An introduction to Compliance Monitoring
This tutorial outlines how to test the effectiveness of a compliance program and distinguishes effectiveness testing from the typical internal audit review.
1. COMPLIANCE MONITORING

To ensure that compliance programs are working as intended, it is necessary to develop methods for testing compliance effectiveness. 
Effectiveness testing demonstrates due diligence and increases utilisation of the compliance program. Furthermore, a well-designed testing program will identify not only deficiencies within a program but also inefficiencies in procedures or system applications. Organisations are investing large sums in their compliance programs. As with any investment, the success of that spending should be measured and tracked.

2. EFFECTIVENESS TESTING VERSUS AUDIT

Internal audits of compliance functions often reduce to simple testing to determine whether documented procedures are being followed. This is different from assessing the effectiveness of a documented procedure or control, or the competence of a specific technology tool.

For example, an internal audit might seek to determine whether particular transactions have been reviewed against governance requirements. It is less likely, however, that the internal audit will assess the search logic and capabilities of the software tool and the review meeting used to conduct the monitoring.

Similarly, a typical audit might confirm that all fraud investigations have been completed and logged into an investigation database. It is less likely that the scope of the audit workplan will include a more comprehensive review of the investigation files to assess the completeness of the work performed, the clarity of the basis for the conclusion and the competence of the investigator.

3. HOW TO TEST EFFECTIVENESS?

Like all aspects of compliance programs, effectiveness testing should be risk based. The specific aspects of a program to be tested, the frequency of testing and the extent of testing should be based on the degree of risk to the organisation from non-compliance. The testing program should be tailored to the function being tested. Methods that an institution may choose to employ as part of its effectiveness testing follow.
4. Visibility

Visibility of targets interacting within the scope of a compliance program is all-important to the calculation of risk and security, especially in trust-intensive processes such as anti-corruption compliance requirements. These should be documented within existing business process descriptions by discussing them with a variety of stakeholders, and are usually documented using swim lanes, process hierarchy and sub-processes with a standard like BPMN. They can be further extrapolated using UML use cases and sequence diagrams in order to get a clear and accurate understanding of the processes.
5. Tracking and assessing incidents

Evaluating the types of incidents, as well as the manner in which they are handled, may indicate a need for greater employee training or enhanced procedures.
6. Interviews

Interviews of individual staff members can identify inconsistencies in their understanding of roles and responsibilities, or in their approach to handling similar matters.
7. Trend analysis

Developing trends can be an indicator of compliance effectiveness or potential problems. For example, an upward swing over time in user management issues may be an indicator of more effective provisioning and employee awareness of compliance. On the other hand, it may also be an indicator of breakdowns or deficiencies in the user provisioning process.
8. Compliance Review Meetings

Conducting a full-scope review on a periodic basis helps to focus a compliance program.
9. Functional Testing

Critical technology tools - such as identity management systems, event logs and monitoring programs - should be tested to ensure that they are functioning as intended. "Dummy" transactions can be created to test that alerts are triggered.
10. Reviewing Reports

Reviewing available reports can be useful in assessing program effectiveness. In some cases, reported issues may not, by themselves, suggest a program flaw or deficiency. When reviewed in conjunction with information contained in other independent reports, the issues may become more apparent and concerning. Examples of reports that can be useful in this regard include internal audit reports, regulatory examination reports, exception reports, management reports and committee minutes.
11. Benchmarking

Benchmarking a compliance program's components against regulator expectations and industry norms and trends is a good way to maintain effectiveness. Participation in industry associations and informal peer meetings, as well as compliance conferences and seminars, can reveal techniques or tools used by others which may improve the effectiveness of your compliance program. Additionally, informal meetings or conversations with regulators can produce helpful suggestions for improvement. An institution may want to aggregate and consider all such advice as part of its effectiveness testing.
ComplianceTutorial can assist with this.

Contributing Authors
Jeremy