Most multinational companies are aware of the need for robust compliance programs consisting of risk assessments, policies, and procedures adopted to mitigate identified compliance risks, and identifying and responding to violations of policies and procedures (or laws and regulations). (For additional context, see our three-part series on implementing an international compliance program (1) here, (2) here, and (3) here.) Not to be overlooked, an important part of an effective compliance program is a mechanism to check whether the program is actually designed and operating effectively to achieve its goals. Compliance audits are one such mechanism that multinational companies should implement along with their compliance programs.
The U.S. government has highlighted the importance of compliance audits. The U.S. Department of Justice policy on evaluation of corporate compliance programs advises prosecutors to consider whether a company has audited its compliance controls in any area of misconduct.[1] Similarly, the U.S. Sentencing Guidelines require an organization to take reasonable steps to ensure its compliance and ethics program is followed, “including monitoring and auditing to detect criminal conduct” for its compliance and ethics program to be evaluated as effective — a potential mitigating factor in criminal sentencing.[2] Agency and regulatory guidance on the FCPA,[3] U.S. economic sanctions,[4] environmental regulations,[5] and even recent statutes such as the Uyghur Forced Labor Prevention Act[6] have all noted the importance of compliance audits to an effective compliance program.
But what is a “compliance audit?” The term often is used somewhat loosely to cover a variety of activities, ranging from comprehensive assessments of whether a company is in substantial compliance with an applicable legal or regulatory requirement to more limited assessments of whether individual control activities within a company’s compliance framework are operating as designed. That said, common features of compliance audits include a clear compliance-related assertion or set of assertions to be tested and a process to obtain objective evidence to support or contradict those assertions.
Considerations for Effective Compliance Audits
To provide meaningful information on the overall operation of a compliance program, compliance audits should not be undertaken solely on a one-off or ad hoc basis; rather, they should be planned and undertaken systematically based on the company’s overall risk assessment, with heavier and more frequent coverage of the compliance program as implemented with respect to the higher-risk areas of operation — whether based on the nature and volume of the business, geography, particular counterparties, instances of identified misconduct, significant changes to operations, or other factors — and lighter and less frequent coverage for lower-risk areas of operation. Companies also should include, within the scope of the compliance audit program, periodic tests of companywide elements of the compliance program such as risk assessments, compliance certifications, whistleblower hotlines, or discipline of personnel. Reviews also should cover contractual and certification requirements, such as reviews of the company’s standard terms and conditions, legal riders, and certifications, to ensure that they are up to date and compatible with the current laws of all relevant legal authorities.
In many cases, the company’s internal audit staff is responsible for performing compliance audits as the “third line of defense.” In others, the responsibility rests primarily with members of the compliance or legal departments. Other companies may rely extensively on external specialists. To be effective, personnel responsible for performing compliance audits should have the knowledge, experience, and resources needed to perform the audit and should be independent of the compliance processes being tested.
It also is important that a company design its key compliance processes to be “auditable” in that they generate the types of evidence that would allow an auditor to assess the operation of that process. Compliance audits often require contemporaneous documentary evidence, such as records of transaction review and signoff or compliance training, rather than relying solely on evidence such as walkthroughs, inquiry of personnel, and direct observation through site visits. Audits should also confirm that all relevant records are retained for an appropriate amount of time to ensure that important records such as due diligence results remain accessible when needed.
Compliance Audits of Counterparties
To mitigate legal risks to a company posed by the activities of counterparties such as agents, consultants, suppliers, and distributors, it is now standard practice to implement contractual undertakings regarding compliance with U.S. laws, such as those prohibiting bribery, money laundering, or use of forced labor, in agreements with these third parties. Record efforts by many governments (both the U.S. and otherwise) to impose supply chain integrity and transparency requirements add urgency to such requirements. To provide a mechanism to assess whether counterparties are complying with these undertakings, it also is common to include some form of audit rights in these agreements.
Companies should ensure that they periodically exercise audit rights with respect to the operations of other parties, consistent with their overall risk assessment, and work with auditors to facilitate effective audit strategies within the constraints of their contractual audit rights. When negotiating or renegotiating agreements, companies also should consider whether those contracts should include audit rights and, if so, tailor those audit rights to the compliance risks posed by the activities of the counterparty.
In practice, these audit rights will tend to be significantly more constrained than the audit procedures that can be undertaken over the operations of the company itself. For example, audit rights may permit only review of documentary evidence. Auditors may not be able to perform site visits, and interviews of personnel, if permitted at all, may be monitored or otherwise controlled by management of the counterparty. These issues may, in turn, limit the extent to which compliance audits can effectively mitigate the compliance risks posed by the operations of those counterparties. As part of the overall risk management process, companies should assess whether counterparty compliance risks can be mitigated to an acceptably low level through the exercise of audit rights, among other safeguards, and consider terminating relationships with counterparties for whom these risks cannot be effectively mitigated.
Responding to Audit Results
For compliance audits to be effective, a company must respond appropriately to their results. In some cases, testing exceptions may indicate a deficiency in the design or operation of the compliance program. The compliance audit results may even indicate that violations of applicable laws or regulations have occurred (which can be a good reason for compliance audits to be conducted under the direction and control of an attorney). But in other cases, even if a testing exception indicates that a compliance process is not operating effectively, compensating controls may mitigate the impact of the ineffective control activity. Following analysis of the results of the compliance audit and assessment of the severity of any identified deficiencies, management of the company, at the appropriate level, should develop, document, and implement remediation measures and follow up to ensure that recommendations are properly implemented.
[1] U.S. Department of Justice Criminal Division, “Evaluation of Corporate Compliance Programs,” March 2023, at III.A.
[2] U.S.S.G. § 8B2.1(b)(5)(A).
[3] Department of Justice Criminal Division and U.S. Securities and Exchange Commission, “A Resource Guide to the U.S. Foreign Corrupt Practices Act,” July 2020 (https://www.justice.gov/media/1106611/dl). See, e.g., pp. 66-67 (“An organization should take the time to review and test its controls”) and p. 81 (noting “periodic internal audits of customs payments” in connection with a declination).
[4] Office of Foreign Assets Control, “A Framework for OFAC Compliance Commitments,” May 2, 2019 (https://home.treasury.gov/system/files/126/framework_ofac_cc.pdf), at p. 7.
[5] EPA Audit Protocols (https://www.epa.gov/compliance/audit-protocols).
[6] Department of Homeland Security Office of Strategy, Policy, and Plan, “Strategy to Prevent the Importation of Goods Mined, Produced, or Manufactured with Forced Labor in the People’s Republic of China,” March 17, 2022 at pp. 44, 50-51.