Compliance

What is Compliance Management?

As regulatory standards change, CFOs must ensure that accounting teams are able to meet their compliance responsibilities by practising effective compliance management.

In Deloitte’s State of Compliance Survey 2022, 57% of respondents identified regulatory change as their key compliance challenge – up from 49% in 2020. Of those respondents, only 7% said that their companies were actually prepared to meet their new compliance challenges. In 2022, survey respondents also revealed a lack of confidence in the effectiveness of their compliance management function, with almost 50% saying that their risk management frameworks were integrated only with second-line compliance functions or not integrated at all. 

The complexity of existing, and incoming, financial regulations makes compliance management too important to ignore – and a critical risk consideration. With that in mind, CFOs should understand how to implement a compliance management system (CMS) within their organisation, and how to leverage technology to make the compliance process easier.  

An Introduction to Compliance Management

Compliance management is the practice of ensuring that a company’s financial systems and processes conform to all applicable laws, and meet all industry regulations and contractual obligations.

Central to the compliance management process is the need to develop a company-specific framework of policies and procedures that facilitate compliance – typically through the application of internal controls. However, compliance management goes beyond the day-to-day activities of teams and individual employees, and extends to C-suite executives, who must understand the regulatory risks that their company faces in order to shape compliance policy and develop effective controls.  

With that in mind, companies should seek to build their compliance management framework around these principle considerations: 

• Legislative environment: Compliance management frameworks must align with jurisdictional legal obligations.
• Risk exposure: A compliance management framework should minimise the company’s exposure to regulatory risk and, by extension, potential compliance penalties. 
• Internal controls: Companies should develop and implement appropriate controls which function to fulfil compliance obligations. 
• Accountability: A compliance management framework should encourage an internal culture of compliance that promotes personal and collective accountability for the application of controls. 

Compliance Management Objectives

The primary aim of compliance management is to ensure that companies mitigate risk and build a deep-rooted internal culture of compliance. 

However, specific compliance management objectives may be more complex, and differ by company. In the EU, for example, tax law is different in each of the 27 member states, meaning that companies must train their accountants to manage finances for each jurisdiction in which they operate, and take that diversity into account during the month-end close. 

Accordingly, an effective compliance management framework should enable accounting teams to keep pace with an increasingly complex, and rapidly changing, regulatory landscape – where failing to do so would expose them to unprecedented levels of legal risk and damaging financial  penalties. 

The rate of regulatory change is a significant compliance priority: in PWC’s 2022 Global Risk Survey, four out of five respondents stated that keeping pace with the speed of digital and other transformations was a major risk management challenge. Similarly, the 2023 Global Risk Survey revealed that 57% of respondents viewed technology investment as the “biggest motivating factor” in prompting a review of their risk landscape. 

Avoiding Compliance Penalties

Beyond affirming regulatory compliance and creating a culture of compliance, a compliance management framework serves to help companies avoid costly non-compliance penalties. 

Failure to comply with regulatory requirements, knowingly or unknowingly, may lead to serious consequences, including:

• Hefty fines and penalties
• Lengthy lawsuits and court cases
• Business prohibitions
• Reputational damage

The consequences of non-compliance can seriously damage a company’s brand, restrict operational capacity, and wipe out financial resources. For example, in the EU, member states typically set their own financial penalty rates, however, collective fines for General Data Protection Regulation (GDPR) violations alone reached a record €2.1 billion in 2023. 

Legal Requirements and Regulatory Frameworks

Compliance risk exposure varies based on a range of factors, such as company size, industry, and geographic location. However, certain industries are more heavily regulated than others, such as those in the banking and financial services industries, and accordingly, need to dedicate more resources and administrative focus to compliance. Broadly, all companies should be aware of the legal requirements and regulatory frameworks that apply to their operations, and implement an appropriate compliance management solution. 

Examples of prominent compliance regulations include:

• The EU General Data Protection Regulation (GDPR) 
• The EU Corporate Sustainability Reporting Directive (CSRD)
• The EU Non-Financial Reporting Directive (NFRD)
• The UK Corporate Governance Code 

Emerging Compliance Concerns 

The evolving regulatory landscape means that companies should conduct horizon scanning to anticipate emerging risks and possible vulnerabilities in their compliance solutions. In 2024, emerging regulatory compliance concerns include:

• Environmental social governance: Governments around the world are introducing regulations that promote ethical business activity, often referred to as environmental social and governance (ESG). The EU’s CSRD, for example, imposes new reporting regulations on certain companies, with obligations to track data on metrics such as carbon emissions, environmental impact, and workforce diversity.
• Cryptocurrency: As virtual assets continue to gain traction in markets around the world, governments are introducing regulations to promote their safe use. The Markets in Crypto Assets (MiCA) regulation was introduced in 2023, imposing licensing and record-keeping requirements on crypto exchanges in the EU and beyond. 
• Data privacy: The increasing sophistication of cyber-attacks has increased governmental focus on the protection of personal data. The EU’s GDPR imposes strict data management responsibilities on companies that collect and store customer information. 

Key Elements of a Compliance Management System

Having set out compliance objectives, companies must develop a CMS – sometimes referred to as compliance management framework, capable of fulfilling them. An effective CMS typically includes the following elements: 

• Oversight: The board and senior management employees should oversee CMS development and operation in order to ensure that it meets required standards – and to continuously foster a company-wide culture of compliance. 
• Compliance Officer: Most financial regulations require companies to appoint a compliance officer responsible for the CMS and for periodic compliance audits. The compliance officer should have the expertise and authority to execute their role effectively, and may, in larger organisations, be a full-time appointment. 
• Policies and procedures: The CMS should set out policies and procedures that facilitate compliance with the relevant regulations, including the application of internal compliance controls. The company should train employees to follow those policies and procedures, and periodically review and update them to ensure they remain applicable to the risk landscape. 
• Monitoring and auditing: Companies should monitor their CMS to identify emergent vulnerabilities and opportunities to strengthen. Similarly, the CMS should be subject to regular audits to ensure ongoing efficacy. 

