ComplianceTutorial.com - IT governance executive workshops and risk management, compliance and information security tutorials and training

Compliance Monitoring
The demand for effective compliance programs continues to grow.

The storm of new laws and regulations implemented over recent years - Sarbanes-Oxley, the Payments Directives, Basel II, FSA rules and new regulations for carbon reduction, to name a few - has meant a big investment in risk and compliance frameworks.

Many board members and senior managers are still operating under the uncertainty and doubt caused by recent regulatory enforcement actions covering areas as diverse as anti-money laundering, market manipulation and accounting fraud. The large fines that can accompany such enforcement actions - some in excess of $50 million - add to the pressure for effective compliance and due diligence.

This costs money - and in some cases lots of it. Recent surveys and reports indicate that spending on regulatory compliance has risen by more than 50% during the past 3 years. Large institutions are pouring tens of millions of dollars, euros or pounds into their compliance programs, and the proportional cost to smaller businesses can be even higher.

But how do you know whether a compliance program is effective, whether the investment is fully utilised, and whether the money you invested last year is not being wasted as your compliance profile changes with the introduction of new technology such as virtualisation and new service models such as cloud computing?

To ensure that compliance programs are working as intended, it is necessary to develop methods for testing compliance effectiveness.

This training course outlines how to test the effectiveness of a compliance program, distinguishes effectiveness testing from the typical internal audit review, and defines a methodology for conducting effectiveness testing.

Through effectiveness testing an organisation can demonstrate due diligence and increase the utilisation of its compliance program.

Furthermore, a well designed testing program will identify not only deficiencies within a program but also inefficiencies in procedures or system applications. As noted above, organisations are investing large sums in their compliance programs. Like any investment, its success should be measured and tracked.

EFFECTIVENESS TESTING VERSUS AUDIT

Internal audits of compliance functions often reduce to simple testing to determine whether documented procedures are being followed. This is different from assessing the effectiveness of a documented procedure or control, or the competence of a specific technology tool.

For example, an internal audit might seek to determine whether particular transactions have been reviewed against governance requirements. It is less likely, however, that the internal audit will assess the search logic and capabilities of the software tool, or the review meetings, used to conduct the monitoring.

Similarly, a typical audit might confirm that all fraud investigations have been completed and logged in an investigation database. It is less likely that the scope of the audit workplan will include a more comprehensive review of the investigation files to assess the completeness of the work performed, the clarity of the basis for each conclusion and the competence of the investigator.

HOW TO TEST EFFECTIVENESS?

Like all aspects of compliance programs, effectiveness testing should be risk based. The specific aspects of a program to be tested, the frequency of testing and the extent of testing should be based on the degree of risk to the organisation from non-compliance. The testing program should be tailored to the function being tested. Methods that an institution may choose to employ as part of its effectiveness testing include:

Visibility

Visibility of the parties and systems interacting within the scope of a compliance program is all important to the calculation of risk and security, especially in trust-intensive processes such as anti-corruption compliance. These interactions should be documented within existing business process descriptions by discussing them with a variety of stakeholders, usually using swim lanes, a process hierarchy and sub-processes in a standard notation such as BPMN. They can be further elaborated with UML use cases and sequence diagrams in order to get a clear and accurate understanding of the processes.

Tracking and assessing incidents

Evaluating the types of incidents, as well as the manner in which they are handled, may indicate a need for greater employee training or enhanced procedures.

Interviews

Interviews of individual staff members can identify inconsistencies in their understanding of roles and responsibilities, or in their approach to handling similar matters.

Trend Analysis

Developing trends can be an indicator of compliance effectiveness or of potential problems. For example, an upward swing over time in user management issues may be an indicator of more effective provisioning and of greater employee awareness of compliance. On the other hand, it may also be an indicator of breakdowns or deficiencies in the user provisioning process.

Compliance Review Meetings

Conducting a full-scope review on a periodic basis keeps a compliance program focused.

Functional Testing

Critical technology tools - such as identity management systems, event logs and monitoring programs - should be tested to ensure that they are functioning as intended. "Dummy" transactions can be created to test that the expected alerts are triggered.
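As an added illustration of the dummy-transaction approach (example code, not from the course or any named product), the harness below injects a tagged synthetic provisioning event into a batch of constructed log records and checks that a hypothetical monitoring rule actually raises an alert on it. The rule, the field names and the sample records are all assumptions chosen for the example; the point is that a silently misconfigured rule fails the test while genuine events are still counted as evidence.

```python
"""Effectiveness test of a monitoring rule using a tagged dummy transaction."""

# Constructed sample event-log records (not real data): role provisioning actions.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "actor": "alice", "action": "grant_role",
     "target": "bob", "role": "reader", "approved_by": "mgr1"},
    {"ts": "2024-03-01T09:05:00", "actor": "alice", "action": "grant_role",
     "target": "carol", "role": "admin", "approved_by": None},
    {"ts": "2024-03-01T09:10:00", "actor": "dave", "action": "revoke_role",
     "target": "bob", "role": "reader", "approved_by": "mgr1"},
]

# Hypothetical control: a privileged role granted without a recorded approver must alert.
PRIVILEGED_ROLES = {"admin", "dba"}

def rule_unapproved_privileged_grant(event, privileged=PRIVILEGED_ROLES):
    """Return True when the event should raise an alert."""
    return (event["action"] == "grant_role"
            and event["role"] in privileged
            and not event.get("approved_by"))

def rule_misconfigured(event):
    """Same rule after a bad change dropped 'admin' from the privileged set."""
    return rule_unapproved_privileged_grant(event, privileged={"dba"})

def make_dummy_transaction(tag="EFFECTIVENESS-TEST"):
    """Synthetic transaction that *should* trigger the control. The tag lets the
    alert be recognised in the queue and kept out of genuine casework."""
    return {"ts": "2024-03-01T09:15:00", "actor": "test-harness",
            "action": "grant_role", "target": f"{tag}-user", "role": "admin",
            "approved_by": None, "test_tag": tag}

def effectiveness_test(events, rule):
    """Run the rule over real events plus one dummy; report whether the dummy
    was alerted on and how many genuine alerts fired, as audit evidence."""
    dummy = make_dummy_transaction()
    alerts = [e for e in events + [dummy] if rule(e)]
    fired = any(a.get("test_tag") == dummy["test_tag"] for a in alerts)
    genuine = [a["target"] for a in alerts if "test_tag" not in a]
    return {"control_effective": fired, "genuine_alerts": len(genuine),
            "evidence": genuine}

if __name__ == "__main__":
    for name, rule in [("configured", rule_unapproved_privileged_grant),
                       ("misconfigured", rule_misconfigured)]:
        print(name, effectiveness_test(SAMPLE_EVENTS, rule))
```

Run periodically, the `control_effective` flag becomes a dated piece of evidence that the monitoring tool, not just the documented procedure, is working.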

Reviewing Reports

Reviewing available reports can be useful in assessing program effectiveness. In some cases reported issues may not, by themselves, suggest a program flaw or deficiency. When reviewed in conjunction with information contained in other independent reports, the issues may become more apparent and concerning. Examples of reports that can be useful in this regard include internal audit reports, regulatory examination reports, exception reports, management reports and committee minutes.

Benchmarking

Benchmarking a compliance program's components against regulator expectations and industry norms and trends is a good way to maintain effectiveness. Participation in industry associations and informal peer meetings, as well as compliance conferences and seminars, can reveal techniques or tools used by others which may improve the effectiveness of your compliance program. Additionally, informal meetings or conversations with regulators can produce helpful suggestions for improvement. An institution may want to aggregate and consider all such advice as part of its effectiveness testing.