Paul McNulty, the former Deputy U.S. Attorney-General, once famously said, “If you think compliance is expensive, try non-compliance”. With an ever-increasing compliance burden, more scrutiny from the public, parliament, and regulators, it is more critical than ever that Government entities get it right.
It is important to always remember the fundamental reason why we monitor non-compliance. Aside from meeting any relevant reporting requirements, such as the reporting of significant non-compliance, it is to support the accountable authority, audit committee, and other senior entity management in making reasonable assessments about the effectiveness, or otherwise, of the entity controls framework, and any actions that might be required to remedy issues and/or improve controls.
Like many things, it is easy to complicate our approach to compliance. Today, I want to share three simple steps that will ensure you are heading in the right direction with your compliance strategy.
Step 1: A Targeted Approach
If you aim for everything, it is quite likely you will hit nothing. Streamlining compliance in an organisation requires a well-tailored system, designed to target specific risk areas without imposing unnecessary restrictions.
When the requirement for an annual Certificate of Compliance was first introduced about 15 years ago, Commonwealth entities often gathered very detailed non-compliance information across the entire finance law. Doing this required significant effort and often the resulting data was never used for any practical purpose. The current trend is for entities to take a more targeted, risk-based approach. This is consistent with the risk-based approach to governance inherent in the Public Governance, Performance and Accountability Act 2013 (PGPA Act).
Aside from prima facie legislative and regulatory non-compliance, consider the value to the organisation of targeting some of the more subjective non-compliance risks such as:
- Achieving value
- Efficient and effective outcomes
- Meeting ethical standards
Step 2: An Effective System
An effective system for monitoring non-compliance will include strategy, policy, processes, and technology. If any one of these elements is missing, your outcomes will be less than optimal.
Key features of an effective non-compliance monitoring system include:
- A documented framework that describes all elements of the system (strategy, policy, process, technology)
- Multiple sources for non-compliance data, such as:
  - Real time reporting by officials that self-identify non-compliance
  - Periodic surveys or checklists – completed by specified officials who report any known non-compliance for the reporting period, or confirm that they are not aware of any non-compliance
  - Non-compliance identified and reported by relevant business areas (e.g. travel, procurement etc.)
  - Non-compliance identified and reported through internal or external audits
- A central repository for all non-compliance data
- Technology that facilitates efficient collection, analysis and reporting of data with the minimum of administrative effort and manual intervention
- The use of the data to create insights and inform management decisions
Step 3: Relevant Assurance
Relevant assurance activity focused on the targeted areas of non-compliance is a valuable mechanism to provide a level of comfort to the accountable authority and audit committee about the completeness and accuracy of non-compliance data.
Assurance activities currently undertaken by Commonwealth entities include:
- Reviewing samples of procurements for compliance with the CPRs
- Reviewing samples of trips for compliance with WoAG travel policy
- Reviewing a sample of credit card transactions for compliance with entity AAIs
- Reviewing samples of decisions to confirm that delegations have been properly exercised by officials holding the required delegation
Lighthouse Supports Entities in Monitoring Non-Compliance
Lighthouse (by Torque Software) provides a full range of functionality to support entities in meeting better practice in the collection, collation, analysis, and reporting of non-compliance:
- Non-compliance register – a central repository for all non-compliance data
- Non-compliances module that facilitates the real-time reporting of non-compliance by any official
- Compliance surveys and/or checklists that can be deployed on demand or at scheduled intervals to selected officials
- Assurance Certificates/Assurance Register – record the details and outcomes of assurance activities
- Comprehensive reporting – both real time and scheduled – across all non-compliance functionality
- Curated compliance content, including model compliance frameworks
Torque’s Customer Success Program assists clients in designing and implementing non-compliance functionality tailored for their entity.
Lighthouse clients can administer their own non-compliance functionality or Torque Software can provide a fully managed service, or clients can choose a combination of both.
This article was written by Zane Edwards, Global Director of GRC at Torque Software. Zane is a chartered accountant and has 20 years' experience in Government and private sector GRC management. Not only is he passionate about the digital transformation of governance, but he is also a skilled and influential communicator with extensive national and international experience in a variety of channels, including conferences, radio, television, and video.