The implementation of new and revised laws, combined with a renewed focus on regulatory compliance in the financial sector, has increased the need for companies to assess and strengthen their compliance programs. In doing so, it is important to focus on risk assessments, policies and procedures, and training. But above all, testing may provide the most insight into remediation needs.
A robust testing program is critical in gathering information about an organization’s weaknesses while also providing advance warning of potential problems. This article explores the best practices for creating and maintaining a quality testing program.
Steps to Creating a Better Program
To build a quality testing program, it is crucial to understand the program’s purpose and the organization’s end goals. Is testing meant to ensure that regulatory requirements are met? Will the tests be operational, regulatory, or both? Will tests measure the organization’s performance, employee performance, or both? Setting goals such as these lays the foundation for the eight steps below.
- Build a Requirements Library – With goals in hand, a requirements library can be built and later used to establish the applicable requirements and to identify existing controls, or the lack of them. Working with subject matter experts, identify all statutory, regulatory, and contractual requirements. From there, map each requirement to a process or function, and identify and define the potential risks. This is the point at which to determine how many controls are in place and where the focus should be, while also eliminating duplicate testing of controls shared by several requirements. To be effective, risk statements should be presented in their most basic and action-oriented form and should define risks in a way that any employee could understand. To prevent ad hoc interpretations, the requirements library should be the single source of truth for which regulatory requirements apply and which controls should be in place to address them.
- Perform a Compliance Risk Assessment – To evaluate the inherent risk of each process identified, first define the parameters of the assessment, including the factors to measure (for example, likelihood and impact) and the data sources to be used. Once the risks have been identified, rate the effectiveness of the control used to mitigate each risk and use a matrix of inherent risk against control effectiveness to derive the residual risk for each requirement. Using the residual risk, prioritize the requirements and decide which controls should be tested.
- Develop a Compliance Testing Methodology – There are three aspects to developing a proper testing methodology: defining, communicating, and reevaluating the method. When defining it, the main focus should be the parameters of the test (the purpose, scope, and objective) and the sampling methodology to be used. Next, determine the process to follow when errors or issues are found and define how findings will be remediated. The last step is defining how findings will be reported: how will the results of the tests be used? Consider following the sampling methodology espoused by the main governing regulator. To streamline testing and eliminate additional work, understand the reporting requirements when developing the test. Knowing what information is needed to judge the effectiveness of the program, tests can be set up in a way that collects that information as they run.
A quality test is not enough, though. Communicating the defined methodology is equally important. When relevant parties understand what is expected, there is less resistance among those tested. Likewise, communication helps reduce duplicative testing.
As the program develops, objectives may change. To stay a step ahead, reevaluate and modify the methodology. A risk-based testing methodology should continually evolve as controls strengthen and as testing identifies changes in the strength of those controls.
- Build a Testing Schedule – Determine how often testing should occur using organizational objectives and the inherent or residual risks identified during the risk assessment. For example, high-risk issues can be tested monthly whereas low-risk issues may be tested quarterly or annually. Likewise, requirements can be grouped by business function or regulation to determine when each will be tested. To ensure adequate coverage, set a timeframe within which every requirement in the library must be tested at least once, and track coverage against it. Once again, communicate the schedule well in advance to all relevant parties. Leave room for unplanned testing due to identified issues and for validation of remediated issues.
- Perform Testing – Prior to testing, allocate enough time for document requests and ample time for review. As testing progresses, time studies should be performed to better determine the time needed to complete the tasks. Likewise, obtain all materials and data needed and ensure all reviewers have the required systems access. To maintain consistency and reduce confusion, reviewers should perform tests as outlined in the testing methodology, and document and preserve the results. Results should be checked for possible false positives, and issues should be communicated to the unit for resolution where possible. Once testing is complete, final results are delivered to the appropriate business units. A rebuttal period may be warranted if the business disagrees with the results.
- Initiate Issue Management Process – Testing often identifies issues for remediation. Define how each unit will manage an issue or control gap, from identification through remediation. Once an issue is identified, assign ownership based on the requirements library. Then determine the severity of the impact. Where a violation of law is involved, base the determination on the pervasiveness, duration, and severity of the violation. Document every issue with its underlying cause, a remediation plan, and timelines for remediation.
- Validate Remediation – Once remediation milestones are achieved, it is important to validate that the actions taken properly addressed the underlying cause of the issue and that long-term remediation efforts will prevent future occurrences. Retesting is an effective way to validate the remediation plan.
- Monitor Sustainability – It is vital to ensure that a violation or issue will not reoccur by establishing a period of sustainability. At the end of the period, retest or gather evidence to confirm that the issue has remained resolved. Where the issue reoccurs, the underlying cause needs to be reestablished and the remediation plan adjusted.
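The risk-assessment and scheduling steps above (inherent risk, a residual-risk matrix, and a test cadence driven by residual risk) can be made mechanical once the requirements library is structured data. The following is an added example, not code from the original article: it uses a constructed sample library with hypothetical requirement IDs (REQ-001 …), control IDs (CTL-KYC-01 …), and an illustrative residual-risk matrix and frequency table, all of which are assumptions a real program would calibrate for itself. It also handles the edge case the issue-management step cares about, a requirement with no control mapped at all, and it groups the schedule by control rather than by requirement so that a control shared by several requirements is tested once.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Requirement:
    """One entry of the (hypothetical) requirements library."""
    req_id: str
    source: str                      # statute, regulation or contract it comes from
    process: str                     # business process or function it maps to
    likelihood: Level                # inherent likelihood, before controls
    impact: Level                    # inherent impact, before controls
    controls: tuple                  # control IDs mapped to this requirement; () = gap
    control_effectiveness: Level = Level.LOW   # rating of the mapped controls


# Residual-risk matrix: (inherent risk, control effectiveness) -> residual risk.
# Illustrative values (an assumption); each program calibrates its own matrix.
RESIDUAL_MATRIX = {
    (Level.HIGH, Level.LOW): Level.HIGH,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.HIGH): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.HIGH,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.LOW,
    (Level.LOW, Level.LOW): Level.MEDIUM,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.HIGH): Level.LOW,
}

# Test cadence by residual risk, following the article's example of
# monthly for high risk and quarterly/annually for lower risk.
FREQUENCY = {Level.HIGH: "monthly", Level.MEDIUM: "quarterly", Level.LOW: "annually"}


def inherent_risk(req: Requirement) -> Level:
    """Likelihood x impact, banded into three levels (score range 1..9)."""
    score = req.likelihood * req.impact
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def residual_risk(req: Requirement) -> Level:
    # A requirement with no mapped control has nothing mitigating it:
    # treat effectiveness as LOW regardless of what the record claims.
    effectiveness = req.control_effectiveness if req.controls else Level.LOW
    return RESIDUAL_MATRIX[(inherent_risk(req), effectiveness)]


def control_gaps(library):
    """Requirements with no control mapped at all; these feed the issue-management step."""
    return [r.req_id for r in library if not r.controls]


def build_schedule(library):
    """Map each control to the strictest cadence any requirement it covers demands.

    Grouping by control is what removes duplicate testing: a control shared by
    several requirements appears once, at the highest cadence any of them needs.
    """
    strictest = {}
    covers = defaultdict(set)
    for req in library:
        rr = residual_risk(req)
        for ctl in req.controls:
            strictest[ctl] = max(strictest.get(ctl, Level.LOW), rr)
            covers[ctl].add(req.req_id)
    return {ctl: (FREQUENCY[lvl], sorted(covers[ctl])) for ctl, lvl in strictest.items()}


# Constructed sample library (not real regulatory data; names are hypothetical).
LIBRARY = [
    Requirement("REQ-001", "Regulation X", "Account opening", Level.HIGH, Level.HIGH, ("CTL-KYC-01",), Level.MEDIUM),
    Requirement("REQ-002", "Regulation X", "Account opening", Level.MEDIUM, Level.HIGH, ("CTL-KYC-01",), Level.MEDIUM),
    Requirement("REQ-003", "Contract Y", "Vendor onboarding", Level.LOW, Level.MEDIUM, ("CTL-VEND-02",), Level.HIGH),
    Requirement("REQ-004", "Statute Z", "Complaint handling", Level.MEDIUM, Level.MEDIUM, (), Level.HIGH),
]

if __name__ == "__main__":
    for r in LIBRARY:
        print(r.req_id, r.process, inherent_risk(r).name, residual_risk(r).name)
    print("control gaps:", control_gaps(LIBRARY))
    for ctl, (freq, reqs) in sorted(build_schedule(LIBRARY).items()):
        print(ctl, freq, reqs)
```

Two things in the output are worth noticing. REQ-004 carries a HIGH control-effectiveness rating in its record but no mapped control, so it lands at residual HIGH and in the gap list rather than in the schedule; a schedule that trusted the rating would silently leave it untested. And CTL-KYC-01 is scheduled once, monthly, for both REQ-001 and REQ-002, which is the duplicate-testing elimination the requirements library is meant to deliver.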
Attributes of a Robust Testing Program
The steps above should incorporate the following attributes of a robust testing program:
- Organization-wide Testing: Testing at each level of an organization helps to quickly identify weak controls and highlight where remediation is likely to be needed. Testing should align across the three lines of defense. The first line (business units) and second line (compliance and risk management teams) work together to determine the effectiveness of the program, while the third line (audit team) works completely independently. In other words, the third line demonstrates the effectiveness of the first two lines, identifying vulnerabilities that may indicate that a testing program should be revised. The more issues the third line finds that the first two lines missed, the less effective the program is, and vice versa.
- Specialized Skillsets: Quality programs involve professionals with specialized knowledge and skillsets who understand the business and regulations. Likewise, the continuous training of employees and cross-training in different areas only increases the effectiveness of compliance programs.
- Risk-Based Approach: A main characteristic of a robust program is the risk-based approach used in its design. Mapping the results of a risk assessment to the units and processes with the highest risks documents what is tested and why, and ties each identified vulnerability to the control meant to address it. Such mapping makes testing repeatable and its results actionable.
- Statistical Validity: Excellent programs recognize the importance of statistically valid results. Comparative statistics can demonstrate sustainability and repeatability, which are key in determining the effectiveness of a program.
Out with the old and in with the new: Automated testing is the future!
Testing will always be a fact of life for compliance programs, and how you handle it can make a significant difference. As technology advances, there is no need to stick with what has been done in the past. Implementing programs that utilize new and evolving technologies such as artificial intelligence (AI), robotic process automation (RPA), and third-party applications that crawl and mine data from various sources can reduce costs, increase efficiency, and improve the overall testing program. Ultimately, the more you can test, the better your compliance.