Compliance Study_complet - pwc
26 © PricewaterhouseCoopers - Protecting the brand, May 2005
Police officer
Monitoring compliance with policies and procedures
“Three line of control approach:
• Business unit - execution of controls
• Group compliance - oversight of monitoring and testing
• Group audit - independent assurance”
Over 95% of respondents indicated that Compliance was responsible for monitoring adherence to policies and procedures, often working closely with internal audit. However, in a few cases - generally where compliance functions were less developed - this was the sole responsibility of internal audit. In some European countries, where explicit requirements for compliance functions were relatively recent, less emphasis was placed on Compliance’s role with regard to compliance monitoring (the primary emphasis being advice to business).
Monitoring day-to-day business transactions (suspicious transactions, employee dealing, etc.) was often an intrinsic part of local compliance staff responsibility. These compliance staff might be simultaneously responsible for oversight of monitoring and testing at the business unit level, potentially creating tensions and confusion about the differentiation between the roles. Regular reporting was both to local management and through the compliance network.
Where appropriate technological infrastructures were in place, Group Compliance backed up this “real-time” monitoring (e.g. with global trading position monitoring). Group compliance also undertook special monitoring visits, sometimes in conjunction with internal audit and legal. One European respondent carried out three to four wider “theme” reviews per annum into specific risk areas. A North American respondent indicated that internal audit undertook some 20 to 30 special reviews into compliance on an annual basis. More broadly, Compliance collaborated closely with internal audit to monitor compliance, often providing advice to internal audit as to what should be covered in its annual audit plan. However, although the roles of compliance and internal audit were sometimes clarified through compliance charters or service level agreements (SLAs), some respondents also mentioned the blurring of lines between the two functions, and the fact that senior management and business did not always understand the differences between their roles. Others stressed frequent communication as a means to avoid overlap between Compliance and internal audit.
Compliance’s ability to comprehensively prepare its monitoring plan was dependent on its awareness of both past events, and future regulatory and business developments. Where Compliance was not involved directly in new business initiatives, respondents indicated that both business and internal audit kept Compliance informed of potential compliance risks emerging from new business in the majority of cases (see p. 33).
Taking corrective measures<br />
Business line management was deemed responsible, in the main, for the rectification of compliance breaches and weaknesses, although this was seen as Compliance’s responsibility in a number of cases. In leading organisations,