and sticking to the parameter. Many times decisions are based on the sixth sense and clairvoyance, which is the neglected element in compliance management.
Bringing Effectiveness to Compliance Audit
The following could be measures to bring effectiveness to compliance audit and increase productivity:-
(a) Linking compliance initiatives to objectives. So how do you create models that can credibly evaluate the impact of a compliance program? The first step is recognizing that such programs actually have multiple purposes. The three main goals of bringing effectiveness to compliance audit are to prevent misconduct, to detect misconduct, and to align corporate policies with laws, rules and regulations. Each component of a compliance program should be linked to one of these objectives. For example, training serves to prevent misconduct, whistle-blower hotlines are designed to detect it, and codes of conduct are intended to align employees’ behavior with company policies and external regulations. Although it’s possible that one compliance initiative will overlap with or impact another, clearly identifying the goals of each will help managers create more meaningful metrics. The goal of training is not only to improve employees’ understanding of the rules but also to instill and perpetuate appropriate behavior. Again, a regression model can help firms understand the link between training sessions and changes in employee behavior. By controlling for the other factors that may contribute to policy violations, we can test whether the individuals who undergo training become more or less inclined to break the rules.
(c) Compliance engineering. Compliance engineering is designing and developing products to meet the applicable market and government compliance requirements, including any rules and regulations (laws) formulated for that product. Compliance building, as part and parcel of assessment programs, needs to be understood not merely as a fault-finding program but as a program to increase the effectiveness of any project. Some companies may be willing to invest significant time and resources in compliance and ethics programs because they see them as critical to the organization’s long-term success. It should be understood that, with all the other competing demands on a firm’s limited resources, the ever-present regulatory and liability concerns often become the rationale driving compliance efforts. Yet this focus on the regulatory aspect is exactly why it’s critical to get serious about measuring outcomes. As compliance programs continue to be more closely scrutinized, those that cannot show meaningful results will fail to meet the stronger regulatory standards being applied today.
(d) Compliance training for ensuring effective execution. Although ensuring compliance is seen as a legal exercise, it is really much more a behavioral science. That assertion may make many employees uncomfortable, but for compliance programs to have real impact, managers need to test what works and what doesn’t. This will require firms to engage in some experimentation and innovation. Codes of conduct should articulate policies that are core to a firm’s success. And hotlines should exist not only to record reports of wrongdoing but also to help employees resolve predicaments before they make a bad move. By developing better measures of effectiveness, firms can adopt more ambitious and innovative programs that really do curb improper behavior. A proper training program should be implemented for the compliance program to become effective.
(e) Developing a lucid evaluation framework. With the shift in governance from rule-based to role-based being the prime concern for government and all government institutions, and given all the complex regulations governing business and government today, it’s no wonder that companies struggle to understand and meet their legal and ethical obligations. It would be convenient if there were a one-size-fits-all yardstick that could show whether a compliance program is on track or not, but simple univariate metrics will not adequately capture a program’s effectiveness. Successful compliance engineering requires some creativity, some testing, and careful model design to appropriately measure outcomes. Better measurement can help managers identify redundant or ineffective initiatives that can be replaced or eliminated, and ultimately reveal opportunities to make programs more effective. In the present time, when governance is the key issue, a lucid and clear evaluation framework must be developed and the stakeholders trained for its implementation.
(f) Moving from rule to role. Compliance auditors at times consider it legalistic to abide by the rule, but the matrix should be considered in the light of better implementation of the system and functioning of the program rather than sticking to the yardstick. The auditor’s role then becomes not merely that of an assessor but that of an implementer and innovator.
A compliance matrix is a necessary tool to ensure that all requirements as laid down are complied with. Its judicious use will decide whether it is an aid to productivity or a hindrance to it.