Creating Ethics and Compliance Programs That Work with Sarbanes-Oxley

Vendors/Customers

Here are the key questions to assess:

• Does the company perform due diligence procedures on new suppliers and large customers to gain an acceptable comfort level regarding the company's integrity?
• Has the company developed guidelines for dealing with vendors and suppliers? Has the company set out specific guidance regarding the acceptance of gifts and gratuities from vendors and suppliers? Has the company's ethical expectations been communicated to those vendors and suppliers?
• Does the program include a convenient mechanism for vendors and customers to report wrongdoing? Does it allow for anonymous reporting? Has the existence of the mechanism been widely publicized? Is use of that mechanism monitored to determine frequency of use and quality of complaints received? Have vendors and customers been polled to determine their awareness of the reporting mechanism?

Effecting the Assessment

Now that the questions have been asked, how is the assessment done? This author believes that an effective assessment should be conducted by an independent, objective and uninterested third party. The following is a list of general procedures likely to be performed when assessing a company's ethics and compliance program:

Identify and obtain a complete understanding of the business and compliance risks associated with the business, the ways noncompliance may occur and the conditions that give rise to them. Activities would include:

• Assessment of the control environment to identify high-risk areas.
• Identification of applicable statutes and regulations affecting the company and its industry.
• Assessment of the current understanding and adherence to compliance related policies and procedures.

Assess the company's existing systems, practices and procedures to determine whether they have been designed to achieve and maintain reasonable assurance of compliance with applicable statutes and regulations affecting the company. This review should focus not only on the written policies and procedures, but also on the actual practices and processes in place. Activities would include:

• Analysis of the company's organizational structure and mechanism for reporting violations of law and/or the company's policies and procedures.
• Assessment of the company's communication of the ethics and compliance program within and outside the organization, as appropriate.
• Assessment of the company's criteria and methods for providing ethics and compliance related training and the methods utilized to assess the effectiveness of the training.

Perform a detailed assessment of the company's financial, management and other practices related to each of the compliance risk areas under review. Activities would include:

• Interviews with key employees regarding ethics and compliance related risks.
• The design and performance of tests to determine adherence to the company's ethics and compliance program policies and procedures.
• Documentation of internal controls and procedures that act as mitigators to the compliance risks identified.
• Assessment of the strength and effectiveness of the compliance related practices.
• Development of proposed recommendations for compliance program enhancement.

Implementation of proposed enhancements to the ethics and compliance program, resulting from the findings in number three, would be addressed jointly by the third party conducting the review, company management and legal counsel. Activities would include:

• Identification of refinements to the compliance program based upon the findings above.
• Development of a corrective action plan to implement the refinements.
• Identification of necessary changes to procedure, policies, training and company systems to implement the corrective action plan items.
• Implementation of the policy changes identified above.
• Development and/or updating of training and communication materials to reflect the ethics and compliance program enhancements.

Conduct of Training

The final aspect of the ethics and compliance program assessment is development of an ongoing monitoring process. Activities would include:

• The design of periodic tests to insure adherence to the company's ethics and compliance policies, procedures and processes.
• Testing and validation, along with an overall assessment of the operation, of the compliance program and the related policies, procedures and processes.
• This ongoing assessment process could be accomplished by utilizing a company's internal audit group. Periodic review of the internal auditor's work by an independent, objective third party is an option for a company to consider.

Conclusion

As an additional consequence of recent accounting-related irregularities, it is more likely that a company's independent auditor will be required to examine, assess and perhaps opine on the quality of a company's fraud prevention efforts; including the company's ethics and compliance program.

Part Two of a Two-Part Article

Last month, we discussed how brightly the spotlight is shining on ethics and compliance programs. We explained that Sarbanes-Oxley has a provision that provides Federal protection for employees of SEC registrants who report wrongdoing to the government and/or law enforcement. The Act has created a situation in which anyone who reports wrongdoing to the government and/or law enforcement is protected from employer retaliation under Federal Statute. And we urged that companies assess the effectiveness of their ethics and compliance efforts.

Having reviewed program design, board of directors and senior management, and employees in last month's article, we continue that theme, concentrating on vendors and customers, the assessment, and ongoing monitoring systems.

Vendors/Customers

Here are the key questions to assess:

• Does the company perform due diligence procedures on new suppliers and large customers to gain an acceptable comfort level regarding the company's integrity?
• Has the company developed guidelines for dealing with vendors and suppliers? Has the company set out specific guidance regarding the acceptance of gifts and gratuities from vendors and suppliers? Has the company's ethical expectations been communicated to those vendors and suppliers?
• Does the program include a convenient mechanism for vendors and customers to report wrongdoing? Does it allow for anonymous reporting? Has the existence of the mechanism been widely publicized? Is use of that mechanism monitored to determine frequency of use and quality of complaints received? Have vendors and customers been polled to determine their awareness of the reporting mechanism?

Effecting the Assessment

Now that the questions have been asked, how is the assessment done? This author believes that an effective assessment should be conducted by an independent, objective and uninterested third party. The following is a list of general procedures likely to be performed when assessing a company's ethics and compliance program:

Identify and obtain a complete understanding of the business and compliance risks associated with the business, the ways noncompliance may occur and the conditions that give rise to them. Activities would include:

• Assessment of the control environment to identify high-risk areas.
• Identification of applicable statutes and regulations affecting the company and its industry.
• Assessment of the current understanding and adherence to compliance related policies and procedures.

Assess the company's existing systems, practices and procedures to determine whether they have been designed to achieve and maintain reasonable assurance of compliance with applicable statutes and regulations affecting the company. This review should focus not only on the written policies and procedures, but also on the actual practices and processes in place. Activities would include:

• Analysis of the company's organizational structure and mechanism for reporting violations of law and/or the company's policies and procedures.
• Assessment of the company's communication of the ethics and compliance program within and outside the organization, as appropriate.
• Assessment of the company's criteria and methods for providing ethics and compliance related training and the methods utilized to assess the effectiveness of the training.

Perform a detailed assessment of the company's financial, management and other practices related to each of the compliance risk areas under review. Activities would include:

• Interviews with key employees regarding ethics and compliance related risks.
• The design and performance of tests to determine adherence to the company's ethics and compliance program policies and procedures.
• Documentation of internal controls and procedures that act as mitigators to the compliance risks identified.
• Assessment of the strength and effectiveness of the compliance related practices.
• Development of proposed recommendations for compliance program enhancement.

Implementation of proposed enhancements to the ethics and compliance program, resulting from the findings in number three, would be addressed jointly by the third party conducting the review, company management and legal counsel. Activities would include:

• Identification of refinements to the compliance program based upon the findings above.
• Development of a corrective action plan to implement the refinements.
• Identification of necessary changes to procedure, policies, training and company systems to implement the corrective action plan items.
• Implementation of the policy changes identified above.
• Development and/or updating of training and communication materials to reflect the ethics and compliance program enhancements.

Conduct of Training

The final aspect of the ethics and compliance program assessment is development of an ongoing monitoring process. Activities would include:

• The design of periodic tests to insure adherence to the company's ethics and compliance policies, procedures and processes.
• Testing and validation, along with an overall assessment of the operation, of the compliance program and the related policies, procedures and processes.
• This ongoing assessment process could be accomplished by utilizing a company's internal audit group. Periodic review of the internal auditor's work by an independent, objective third party is an option for a company to consider.

Conclusion

As an additional consequence of recent accounting-related irregularities, it is more likely that a company's independent auditor will be required to examine, assess and perhaps opine on the quality of a company's fraud prevention efforts; including the company's ethics and compliance program.