Monitoring, Auditing, and Internal Reporting Systems

Question 1

Internal Reporting

Answer 1

• Protect anonymity and confidentiality within legal and practical limits for those reporting
• Publicize the reporting system to employees, vendors, and third parties
• Ensure systems exist to enable employees, vendors, and third parties to report any noncompliance and seek advice (e.g., hotline)
• Assure processes exist to respond to compliance and ethics concerns expressed through internal reporting
• Include compliance and ethics questions in exit interviews

Question 2

Auditing

Answer 2

• Audit compliance and ethics related risks
• Analyze compliance and ethics audit results (e.g., track, trend, evaluate, benchmark)
• Ensure audit results from external entities (e.g., outside counsel, government,
  consultants) are addressed

Question 3

Monitoring

Answer 3

• Monitor compliance and ethics related risks
• Monitor compliance and ethics related activities (e.g., hotline calls, training, and investigations)
• Monitor for organizational misconduct (e.g., violations of applicable laws, regulations, policies and procedures)
• Evaluate the effectiveness of the compliance and ethics program on an ongoing basis

Question 4

Differences between Auditing and Monitoring

Answer 4

Auditing
* Formalized method
* Independent from management
Provides objective assurance to
board and others
* Concurrent vs. retrospective

Monitoring
* Day to day process by management
* Not required to be independent

Question 5

Independent Monitors

Answer 5

Independent Monitors -
* When are they useful?
* Proactively identify problems
* In response to a pattern of complaints
* During or after a regulatory sanction

Question 6

Compliance Plan

Answer 6

• Develop a periodic risk-based audit compliance plan
• Assess the existing risk-based audit compliance plan to address dynamic changes in risk priorities