Numbers Alone Don’t Tell Compliance Program Story
When assessing the effectiveness of your firm’s compliance program, don’t simply tally up the number of exception reports and call it a day. Firms should look at the end result: did the program actually detect and prevent compliance violations?
At last week’s NRS conference, OCIE director Lori Richards said that she’s seen “too many” advisers measure the results of their compliance program by the number of their own activities, such as the number of exception reports, the number of investigations commenced, the number of reports to the board, or other numerical measures based on the program’s output. “These things are easy to measure, and certainly it can be easy to show increases in these areas,” she said.
However, Richards cautioned that numerical measures can be misleading if they don't relate to the actual intended result: detecting and preventing violations. She warned that a firm can produce “an ever increasing number of exception reports” and conduct “an increasing number of investigations” while at the same time having an increasing number of violations. “I have seen this in many organizations,” she said.
Richards recommended that firms develop measures that are tied to actual reductions in violations. “Keep your eyes on that result as the ultimate goal,” she said.
Franklin Resources CCO David Lui put it a different way: when evaluating your program, don’t focus on whether individual “cogs” in the compliance program machine are operating smoothly. Instead, get business, legal, and compliance together to look at the relationship between the various parts of the program. The group should address the question: “Is this machine still running right, even though the parts [and] the environment around it has changed?”
Richards’ speech also focused on the “core principles” of compliance, as set forth in a recent discussion paper published by the International Organization of Securities Commissions (IOSCO) titled “Compliance Function at Market Intermediaries.” She noted that the IOSCO paper stated that the compliance function should be subject to review by independent third parties. Having “outside eyes” review the firm’s compliance program can be helpful, said Richards. “It can help you to see things in perhaps a different way,” she said. “It may also empower compliance within the firm.”
Richards suggested that the traditional audit function focus on compliance, as well. “If I were an internal auditor, I would think that the compliance failures of our recent past would give me a great deal of pause in carrying out a program that did not evaluate the risk of failures or weaknesses in compliance and other internal controls,” she said.
She also suggested that external auditors “can do more” in areas such as securities valuation and confirming that money withdrawn from a mutual fund for fund expenses actually is being used for its approved purpose.
What’s the difference between compliance and internal audit? Lui noted that he’s occasionally asked whether compliance is part of the internal audit function. “That's a reasonable question,” he said.
Lui explained the difference between compliance and internal audit as follows: supervision is the first line of defense, and compliance is the second line of defense. “It's the safety net,” he said. Internal audit, he said, “is probing both of those fronts in deep dives.” While compliance is constantly operating to ensure that the full program is successful, internal audit tends to probe specific issues, he said.