Landline: +27 (0)10 595 9610
Compliance Audit Methodology
We base our compliance approach on the Compliance Framework we have developed to implement effective compliance activities with our clients. The framework determines the compliance universe as it applies to the organisation: which compliance activities are needed to achieve compliance, and who should perform each activity. It further provides for the collection of evidence that each task has been completed, with escalations when a task is not timeously completed. Compliance assurance is also facilitated through the tool, and reporting to management and the Audit Committee/Council is effected through the tool to present the state of compliance at the reporting date.
A key element of assessing compliance responsibilities is evaluating how the responsibilities in the compliance universe are spread throughout the entity, and establishing that the ownership assigned to each compliance activity is appropriate for that activity.
Review the process of embedding of compliance monitoring and reporting
Our approach depends on the extent to which the activities are electronically recorded and on how monitoring of the recorded activities is achieved.
- In principle there should be a compliance diary (the Compliance Calendar) that sets out what compliance is required. Our assessment then determines, through observation, review and discussion, the extent to which the Compliance Calendar has been effectively completed.
- Certain compliance activities are embedded in day-to-day operations, such as PFMA, PoPI and Transaction Screening. We assess the effectiveness of these activities by confirming that they are appropriate, sufficiently automated and referenced to external sources where necessary (e.g., PEP lists), and by reviewing how exceptions are handled, including the level of authority required to resolve them.
- We hold interviews with key Board members and senior management to determine their satisfaction with the embedding of compliance, the extent to which they are satisfied with the recorded state of compliance, and their satisfaction with the assurance provided over specific compliance activities through the Combined Assurance approach.
- We review the reports provided to management and the Audit Committee and assess the usefulness and format of the content.
Communicating changes to regulations
We anticipate that most clients subscribe to statutory and regulatory update services (e.g., Lexis Nexis, Juta). Through observation and discussion we determine the process followed in communicating relevant changes throughout the organisation, in updating the Compliance Calendar, compliance activities and responsibilities, and in completing any training required.
We use our own knowledge of changes to existing legislation and of newly promulgated legislation to select a specific sample and test how each change was handled under the above process.
Review the compliance regulatory universe/framework for completeness
Our scope in these reviews is to assess the effectiveness of legal and regulatory compliance and the effectiveness of the Compliance function in supporting those activities. These reviews are normally included in the scope of risk-based audits.
We review, through observation and discussion, the process by which the universe was determined.
- We expect that there would have been a review of all regulations and legislation issued as at the date of assessment.
- We test the processes applied in identifying the legislation and in prioritising it against other legislative requirements.
- We evaluate the results against our own view of which legislation is applicable and compare this with the client's compliance universe.
Review the unit’s staffing, skills, capacity, systems and budget resources to ensure its effectiveness
- We assess the Compliance function's staffing, skills, capacity, systems and budget against our benchmarked understanding of comparable teams.
- In addition, we assess the function's performance measures and individual performance contracts for appropriateness to the client and the function.
- We address the continuing education of the staff and its relevance to the function.
- We survey/interview the staff on their own assessment of the function and what could be done to improve their effectiveness and career progress.
- Our assessment covers how the function is included in Combined Assurance.
- To the extent that compliance is automated, the supporting system is assessed. Other software in use, e.g., for monitoring work, is evaluated as it applies to the whole Risk Division, since it is expected to be integrated with the tools used by the other functions within the division.
- Our assessment includes consideration of overlaps with responsibilities of other functions within the Risk Division, and the extent that they co-ordinate their efforts and resources – e.g., use of staff across the functions.
- The effective use of software tools is also assessed.
Comply and Declare
We have developed our own solution for managing compliance which we call “comply and declare”.
The solution identifies the relevant compliance activities and assigns the responsibilities and escalations that ensure compliance is achieved. We know of at least 21 activities that every company should attend to each month. The solution is content rich, with compliance requirements, the forms to be submitted and links to regulators' systems for submission. Compliance requirements can be added for the client's business sector, and internal compliance requirements, such as the financial close, can be included as well.
Our clients use the solution on their own platforms or on our cloud platform, or we complete the compliance on their behalf using the compliance diary.
The declare element is used to record declarations, gifts and PFMA/MFMA reportable matters. It can also be used for other purposes such as independence sign-offs, ethics education and sign-off, and conflict of interest declarations.