In essence, testing and auditing are variations of the same answer to the question: is our program working as intended and as needed? Testing and auditing are the means for your organization to evaluate the effectiveness of your sanctions compliance program in practice. In terms of the differences between the two, testing is best understood as a real-time view of how the controls are working and performing in practice, as a snapshot of the overall SCP framework. An audit, on the other hand, is more of a comprehensive review of the overall approach to your program, controls, or specific aspects of each, including a review of policies, procedures, and their application, with a focus on what is working and what needs to be improved. An audit takes into account your organization’s sanctions risk, risk appetite and the evolving sanctions environment to assess against what is needed in your program, whereas testing focuses more on evaluating whether the current controls are working as intended.
How to test and audit
Your organization’s controls and processes should be tested and audited regularly to identify any deficiencies or inconsistencies. It can be helpful to think of both as efforts “trying to break the controls” and “doing the wrong things” because the point is to prove that the controls are working and enabling your organization to comply with its policies.
It is always better to find issues internally than to be informed of failures from an external review, so a successful test or audit is one that finds areas for improvement. If you find any deficiencies, these must be documented, and your organization must respond to any negative test or audit result by implementing compensating measures to ensure appropriate control. Once deficiencies are identified, your organization should define, commit to, and implement improvements to ensure sanctions compliance in a timely manner. It is also important that this timeline is adhered to as closely as possible; it is better to embrace a reasonable timeline from the start than an aggressive one that must be changed and delayed when it is not met.
Testing and auditing measures must be supported by senior management, but also should be used to hold senior management accountable. The evaluation of the organization’s risk assessments and internal controls must be independent, objective, and comprehensive, and in our experience the number of people designing and formulating the tests and audits should be kept to a minimum. When it comes to the quantity of personnel directing tests and audits it is often the case that less is more!
We are often asked if you need a dedicated team to conduct the tests and audits, but this depends on the size and nature of your company. It is important to have qualified personnel that are able to evaluate your company’s operations and it can often help to have external support for audits, as external advisors can help to define the international sanctions environment facing your company and provide a fresh perspective for how your operations are performing in practice.
We are also often asked what the appropriate frequency for conducting tests and audits is, and the truth is there are no hard and fast rules. There should always be an annual testing and audit plan with as many actions as is reasonably possible for your organization’s personnel to perform. Large organizations with dedicated audit teams should have audits constantly occurring; in contrast, smaller companies operating with SMEs can appropriately have fewer actions in a year. The most important element is not the quantity of tests and audits but their quality, and demonstrating that your company is committed to constant improvement in your sanctions compliance program.
Questions to ask to evaluate your organization’s testing and auditing measures
- Does our testing and auditing find faults in our SCP by “trying to break” our controls?
- Do staff embrace testing and auditing or argue against the scope of audits or problems being identified?
- How many improvements are completed within the set original time frame? Are solutions to identified deficiencies regularly delayed and “put on the back burner” for other priorities?