Among all the elements of a corporate compliance program, perhaps the most difficult piece to understand is the testing and monitoring of your controls. 

Clearly the two are important. The U.S. Justice Department says so in its guidelines for effective compliance programs, where it states that the ideal program should allow for “timely and effective monitoring and testing of policies, controls, and transactions.” Britain says essentially the same in its six principles for compliance with the U.K. Bribery Act, where Principle 6 is titled “Monitoring and Review.”

OK, but exactly what’s the difference between testing and monitoring? How do you decide which policies and controls to test, and which only to monitor? And what needs to be in place at your enterprise and within your own compliance program so that both of those exercises go smoothly?

Those are all important questions to understand if you want your compliance program to run effectively, so today let’s try to answer them.

First, monitoring and testing are different.

What is compliance monitoring?

Monitoring is simply the observation of how your business processes or controls operate. For example, you might check a compliance dashboard to see how many employees have completed online training, or how many exception requests have been submitted for your travel and entertainment policy. Monitoring should (ideally) happen on an ongoing basis, because as the name implies, you’re just watching to see how your compliance program is running.

What is compliance testing?

Testing, on the other hand, is a direct attempt to see whether your compliance processes might break down under certain conditions. For example, you could simulate a data breach to see whether IT and business operating units report the breach to the right people within the right timeframes. Or you could push a flurry of suspicious (but fake) customers through your due diligence system to see whether the names are properly flagged. Testing requires you to identify specific controls you want to examine, and then figure out the best way to kick the tires.

How do you decide which controls to test and which to monitor?

The simple answer is that you should test those controls that address your most pressing compliance risks, but that raises numerous other questions a compliance officer needs to answer first. For example:

  • Which of your compliance processes already have known problems, so that you should test them to be sure those processes still work as intended?
  • How are your organization’s business processes or technology changing? Those changes might leave your compliance processes no longer aligned with how the business actually works.
  • How is your overall regulatory environment changing? Some risks that had previously been low (tariffs or undocumented workers, for example) might now be high, or new regulations (the EU AI Act) might create risks you previously didn’t need to consider.

You also need to consider your overall schedule for testing compliance controls, which could unfold over a multi-year timeframe. Perhaps some controls for low-risk issues only need to be tested every few years, but controls for high-risk issues should be tested annually. So how do you plan that schedule strategically? How do you ensure you have enough resources when necessary, so that nothing gets banished to “we’ll get around to it eventually,” which often means never?

The point here is that your decisions about which controls to test can’t be made in a vacuum. Those decisions depend on conducting a smart risk assessment and looking at the results of prior testing to see which areas are or aren’t problematic. They also depend on the strength of your regulatory change management system, so you know what’s new, and on the relationship you have with internal audit, IT, or other risk management teams, so you can secure the personnel and tools your testing effort might need.

Above all, and as always, you also need to “know the business” to understand how business processes are evolving. 

What else do you need for success? 

If you want your testing and monitoring to be effective (and informative), numerous other pieces of your compliance program also need to exist and be working well.

You need some sort of risk register and a controls library, to be sure that you’ve captured the whole universe of issues you might need to monitor and test. That is, once you’ve done the thorough risk assessment (as mentioned in the previous section), you need to log those risks, categorize their priority, and decide which controls will be used to address them. 

Ideally you’ll use a technology tool to map your controls to your risks. This helps to provide structure to your testing and monitoring, since the tool should be able to send you reminders for when certain tests should be conducted or monitoring reports pulled from the data.

You also need a documented testing plan. For example, exactly how will you test your controls for pre-approval of travel and entertainment expenses for high-risk clients? Or how will you test your validation of new vendor documentation to weed out AI-generated fakes? Those procedures should be documented, including a short explanation of why the testing procedure should work to test the effectiveness of the control. If you need help designing those procedures, enlist internal audit, IT, or cybersecurity teams as necessary.

You need to act on testing results. Yes, the results of your testing should always be documented for posterity (and to guide future testing plans) – but you also need to act on what those results tell you. If you document an issue and then take no action, that will be an enormous red flag to auditors, regulatory examiners and prosecutors.

So, think about the remediation actions you would take. New training for employees? A policy change, such as some additional level of manager approval? New technology? Then you’d need procedures to implement those changes and document them, too. 

And then keep going.

In short, testing and monitoring are an endless cycle. You observe, test for weaknesses, find problems, fix them, and start all over again. Moreover, that cycle must evolve over time as your business, technology, regulatory risks, and compliance processes all evolve too. 

And all of it must also fit within your larger compliance program of risk assessments, training, policy management, and more. None of that will work well if your monitoring and testing effort doesn’t work well.
