Professional Documents
Culture Documents
ch
2 How can your organisation perform effective and efficient compliance testing?
Effective compliance testing
• How is compliance testing Compliance testing is one element of an Many companies struggle to establish
defined, and what are its effective compliance programme. The compliance testing across their comp-
notion of a compliance programme, liance universe, in particular because
objectives? which has developed largely since the of a lack of resources. Nevertheless,
• What are the elements of an mid-nineties, can be defined as the the regulatory pressure to do so is
effective second line of defence entirety of the strategic, organisational increasing. Under these circumstances,
and process-related measures that aim how can companies find a balance
testing process?
at establishing ethical and compliant between establishing a lean compliance
• How can a company increase behaviours within a company. and meeting the legal requirements for
efficiency by aligning its compliance testing?
compliance testing activities
across the three lines of
defence?
How can your organisation perform effective and efficient compliance testing? 3
1. Definition and objective of compliance testing
Compliance testing is part of Compliance testing can be defined as Some of the testing activities are con-
a periodic, independent and objective ducted by independent functions within
the broader notion of compli-
assessment of compliance-related the business, some are performed by
ance programme evaluation. processes and/or controls. The aim of compliance personnel, and others by the
It is one of the instruments compliance testing is to assess whether internal audit function. Nevertheless,
used to assess whether the the elements, processes and controls of the main responsibility for the manage-
the compliance programme are de- ment of the compliance programme and
compliance programme effec- signed appropriately and are operating the performance of compliance testing
tively and efficiently reduces as designed. Compliance testing follows usually lies with the second line of de-
compliance risks to an accept- an established process and plan as well fence, the compliance function itself.
able level for the organisation. as, according to best practices, a risk-
based approach. For further definitions and descriptions
In other words, it is one of the of evaluation, monitoring and testing
key instruments for assessing In general, compliance testing activities activities, see for example Internal
whether a company’s efforts to are performed, in some form or other, Control – Integrated Framework, May
ensure compliance with laws within all three lines of defence (busi- 2013 (COSO 2013) or the ISO standard
ness, compliance and internal audit; see ISO 19600 – Compliance Management
and regulations are bearing below under 3.1 for a proposed defini- Systems (ISO 19600).
fruit. tion of the three lines of defence).
4 How can your organisation perform effective and efficient compliance testing?
2. Compliance testing process
Compliance testing is usually performed by all three lines of defence. This section describes an
effective compliance testing process within the second line of defence, the compliance function.
Elements of the compliance testing
process:
2.1 Establish annual risk- dependencies between the various to the defined standards. Any
testing activities. improvement measures should be
based compliance testing
Testing should be performed on defined if relevant and reported to
plan management.
the basis of testing methodologies
The compliance testing plan is one
including sample methodologies, The quality standard programme
of the key elements of the annual
documentation standards, as well also has to include training
compliance plan. It is based on the
as standards and procedures for measures to ensure that sufficient
compliance risk universe, which
assessing and classifying findings. expertise exists within the testing
is derived from all the relevant
Alongside an assessment of the team.
regulatory requirements and could
findings and their ratings, a root
be documented, for example, within
cause analysis and an assessment
a risk and controls matrix.
of severity must also be performed.
The compliance testing plan should The company should also develop The compliance testing process is part of
ideally cover all elements of the a methodology allowing it to the annual compliance risk management
compliance programme: compliance perform an overall assessment of cycle, which comprises of the following
strategy, governance and key the effectiveness of the compliance elements:
compliance processes. programme.
