COMPLIANCE AUDITING

Compliance auditing determines whether a process or transaction has or has not followed applicable rules. If rules are violated, the auditor determines the cause and recommends ways to prevent future deviations. The rules being tested can be those created by the organization for itself through corporate by-laws, policies, plans, and procedures; can be those imposed on the organization through external laws and regulations; or can be those external standards that the organization has chosen to follow (e.g. ISO 9000 quality management systems, or ISO 14001 environmental management systems). Characteristic of compliance audits, are the yes/no aspects of the evaluation. For each process or transaction examined, the compliance auditor must ultimately decide whether it complies with the chosen standard or does not. Often, the ratio of non-compliant outcomes to compliant outcomes is calculated and used as a basis to estimate an overall percentage of "non-compliance." (Such ratios, often used to extrapolate sample results to the total population, should be verified to be sure that underlying assumptions support their use as estimators.) The auditor typically reports reasons for noncompliance, if found; describes implications and risks of noncompliance; and suggests corrective action to prevent future occurrences.

Compliance auditors must have the skills to research issues effectively using authoritative materials, understand how to apply the knowledge gained to the circumstances being tested, and be able to explain to the organization what compliance means in day-today operations. Reaching a conclusion that an outcome complies or does not comply with a standard is not necessarily simple, especially in domains governed by complex regulations (e.g. occupational health and safety, environmental, employment practices, health care, insurance, federal grants and contracts, employee pensions and benefits, federal tax etc.). Technical specialists, and attorneys experienced in the particular subject matter, can assist with evaluations. But specialized assistance does not assure clear cut answers when standards are open to interpretation and defensible positions can be made on both sides of an issue. In such cases regulatory assistance is available, at a nominal cost, through mechanisms such as official agency advisory opinions or private letter rulings. Opinion of legal counsel can also provide some comfort, but such letters may not coincide with a governmental agency official ruling.

WH O PERFORMS COMPLIANCE AUDITS AND
WHO REQUESTS THEM?

Compliance audits can be performed by employees of the organization, public accountants or attorneys hired by the organization, or governmental auditors assigned by a regulatory agency. Compliance audits are often done by internal auditors or staff attorneys in advance of an external compliance audit so that any potential problems can be detected and corrected in advance. When internal auditors have already audited activities and management has taken action to correct noncompliance, external examiners may request that documentation as evidence of the organization's good-faith effort to correct noncompliance.

A few examples that follow illustrate some of the varied combinations of compliance audit sponsors, audit topics, and auditors. The Department of Health and Human Services, Office of Inspector General, sends its staff to review Medicare Part B (physician) billings at ten major teaching hospitals to ensure that reimbursements were reasonable, allowable, and properly documented in accordance with regulations. The board of directors of an organization ask the internal auditors to examine the company's investment portfolio to assess whether maximum maturity, foreign investments, degree of diversification, and credit ratings of issuers conform to board mandated investment policies. A vice president requests that legal counsel review company practices for compliance with the Fair Labor Standards Act. A lender requires that an organization provide annual certification, prepared by a certified public accountant, that a company has followed debt covenant requirements. The Defense Contract Audit Agency (DCAA) sends its auditors to a defense contractor to determine whether cost accounting practices meet federal standards. The chief information officer requests internal auditors to verify that security administrators have followed system access protocols. An outside sponsor, exercising a right-to-audit clause in its original agreement with the company, requests access to verify that the terms of its contract with the organization are being met. The Internal Revenue Service sends auditors to evaluate whether the company is properly withholding and remitting income, social security, and Medicare taxes.

HISTORY AND BACKGROUND

The growth of compliance auditing is fundamentally a 20th century phenomenon. Its emergence as a distinct type of auditing coincides with the rapid growth of business after the industrial revolution and the concurrent growth in efforts by organizations and governments to direct and control business practices.

Laws, regulations, policies, and procedures were implemented to ensure control. It became the responsibility of auditors to verify that these rules were indeed being followed. Several distinct groups of "auditors" emerged and grew—external auditors in public accounting firms; attorneys specializing in particular regulatory domains; "compliance auditors" employed within organizations such as internal auditors; technical compliance specialists (for example, radiation safety officers), and quality assurance evaluators; and auditors employed by state, local, or federal governments, agencies, or regulatory bodies.

