Compliance
(OBJ 5.4)
Compliance
- Ensures an organization's adherence to the laws, regulations, guidelines, and specifications relevant to its business processes.
- Includes compliance reporting and compliance monitoring
Compliance Reporting
- Systematic process of collecting and presenting data to demonstrate adherence to compliance requirements
- Two Types of Compliance Reporting
- Internal Compliance Reporting
- Involves the collection and analysis of data
- Ensures adherence to internal policies and procedures
- Conducted by an internal audit team or compliance department
- Example:
- A financial institution might have an internal policy that requires all transactions above a certain threshold to be reviewed and approved by a compliance officer. The compliance department would then generate a report detailing all such transactions, including whether each was appropriately reviewed and approved.
- External Compliance Reporting
- Demonstrates compliance to external entities such as regulatory bodies, auditors, or customers
- Mandatory, typically required by law or by contract
- Example:
- Pharmaceutical companies must submit regular reports to the Food and Drug Administration (FDA), detailing their adherence to good manufacturing practices (GMP).
- These reports include data on product quality, safety measures, and process controls.
Compliance Monitoring
- The process of regularly reviewing and analyzing an organization's operations for compliance with laws, regulations, and internal policies
- Includes due diligence and due care, attestation and acknowledgement, and internal and external monitoring
Due Diligence and Due Care
- Due Diligence
- Conducting an exhaustive review of an organization's operations to identify potential compliance risks
- Identifying compliance risks through thorough review
- Due Care
- The steps taken to mitigate these risks
- Mitigating identified risks
- Example: implementing measures to ensure compliance with laws that newly apply to the organization, such as training employees on the new regulations or hiring local legal advisors.
Attestation and Acknowledgement
- Attestation
- Formal declaration by a responsible party that the organization’s processes and controls are compliant
- Acknowledgement
- Recognition and acceptance of compliance requirements by all relevant parties
- Example:
- An IT company might require its software developers to attest that they have followed all necessary data security protocols when creating a new application.
- The developers would also acknowledge these protocols by signing a compliance agreement.
Internal and External Monitoring
- Internal Monitoring
- Regularly reviewing an organization’s operations to ensure compliance with internal policies
- External Monitoring
- Third-party reviews for compliance with external regulations or standards
- Example:
- A manufacturing company might conduct internal monitoring by regularly reviewing its production processes to ensure that they meet internal quality standards.
- The company might also undergo external monitoring by a third-party auditor to verify compliance with ISO 9001 quality management standards.
Role of Automation in Compliance
- Automated compliance systems streamline data collection, improve accuracy, and provide real-time monitoring
- Example:
- A healthcare provider might use an automated system to monitor compliance with patient data privacy requirements. The system could automatically flag any unauthorized access to patient records, enabling the provider to quickly identify and address potential HIPAA violations.
- A bank might similarly use an automated system to monitor transactions for compliance.
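The following is an added example, not code from the original notes or from any real compliance product, of the kind of automated check the healthcare example describes: an audit-log scan that flags patient-record accesses falling outside an access policy. The audit log lines, the care-team assignments, and the role-to-action policy are all constructed for the example; the "break-glass" emergency-access flag and the two severity levels ("violation" and "review") are assumptions about how such a system would be configured, not requirements taken from HIPAA.

```python
"""Flag patient-record accesses that fall outside an access policy.

Added example. The audit log, care teams, and role policy below are all
constructed sample data, not taken from any real system or regulation.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit log: one row per access to a patient record.
# break_glass=1 marks an emergency ("break-glass") access by someone outside
# the care team; such access is permitted but must be reviewed afterwards.
AUDIT_LOG = """timestamp,user,role,patient_id,action,break_glass
2024-03-01T08:02:11Z,dr.chen,physician,P-1001,view,0
2024-03-01T08:05:40Z,nurse.ali,nurse,P-1001,view,0
2024-03-01T09:12:03Z,clerk.jo,billing,P-1001,view,0
2024-03-01T09:30:55Z,dr.chen,physician,P-2002,view,0
2024-03-01T10:01:00Z,dr.kim,physician,P-2002,view,1
2024-03-01T10:07:19Z,clerk.jo,billing,P-2002,export,0
"""

# Constructed care-team assignments: which users may access each patient.
CARE_TEAM = {
    "P-1001": {"dr.chen", "nurse.ali", "clerk.jo"},
    "P-2002": {"dr.patel"},
}

# Constructed role policy: which actions each role may perform at all.
# Any role not listed here is denied every action (fail closed).
ROLE_ACTIONS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "billing": {"view"},
}


def audit_access(log_text, care_team, role_actions):
    """Return a list of findings, one per policy check that an access fails.

    Two independent checks are applied to every log row:
      1. Is the action permitted for the user's role at all?
      2. Is the user on the patient's care team? If not, a break-glass
         access is recorded for review; a normal access is a violation.
    A single row can therefore produce more than one finding.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        user, role = row["user"], row["role"]
        patient, action = row["patient_id"], row["action"]
        break_glass = row["break_glass"] == "1"
        base = {"timestamp": row["timestamp"], "user": user,
                "patient_id": patient, "action": action}

        # Check 1: role-based action policy (unknown role -> nothing allowed).
        if action not in role_actions.get(role, set()):
            findings.append({**base, "severity": "violation",
                             "reason": f"action '{action}' not permitted for role '{role}'"})

        # Check 2: care-team membership (unknown patient -> no one allowed).
        if user not in care_team.get(patient, set()):
            if break_glass:
                findings.append({**base, "severity": "review",
                                 "reason": "break-glass access outside care team; "
                                           "justification must be reviewed"})
            else:
                findings.append({**base, "severity": "violation",
                                 "reason": "access by user not on patient's care team"})
    return findings


def summarize_by_user(findings):
    """Count findings per (user, severity) for a compliance report."""
    return Counter((f["user"], f["severity"]) for f in findings)


if __name__ == "__main__":
    results = audit_access(AUDIT_LOG, CARE_TEAM, ROLE_ACTIONS)
    for f in results:
        print(f"{f['timestamp']} {f['severity']:9} {f['user']:10} "
              f"{f['patient_id']} {f['action']:6} {f['reason']}")
    print(dict(summarize_by_user(results)))
```

Run as-is, the scan reports four findings: dr.chen viewing P-2002 without being on the care team, dr.kim's break-glass view of P-2002 (queued for review rather than treated as a violation), and two findings for clerk.jo's export of P-2002 (the billing role is not allowed to export, and clerk.jo is not on that patient's care team). Both checks fail closed: an unlisted role or an unlisted patient produces findings rather than silently passing.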