The specific risks, and the elements Upd
ate risk universe
,
of the compliance programme upda
te strategy
Establi
comp
with the results of previous testing,
with predefined reporting standards
liance plan
the number of incidents and other
sh a n n u a
Annual
and procedures. In particular, compliance cycle
metrics used by the company to
r
Info
How can your organisation perform effective and efficient compliance testing? 5
3. Aligning compliance testing across the three
lines of defence
As described above, compliance In our experience, compliance testing the first line of defence (the operational
is not always optimally aligned across units) has the primary responsibility of
testing is usually performed not
the three lines of defence. Moreover, managing compliance risks. The second
only by the compliance function many companies are unable to perform line of defence (the compliance and
(second line of defence), but all the testing that would be necessary risk functions) has the responsibility
also by the business (first line or cannot complete the planned testing of providing tools to manage risks and
consistently.1 One way to improve the monitor compliance. The third line of
of defence) and internal audit efficiency of testing activities is to align defence (the internal audit function) has
(third line of defence). compliance testing across the three lines the responsibility of conducting inde-
of defence. pendent testing to assess, in particular,
compliance.
3.1. Definition of the three lines
of defence concept
Figure 1 below illustrates the functions
and their roles within the three lines of
defence. In summary, under this model
Central Analysis,
Policies and Risk Consolidation of Oversight
compliance oversight, procedures assessment reporting controls
function direction
Business Monitoring
Risk assessment
processes processes
Policies and
Business controls Audit
procedures
1
See in particular PwC’s publication ‘Making the grade: How financial institutions can improve compliance testing’, November 2015.
6 How can your organisation perform effective and efficient compliance testing?
3.2. Aligning compliance testing between the three lines of defence to
ensure no duplication of testing, consist-
activities across the three lines
ency in the reporting of results as well
of defence as the alignment of remediation and
Frequently, all three lines of defence improvement measures.
perform testing activities: independent
functions within the first line perform Moreover, employees often have insuf-
independent testing of business process- ficient knowledge and understanding
es, the second line of defence plans and of their roles and responsibilities within
executes compliance testing, and the the company’s compliance programme.
third line of defence, within its yearly
testing plan, performs compliance-relat- As a result, organisations experience
ed testing activities. drains on their resources, a lack of
appropriate resources and duplication of
These testing activities are often per- effort, which leads to productivity losses
formed in silos. Senior management and ultimately has a negative impact on
fails to communicate about the testing customers.
activities of the different lines of de-
fence, and there is no function formally One solution to this problem could be to
tasked with coordinating activities adopt the following approach:
1 2 3 4 5
Roles and Testing tools, Activities are Business is informed Reporting is
responsibilities are methodologies and coordinated across the about testing activities consolidated across all
communicated procedures are three lines of defence of the two other lines three lines of defence
standardised across of defence
the three lines of
defence
Ensure that the roles Consider how tools, Integrate coordination Inform the business to Consolidate all
and responsibilities methodologies and activities within the enable them to plan reporting activities
of each line of procedures that are yearly compliance their own activities of the three lines of
defence with regard applied for testing by process and the yearly accordingly. defence
to compliance testing the different lines of audit process to ensure
are clearly defined and defence can be aligned second line and third
communicated, and and leveraged to line of defence testing
that people are trained improve effectiveness activities are aligned
accordingly. and efficiency. at all stages (planning,
execution, reporting
and remediation).
2
See also related to internal audit: “Revolution, not evolution. Breaking through internal audit analytics’ arrested development”, January 2018.
www.pwc.com/us/en/services/risk-assurance/library/internalauditanalyticsrevolution.html
How can your organisation perform effective and efficient compliance testing? 7
Authors and contacts
Robert Borja
Assurance Partner
PwC
Birchstrasse 160
8050 Zurich
+41 58 792 29 56
robert.borja@ch.pwc.com
Véronique Besson
Assurance Director
PwC
Birchstrasse 160
8050 Zurich
+41 58 792 23 68
veronique.besson@ch.pwc.com
Karin Kirkpatrick
Assurance Senior Manager
PwC
Birchstrasse 160
8050 Zurich
+41 58 792 24 70
karin.kirkpatrick@ch.pwc.com
© 2018 PwC. All rights reserved. “PwC” refers to PricewaterhouseCoopers AG, which is a member firm of PricewaterhouseCoopers International Limited,
each member firm of which is a separate legal entity.