
Session 7B

Compliance auditing – Ensuring your compliance program is on the mark
Peter Sheville PMIIA, Director, Vincents Audit and Assurance
7 January 2016
Agenda

01 A WORLD WITHOUT COMPLIANCE: Why is compliance auditing important?
02 ITS BEGINNING AND PURPOSE: When did it begin and what is trying to be achieved?
03 COMPLIANCE OBLIGATIONS: Identifying and assessing your key compliance obligations
04 COMPLIANCE RISK: Risk-based approach in managing and mapping compliance risk
05 COMPLIANCE MANAGEMENT: Ensuring appropriateness of processes, documentation and reporting
06 ROLE AND RESPONSIBILITIES: Key role and responsibilities of the organization and Internal Audit
07 COMPLIANCE AUDIT PLAN: Essentials in preparing an effective regulatory compliance audit plan
08 SUMMARY: Key items revisited
09 QUESTIONS
WORLD WITHOUT COMPLIANCE:
Why is compliance auditing important?

https://www.youtube.com/watch?v=LH8ZSuVOPfc

Organisation | What Happened | How They Got Caught
Waste Management | $1.7 billion in fake earnings | New CEO and management team
Enron | $74 billion shareholder loss | Turned in by internal whistle-blower
WorldCom | $180 billion in losses for investors | Internal Audit department
Lehman Brothers | $50 billion in loans disguised as sales | Went bankrupt
Freddie Mac | $5 billion in misstated earnings | SEC investigation
Queensland Health | $16.7 million in fraudulent transactions | One large transaction raised alarms
Queensland Health | $40k in timesheet fraud | CCC investigation

http://www.accounting-degree.org/scandals and http://www.ccc.qld.gov.au/

02. ITS BEGINNING AND PURPOSE:
When did auditing begin and what is it trying to achieve?
• Dates back as far as 4,000 B.C. and can be traced to the Zhao dynasty in China as well as to finance systems in Babylonia, Greece, the Roman Empire, etc. [1]
• Used by governments and businesses to manage concerns of incompetent and opportunistic officials
• The development of the joint-stock company concept in 19th century led to auditing being a necessity in modern day business [2]

Purpose: Transparency, Accountability, Good Governance

[1] (Bailey, Gramling & Ramamoorti, 2003) [2] (Encyclopedia Britannica) [3] (ISSAI 400 Fundamental Principles of Compliance Auditing) [4] (Gleim, n.d.)

• Internal audit first began as a means of protection against payroll fraud, loss of cash and other assets
• Need for independent verification of accounting errors, asset misappropriation and fraud drove its scope to almost all financial transactions
• Moved from an “audit for management” emphasis to an “audit of management” approach [1]
• This laid the foundation for what Internal Audit has become today, “… an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives…” [4]

[1] (Bailey, Gramling & Ramamoorti, 2003) [2] (Encyclopedia Britannica) [3] (ISSAI 400 Fundamental Principles of Compliance Auditing) [4] (Gleim, n.d.)
Image acknowledgement to haan249.

03. Compliance Obligations:
Identifying and assessing your key compliance obligations
Identifying who you are as an organization:
• What is your structure and size?
• Who is held accountable for performance?
• Where are you located geographically?
• Who are your stakeholders?
• Who do you do business with?
• What industry does your organization form part of?
• What type of licenses/permits do you hold?
• What type of products/services do you offer?
• Do you trade, import or export?
• What are your future growth expectations?

Assessing where your organization is in its journey to where it wants to be:
• Where are you now and where do you want to be?
• What drives your organization and is this likely to change?
• What are your offerings and is change expected in the future?
• Is the organization expanding from its current setting?
• Where is the industry in its lifecycle and where is it trending to?
• Who are your stakeholders and will they change as your journey progresses?

04. COMPLIANCE RISK
Risk-based approach in managing and mapping compliance risk
• The traditional view of risk management was to attempt to remove or eliminate risk
• This negatively impacts the organization’s pursuit of value
• Balancing the level of acceptable risk and expected return results in optimal risk-taking [5]
• Optimal risk-taking, largely related to an organization’s risk appetite, is identified through risk assessment
• A variety of methods exist to assess risks; fundamentally, however, they are aligned

Diagram: Acceptable Risk, Optimal Risk-Taking, Expected Return

[5] (Curtis & Carey, 2012)

• Risk is the possibility that an event will occur and adversely affect the achievement of organizational objectives
• Identifying risks precedes the risk assessment process and produces a list of risks that have the potential to negatively impact the organization
• Key risks are those that have the potential to adversely impact the organization’s objectives; clarity in understanding organizational objectives is a must for successful risk management [4]
• The assessment process includes the development of assessment criteria, the assessment of the specific risks, assessment of risk interactions, and prioritization of risks [5]
• The final element is the risk response and how the identified risks will be managed
• Converse to traditional means, managing risks is achieved through response techniques that typically result in avoiding, accepting, mitigating, sharing or exploiting the risk [4]

Diagram: Identify Risks, Assess Risks, Respond to Risks

[4] (Gleim, n.d.) [5] (Curtis & Carey, 2012)

05. COMPLIANCE MANAGEMENT
Ensuring appropriateness of process, documentation and reporting
• Compliance management – where has your organization set its benchmark?
• It is the underlying process by which the organization systematically manages its compliance obligations and compliance risks
• The International Organization for Standardization (ISO) released ISO 19600:2015 Compliance Management Systems
• Adopted in Australia as AS/ISO 19600:2015, it acts as a guideline to the development and implementation of a sound compliance management system [6]
• A key focus is to embed compliance within the organization’s culture and integrate it with the organization’s management processes

Diagram: Compliance Obligations, Compliance Risks, Compliance Management

[6] ("New compliance standard: AS/ISO 19600:2015", n.d.)

