All companies, regardless of their size, business model and scope of activities, must understand and comply with a plethora of laws and regulations in diverse areas such as employment, health and safety, intellectual property, real property, tax, antitrust, finance, securities law and consumer protection. Given the complex legal environment that applies to every business organization, it is essential for companies to develop processes and procedures to conduct voluntary and self-analytical legal and compliance audits on a regular basis. In fact, a number of federal and state laws and regulations, as well as the agencies responsible for their enforcement, specifically require companies to assume responsibility for policing their own conduct and compliance and to report any potential misconduct to the appropriate authorities.
In light of this trend, internal compliance audits have taken on significant importance, and establishing adequate procedures for such audits is an essential part of the company’s overall compliance program, which should include appropriate monitoring and auditing systems (e.g., periodic reviews of company business practices, procedures and policies), internal controls for compliance with standards of conduct and special legal requirements imposed on the business, and internal or external compliance audits. Just like internal investigations, compliance audits and investigations must be conducted carefully and managed by experienced lawyers and compliance professionals. Specifically, precautions must be taken to manage the expense of the process and reduce disruption to business operations. Moreover, care must be taken in structuring and conducting routine compliance audits since there are circumstances where the results of the audit will not be eligible for protection under the attorney-client privilege.
A variety of techniques can be used to complete the compliance audit process and those persons involved in conducting the audit often follow many of the procedures that are normally used when conducting a due diligence investigation in the transactional context. Accordingly, questionnaires should be prepared and disseminated to various departments within the company, including sales and marketing, accounting and finance, human resources and legal. The information collected from the questionnaires should always be supplemented by conversations with officers and employees responsible for functions that impact significant operations, as well as discussions with outside consultants and professionals. If the company has already opened offices and facilities in foreign countries to conduct sales or manufacturing, questionnaires should be circulated to local managers and follow-up interviews should be conducted. In addition to questionnaires and interviews, information regarding the company and its business processes can be obtained by reviewing business plans and disclosure documents prepared for distribution to investors, material contracts and written policies and procedures and through inspection of the company’s facilities and observation of managers and employees carrying out their day-to-day job responsibilities.
Specific steps that should be taken include assembling the audit team and briefing the members on the goals of the audit and the relevant laws and regulations; collecting and reviewing background information about the company’s business and legal environment; establishing the scope of the audit and identifying the key issues to be covered by the review (e.g., changes in compliance procedures necessitated by changes in applicable laws and regulations); collecting and reviewing material contracts and other documents (e.g., policies and procedures); collecting information via questionnaires, inspections and interviews; reviewing the existing compliance policies and procedures and assess the company’s overall compliance environment; conducting searches of public records to verify registrations and recordings; and, finally, analyzing the information to reach a determination regarding the level of compliance and make suggestions for remediation.
Compliance audits should not be “one time” events. Rather, a consistent schedule of periodic compliance audits needs to be built into every legal compliance program. Depending on the size of the company, the audit may cover all functions of the business, or separate audits of particular functions or business units may be performed in order to preserve scarce resources. Companies should also consider conducting “unscheduled” audits to be sure officers and employees are diligently maintaining records and procedures on a day-to-day basis and not simply waiting until a prearranged audit period to get things in order. Companies must also monitor the effectiveness of remedial actions during the periods between formal audits.
Extensive information on Compliance Audits is available in Chapter 225 of Business Transactions Solutions (Westlaw Next). In addition, a Business Counselor Institute program on “Conducting Compliance Audits” is being presented on Tuesday, September 8, 2015 at noon, Central time. You can register for that program by clicking here. Registration information is available here.