By Deann M. Baker, CHC, CCEP, CHRC
From Y-Comply, a service of the Society of Corporate Compliance & Ethics.
“Trust but verify” is a quote from President Ronald Reagan that those of us in the Compliance field often use to describe the work we are responsible for doing. We all need to trust that individuals are carrying out their duties, their processes, and systems in compliance with policies, procedures, laws, and regulations, but the organization also needs to design and implement analysis activities to detect weaknesses and failures that may create risk.
Auditing and monitoring are functions that are addressed in Chapter Eight of the Federal Sentencing Guidelines (FSG) for Effective Compliance and Ethics Programs. The FSG states, “The organization shall take reasonable steps—(A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct.” Thus, auditing and monitoring activities must be in place for the organization’s compliance program to be deemed effective.
Auditing and monitoring are similar. Audits are evaluations that are conducted by an individual who is independent from the operations being assessed. Audits are periodic and typically retrospective (i.e., they review past activities). Monitoring is an ongoing assessment that may be completed by either the compliance professional or by an individual within the operations area, who would then be responsible for ongoing reporting of the results. But you may wonder, who decides what should be audited and monitored?
Typically these assessment functions are defined in the organization’s annual Compliance work plan and identified and prioritized through the risk assessment process. Auditing and monitoring activities may be identified by previous internal or external findings or because of a new or revised requirement. Monitoring activities may also be defined on the work plan by previous findings that required corrective actions or because the operational area is such a high risk, it requires that the organization frequently evaluates and reports results on an ongoing basis.
Verification activities are in place to protect the organization, its employees, and customers. Compliance professionals have a unique role, but nearly everyone has some level of validation responsibility, whether it is verifying data, the maintenance of equipment, or safety measures. Regardless of roles, we are all required to promptly report an activity that may not be in alignment with requirements and to verify that a reported concern was addressed. We all have a part in establishing an effective compliance and ethics program. It is important for employees to trust one another, but verification is equally important and necessary. We should all strive to build and maintain trust, but we should never neglect our responsibilities to verify.
[clickToTweet tweet=”Compliance Professionals Trust and Verify – It’s What We Do @SCCE” quote=”Compliance Professionals Trust and Verify – It’s What We Do” theme=”style3″]
Y-Comply is intended to help communicate the value and purpose of compliance and ethics to the general workforce. You are free to copy this article to your organization’s website or electronically distribute it to your workforce; no attribution to either SCCE or the article’s original author is necessary. Subscribe to the quarterly Y-Comply newsletter here.