In Focus

November 2, 2005

Compliance Medicine

n our previous post, we wrote about a European accounting perspective on American-style regulation, which focused its ire on the harvest American-style lawyers have reaped from heavy-handed regulation. In our response, we suggested some ironies arising from this European outlook, one of which is that American regulators, at least, are now far more inclined toward a standards-based, consultative (read European) approach to regulation, and are moving away from the old-style checkbox (read American) approach. More evidence for this below.

Last week, two senior SEC officials in the Office of Compliance, Inspections, and Examinations - Mary Ann Gadziala and Director Lori Richards - delivered speeches to the Securities Industry Association on the current philosophy governing SEC oversight of internal controls at registered firms. The speeches focused specifically on the approach the SEC has taken with broker-dealers. However, most of the statements apply more generally to the broader universe of public companies.

Broadly speaking, it seems the Commission is now emphasizing development of what one might call compliance partnerships, in which internal audit teams of a corporation join hands cooperatively with external regulators. The purpose of these partnerships is to anticipate and prevent problems before they actually occur.

Here, in a nutshell, are the types of compliance medicine the two officials propose to practice.

1) Preventive Medicine. The trend in SEC examinations of business internal controls is to be "proactive". This primarily seems to mean evaluating how companies discipline and manage risk - the goal being to avoid violations from occurring at all.

2) Alternative Medicine. Ms. Gadziala also emphasized a "holistic" approach to risk assessment, in which the Commission works closely with SROs to gather, share, and assess all information about Commission-registered entities. In this instance, the purpose of a comprehensive approach is to eliminate unnecessary duplication of effort by the Commission and other regulators, while improving clarity and depth of vision into the examination system.

3) Personal Medicine. The most significant theme of these speeches is the degree to which the Commission intends to lean on independent audit and oversight work of registrants for insight and valid self-assessment. The recurring theme is to "leverage" the internal audits of firms with effective internal controls, enabling the Commission to focus its resources on areas that are either of higher risk or not covered by a firm's internal reviews.

4) Anticipatory Medicine. Broadly related to the first point regarding preventive medicine, the SEC now seeks to anticipate problems before they occur using three kinds of proactive audit initiatives:

a) risk management and internal controls examinations;
b) comprehensive compliance examinations; and
c) analysis of conflicts of interests.

What auditors are looking for are clearly defined core principles of risk management including:

a) top level involvement;
b) clear responsibilities at each level of management;
c) independence of risk controls;
d) strong well-developed systems, and
e) effective monitoring and reporting

Earlier activation of the internal audit can frontload risk assessment and lead to remediation before problems leading to violations occur downstream.

5) Best Practice Medicine. Working with the NYSE and NASD, the Commission has conducted comprehensive compliance examinations of 14 financial services megaliths with 55 broker-dealers to harvest both best practices and worst practices for enhancing compliance. The Commission expects to share these findings with Commission and SRO staff and, presumably, registrant compliance professionals.

6) Collaborative Medicine. In her speech, Lori Richards emphasized that in the future the Commission will make more extensive use of the internal audit function of registrants to determine the scope and intensity of its examinations. Her assumption is that internal auditors can and should be independent from the activities they audit, that they are organically more aligned with outside regulators than with the business units of their own firm.

In this effort to create a medically attuned, caring and compassionate audit and examination regime (where is the mention of actual enforcement?), Richards sees possibilities for blocking problems before they start and for creating enormous efficiencies in the audit and examination process, generally. The open question is whether internal auditors can really separate themselves from the environments they are policing and whether the patients themselves - in this case the corporations themselves - will want to practice this kind of cooperative compliance medicine.