An effective compliance system must be constantly improved and developed. At the same time, the corruption risks faced by companies may change, as well as the nature and scale of their activities, so the procedures adopted to reduce risks may also require modifications.
Monitoring and testing a compliance process is one of the tools for maintaining its operating effectiveness. Without testing, it is impossible to identify which compliance processes work appropriately and are adequate and which need improvement. Monitoring and testing are also a mandatory part of the compliance process to combat bribery under the legislation of Ukraine.
The Purpose of the Process of Monitoring and Testing of the Compliance System
The purpose of the process of monitoring and testing the compliance system is as follows:
- Supervising the implementation of measures of the compliance system and checking their effectiveness
- Detection of any drawbacks in the adoption of compliance procedures or their violations
- Detection of manifestations of corruption
- Providing and subsequently implementing recommendations concerning the detected violations and taking other appropriate corrective measures to improve the effectiveness of the compliance system
While adopting monitoring and testing procedures in the company, it is necessary, first of all, to determine the following:
What needs to be controlled and tested?
All processes of the compliance system are subject to monitoring. However, it is appropriate to take a risk-oriented approach when determining the list of processes to be included in monitoring.
First, the list needs to include compliance procedures in the processes that are assigned a high level of risk before the implementation of compliance controls is taken into account.
Such high-risk areas usually include the following processes:
- Hiring employees
- Contractual work
- Concluding agreements of a civil law character
- Presenting gifts by the company
- Carrying out charitable projects
- Sale of services or goods of the company at a discounted price or provision of individual price offers
- Incurring representation expenses
- Undergoing anti-corruption training by employees
- Holding marketing or PR events
- Approval of intermediaries and company representatives, especially regarding the legal and regulatory activities of the company
- Approval of mergers and acquisitions (M&A)
What information is collected during checking?
During monitoring, compliance controls and processes are checked based on collected documentary evidence from relevant sources.
Whether the compliance function can collect information about transactions independently depends on its access to that information, for example, where document flow is electronic and the compliance function has access to it.
It may also depend on responsible units that provide such information upon a request or within specified terms, for example, providing registers, reports, downloads from accounting programs, etc. The forms and terms of providing such information can be agreed upon before the procedure.
Who is responsible for monitoring?
Compliance is usually the responsibility of the compliance function of the company.
However, if it is necessary to monitor a process owned by the compliance function itself, for example, the “Hotline”, monitoring and testing should be delegated to another company function, if possible, for example, to internal audit. Alternatively, if the compliance function has sufficient resources, it is necessary to ensure that monitoring is conducted by employees who are not involved in the process being checked.
What are the methods of monitoring and testing?
While choosing a method of sampling the transactions to be checked, it is advisable to adopt a risk-oriented approach, that is, to take into account the level of risk of the process, the presence of the violations detected during previous inspections, and the number of transactions and other criteria.
For example, in a large company for processes with a large number of transactions in contractual work, a random quantitative sample may be used to identify the number of contracts to check for the inclusion of anti-corruption clauses. More attention should be paid to contracts with a high level of risk, such as the involvement of an intermediary and the participation of Politically Exposed Persons or PEPs.
The frequency of conducting monitoring can be set based on the resources available to the compliance function and the peculiarities of the organization, the size, number of transactions, etc. But in practice, quarterly monitoring and testing are optimal to maintain the effective operation of the compliance system.
When should monitoring and testing be conducted?
It should be conducted in processes with fewer transactions, and a higher level of continuous risk checking can be applied.
However, if the level of compliance culture in the company is high enough and, for example, no violations have been detected according to the results of inspections, monitoring of such processes, if their level of risk is low, can be conducted less often, but they must be included in the plan of inspections during the reporting year.
When should monitoring results be analyzed and assessed?
The terms of conducting monitoring and analysis of the collected information need to be set depending on the volume of information to be checked, the resources available to the compliance function, and other factors that may affect the terms.
What measures should be taken concerning the detected violations or ineffectiveness of compliance processes?
If possible, it is desirable to eliminate the shortcomings during an inspection.
If violations are detected during an inspection, their consequences need to be eliminated. The need to eliminate the cause of the violations must also be assessed to ensure that they do not recur.
Measures need to be taken, which may include, for example:
- Conducting additional training or instruction sessions
- Settlement of conflicts of interests
- Correction of work of compliance process automation, if it is available
- Change of compliance procedures
- Introduction of new compliance procedures
- Conducting an internal investigation
- Setting new deadlines
- Imposing disciplinary sanctions under the labor legislation
Each round of monitoring and testing should begin with checking the implementation of the recommendations provided according to the approved results of previous inspections.
To whom and how must such information be transferred?
The report on the monitoring results is submitted to the company’s head, who considers the results of the inspection and, if necessary, makes the appropriate decisions. Information concerning the processes and/or transactions in which violations are detected is sent to their owners.
If there is a parent company where a compliance system is implemented, a report can also be sent to the representatives of its compliance function.
As regulatory compliance obligations continue to grow, it is more important than ever to have a clear picture of your performance in terms of good governance and compliance. Organizations have responded to this challenge by implementing ever-stricter compliance monitoring processes. Larger and more complex businesses, as well as smaller, simpler ones, face challenges in meeting their obligations across all of their entities. In this section, we define compliance monitoring and examine why it is so important in today’s legislation-heavy business landscape.