The Compliance Officer in the Governance Structure
Where should the compliance officer be in the organization
chart? Should the compliance officer
have access to the board of directors?
Should there be a compliance committee on the board or should it be part
of the audit committee?
The simple answer is that the more important compliance is to
your revenue stream, the more likely it is that your compliance officer should
have direct access to the CEO. That is
particularly true if there is a high inherent risk (as viewed through the prism
of the fraud triangle) of a violation. If
you have a salesman who markets medical devices in a very competitive
environment and he is 100% commission-based, you have a high risk of a kickback
violation. It is that simple. Because the risk of a violation is high, the
control structure design must be robust.
I remember years ago working on a health care fraud case at
a large hospital in the Northeast. I
needed to interview the Compliance Officer and I literally needed a GPS to find
his office. He was located in a dark
corridor, segregated from everyone else.
I finished the interview and told the defense counsel that we had a
problem. The attorney said, “Why, what
did he say?” I told the attorney that he didn’t need
to say anything. His location and lack
of interaction with the organization spoke louder than words.
On the other end of the spectrum, I worked on an accounting
fraud case for an energy company. The
CEO was engaged. The CEO addressed the
VP of internal audit in meetings and made it clear that they had a
relationship. When the meeting was drawing
to a conclusion, the CEO recapped the issues and asked for action plans from
the key stakeholders. The attitude of
the CEO, the relationship with key management and the organizational respect
for controls told me everything I needed to know: we may have had a mistake, but we probably
didn’t have a fraud.
In both of the aforementioned examples, compliance was key
to revenue. One organization disregarded
that fact and the other embraced it. I
probably don’t have to tell you how the investigations turned out.
That is not to say that fraud can’t occur in a well-controlled
organization. I have seen it. I worked on a bank fraud case where an
accounts receivable financing arm committed a 300 million dollar loan fraud
scheme through manipulation of the aging controls. It required impressive collusion: at least 15
people were involved. I used to say you
couldn’t find 15 bad people anywhere outside of a University of Florida alumni
meeting, but I guess I was wrong! The
organization as a whole, however, avoided prosecution because it was obvious
that this was isolated and collusive, and therefore difficult for any control environment
to detect.
As to whether there should be a separate compliance
committee or whether compliance should just be part of the audit committee charter, I would say the same
considerations apply. You should accept,
however, that audit committees have a great deal on their plate. If you add on compliance, it will be just
that: an add-on that does not get the committee’s full attention.