Professional November 2017

Feature insight - Compliance

IT policies would normally cover areas such as system security (password format and expiry etc), data security, and hardware security to ensure data and the internal network are not compromised. Financial policies would be concerned with areas such as the segregation of duties to mitigate the risk of fraud or collusion. Finally, the controls introduced by auditors would be expected to support observance of, and adherence to, all published external legislation, as well as internal policy. This is by no means an exhaustive list, and each organisation will have its own variations; however, it should provide a good overview from which to begin a review and appreciation of your own organisation’s ‘rules and standards’.

So, what are the common areas of non-compliance?

As an independent consultant working with a vast range of organisations, across a huge array of industries, I have observed many issues of non-compliance. I can tell you that there appears to be no pattern in terms of whether large or small organisations are generally more or less compliant, or whether complexity has a direct effect on compliance. However, I do find that the root causes of any non-compliance usually fall into one of the following:

● lack of (or ineffective) controls and checklists
● inability to keep up to date with legislation
● out of date policies, or lack of version control
● no segregation of duties
● lack of training, development and support
● out of date process documentation
● cross-border legislation.

What is interesting to note is that when these controls were first introduced, or when these policies or documentation etc were first rolled out, they were usually compliant – so why are they no longer?

The simple answer is that change has usually happened, and whilst change has often been adopted into local practice it rarely gets reflected in official documentation – so that documentation quickly becomes out of date.

What can we do to prevent non-compliance?

Compliance should become a way of life, and so be accepted as an integral part of everything you do. All best-practice organisations should be operating a quality management system that underpins all operational activity, and within that quality management system we would expect to see adherence to all of the legislation and policies that we have identified.

So, what might our ‘plan for compliance’ look like?

● Regularly review areas of potential risk, understand where things might go wrong (before they do), assess the probability, and put preventative steps in place.
● As legislation changes, ensure you have a formal process of gaining new knowledge and information, and sharing it with your colleagues.
● Encourage a good working relationship with your stakeholders, as this will ensure you are always aware of organisational change, and can react accordingly.
● Regularly review, plan and deliver training needs to your team, to ensure they have the right information and knowledge to operate in a professional and compliant way.
● Test your process controls through regular internal auditing to catch potential areas of non-compliance before they happen.
● Have your processes audited and benchmarked by external organisations such as those that assess processes against standards such as ISO for example.
● Engage with the CIPP to have your operational activity reviewed against its benchmark Payroll Assurance Scheme, as this will provide an assessment of how effective your processes and operational activity are, helping identify opportunities for improvement.

What should we do if we identify non-compliance?

Despite all our best endeavours there will always be times when we recognise that we have become non-compliant. It’s how we deal with that non-compliance that determines whether we are operating in a best-practice way or not, and has the potential to set the course for what happens next. When any non-compliance is discovered, the following are recommended:

● Be honest and up front about it. HMRC (and anyone else for that matter) will normally be much more forgiving if you choose to disclose non-compliance before they find it.
● Ensure you understand what the non-compliance was, how it happened, and what effect it had on your organisation and your employees.
● There’s no point in conducting root-cause analysis if you are not going to do anything with it. So, ensure you make improvements to your processes to prevent the same thing happening in the future.
● Once you have implemented the changes, conduct internal auditing to monitor them to ensure that they are effective in practice, and if not review and update.

So, in summary, compliance is the observance of and adherence to ‘rules and standards’ and should be integral to everything we do, ensuring we are not exposed to risk or fraud. It is not just concerned with HMRC and associated legislation, but also with our own internal organisational policies. Change is often the biggest underlying cause of non-compliance, usually because processes, policies and documentation have not been updated to reflect the change, and so should never be underestimated. Regularly reviewing areas of potential risk, and understanding where things might go wrong, provides the opportunity to put steps in place to prevent non-compliance before it becomes a reality. Finally, when it goes wrong…admit it, face up to it, fix it, and ensure it never happens again.

This article, now slightly revised, was first published in Issue 17, February 2016.

Page 47 | Issue 35 | November 2017 | Professional in Payroll, Pensions and Reward