• Communication is integral in ensuring successful compliance management and should be driven by board and senior management
• It should be evident in the culture, policies and procedures, individual responsibilities and reporting of the organization
• Performance evaluation and improvement is the final element of the process and identifies areas in which the system in place can become better
• Compliance management is not a one-off process – it is a cyclical process that restarts upon its final step of performance evaluation and improvement [6]

Diagram: Establishing Context, Risk Assessment, Risk Response, Performance Evaluation and Improvement, Communication

[6] ("New compliance standard: AS/ISO 19600:2015", n.d.)

06. ROLE AND RESPONSIBILITY
Key role and responsibility of the organization and Internal Audit
• Compliance management systems help organizations:
  • Learn about their compliance responsibilities
  • Ensure personnel are aware of requirements
  • Embed requirements into culture and processes
  • Continuously review and improve risks
  • Respond to risks prior to them occurring
• Three key elements to a successful compliance management system:
  • Board and management oversight
  • Compliance program
  • Compliance audit
• If all elements are strong and cooperate, compliance responsibilities and risks should be managed appropriately [7]

Diagram: Board and Management Oversight, Compliance Program, Compliance Audit

[7] (Compliance Management System, n.d.)

• Board and Management Oversight:
  • Hold ultimate responsibility of organizational compliance
  • Lay foundation for organization’s success of compliance through demonstrating clear expectations formally and informally
  • Tone at the top drives culture and it is communicated directly or indirectly through to all levels of the organization
• Compliance Program:
  • The policies and procedures of an organization
  • Training and education of personnel
  • Response to internal and external complaints
  • Monitoring and identification of risks [7]

[7] (Compliance Management System, n.d.)

• Compliance Audits:
  • Independent, objective review of compliance
  • Assists Board and Senior Management in maintaining compliance and identifying potential risks
  • Complements compliance program through additional monitoring
  • Cooperation with Board in determining scope and frequency
  • Cooperation with organization in identification of risks and maintaining compliance
  • Communication of compliance audits to Board and Senior Management ensuring opportunities for improvement flow through organization

[7] (Compliance Management System, n.d.)

07. COMPLIANCE AUDIT PLAN
Essentials in preparing an effective regulatory compliance audit plan
• Understanding the internal and external regulatory requirements as well as other key stakeholder requirements
• Gaining and developing an understanding of the organization, its purpose, objectives and strategies
• Incorporating objectives and strategies of the organization when preparing the audit’s scope and objectives
• Developing an understanding of the organization’s control environment, control activities and risk assessment process through interviews, data and information gathering techniques
• Reviewing potential industry analysis to determine key risk areas that may exist within the external environment
• Addressing the objective and scope through the testing approach that will be taken
• Knowing the key stakeholders and their relationships as well as understanding the roles and responsibilities of the audit engagement team
• Documenting the expected and agreed upon timeframes for the audit

Diagram: Planning, Performing, Communicating

08. Summary
Key items revisited
• What happens when compliance is removed from the picture?
• The need for compliance and auditing remains aligned to why it was needed many years ago – transparency, accountability and good governance
• To identify and assess your obligations, you need to know who your organization is and where it is going
• Optimal risk-taking is a result of the organization’s expected return and acceptable risk levels
• Effectively managing and mapping risks is a result of identifying risks, assessing risks and responding to risks
• Compliance management should be embedded in the culture of an organization
• Compliance management is achieved through evaluating, improving and communicating risks
• Compliance management is a continuous process
• Board and management hold the ultimate responsibility for compliance and set the tone at the top
• A compliance program is an essential element of a compliance management system along with board and management oversight and compliance auditing
• Understanding the organization, its purpose, strategy and objectives is essential in effectively establishing a compliance audit plan

www.vincents.com.au

Questions?
References
• Bailey, A., Gramling, A., & Ramamoorti, S. (2003). Research opportunities in internal auditing. Altamonte Springs, Fla.: Institute of Internal Auditors Research Foundation.
• Curtis, D., & Carey, M. (2012). Risk Assessment in Practice (1st ed., pp. 1 - 18). Durham, NC: The Committee of Sponsoring Organizations of the Treadway Commission (COSO). Retrieved from http://www2.deloitte.com/ie/en/pages/deloitte-private/articles/risk-compliance-management-assurance-mapping.html
• Encyclopedia Britannica. (2016). auditing | accounting. Retrieved 8 February 2016, from http://www.britannica.com/topic/auditing-accounting
• Fundamental Principles of Compliance Auditing. (2014) (p. 4). Vienna.
• Gleim, I. CIA review Part 1.
• New compliance standard: AS/ISO 19600:2015. Retrieved from https://complispace.wordpress.com/2015/07/31/new-compliance-standard-asiso-196002015/
• Compliance Management System (1st ed.). Retrieved from https://www.fdic.gov/news/news/financial/2006/2cep_compliance.pdf
