The first myth
about compliance program assessment is that it is an optional part of an effective
compliance program. The same sentence in the Sentencing Guidelines that
mandates a hotline also mandates compliance program assessment. And, even if
program assessment were not mandatory, it is would be incumbent on your
organization to undertake assessment. Organizations measure what is important
to them. If there is no call for
compliance program assessment in your organization, your compliance program is
not as important as it should be.
The second myth
about compliance program assessment is that an internally conducted assessment
is as good as an externally conducted assessment. Internally conducted program
assessments are good and they are useful. But they are also conflicted. It is a
rule in audit - and should be a rule in compliance - that you don't audit your
own work. Both compliance and internal audit are part of the control
environment of the organization and both need to be periodically assessed
externally. This need not be an annual activity but there should be a fixed
schedule such as every 3 or 5 years.
The third myth
is that it is risky to have an external program assessment since it may turn
out negatively. It is true that an assessment that turns out positively is more
protective than one that indicates a flawed compliance program. But we have
seen more than one case in which a negative assessment, when paired with a
detailed plan of remediation, has forestalled a CIA or other enforcement
action. Why? The fact that you conducted and acted on a program assessment
indicates that your organization takes its compliance program seriously and
will remedy weaknesses without prodding from the outside.
A final myth
about compliance program assessment is that everyone uses the same standards.
While this may seem to be the case, different consultants interpret the
relevant external standards in widely different ways. The standards to be used
in your assessment should be fully disclosed before you choose an assessor. A
good assessment also includes bench marking. Boards and senior executives are
often indifferent to consultants’ opinions. But they are interested in real
information about how your organization stacks up against other like
organizations. For more information visit http://healthethicstrust.com/services/cpa/.