Compliance on the forefront

Update

Compliance on the forefront: How to establish and maintain an effective compliance programme

Cristian Manganiello
Assurance Partner

Organisations are rolling out digital initiatives in an arena defined by more data, more automation, sophisticated cyberattacks, a constantly evolving regulatory landscape, and constant changes in customer expectations. Overregulation continues to be a top threat identified by CEOs in PwC’s 22nd Annual Global CEO Survey. And with the widening breadth and quickening pace of digital transformation, regulatory compliance requirements continue to evolve, and issues are arising more and more often. The likelihood is far greater today that when an issue arises, it will snowball quickly.

Stricter regulatory enforcement, mounting pressures from global movements (such as #metoo), and watchdogs such as whistle-blowers, activist groups, and investigative journalists are escalating the importance of a strong and ethical culture as well as more-transparent internal reporting channels. Compliance failures can cause organisations to suffer reputational damage, customer churn, and costly fines. In fact, the importance of noncompliance is greater than ever before.

A new assurance standard to establish trusted compliance management systems

EXPERTsuisse has released the new Swiss Audit Standard SAS 980 (“Schweizer Prüfungsstandards” or “Norme d’Audit Suisse”) that defines the principles in relation to providing assurance on Compliance Management Systems (hereinafter referred to as “CMS”), that are either established on a legal or on a voluntary basis. The standard provides practitioners for the first time with a comprehensive framework to assess the effectiveness of a CMS, which allows organisations to obtain greater transparency on their programme, build trust for their stakeholders and potentially unlock commercial advantages. Ultimately, the provision of formal assurance acts as a catalyst for more confidence between organisations and their stakeholders. While the assurance standard provides practitioners with guidance on how to independently assess, conclude and attest the design, implementation and effectiveness of the CMS, it provides organisations with an excellent basis to review and further enhance their existing compliance programme.

Figure 1: Principles of CMS in accordance with SAS 980

Core principles for an effective compliance programme

The standard not only addresses the required assurance procedures to form a conclusion in relation to an effective CMS, but also introduces five interlinked principles. These are fundamental to an effective compliance programme and should be integrated as part of the organisation’s business processes: 1) compliance culture, 2) compliance goals / objectives, 3) compliance risks, 4) compliance program and 5) compliance organization.

Organisations that implement these principles and related criteria successfully are able to:

establish an ethics and compliance culture across all relevant levels of the organisation,
consider the impact that general business goals have on the CMS,
drive a structured risk assessment / management approach to determine compliance risks,
implement an effective CMS to enable both the detection and prevention of compliance risks,
define responsibilities and accountabilities in relation to the compliance organisation, and
establish and maintain an effective compliance programme.

Areas where the core principles can be applied

Next to the core principles for a CMS that is valid throughout the organisation, there are a number of other areas where sound governance frameworks are required to establish and maintain an effective level of compliance, e.g.:

1) Distributed Supply Chain

A characteristic of the today’s ecosystem is that networks of contributors play their role in the production in almost every physical or virtual product or service. Its suppliers and component producers are working in an interoperable or cooperative workspace connected via legal contracts and relationships driven by financial interests.

To protect and ensure their own reputation and as a risk and quality measure, multinational companies request from their suppliers attestations that they comply with minimum legal requirements as well as generally accepted principles. For suppliers and multinational companies alike, an attestation about the existing CMS before entering into or sustaining a business relationship forms the foundation for mutual trust. To name a few legal requirements that may be considered: e.g. corporate governance, anti-money laundering, anti-bribery, sanctions or voluntary principles: norms as described in International Labour Organization conventions (e.g. Ethic trading initiative, Social accountability etc.), Global Compact SDG Goals or greenhouse gas protocol, sustainability requirements for suppliers issued by a multinational manufacturer.

2) Data Protection

The principle of accountability is increasingly embedded into data protection laws and regulations. For instance, organisations subject to the General Data Protection Regulation (GDPR) issued by the European Union (EU) must demonstrate their compliance with these rules. By being transparent about how an organisation is meeting the requirements of applicable laws, it can provide the trust that business partners, other stakeholders and society in general seek.

In this area, there are a number of standards and guidelines that can be applied as part of a data protection specific CMS. A practitioner might, for example, use the GDPR-CARPA (Certified Assurance Report-based Processing Activities Certification Criteria) from Luxembourg or the NOREA-PCF (Privacy Control Framework) from the Netherlands to evaluate the specific CMS.

3) Tax Compliance

Compliance across all taxes, statutory accounting and tax reporting is becoming increasingly complex. Companies are struggling to do more with less while driving value out of their tax and finance functions. The centralisation of finance and accounting functions presents additional challenges when dealing with complex local rules, disparate technologies, and manual processes during the compliance cycle. This results in a greater risk of compliance failures and minimal time for strategic forecasting or planning.

A tax-specific CMS enables organisations to implement a sound compliance programme, while rethinking their approach to domestic and global compliance and reporting by taking a closer look at their technology, processes, resources, and service providers (including co-sourcing/outsourcing).

4) Corporate Sustainability

As worldwide focus on sustainability intensifies, businesses are facing an ever-growing array of new restrictions on the materials they use, the by-products they produce, the safety of their facilities and other aspects of their operations. The restrictions, both voluntary and involuntary, are emanating from a variety of industry initiatives, and governmental and non-governmental organizations, frequently with overlapping jurisdictions and each with a unique set of reporting requirements. The need to verify adherence to these multiplying standards and restrictions is creating vast new demands on businesses’ compliance and assurance functions.

Sustainable companies understand that both corporate sustainability and compliance teams have a critical role to play in driving ethical behaviour and embedding values throughout the organization. These teams need to coordinate more with each other and across the business in an integrated CMS to design more effective ways to generate resilience dividends.

How PwC can help

To understand the impact and opportunities that the new Swiss Audit Standard SAS 980 will bring to you, we are able to assist you with assessing the impact of the different principles outlined in the standard. Our readiness, gap analysis and attestation activities tackle the required compliance culture, objectives, significant risks, overall program and organizational aspects of your CMS – throughout your company or to specific areas of your organisation.

Article overview