The growth in the number of federal audit agencies has been quite visible. Federal auditors do perform a variety of audit services, but compliance auditing has always played a key role. Federal audit divisions include the General Accounting Office (GAO), the Internal Revenue Service (IRS), Defense Contract Audit Agency (DCAA), and the Offices of the Inspector General (OIG). As of mid-1995, Public law 95-452 indicates that 61 individual offices of the Inspectors General had been established. (There is an Office of Inspector General for each federal department including ones such as Agriculture, Commerce, Defense, Education, Energy, Equal Employment Opportunity Commission, Federal Emergency Management Agency, Health and Human Services, Housing and Urban Development, Interior, Justice, Labor, State, Transportation, Agency for International Development, Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Small Business Administration, and Veterans Administration.) In addition, several federal regulatory agencies perform their own audits. These agencies include the Securities and Exchange Commission, Federal Energy Regulatory Commission, Federal Communications Commission, Federal Maritime Commission, Federal Trade Commission, and the Health Care Financing Administration.

Despite the seemingly large number of governmental audit units, governmental capacity to perform compliance audits has not kept pace with the growing number of laws and regulations. More and more regulatory compliance audits are being performed by the private sector. In response, public accounting firms and law firms have significantly expanded their compliance services. That expansion has been further stimulated by legislation requiring that organizations pay external consultants to perform compliance audits to be submitted to the government. The requirement for an external compliance audit frequently becomes a condition for receiving federal funds. Organizations should be aware that under these arrangements the external compliance auditor may be acting as the agent of the regulator, even though the organization is paying the audit fee.

FEDERAL SENTENCING GUIDELINES

Federal Sentencing Guidelines, passed in 1991, require an organization to remedy the harm caused by its offense and apply a monetary fine for the violation of federal law. The fine is calculated by applying a multiplier based on a "culpability score" to the "base fine." The culpability score is increased for such factors such as size of organization, years since previous offense, violation of a previous order, and obstruction of justice. The culpability score is reduced by such factors as existence of organization programs to prevent and detect non-compliance and the organization's self-reporting of violations, cooperation with the regulators, and acceptance of responsibility. Culpability factors are further mitigated if the organization had implemented and communicated compliance standards and procedures and had assigned responsibility for compliance to a qualified individual—a "Compliance Officer"—at a high enough level to achieve an effective program to prevent, detect, and correct violations. Predictably, the Federal Sentencing Guidelines spawned major growth in compliance programs and compliance offices in organizations, such as hospitals, defense contractors, and major research universities, subject to multiple sources of federal regulation. In some cases these compliance offices were joined with the internal audit function, in other cases they remained separate.

FEDERAL COMPLIANCE ASSISTANCE AND
ADVISORY OPINIONS

In the last decade the federal regulatory agencies have been proactive in providing compliance assistance. Examples of agency cooperation with companies that "self-disclose" and correct violations are publicized. Agencies have created examples of model compliance programs and made them available through Internet sites and federal publications. Certain agencies, such as the Internal Revenue Service, have promoted voluntary compliance programs and established amnesty periods for "self-correcting" violations, primarily for employee benefits regulations. Many agencies offer their "advisory opinions" or "private letter rulings," at a nominal fee, to assist with complex regulatory scenarios and to provide "official" rulings on issues.

THE COMPLIANCE AUDIT DILEMMA

Despite significant increase in assistance from regulators, organizations still feel caught in a compliance audit dilemma for a number of reasons. If the organization "gets caught" it is subject to severe penalties. If it is not caught by regulators, someone knowing of a violation may file suit for the violation, on behalf of the federal government, under the False Claims Act. If the organization "self-reports" violations they find through compliance audits, they can be penalized anyway when they do not meet an agency's pre-established criteria. For example, the EPA may still recommend criminal enforcement for a violation uncovered by an audit, promptly disclosed, and corrected, if one of nine other conditions is not met. Further, if organizations report violations to an agency, there may be no confidentiality or "privilege" provisions for what the organization's compliance audits and nothing to prevent discovery of those audits by other authorities or third parties.

Compliance audits produced by organizations have been "discoverable" in civil litigation by parties attempting to introduce "evidence" derived from that audit, sometimes to the detriment of the organization. That possibility of "discovery" has continued to dampen enthusiasm for robust, proactive compliance auditing notwithstanding the Federal Sentencing Guidelines. Under certain circumstances (under advise from their legal counsel) organizations can use the "attorney-client privilege" or the "work product doctrine" under common law, to protect compliance audits from discovery. (When organizations do this as a matter of operating procedure, they may acquire some protection but could then attract the curiosity of regulators.)

