Compliance review issues

I have been asked to give examples of the sort of problems we find on compliance reviews. Without breaching confidentiality, it may help if I explain why we do reviews and what we look for.

Why do a review?

The reasons we do reviews include:

  • to update processes for law changes;
  • as part of a merger or acquisition (to ensure that the key assets will be acquired without the prospect of future legal action);
  • as part of an ongoing compliance program (eg to test compliance annually);
  • because the Board or senior management want assurances before making declarations of compliance;
  • because a problem has been identified either internally, through a customer dispute or by a regulator.

When a problem has already been identified, we may be asked to confirm the extent of the particular problem and whether other problems exist. This is important when a penalty hearing is likely, because the background and extent of a breach are relevant factors in determining the penalty.

We look for compliance in the areas of highest risk and for ways clients can improve processes. We frequently recommend best practices to clients.

Problems can be one-off (eg a manual error or a software glitch) or systemic (eg a disclosure error that has affected all documents for a particular product).

We start off with a checklist for the particular issue we are reviewing. It is based on the statutory requirements and identifies the client’s documents, materials, computer systems and procedures we need to look at.

A theme may develop as we conduct our review.

We interview key staff.

Often there will be issues staff want to discuss.

Sometimes there will be issues related to an out-of-date procedure, or to a change to a compliant procedure which was not authorised. Or a document may have been copied from elsewhere without understanding its assumptions.

If an issue is identified as part of an ongoing review, it is evidence that your compliance framework works. The problem can then be remedied by you rather than waiting for a customer complaint or regulator investigation.
