We will talk about element number four of an effective sanctions compliance program. In particular, you will learn a bit more about the importance of proper and proportionate testing and auditing of a sanctions compliance program.
Testing And Auditing
An effective sanctions compliance program requires organizations to assess the effectiveness of current processes and check for inconsistencies between these and day-to-day operations.
A comprehensive and objective testing or audit function within the compliance program ensures that a company identifies program weaknesses and deficiencies, and it is the company’s responsibility to enhance its program. Such enhancements might include updating, improving, or recalibrating compliance program elements to account for a changing risk assessment or sanctions environment. Testing and auditing can be conducted on a specific element of the compliance program or at the enterprise-wide level.
Components Of The Elements Of Compliance Program
Under this element, a company should consider the following three components:
First of all, an organization should ensure that the testing or audit function is accountable to senior management, is independent of the audited activities and functions, and has sufficient authority, skills, expertise, and resources within the organization. There are three general requirements under this prong.
First, both the testing and audit functions for trade control must have a line of sight into senior management. Second, the testing and audit function must be separate from the design and application of the trade control functions (akin to auditor independence). Finally, the testing and audit function must not only have the authority to do its job but also be capable of doing so, from both an ability and a staffing view.
Secondly, an organization should ensure that it has testing or audit procedures appropriate to the level and sophistication of its compliance group and that this function, whether deployed internally or by an external party, reflects a comprehensive and objective assessment of the organization’s sanctions-related risk assessment and internal controls. The key words under this prong are "comprehensive" and "objective". Your audit team must be able to do a robust and thorough audit of your trade compliance program. Further, it must be truly objective.
Last but not least, an organization should ensure that, upon learning of a confirmed negative testing result or audit finding pertaining to its compliance program, it will take immediate and effective action, to the extent possible, to identify and implement compensating controls until the root cause of the weakness can be determined and remediated. If you find a deficiency or a gap, you must move forward to remedy it. But more than simply implementing a remedy, you perform a root cause analysis to understand the true cause of any failure.
What Is A Test Of Control?
We assist our clients in identifying the controls that they have or need to implement when performing a System and Organization Controls (SOC) examination. These controls will demonstrate to their clients that the services they provide or the environment in which they work is safe and secure. So, once the controls have been identified, how do you ensure they are operational? This is where a control test comes into play. There are several methods for confirming or testing that a control is operational. The five testing methods used for testing controls as part of a SOC examination are outlined below.
A control test is an audit procedure used to evaluate the effectiveness of a control used by a client entity to prevent or detect material misstatements. Auditors may choose to rely on a client’s system of controls as part of their auditing activities based on the results of this test. If the auditors discover an error in a control test, they will increase the sample size and conduct additional testing. If more errors are discovered, they will consider whether there is a systematic control problem that renders the controls ineffective, or whether the errors appear to be isolated instances that do not reflect on the overall effectiveness of the control in question.
When To Use the Different Audit Testing Procedures?
Population samples are chosen for testing based on the type of test being performed (a test of one would be completed for an automated control using re-performance, but a sample of the population would be selected for an inspection control). The population size and the level of precision we want to achieve in the testing are also factors to consider.
If the auditor discovers an error in a control test during testing, they will increase the sample size and conduct additional tests. Additional types of testing procedures may be necessary or beneficial. If more errors are discovered, the auditor will consider whether there is a systematic controls problem that renders the controls ineffective, or if the errors appear to be isolated incidents that do not reflect on the overall effectiveness of the control in question.
What are the Main Procedures for Obtaining Audit Evidence?
When completing control tests, it is critical to consider how audit evidence will be obtained. To be able to rely on the evidence obtained, the auditor must be confident that it is complete and accurate. This can be accomplished by directly observing the person in charge of the audit support as they pull it, for example by sitting with a system administrator while they pull up and screenshot password restrictions or a population of all system users. Furthermore, the queries used to pull the data can be obtained and reviewed to ensure that no part of the population has been filtered out.
These procedures assess a control’s effectiveness in preventing or detecting a material misstatement. Depending on the results of this test, the auditor may decide to include a client’s system of controls in the audit plan. However, if the test reveals that the controls are inadequate, the auditor will increase the use of substantive testing, which typically raises the audit cost. A control test is performed regardless of the dollar amount of the underlying business transaction; the main goal of the test is to see if a control functions properly, so the dollar amount of a transaction is unimportant to the test’s goal.