How to Implement Effective Compliance TestingPublished August 25, 2020 by Tricia Scherer • 6 min read
Compliance testing, also known as conformance testing, is a periodic, independent, and objective assessment of compliance-related processes and/or controls.
The goal of compliance testing is to determine whether the elements, processes, and controls of your compliance program are designed appropriately and operating as designed. Compliance testing follows an established process and plan as well as a risk-based approach.
Strong compliance monitoring and compliance testing play a major role in identifying vulnerabilities in existing compliance risk management controls. As such, compliance monitoring and compliance testing are key components of an effective company-wide compliance risk management program.
Compliance testing is an integral part of ensuring that your company’s compliance management system is working as intended.
Identifying requirements violations, e.g., violations of regulations or internal policies, and remediating their underlying causes as quickly as possible is critical to mitigating your compliance risk.
Consequently, implementing an effective compliance testing program is key to managing your compliance risk and ensuring the health of your compliance management system.
When you perform compliance testing, it’s important to remember that you’re testing against a rule, regulation, law, or statute, meaning that anything you find is technically a violation of a law or statute.
It doesn’t matter whether your internal audit or compliance department performs your compliance testing, these steps will help you successfully implement an effective compliance testing process as part of your compliance function.
- Create the Requirements Library
Even if your company already has a small compliance testing program or you’re developing a new program, the first thing you have to do is build the requirements library. You’ll use the requirements library, which establishes the requirements that apply to your company, later to identify the existing controls—or lack of controls—that mitigate your company’s compliance risk.
A requirements library is basically an inventory of in-scope requirements that you then use to identify the compliance risks to your organization. To establish the library, you have to identify all the statutory, regulatory, or contractual requirements that apply to your company’s operations.
You might want to first consider consulting with a subject matter expert in your industry who can help you identify the in-scope requirements. Then work with the executives from each business unit, including your legal team, to ensure you capture all the applicable requirements.
The next thing you should do is map the requirements to their applicable business functions and work with the executives of those business units to define the compliance risks. You should also validate the applicability of the requirements with the business owners to help them clearly understand the importance of each requirement and what could happen if it’s not met.
Also, you should define compliance risks in terms that your employees at any level of the company—from analysts to executives—will understand. And you should distill the relevant information in your risk statements into its most basic, actionable form.
Once you’ve mapped the requirements and identified the risks, you should identify the controls you have in place to mitigate the compliance risks. This is a great opportunity for you to determine how many controls mitigate each compliance risk and where you should focus on compliance testing in the future to minimize duplicate testing.
You should establish your requirements library as the source of truth in regard to the requirements that apply to your company. In fact, it should be the only reference point that’s used to communicate regulatory requirements. It’s extremely important that your organization understands its obligations and the requirements it must adhere to.
Maintaining your requirements library within governance, risk, and compliance system ensure that you preserve the integrity of the source of truth. You can also implement controls to prevent unauthorized users from making unintended additions, deletions, or other changes that could compromise your requirements library.
- Conduct a Compliance Risk Assessment
You first have to define the parameters of your compliance risk assessment, including the categories and factors you’re going to measure, and the data sources you’re going to use to conduct the risk assessment.
Now you have to evaluate the inherent risk for each risk, e.g., the risk of violating a requirement absent of controls, by measuring the likelihood of a regulatory violation and the effect it will have on your company. Then obtain the effectiveness rating of the control that mitigates the risk. After you’ve evaluated the inherent risk and the effectiveness rating of the control, you can use a matrix to develop the residual risk for each requirement.
Finally, you utilize the residual risk to prioritize the importance of the underlying compliance requirements and which mitigating controls, if any, should be tested.
- Develop the Compliance Testing Methodology
After performing the risk assessment, you have to develop a compliance testing methodology to determine how you’ll test in-scope requirements and/or their associated controls.
To develop the testing methodology you have to define the:
- Testing approach, including purpose, scope, and objective.
