Compliance Best Practices

Best Practices for Compliance Operations

Best Practice #179

Typical Practice
Notify all affected employees of an upcoming internal audit at least three days prior to its start date via email or announcement from management.

Best Practice
Prior to an internal audit, communicate (via email) the schedule, leadership, scope, objectives and processes involved to all employees who will be a part of the audit.

Areas in Scope

Internal Audit

Failure Mode

Irrelevant Instructions: Not Available

Best Practice #180

Typical Practice
Request data dumps from departments for audits, which causes the internal auditing team to sift through irrelevant information and requires them to clean the important data.

Best Practice
Gather only relevant data by communicating with department stakeholders and ensuring that the data they provide is focused and clean. Concentrate on the key pieces of data that are needed during data acquisition.

Areas in Scope

Internal Audit

Failure Mode

Reducible: Complexity

Best Practice #181

Typical Practice
Train employees on compliance procedures in large groups and distribute literature on related guidelines and policies.

Best Practice
When educating employees on compliance procedures, send out mass emails stating the importance of adherence to each policy. Provide factual information on the ramifications of non-compliance, both at the individual and organizational levels.

Areas in Scope

Policy Creation

Failure Mode

Irrelevant Instructions: Lack of Detail

Best Practice #182

Typical Practice
Brief new employees on compliance policies, best practices and procedures during their introductory period. Any changes to compliance policies are distributed via email and paper notices posted in high traffic areas.

Best Practice
Have the compliance office take reasonable steps to communicate its standards and procedures periodically, and in a practical manner, to directors, officers and employees by conducting effective training programs. Such training programs should be tailored to the needs of particular segments of the company. For example, sales and marketing personnel should receive training in antitrust and competition, and senior officers and those travelling outside the U.S. should be trained on the Foreign Corrupt Practices Act ("FCPA") and the OECD Anti-bribery Statutes.

Areas in Scope

Policy Creation

Failure Mode

Irrelevant Instructions: Lack of Detail

Best Practice #183

Typical Practice
Focus only on internal compliance. Allow business partners to develop and audit their own compliance activities.

Best Practice
Ensure that all business partners (vendors, clients, venture partners, etc.) are also in compliance with policies, industry regulations and federal and state laws.

Areas in Scope

Policy Enforcement

Failure Mode

NIGO: Incomplete

Best Practice #184

Typical Practice
Distribute company-wide emails reminding employees of how policies are enforced within the organization, in combination with new policies that require enforcement.

Best Practice
Ensure that all policies are understood on a regular basis (annually) and require employees to sign an acknowledgement statement for each new policy. The acknowledgement statement should specify that the employee has received a copy of the policies, that they have read the policies, and that they agree to abide by the policies.

Areas in Scope

Policy Enforcement

Failure Mode

Irrelevant Instructions: Lack of Detail

Best Practice #185

Typical Practice
Allow all accounting employees to edit and add items to the general ledger.

Best Practice
Restrict the making of general ledger (G/L) entries to a single employee (the general ledger account manager) who is accountable for adding and editing all G/L information.

Areas in Scope

Regulatory Reporting

Failure Mode

Eliminable: Parallel Processing

Best Practice #186

Typical Practice
Provide sensitive information to third-party technology vendors upon request, but only when absolutely required.

Best Practice
Document any sensitive information that must be provided to third-party technology providers, noting the vendor name, contact information, what information was sent and how the vendor will use the information.

Areas in Scope

Regulatory Reporting

Failure Mode

Irrelevant Instructions: Not Available

Best Practice #187

Typical Practice
Export general ledger data into an Excel spreadsheet to compile data for regulatory reports.

Best Practice
Have regulatory reporting software interface directly with the general ledger system.

Areas in Scope

Regulatory Reporting

Failure Mode

Reducible: Duration

Best Practice #188

Typical Practice
Have risk managers take a reactive approach to managing risk, fulfilling the role as narrowly as possible and acting simply as an associate who restricts processes and sets limits for the front office.

Best Practice
Be sure to have risk managers go beyond the traditional role of just imposing restrictions. Not only do they need to understand and challenge the front office, they also need to develop a deep understanding of concentrations, correlations, and early warnings. Finance must develop a more critical understanding of the underlying risk-return drivers of profitability.

Areas in Scope

Risk Management

Failure Mode

Not Routine: Scope Error

Best Practice #189

Typical Practice
Address high-priority compliance risks as "incidents are identified," without keeping an active log of the compliance risk once it is resolved.

Best Practice
Require annual written reports on each high-priority risk being monitored within the company, as well as the duration of the monitoring and the frequency at which that risk area is being monitored.

Areas in Scope

Risk Management

Failure Mode

Irrelevant Instructions: Lack of Detail