Implementing a Compliance Management System

The practical details of CMS implementation will differ by company, but should typically involve the following steps: 

• Communicate vision and strategy for compliance: The company’s vision and strategy should be aligned with overall business strategy. CFOs should communicate the details of the CMS to all employees – not just the accounting team. 
• Write clear, user-friendly policies and procedures: Employees at all levels or seniority must understand compliance rules. For this reason, policies and procedures should be as simple, clear, and concise as possible.
• Complete a comprehensive risk assessment: The risk assessment process should include identification of key financial compliance risks, such as fraud, errors, and regulatory violations. The risk assessment should also identify the potential consequences of each risk, and the controls in place to mitigate them.
• Provide training to employees: Train all accounting employees on the company’s compliance policies and procedures at recruitment, and then on an ongoing basis. Training should be tailored to each employee’s role and responsibilities.
• Iterate the compliance program: Compliance is an ongoing process and CFOs should seek to optimise their CMS whenever possible. Accordingly, accounting teams should continuously review the framework to ensure it is effectively mitigating risks.

Integrating Compliance into Business Processes

Ideally, companies should seek to integrate their compliance management framework with as little disruption as possible to products and services. This means facilitating communication between departments and stakeholders both during the development of policies and procedures and then on an ongoing basis after CMS deployment. 

Companies should lean-in to process automation during the integration process since the interface of technology and compliance workflows will determine the effective execution of policies and procedures. Automated software can not only add speed and accuracy to the application of controls, but minimise the chance of human error, enable real-time communication, and centralise access to critical resources. 

The Advantages of Effective Compliance Management

Compliance management is not just a question of regulatory box-ticking. Effective implementation typically brings meaningful operational benefits, including:

• Addressing threats: Effective compliance enables companies to spot mistakes and potential wrongdoing and so contribute to the global fight against financial crime and malpractice. 
• Time and cost savings: Automated compliance tools save employee time and resources, but also help companies avoid the costly penalty fines that may follow violations. 
• Forecasting: The more effective the application of internal controls, the more accurate the data a company has on its own financial status. Boards can then use that information to improve financial forecasting and decision-making. 
• Competition: By avoiding compliance violations, companies can better protect their reputation and may also distinguish themselves from competitors in a crowded marketplace.
• Scalability: CMS that are built on compliance software typically scale up quickly, and help companies manage the increased compliance burden that comes with growth. 

Risk Management and Compliance

The risk assessment is one of the most important components of compliance. Most regulators require a risk-based approach to compliance, which means that companies must deploy mitigation measures commensurate with the risk they face. With that in mind, the risk assessment process might include the following elements: 

• A review of relevant regulations and other legislation to determine which compliance standards they need to meet.
• Identification of regulatory liabilities – which might reflect the company’s size, industry, supply chain, or geographic location. 
• The assessment process itself, in which employees gauge the likelihood of risks causing a regulatory violation. 
• A reporting mechanism to escalate potential violations as and when they are identified. 

The compliance management framework should go beyond the identification and assessment of risk, and include consideration of mitigation strategies. The primary mitigation mechanism is the effective application of controls – as part of critical financial processes such as the monthly close. With the benefit of compliance software, CFOs can assign control responsibilities to accounting teams, track their application, and automatically escalate alerts to the compliance officer so that reports can be made to the relevant authorities. 

Ethics and Corporate Compliance Culture

Corporate ethics is a critical foundation of healthy compliance. Recent regulations, such as the EU CSRD and the UK’s Corporate Governance Code, reflect an increasing global focus on ESG and corporate compliance culture, and the public expectation that businesses contribute to important social issues, such as climate change, and labour equality. 

Senior management employees set the standards by which their teams operate. Accordingly, CFOs should build a compliance culture on accountability and transparency, encouraging close communication and collaboration and investing in technology that facilitates the fulfilment of compliance tasks, such as reporting and record-keeping. Similarly, companies should seek to provide ongoing training for their compliance employees to prepare them for both changes on the compliance landscape, and emerging risks. 

Automation: The Key to Effective Compliance Management

The changing risk landscape, and the increasing complexity of compliance regulations, mean that CFOs must seek to create compliance management frameworks that are robust and flexible. The best way to achieve that goal is to automate compliance wherever possible by integrating software tools.

Compliance automation is not just about efficiency. Deployed effectively, software tools help companies focus on, and build, their internal compliance culture. 

FloQast Compliance Management, for example, is designed to make the compliance process smoother  from end to end, enabling accounting teams to embed controls into daily financial workflows, retain and retrieve critical data, and are always ready for audit requests. Similarly, FloQast increases visibility and accountability of compliance tasks, enabling team members to take ownership of their control responsibilities, access resources remotely, track progress accurately, and ultimately, deliver the standard of compliance performance that their company needs. 

Learn more about effective compliance management, contact FloQast today. 

Stefan van Duyvendijk

Stefan van Duyvendijk is the Accounting Operations Evangelist at FloQast. Previously, Stefan served as the Corporate Controller for Kodiak Cakes, a private equity owned, leading consumer packaged food company, and as a Controller for Skullcandy, a multinational headphone CPG. These positions followed his five years at KPMG. His experience includes ASC 606 implementation, reduction of financial close timelines, accounting operational improvements, business combinations, financial statement audits, SOX audits and implementation, management reporting, debt, treasury, and systems integrations/implementation.