- Sampling method that you’ll use when performing testing.
- Process you’ll follow when you identify compliance violations or issues.
- Involvement of the compliance testing function remediation.
- Reporting requirements, including stakeholders.
You have to communicate the testing methodology to the business unit of your company that’s being audited as well as to the relevant parties that perform the testing to reduce duplication of efforts.
Communicating a clearly defined methodology to the business early in the testing process can also help reduce resistance in the entities that are being audited by letting them know what they should expect and when.
Your methodology may evolve every year as your compliance program becomes more mature. For example, your objective for the first year may just be to ensure that all areas comply with the applicable laws by testing all the requirements in your library. In succeeding years, you don’t need to limit compliance testing just to verifying compliance. You may also want to test the controls that mitigate the compliance risk.
- Establish the Testing Schedule
Use the residual risk you established in the compliance risk assessment to determine how often you should test for each requirement. Your schedule will vary depending on the size of your team and your company’s objectives. For example,
- High residual risk: quarterly (or more frequently)
- Medium residual risk: semiannually
- Low residual risk: annually
Group the requirements by business function or overarching regulation and state when each of these groups will be tested.
Add the established timeframe as a data point in your risk assessment to ensure you have testing coverage for all requirements. Once you’ve completed your schedule, communicate it to the business units so that they all understand when you’ll be testing them and what you’ll be testing against.
- Perform Testing
Notify the business units about the planned audits well in advance and include what you’ll require of process owners and department heads. Allocate enough time to submit document requests and review the evidence you’ve gathered.
Obtain the data and materials you’ll need to perform testing against the regulatory requirements. Then test per the established testing methodology that you’ve communicated to the business unit being audited. This ensures that your testing process stays consistent by eliminating confusion and frustration for the leaders of your business units.
Document the testing programs and preserve evidence of the results of the testing. Follow up on findings to ensure that the issues or control gaps you’ve identified aren’t false positives.
Communicate the final results to the business units and obtain the approval or agreement from the affected business function on any issues that you’ve identified. When you’ve completed all the testing steps, draft and issue the final report of your results to the relevant parties, such as the audit committee.
- Implement an Issues Management Process
Once you’ve identified and confirmed the issues or control gaps, you have to implement an issues management process to define how you’ll manage an issue from identification through remediation.
Start by entering the issues you’ve identified in your issues management system. Then assign ownership by determining which business function is responsible for the compliance violation based on the mapping you did when you were creating your requirements library.
Determine the severity of the impacts of the compliance violation on your company. When you rate violations of law, you should also assess the pervasiveness, duration, and severity of the violation.
Then document the underlying cause of each issue and work with the affected business units to document the remediation plan to address that underlying cause, including milestones you want to achieve and when you want to achieve them.
- Validate Remediation
When you’ve completed the milestones of the remediation plan, validate that the plan worked as intended. Validation should ensure that the corrective actions addressed the immediate issue and that the long-term remediation prevents the issue from happening again. You may be required to perform the test again so you can adequately validate that the remediation plan worked. You will need evidence that you completed the remediation plan.
- Monitor Sustainability
You should establish a period of sustainability that must be achieved before you can close the issue, e.g., the compliance violation should not occur again for at least two months. Based on your organization’s risk appetite, you could increase the number of months.
At the end of the sustainability period, you have to gather and maintain evidence that the issue did not recur. If the issue did not recur, then you can close the issue. However, if the issue did recur during the sustainability period, you’ll have to reestablish the underlying cause and adjust the remediation plan accordingly.
If you operate in a regulated environment, you’re expected to have a compliance management system. If you want your compliance management system to be effective, you must perform testing against the statutory, regulatory, or contractual requirements that impact your company. Performing compliance testing in an ad-hoc manner can lead to increased regulatory scrutiny since you won’t be able to provide evidence that you have a fully functioning compliance testing program.
By following these steps, you’ll be in a good position to get your company’s compliance testing program off the ground.