I’ve learned that there is a clear difference between those teams that prepare for an audit and those that are always prepared for an audit.
Audits are part of nearly every ethics and compliance program. They come from the Internal Audit Department, outside auditors testing control systems and processes, and in some cases, government regulators evaluating the effectiveness of your program as part of an investigation. In most assessments, auditors will focus specific attention on policy related processes. Are they current? Are they reviewed regularly? Are employees attesting when required and following expectations? The objective is to determine whether you are doing what you say you are going to do.
A successful audit is more than just a “clean” audit – it’s one that is relatively pain-free and does not drain unnecessary time, money or energy from legal, accounting, compliance or human resources.
As a CEO I’ve had the opportunity to take a step back from the audit process, specifically audits that call for robust documentation such as policy management. These types of audits, whether it be a formal audit by external entities or an impromptu phone call from a client asking about a business practice, require us to provide quick, accurate responses that have the necessary evidence to prove their validity.
I’ve learned that there is a clear difference between those teams that prepare for an audit and those that are always prepared for an audit. The difference is in how they handle the day-to-day.
“Less than 40 percent of respondents ranked any attribute of their policy management system Very Good or Excellent.” – 2016 Ethics & Compliance Policy Management Benchmark Report
Unfortunately, many organizations could do better when it comes to audit-readiness of their policy management processes. This is a persistent problem in the world of ethics and compliance – inability to access or use efficient tools and processes to keep up with the growing demands of the industry. And if our regular processes are unsatisfactory, our irregular processes – audits – will be exponentially worse.
The good news is that there is a solution to this abiding challenge: automation. Automating compliance functions not only makes each day more efficient, but also puts you in position to respond to an audit request quickly, thoroughly and effectively.
Bringing Documentation into the Modern Compliance Era
Consider for a moment the internal audit process of your policies. Is it manual? Does it rely on hardcopy documentation? Does it leave inordinate room for human error? Are reports or analytics siloed between departments? Does the process rely on multiple systems with various owners? There is a good chance you answered “yes” to several of these. That’s because many organizations are still working to bring compliance programs up to the same level of automation as other business processes. I’m sure there are many reasons why some organizations have failed to automate critical compliance functions, but those reasons won’t matter to auditors. Our job is to make sure our internal processes hold up to external review — and to make the necessary changes when they do not.
In the world of compliance, this intention translates into auditor goodwill – a benefit that is intangible but also invaluable.
If you have been through an audit before, you know that auditors often rely on the resources of the targeted organization to find answers to their questions and determine their findings. Those resources are your documents, and more specifically the systems you employ to archive and call up those documents. When your organization can produce information quickly and thoroughly it has two immediate benefits. First, it shows that your organization has control of the processes and data required. Second, it shows that your compliance is not by chance. It is intentional, achieved through daily investment and commitment. In the world of compliance, this intention translates into auditor goodwill – a benefit that is intangible but also invaluable.
As they say, if it isn’t written down, it didn’t happen. When it comes to an audit, we are looking to prove a clear “yes” or “no,” so if “it didn’t happen,” chances are it’s going to be a “no.”
Investing in a system that effectively manages your daily compliance program processes shows your organization’s commitment to doing the right things right. And auditors and investigators will take notice. As we’ve seen recently, government agencies reward organizations that demonstrate a culture of ethics and strong compliance programs, even if an investigation uncovers a problem.
The common denominator between being compliant on audit day and being compliant every day is automation. Automating business processes removes manual overhead, digitizes paper trails so they are easily navigable, reduces the chances for human error and provides a single source of truth for the information requested.
Beyond policies, also consider your training programs – do you have on hand the proper documentation that proves completion? How about your case management program – is there a system in place the catalogues incident reports as well as case closures and resolutions?
Not every day is audit day. But with the right tools and commitment to compliance excellence, audit day will (almost) just be another day for you and your team to show your proficiency and deepen your company’s reserve of goodwill.