
June 29, 2005

Evaluating the Effectiveness of the Compliance Program

An article in today's New York Times raises a compliance question I have heard a lot about lately: What should companies be doing to evaluate the effectiveness of their compliance programs?  The federal organizational sentencing guidelines provide: “The organization shall take reasonable steps . . . to evaluate periodically the effectiveness of the organization’s compliance and ethics program . . . .”  The NYT article mentioned that the FBI recently tested the effectiveness of government controls for processing passport applications:

The names of more than 30 fugitives, including 9 murder suspects and one person on the Federal Bureau of Investigation's most-wanted list, did not trigger any warnings in a test of the nation's passport processing system, federal auditors have found.

. . . .

The lapses occurred because passport applications are not routinely checked against comprehensive lists of wanted criminals and suspected terrorists, according to the report, which was provided to The New York Times by an official critical of the State Department who had access to it in advance. For example, one of the 67 suspects included in the test managed to get a passport 17 months after he was first placed on an F.B.I. wanted list, the report said.

The State Department also too often fails to aggressively pursue leads that could allow the government to catch black-market sellers of fake identification documents essential to getting a fraudulent passport, said Michael Johnson, a former State Department security official.

Should companies be running similar tests of their compliance programs?  For example, a company might have internal controls to ensure that it does not do business with people who pose an unreasonable risk of either money laundering or bribery.  The company could run a test in which it creates a dummy transaction using the name of a person (or some other suspicious fact) that should raise a red flag.  The company could then track whether the internal controls adequately identified and followed up on the red flag.  The sentencing guidelines do not mention this possibility, but the fact that the government does it shows that it is possible.  Also, drills and tests are done in some compliance areas, such as disaster planning and some environmental risks.  On the other hand, the PCAOB’s Audit Standard No. 2, which provides guidance on Sarbanes-Oxley section 404's requirement that auditors attest to management's assessment of financial internal controls, does not mention that type of proactive testing.  Instead, it recommends interviewing personnel with control responsibilities, reviewing completed transactions, and performing walkthroughs of the control process.

June 29, 2005 in Monitoring, Auditing, and Evaluating

