Compliance Program Assessment Should Include Internal and External Reviews


By Michael Greene

Sept. 24 — The best compliance program assessments leverage both internal and external reviews, according to Erica Salmon Byrne, NYSE Governance Services' executive vice president of compliance and governance solutions.

This practice requires annually planning and conducting an internal review, as well as periodically inviting somebody from outside the organization to review what it is doing well and what it can do better, she said during a Sept. 23 webinar on monitoring the effectiveness of compliance and ethics programs.

Why Conduct Assessments

Byrne discussed two reasons why organizations should conduct compliance program assessments. First, regulators “have made it very clear” that they expect organizations to assess the effectiveness of their programs to ensure they are supporting a culture of compliance.

Second, organizations face non-regulatory pressure to periodically evaluate the performance of their programs. This pressure comes not only from inside the organization, but also from investors, said Byrne.

According to Byrne, shareholders expect companies to “take good care” of their money, which means not squandering it on fraudulent activities that can cause the company to suffer fines, penalties and additional regulatory costs.

Internal vs. External Assessments

Byrne additionally discussed the pros and cons of internal and external assessments.

Internal assessments can be faster, easier to organize, and sometimes allow an organization to leverage existing audit or risk management functions, she said.

However, she added that the downsides include “overlooking blind spots” and “dealing with competing priorities” within the organization.

Another possible drawback is that competing priorities within the organization can impede the progress of the assessment, she said.

In contrast, external assessments provide organizations with access to different ideas and practices from other clients or industries, and can provide an unbiased view of the program, she said.

However, the downsides are the dollar and time costs of this review, said Byrne. These costs vary greatly depending on many factors, including who is providing the assessment.

Best Practices

Ultimately, according to Byrne, the best compliance and ethics programs conduct both internal and external reviews.

The best programs lift their “head up every year” and determine if there are any practices that must be implemented in the coming year, according to Byrne.

Additionally, Byrne said the best programs “every couple of years” invite somebody from the outside to perform reviews. She recommended that if a company has not conducted an external assessment within three years, it should prioritize doing so.

After all, she said, it can take up to 18 months to implement changes and improvements as part of a compliance program, and an organization can change dramatically during a three-year period. An assessment should not be so infrequent that a company is missing significant changes.

Byrne also mentioned data from The 2014 Compliance and Ethics Program Environment Survey conducted by the Society of Corporate Compliance and Ethics and NYSE Governance Services.

The survey found that 36 percent of the organizations surveyed perform formal assessments of their overall compliance and ethics function annually, whereas 8 percent perform this task every three years and 17 percent do not perform assessments at all.

Key Elements

Byrne also discussed some of the key elements of an internal and external review. These elements include making sure the review process is: recognizable and repeatable; tied to meaningful metrics; and organized in a way to evaluate the program's effectiveness.

Byrne added that for external reviews, it is also important for companies to make sure they are “benchmarking.” Companies need to ensure they are receiving recommendations for improvements that not only identify gaps in their programs, but also explain how to close them.

NYSE Governance Services sponsored the program, titled “Periodically Monitoring the Effectiveness of Your Program: The Whys and Hows of Evaluations and Peer Comparisons.”

To contact the reporter on this story: Michael Greene in Washington at

To contact the editor responsible for this story: Ryan Tuck at

A link to a “Compliance & Ethics Program Diagnostic” provided by NYSE is available at


