Why It Matters
A compliance program without monitoring is like a security system that's never turned on. Regulators don't just ask "do you have policies?" — they ask "how do you know they're working?" The DOJ explicitly evaluates testing and monitoring as a key indicator of compliance program effectiveness. Organizations that monitor proactively detect issues early and fix them before they become violations.
Monitoring vs Auditing
| | Monitoring | Auditing |
|---|---|---|
| Frequency | Continuous or regular (daily/weekly/monthly) | Periodic (quarterly/annually) |
| Scope | Specific controls and risk areas | Comprehensive, often broader |
| Who | First line (operational management) and second line (compliance team) | Internal audit (third line) or external auditors |
| Purpose | Detect issues as they happen, or close to it | Provide independent assurance of overall program effectiveness |
| Output | Alerts, exception reports, dashboards | Formal audit reports with findings |
Both are necessary — monitoring catches issues quickly, auditing provides independent assurance.
Methods
Transaction Testing
- Sample testing of transactions for compliance with policies
- Automated alerts for unusual patterns (e.g., payments above thresholds, transactions with sanctioned entities)
- Reconciliation checks between systems
Policy and Procedure Review
- Regular review of policies for accuracy and completeness
- Assessment of whether procedures match actual practice
- Gap analysis against regulatory changes
Key Risk Indicators (KRIs)
Metrics that signal potential compliance problems:
- Training completion rates — percentage of staff completing mandatory training
- Policy acknowledgment rates — who has (and hasn't) signed off on policies
- Incident and complaint trends — volume, types, resolution time
- Regulatory findings — open findings, remediation timelines
- Audit deficiency rates — percentage of audits with findings
- Third-party risk scores — vendor compliance assessment results
Compliance Testing
- Walk-throughs of key processes to verify controls operate as designed
- Mystery testing (e.g., testing whether staff follow KYC procedures)
- Simulated scenarios (phishing tests, social engineering tests)
Data Analytics
- Automated analysis of large datasets for patterns indicating non-compliance
- Continuous monitoring tools that flag exceptions in real-time
- Trend analysis over time to detect emerging risks
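The transaction testing and data analytics methods above, as an added example that is not from the original page: a small Python rule runner over constructed payment and ledger records. It flags single payments at or above an approval threshold, matches payees against a denied-party list after normalizing names (so punctuation and spacing variants are not missed), detects a run of just-under-threshold payments to one payee (an unusual pattern consistent with splitting a payment to dodge the approval control), and reconciles the payment system against the ledger. The thresholds, the seven-day window, the denied-party list and the sample records are all assumptions chosen for illustration; a real program takes its thresholds from the risk assessment and screens against the official sanctions lists.

```python
"""Transaction-testing rules over constructed sample data (illustrative, not production code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
import unicodedata


@dataclass(frozen=True)
class Payment:
    ref: str
    day: date
    payee: str
    amount: float


# Assumed policy parameters (hypothetical; real values come from the risk assessment).
APPROVAL_THRESHOLD = 10_000.00   # single payments at/above this need a second approver
NEAR_THRESHOLD_FLOOR = 9_000.00  # "just under" band used by the splitting rule
PATTERN_WINDOW = timedelta(days=7)
PATTERN_MIN_COUNT = 3

# Constructed denied-party list; a real program screens against OFAC/EU/UN lists.
DENIED_PARTIES = {"ACME HOLDINGS LTD", "NORTHWIND TRADING"}


def normalize(name: str) -> str:
    """Strip accents, case-fold and collapse punctuation/whitespace so that
    'Acme Holdings, Ltd.' and 'ACME HOLDINGS LTD' compare equal."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = "".join(ch if ch.isalnum() else " " for ch in s.upper())
    return " ".join(s.split())


DENIED_NORMALIZED = {normalize(n) for n in DENIED_PARTIES}


def rule_threshold(payments):
    return [(p.ref, "above-threshold", f"{p.amount:.2f} >= {APPROVAL_THRESHOLD:.2f}")
            for p in payments if p.amount >= APPROVAL_THRESHOLD]


def rule_sanctions(payments):
    return [(p.ref, "denied-party", p.payee)
            for p in payments if normalize(p.payee) in DENIED_NORMALIZED]


def rule_split_pattern(payments):
    """Flag a payee receiving PATTERN_MIN_COUNT or more near-threshold payments
    inside PATTERN_WINDOW; each such cluster is reported once."""
    by_payee = defaultdict(list)
    for p in sorted(payments, key=lambda p: p.day):
        if NEAR_THRESHOLD_FLOOR <= p.amount < APPROVAL_THRESHOLD:
            by_payee[normalize(p.payee)].append(p)
    hits = []
    for ps in by_payee.values():            # ps is already in date order
        for i, first in enumerate(ps):
            window = [q for q in ps[i:] if q.day - first.day <= PATTERN_WINDOW]
            if len(window) >= PATTERN_MIN_COUNT:
                hits.append((",".join(q.ref for q in window), "split-pattern", first.payee))
                break
    return hits


def rule_reconcile(payments, ledger):
    """Reconcile the payment system against the general ledger by reference and amount."""
    ledger_by_ref = {l.ref: l for l in ledger}
    hits = []
    for p in payments:
        entry = ledger_by_ref.get(p.ref)
        if entry is None:
            hits.append((p.ref, "missing-in-ledger", f"{p.amount:.2f}"))
        elif abs(entry.amount - p.amount) > 0.005:
            hits.append((p.ref, "amount-mismatch",
                         f"payments={p.amount:.2f} ledger={entry.amount:.2f}"))
    for ref in sorted(ledger_by_ref.keys() - {p.ref for p in payments}):
        hits.append((ref, "missing-in-payments", f"{ledger_by_ref[ref].amount:.2f}"))
    return hits


def run_all(payments, ledger):
    """Exception report: one (reference(s), rule, detail) tuple per hit."""
    report = []
    for rule in (rule_threshold, rule_sanctions, rule_split_pattern):
        report.extend(rule(payments))
    report.extend(rule_reconcile(payments, ledger))
    return report


# Constructed sample data: one payment above threshold, one denied party with a
# spelling variant, three near-threshold payments to one payee in six days, one
# ledger amount with transposed digits, and one record present on only one side.
D = date(2024, 3, 1)
SAMPLE_PAYMENTS = [
    Payment("P-1001", D, "Contoso Supplies", 4_200.00),
    Payment("P-1002", D + timedelta(days=1), "Acme Holdings, Ltd.", 1_500.00),
    Payment("P-1003", D + timedelta(days=2), "Fabrikam GmbH", 12_750.00),
    Payment("P-1004", D + timedelta(days=2), "Globex Corp", 9_800.00),
    Payment("P-1005", D + timedelta(days=4), "Globex Corp", 9_650.00),
    Payment("P-1006", D + timedelta(days=6), "GLOBEX  CORP", 9_900.00),
    Payment("P-1007", D + timedelta(days=7), "Tailspin Toys", 2_000.00),
]
SAMPLE_LEDGER = [
    Payment("P-1001", D, "Contoso Supplies", 4_200.00),
    Payment("P-1002", D, "Acme Holdings Ltd", 1_500.00),
    Payment("P-1003", D, "Fabrikam GmbH", 12_570.00),   # transposed digits
    Payment("P-1004", D, "Globex Corp", 9_800.00),
    Payment("P-1005", D, "Globex Corp", 9_650.00),
    Payment("P-1006", D, "Globex Corp", 9_900.00),
    Payment("P-1008", D, "Woodgrove Bank", 300.00),      # in the ledger only
]

if __name__ == "__main__":
    for ref, rule, detail in run_all(SAMPLE_PAYMENTS, SAMPLE_LEDGER):
        print(f"{rule:20} {ref:24} {detail}")
```

Each hit carries the rule name so the exception report can be sampled per rule during periodic testing, and the sanctions rule runs on normalized names rather than raw strings; exact-match screening on raw payee text is the most common way a denied-party control silently fails.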
Building a Monitoring Program
- Risk assessment — prioritize what to monitor based on risk
- Define metrics and KRIs — what will you measure?
- Set thresholds — what triggers escalation?
- Assign ownership — who monitors, who acts on findings?
- Automate where possible — manual monitoring doesn't scale
- Report regularly — dashboard for management, periodic reports for the board
- Act on findings — monitoring without remediation is useless
- Review and update — as regulations and risks change, adjust the program
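The program-building steps above (define KRIs, set thresholds, assign ownership, automate, report, act), as an added example that is not from the original page: a Python script that computes three of the KRIs listed earlier from constructed records, rates each against amber/red thresholds that respect the indicator's direction (a low training completion rate is bad, a high count of overdue findings is bad), compares it with the previous period to show the trend, and groups everything that is not green by the owner who has to act. The KRI names, thresholds, owners, staff records, findings and previous-period values are all assumptions for illustration.

```python
"""KRI evaluation with directional thresholds, trend and owner routing (illustrative)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KRI:
    name: str
    owner: str            # who acts when the indicator breaches
    amber: float          # first escalation level
    red: float            # second escalation level
    higher_is_worse: bool # direction in which the value deteriorates


# Hypothetical KRI definitions and thresholds.
KRIS = [
    KRI("training_completion_pct", "HR Compliance Lead", amber=95.0, red=90.0, higher_is_worse=False),
    KRI("policy_ack_pct", "Policy Office", amber=98.0, red=90.0, higher_is_worse=False),
    KRI("overdue_findings", "Head of Compliance", amber=1, red=3, higher_is_worse=True),
]

# Constructed source records for one reporting period.
AS_OF = date(2024, 3, 31)
STAFF = [f"u{i:02d}" for i in range(20)]
TRAINING_DONE = set(STAFF[:18])   # 18 of 20 staff completed mandatory training
POLICY_ACKED = set(STAFF[:19])    # 19 of 20 staff acknowledged the policy set
FINDINGS = [                      # (id, remediation due date, closed?)
    ("F-01", date(2024, 2, 15), True),
    ("F-02", date(2024, 3, 1), False),
    ("F-03", date(2024, 3, 20), False),
    ("F-04", date(2024, 4, 30), False),
]
PREVIOUS = {"training_completion_pct": 94.0, "policy_ack_pct": 93.0, "overdue_findings": 2}


def pct(done, total):
    return round(100.0 * done / total, 1) if total else 100.0


def measure(as_of):
    """Compute the current KRI values from the raw records."""
    return {
        "training_completion_pct": pct(len(TRAINING_DONE), len(STAFF)),
        "policy_ack_pct": pct(len(POLICY_ACKED), len(STAFF)),
        "overdue_findings": sum(1 for _, due, closed in FINDINGS if not closed and due < as_of),
    }


def status(kri, value):
    """GREEN / AMBER / RED, honouring the direction of the indicator."""
    worse = (lambda v, t: v >= t) if kri.higher_is_worse else (lambda v, t: v <= t)
    if worse(value, kri.red):
        return "RED"
    if worse(value, kri.amber):
        return "AMBER"
    return "GREEN"


def direction(kri, prev, curr):
    if prev is None or curr == prev:
        return "stable"
    got_worse = curr > prev if kri.higher_is_worse else curr < prev
    return "worsening" if got_worse else "improving"


SEVERITY = {"RED": 0, "AMBER": 1, "GREEN": 2}


def evaluate(kris, current, previous):
    """One dashboard row per KRI, most severe first (stable sort keeps definition order within a level)."""
    rows = [{
        "kri": k.name, "value": current[k.name], "status": status(k, current[k.name]),
        "trend": direction(k, previous.get(k.name), current[k.name]), "owner": k.owner,
    } for k in kris]
    return sorted(rows, key=lambda r: SEVERITY[r["status"]])


def escalations(rows):
    """Everything not GREEN, grouped by the owner who must act on it."""
    out = {}
    for r in rows:
        if r["status"] != "GREEN":
            out.setdefault(r["owner"], []).append(r)
    return out


if __name__ == "__main__":
    rows = evaluate(KRIS, measure(AS_OF), PREVIOUS)
    for r in rows:
        print(f"{r['status']:5} {r['kri']:25} {r['value']:>6} {r['trend']:9} -> {r['owner']}")
    for owner, items in escalations(rows).items():
        print(f"{owner}: {len(items)} item(s) to action")
```

The direction flag matters more than it looks: a threshold table that assumes "higher is worse" will rate a 90% training completion rate as healthy. Sorting by severity and grouping by owner is what turns a set of metrics into the "who acts on findings" step of the program; a dashboard that nobody is named on is monitoring without remediation.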
Key Frameworks
- DOJ Evaluation of Corporate Compliance Programs — testing and monitoring section
- COSO Internal Control Framework — monitoring activities component
- ISO 37301 — compliance management system (monitoring requirements)
- Three Lines Model (IIA) — monitoring responsibilities across lines