Differences Between Compliance Assurance Programme and Compliance Audit
Audit and assurance are two different protocols. However, since these two processes often go hand-in-hand, it’s easy to confuse between them. Even seasoned practitioners tend to mix them up. Therefore, this blog attends to the difference between compliance assurance Programme and compliance audit.
Compliance Assurance Programme
Here’s the basic idea of a compliance assurance Programme. It refers to independent checks as to whether the controls and processes of an entity are in line to offer compliance for the business. Do note that it does not check whether the controls and processes are compliant altogether. It rather confirms if the existing procedures can provide compliance.
The CAP must be forward looking and capable of a dynamic response to the rapidly changing business climate. The Programme must follow up with the impact due to corporate events such as mergers and acquisitions. Introduction of new products and services and senior personnel changes are also meant to influence compliance assurance Programme.
A Compliance Assurance Programme must include the following parameters.
- What is the objective of the CAP (this can be confusing as stakeholders may hold different views)
- A framework with manageable boundary ( It should commence with high level strategic planning and key process risks)
- Not covering an excessive evaluation in a single assurance map (it is usual to have different maps at different levels such as planning and evaluation)
- Direction, support, and ownership from the board
- Not consisting of technical jargon (the protocol must be represented in an easy-to-understand language, even for staffs whose native language may not be English)
Compliance Audit
On the other hand, compliance audit is an independent evaluation ensuring that the entity is compliant with external and internal procedures. On the external front, the company should oblige with applicable laws and regulations. On the internal front, the company must exhibit compliance with company bylaws, policies, procedures, and controls under board oversight.
FMA Guidelines
The Financial Market Authority of New Zealand issued an information sheet on compliance assurance Programmes back in May 2018. According to it, the use of ‘Compliance Assurance Programme’ or CAP has become a specific ‘defined’ term, at least in New Zealand.
The guidance provided by the FMA clearly mentions what a CAP is and how it is different from a compliance audit. The guidance mentions, ‘We appreciate the term “compliance assurance Programme” is easily confused with a “compliance Programme”, but the two are very different.’
Difference between the two terms
- You can outsource compliance audit. You cannot outsource the accountability of the firm with respect to compliance assurance Programme. The board and management of the firm remain “on the hook” for both processes.
- Auditing ensures that the company works on an accurate evaluation of compliance protocols and its ethical representation.
- Assurance ensures stakeholders that there are no red flags in ensuring compliance.
What is the ideal role of a Quality Compliance Assurance Manager as advertised by a headhunter in a job bulletin?
- Ensuring that the products and services are fit for purpose and consistently meet both internal and external requirements, including client expectations and regulatory requirements
- Liaising with other managers and team members to ensure the processes and policies are functioning properly by a “no surprise” policy
- Wherever appropriate, advise on changes and implement them, and provide tools, training, and technique required to achieve quality standards.
The above pyramid illustrates the inter-relationship between Compliance Audit and Compliance Assurance Programme.
No one can predict or be held responsible for what future new risk may emerge, but a soundly constructed CAP provides a solid opening position with a robust structure that can help mitigate, minimise regulatory, reputation/brand, and wider business/market risks.
An executive, from a leading UK asset management firm observed that many Boards fail to ask the most important question of all “what is wrong with our business?”. Whilst applying to the “whole of enterprise” the outcome from this simple question has important ramifications for any CAP.