Historically, compliance audits not prepared in anticipation of litigation (work-product) or not prepared for performance of legal service (attorney-client privilege) are not protected. A potential protection for compliance audits might be emerging under a "self-evaluative" or "self-critical analysis" privilege. The primary advantage of such a privilege is that legal counsel's services would not be required to qualify a document, such as a compliance audit, for protection. This privilege first arose in the context of medical malpractice where it was affirmed that hospital staff meetings and peer reviews would be excluded from evidence because of the public policy need to preserve a free-flow of information among doctors. Bredice v. Doctor's Hospital, Inc. (affirmed) 479 F.2d 920 D.C. Cir. 1973. More recently, the self-audit privilege was successfully applied to protect an environmental compliance audit in Reichold Chemicals. Inc. v. Textron, Inc. 39 ERC 1328 (N.D. Fla. 1994). As of 1997, 21 states have now adopted "audit-privilege" laws to encourage their organizations to perform voluntary environmental audits. The strength of the emerging "self-audit privilege" remains unclear. Also, the paths taken by the many states conflict with the EPA's current position that privilege invites secrecy; there is no evidence that it is needed; it encourages parties to claim protections for evidence required to establish a violation; it breeds litigation on the scope of the protections; civil and criminal penalties are already reduced; and law enforcement and public interest groups oppose such privilege.

THE COMPLIANCE AUDIT PROCESS

The person or organization requesting the compliance audit plays the key role in determining the objective, scope, and time period to be reviewed and who will do the work. They may also control the audit process itself by outlining detailed procedures and prescribing methods for judging results.

Before beginning a particular compliance audit, the auditors must be properly qualified through education and experience to perform the work. Also, the auditor must have a clear understanding of the nature, purpose, objectives, and scope of the compliance audit. Next, the auditor should obtain a thorough understanding of the laws, policies, or standards being evaluated, decide how to recognize when a deviation has occurred, and how to evaluate evidence obtained through audit tests. This means that the auditor must figure out, for each event to be tested, just what evidence signifies compliance and what evidence signifies noncompliance. In addition, it is important for the auditor to find out the degree of deviation from standards that is considered tolerable by the audit sponsor. Detailed information about key compliance audit questions often exists in the form of independently published compliance audit guidelines and generally accepted auditing standards. Otherwise, the auditor should make sure that key questions and issues are clarified with the audit sponsor.

Assessing compliance may be simple, requiring a brief inspection to find out whether rules were followed or not. At the other extreme, making a judgment may require extensive research of regulatory requirements, interpretations, and technical materials before a valid conclusion about one event or a single transaction can be made. If the auditor is not sufficiently experienced in very specialized compliance topics then the opinions of an expert should be sought. The auditor will usually choose a sample of events or transactions for testing when it is not practical to examine every one that falls within the scope of the audit. Compliance audit tests can incorporate statistical sampling techniques and measure sampling risk when the following conditions can be reasonably assumed: the population must be large enough to permit the mathematical laws of statistics to operate; errors must be distributed randomly throughout the population; and, evidence of such randomness must exist. More often than not such assumptions cannot be made and a non-statistical sampling approach ("haphazard sampling") is used. Estimates of sampling risk are not valid with non-statistical sampling. At the conclusion of testing, the auditor evaluates evidence from audit tests as a whole. If testing evidence indicates, within tolerable limits, that rules have been followed and prohibitions have not been violated, the organization is deemed to be in compliance with respect to the activities audited. If incidents of noncompliance exceed tolerable limits, the frequency and severity of deviations should be studied. Penalties and sanctions may be imposed in serious cases of noncompliance. Identification of corrective measures that could be applied to bring activities back into compliance becomes important.

Compliance audit reports must communicate in a fashion that is relevant to the person or entity sponsoring the audit. Reports issued to federal regulators must often follow guidelines prescribing form and content. Reports usually describe the objectives of the compliance audit, the number of conditions examined during the time period considered, the frequency of events conforming to conditions, and the number of exceptions. When a statistical sample of events has been tested and required assumptions are appropriate, results from the sample may be used to predict the level of compliance for all events or transactions within the scope of the audit. Compliance audit reports often indicate reasons for deviations from standards, describe implications of those deviations, and recommend actions that strengthen control procedures for assuring compliance.