By: Dan Potts, process appraisal and certifications director at Ontario Systems
The best leaders can identify issues and act on them before they become major problems — especially when it comes to compliance. The cost of noncompliance and damage to reputation can be debilitating. However, preventive measures save resources by eliminating the cost of noncompliance and damage to reputation, thereby helping to create new business and maintaining a competitive advantage.
For this reason, associated risk management (ARM) agencies should work diligently to prepare for potential compliance audits from the Consumer Protection Finance Bureau (CFPB) or other regulatory authorities who oversee their operations. If they don’t, the risk of fines, penalties, and legal actions may mount to an untenable extent if they aren’t avoided through mitigation actions.
Despite the warnings, many choose less favorable options, either ignoring the need for checks on their compliance tactics, hiring outside contractors who don’t know their business, or simply absorbing the inevitable cost of noncompliance. Leaders take the proverbial bull by the horns, act immediately to avoid expenses, and put their operations in a stronger position.
Immersing yourself in your own business and fearlessly seeking issues that need correction brings your operation to heights you wouldn’t think possible. Here are 10 key pieces you need to avoid botching your compliance audit:
Take a good, hard look at your company and learn where it stands with regard to compliance. Learn the regulations that apply to you, in detail, and gain a full understanding of the ramifications of not following them. Find out where the gaps and vulnerabilities lie. Be honest with yourself and your team.
Audit methods may involve interviews, inspections, observation, testing, and sampling. So take some time to determine the audit’s scope and criteria, select participants, set expectations, and provide reference criteria to specific requirements.
Make all stakeholders aware of compliance expectations, and communicate them to your board of directors and executive leadership. Educate everyone in your organization about the policies, procedures, laws, and regulations as you work to ensure understanding and buy-in.
When it comes time to actually conduct your audit, don’t leave it to run itself — orchestrate and control it. Be proactive, make a plan, and get ahead of possible issues before they become threats. Prepare participants who will meet with auditors and know your evidence: documents and records.
Establishing a culture of compliance starts with communication, but relies on expectation of integrity and accountability. Your organization needs published values and a code of ethics. Write them down, distribute them, evangelize them at company meetings, and reward those who follow.
Establish a formal compliance management system to identify, prevent, and correct compliance breakdowns. Empower leaders within your organization for key roles and responsibilities, and document your policies and procedures. These practices should strengthen your ability to identify and manage compliance violations, as well as identify, analyze, and mitigate risks.
Have a handle on your audit during the process, and plan for the outcomes you expect. That means creating checks and balances for vulnerabilities and measuring key goals and strategic initiatives to monitor achievement and progress. Periodically examine your training records and conduct your own internal audit on your compliance management system.
Schedule your audits to meet business needs with respect to relevance, degree of risk, process stability, prior issues, regulatory requirements, organizational realignment, and infusion of new talent. An audit may be required, but you should take advantage of the flexibility you’re offered.
Create a non-threatening environment for both auditors and associates alike and talk with those handling your business ahead of time. Conduct mock interviews and record your observations and findings, while managing time and content. You should ask open-ended questions that help to describe how employees are trained on consumer financial protection laws, how training is monitored to ensure expectations are met, and how potential violations are identified.
10. Internal Audits
Provide your staff and management with a crash course in compliance, and sponsor and empower objective employees to test your operation ahead of time. Select your own auditors based on competency and integrity in order to ensure objectivity by both organization and relationship. Have them make sure any noncompliance issues you uncover are resolved, and examine every requirement of your business — regulations, policies, processes, laws, standards, and controls are all fair game. Then, identify nonconformance, opportunities for improvement, and capture a description of how you’ve conformed to each.
A compliance audit is a serious matter with serious impact on your business. Take the time to ensure you’re prepared — it will pay serious dividends down the line.
To further reading about the data security and privacy practices of six companies with global operations, download the ACC primer on "Leading Practices in Privacy and Data Security: Compliance Programs Across the Globe". Organizations featured in this primer describe practices and approaches for working through the matrix of varying and changing requirements across multiple jurisdictions, as well as integrating policies and practices with systems and security features.