Jefferson Kiyohara (jefferson.kiyohara@protiviti.com.br) is Head of Risk & Compliance of Protiviti in Brazil and a compliance teacher at FIA Business School.
Audit to alleviate doubt
After performing a compliance risk assessment and implementing a compliance program and its elements, such as a code of conduct, an ethics committee, a hotline, policies, training and communication, due diligence and background checks, investigation, and others, some common doubts that a company might have are: Is my compliance program really working? What kind of improvements should I perform? Audit can bring the answers.
The first focus is usually the compliance program itself. When you audit the elements of the program, it’s important to verify the existence of each element and the evidence that the related process is operational and real (e.g., Does the code of conduct really exist? Is there a place where employees can access the code? What’s the percentage of employees who received the code? How many were trained, and how many completed the sign-off?). An independent gap analysis can bring useful inputs for the Compliance department and can be performed internally or, preferably, by an external expert. The benefit would be a fresh, unbiased look from someone who is not involved in the day-to-day operations and could contribute new ideas.
Audit critical processes and transactions
The second approach would encompass transaction auditing, with the objective of assessing whether the organization’s rules are in fact being followed, with an emphasis on processes typically critical to compliance, such as vendor registration, corporate credit cards, petty cash, expense refunds, gifts and entertainment, mergers and acquisitions, donations and sponsorship, payments to agents and distributors, and others. Unlike the traditional internal audit approach, including internal control tests, compliance auditing must treat materiality as a property of the consequence, not of the act itself. For example, improper payments of $20,000 may not be material for a company with revenues of $1 billion, but if they were used to corrupt foreign public agents, the reputational, financial, and legal impacts on the organization will certainly be much greater than $20,000.
Another fundamental aspect is that, because these are critical processes, the analysis should be exhaustive, not done by sampling. It is a small universe of critical transactions that need to be audited in depth. In this scenario, analytics solutions and tools appear as facilitators, as does the continuous monitoring of transactions supported by customized red flags, adjusted to the company’s reality. More than identifying possible frauds, it is essential to identify and understand the use that has been made of the company’s assets. If an executive uses his/her corporate credit card for the undue benefit of a family member, it will be a negative factor for the company. If a cash advance from the card was used to bribe a public agent and unduly obtain the licenses necessary for the operation of the company’s sole factory, the effects can be catastrophic.