Why It Matters
A compliance program without monitoring is like a security system that's never turned on. Regulators don't just ask "do you have policies?"; they ask "how do you know they're working?" The DOJ explicitly evaluates testing and monitoring as a key indicator of compliance program effectiveness. Organizations that monitor proactively detect issues early and fix them before they become violations.
Monitoring vs Auditing
| | Monitoring | Auditing |
|---|---|---|
| Frequency | Continuous or regular (daily/weekly/monthly) | Periodic (quarterly/annually) |
| Scope | Specific controls and risk areas | Comprehensive, often broader |
| Who | Compliance team, first line | Internal audit (third line) or external |
| Purpose | Detect issues in real-time | Verify overall program effectiveness |
| Output | Alerts, exception reports, dashboards | Formal audit reports with findings |
Both are necessary: monitoring catches issues quickly, while auditing provides independent assurance.
Methods
Transaction Testing
- Sample testing of transactions for compliance with policies
- Automated alerts for unusual patterns (e.g., payments above thresholds, transactions with sanctioned entities)
- Reconciliation checks between systems
Policy and Procedure Review
- Regular review of policies for accuracy and completeness
- Assessment of whether procedures match actual practice
- Gap analysis against regulatory changes
Key Risk Indicators (KRIs)
Metrics that signal potential compliance problems:
- Training completion rates: percentage of staff completing mandatory training
- Policy acknowledgment rates: who has (and hasn't) signed off on policies
- Incident and complaint trends: volume, types, resolution time
- Regulatory findings: open findings, remediation timelines
- Audit deficiency rates: percentage of audits with findings
- Third-party risk scores: vendor compliance assessment results
Compliance Testing
- Walk-throughs of key processes to verify controls operate as designed
- Mystery testing (e.g., testing whether staff follow KYC procedures)
- Simulated scenarios (phishing tests, social engineering tests)
Data Analytics
- Automated analysis of large datasets for patterns indicating non-compliance
- Continuous monitoring tools that flag exceptions in real-time
- Trend analysis over time to detect emerging risks
Building a Monitoring Program
- Risk assessment: prioritize what to monitor based on risk
- Define metrics and KRIs: what will you measure?
- Set thresholds: what triggers escalation?
- Assign ownership: who monitors, who acts on findings?
- Automate where possible: manual monitoring doesn't scale
- Report regularly: dashboard for management, periodic reports for the board
- Act on findings: monitoring without remediation is useless
- Review and update: as regulations and risks change, adjust the program
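The following is an added example, not code from the original page, showing what the Transaction Testing, KRI and program-building steps above look like when automated as a single monitoring cycle. It runs exception tests over every payment (approval threshold, denied-party screening), a reconciliation check between an AP export and a general-ledger total, and KRI threshold evaluation, then routes each finding to an owner and decides whether to escalate. All sample payments, the denied-party list, the ledger total, the KRI values, thresholds and owner assignments are constructed for the example and are not from any real system.

```python
# Added example, not code from the original page: one continuous-monitoring
# cycle over constructed sample data. Every dataset, threshold and owner
# below is hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample payments, as if exported from an AP system.
PAYMENTS = [
    {"id": "P-1001", "amount": 4200.00, "counterparty": "Acme Supplies", "approver": "mlee"},
    {"id": "P-1002", "amount": 15000.00, "counterparty": "Northwind Ltd", "approver": "mlee"},
    {"id": "P-1003", "amount": 9999.00, "counterparty": "Acme Supplies", "approver": None},
    {"id": "P-1004", "amount": 2500.00, "counterparty": "Blocked Trading Co", "approver": "jdoe"},
]
# Hypothetical denied-party list, normalised to lower case (in practice sourced
# from a sanctions screening provider and refreshed on a schedule).
SANCTIONED = {"blocked trading co"}
# Hypothetical total for the same period from the general ledger.
GL_PERIOD_TOTAL = 31199.00
# Constructed KRI observations for the period.
KRI_OBSERVED = {"training_completion_pct": 88.0, "policy_ack_pct": 99.0, "open_regulatory_findings": 4}
# KRI thresholds: (direction, warning level, escalation level), all hypothetical.
KRI_THRESHOLDS = {
    "training_completion_pct": ("min", 95.0, 90.0),
    "policy_ack_pct": ("min", 98.0, 90.0),
    "open_regulatory_findings": ("max", 3, 5),
}
# Who acts on each kind of finding (hypothetical assignment).
OWNERS = {"sanctions": "compliance", "approval": "finance-controls",
          "reconciliation": "finance-controls", "kri": "compliance"}


@dataclass(frozen=True)
class Finding:
    source: str    # which test raised it
    ref: str       # transaction id, check name or KRI name
    severity: str  # "high" or "medium"
    detail: str


def screen_transactions(payments: List[dict], sanctioned: set,
                        approval_threshold: float = 10000.0) -> List[Finding]:
    """Automated exception tests over every transaction (no sampling)."""
    findings = []
    for p in payments:
        if p["counterparty"].strip().lower() in sanctioned:
            findings.append(Finding("sanctions", p["id"], "high",
                                    f"counterparty {p['counterparty']!r} matches denied-party list"))
        if p["approver"] is None:
            sev = "high" if p["amount"] >= approval_threshold else "medium"
            findings.append(Finding("approval", p["id"], sev,
                                    f"amount {p['amount']:.2f} recorded with no approver"))
    return findings


def reconcile(payments: List[dict], ledger_total: float,
              tolerance: float = 0.01) -> Optional[Finding]:
    """Reconciliation check: the AP total must match the ledger within tolerance."""
    ap_total = round(sum(p["amount"] for p in payments), 2)
    diff = round(ap_total - ledger_total, 2)
    if abs(diff) <= tolerance:
        return None
    return Finding("reconciliation", "AP-vs-GL", "medium",
                   f"AP total {ap_total:.2f} differs from GL {ledger_total:.2f} by {diff:+.2f}")


def evaluate_kris(observed: Dict[str, float],
                  thresholds: Dict[str, Tuple[str, float, float]]) -> List[Finding]:
    """Compare each KRI with its warning and escalation thresholds."""
    findings = []
    for name, value in observed.items():
        direction, warn, escalate = thresholds[name]
        if direction == "min":   # lower is worse (completion and acknowledgment rates)
            sev = "high" if value < escalate else "medium" if value < warn else None
        else:                    # higher is worse (open findings, complaints)
            sev = "high" if value > escalate else "medium" if value > warn else None
        if sev:
            findings.append(Finding("kri", name, sev,
                                    f"{name}={value} (warn at {warn}, escalate at {escalate})"))
    return findings


def run_monitoring() -> dict:
    """One monitoring cycle: collect findings, route them to owners, decide escalation."""
    findings = screen_transactions(PAYMENTS, SANCTIONED)
    rec = reconcile(PAYMENTS, GL_PERIOD_TOTAL)
    if rec:
        findings.append(rec)
    findings += evaluate_kris(KRI_OBSERVED, KRI_THRESHOLDS)
    # High-severity findings first; stable sort keeps test order within a severity.
    ordered = sorted(findings, key=lambda f: f.severity != "high")
    routed = [(OWNERS[f.source], f) for f in ordered]
    return {"findings": routed, "escalate": any(f.severity == "high" for f in findings)}


if __name__ == "__main__":
    result = run_monitoring()
    for owner, f in result["findings"]:
        print(f"[{f.severity.upper():6}] {owner:16} {f.source}/{f.ref}: {f.detail}")
    print("escalate to management:", result["escalate"])
```

Each finding carries the test that raised it and an owner, which is what makes the "act on findings" step auditable later: the exception report is the evidence that the control ran and what was done about it. Thresholds live in one place so the "review and update" step is a data change rather than a code change.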
Key Frameworks
- DOJ Evaluation of Corporate Compliance Programs: testing and monitoring section
- COSO Internal Control Framework: monitoring activities component
- ISO 37301: compliance management system (monitoring requirements)
- Three Lines Model (IIA): monitoring responsibilities across lines