Compliance Best Practices

The compliance best practices (also called leading practices) listed below are those that have produced better results than comparable approaches. Each is paired with the typical practice it replaces and the benefit of adopting it. Implement these practices to improve compliance department performance.


Risk Management Best Practices

Best Practice (Good)

Risk managers need to go beyond the traditional role of simply imposing restrictions. They need to understand and challenge the front office, and they also need to develop a deep understanding of concentrations, correlations, and early-warning indicators. Finance must likewise develop a more critical understanding of the risk-return drivers behind profitability.

Typical Practice (Bad)

Risk managers take a reactive approach to managing risk and interpret the role as narrowly as possible, acting simply as the person who restricts processes and sets limits for the front office.

Benefits of the Best Practice: Allows managers to take a proactive approach to risk management and promotes a culture of identifying and evaluating risk at multiple levels of the organization. This reduces the time staff need to identify risk incidents and reduces the overall number of risk incidents.

Best Practice (Good)

Require annual written reports on each high-priority risk being monitored within the company, stating how long the risk has been monitored and how frequently each risk area is reviewed.

Typical Practice (Bad)

Address high-priority compliance risks as incidents are identified, without keeping an active log of the compliance risk once it is resolved.

Benefits of the Best Practice: Encourages risk management to be proactive when monitoring compliance risks. Identifies recurring risks so that policy can be made to curb their recurrence. Decreases resolution time for high-priority compliance risks.


Policy Creation Best Practices

Best Practice (Good)

When educating employees on compliance procedures, send out mass emails stating the importance of adherence to each policy. Provide factual information on the ramifications of non-compliance at both the individual and the organizational level.

Typical Practice (Bad)

Train employees on compliance procedures in large groups, or print and distribute literature on related guidelines and policies.

Benefits of the Best Practice: Increases the likelihood that employees will strictly follow compliance guidelines.

Best Practice (Good)

The compliance office should take reasonable steps to communicate its standards and procedures periodically, and in a practical manner, to directors, officers, and employees by conducting effective training programs. Such programs should be tailored to the needs of particular segments of the company. For example, sales and marketing personnel should receive antitrust and competition training, and senior officers and those travelling outside the U.S. should be trained on the Foreign Corrupt Practices Act (FCPA) and the OECD Anti-Bribery Convention.

Typical Practice (Bad)

New employees are briefed on compliance policies, best practices, and procedures during their introductory period. Any changes to compliance policies are distributed via email and paper notices posted in high traffic areas.

Benefits of the Best Practice: Increases the number of compliance incidents reported, because trained employees can recognize incidents more readily, which reduces the fines or fees that could result from addressing an incident too late.


Policy Enforcement Best Practices

Best Practice (Good)

Ensure that all business partners (vendors, clients, venture partners, etc.) also comply with company policies, industry regulations, and federal and state laws.

Typical Practice (Bad)

Focus only on internal compliance. Allow business partners to develop and audit their own compliance activities.

Benefits of the Best Practice: Reduces the risk and expense arising from business partners' non-compliance. Legislation such as the Gramm-Leach-Bliley Act requires financial institutions to oversee their service providers and ensure that they take comparable security measures.

Best Practice (Good)

Ensure that all policies are reviewed with employees on a regular basis (at least annually) and require employees to sign an acknowledgement statement for each new policy. The statement should specify that the employee has received a copy of the policies, has read them, and agrees to abide by them.

Typical Practice (Bad)

Distribute company-wide emails reminding employees of how policies are enforced within the organization, along with any new policies that require enforcement.

Benefits of the Best Practice: Formalizes employees' responsibility for compliance policies through a signed acknowledgement of the guidelines, which increases the number of policy incidents identified and decreases the number of high-risk compliance incidents identified too late.


Internal Audit Best Practices

Best Practice (Good)

Prior to an internal audit, communicate (via email) the schedule, leadership, scope, objectives and processes involved to all employees who will be a part of the audit.

Typical Practice (Bad)

Notify all affected employees of an upcoming internal audit at least three days prior to its start date via email or announcement from management.

Benefits of the Best Practice: Allows all affected employees to prepare for the upcoming audit thoroughly and to allocate a certain amount of time to deal with audit activities.

Best Practice (Good)

Gather only relevant data by communicating with department stakeholders beforehand and agreeing on which key data elements are needed, so that the data acquired is focused and clean.

Typical Practice (Bad)

Request data dumps from departments for audits, which causes the internal auditing team to sift through irrelevant information and requires them to clean the important data.

Benefits of the Best Practice: Decreases the time internal auditing teams spend on sifting through data and increases their understanding of the relevant operations within a department to better identify improvement opportunities.


Regulatory Reporting Best Practices

Best Practice (Good)

Restrict the making of general ledger (G/L) entries to a single accountable employee (the general ledger account manager) who is responsible for adding and editing all G/L information.

Typical Practice (Bad)

Allow all accounting employees to edit and add items to the general ledger.

Benefits of the Best Practice: Reduces duplicate entries and late submissions to the general ledger that impair financial reporting accuracy. Because this concentrates edit rights in one person, pair it with independent review of posted entries so that the restriction does not itself become a segregation-of-duties weakness.

Best Practice (Good)

Document any sensitive information that must be provided to third-party technology providers, recording the vendor name, contact information, what information was sent, and how the vendor will use it.

Typical Practice (Bad)

Provide sensitive information to third-party technology vendors upon request, only when absolutely required, but without recording what was shared or with whom.

Benefits of the Best Practice: Creates a record of what each vendor holds, makes it possible to hold the vendor to responsible use of the information, and reduces the risk from vendor data leakage or a security breach.

Best Practice (Good)

Regulatory reporting software should interface directly with the general ledger system.

Typical Practice (Bad)

Export general ledger data into an Excel spreadsheet to compile data for regulatory reports.

Benefits of the Best Practice: Reduces manual work in the reporting process, which shortens the reporting cycle and improves report accuracy.