"The Management Board ensures that all provisions of law and the enterprise’s internal policies are abided by and works to achieve their compliance by group companies (compliance)."
article 4.1.3 German Corporate Governance Code
Non-compliance by employees or board members can have adverse effects on the company in various ways: through negative news in the media, through administrative fines or changes in government contracting, to name just a few. The management board is primarily responsible for preventing these adverse effects by implementing adequate measures to ensure that the company and its employees abide by legal requirements and that internal rules are respected.
The responsibility of the supervisory board is basically the same as that of the management board - except that the supervisory board stands in the second position, in line with its duty to supervise management. To enable the supervisory board to comply with its responsibility, "the Management Board informs the Supervisory Board regularly, without delay and comprehensively, of all issues important to the enterprise with regard to (...) compliance" (art. 3.4 German Corporate Governance Code).
The supervisory board can delegate its tasks related to compliance to an audit committee. All members of the supervisory board remain, however, responsible for carefully selecting members of the audit committee and supervising their work on a regular basis.
Examination of compliance management systems by German public auditors
Although recognized framework concepts and best practices have developed in recent years, management and supervisory boards must often ask themselves: “Are we doing enough in the area of compliance to effectively avoid the risk of personal liability or possible legal consequences for the company?” The increasing demand for audit services in the area of compliance has prompted the German Public Auditors’ Institute (Institut der Wirtschaftsprüfer in Deutschland e.V., IDW) to develop a standard for the auditing of compliance management systems (CMS). On March 11, 2011, the “Hauptfachausschuss” approved the IDW audit standard “Principles of proper auditing of compliance management systems” (IDW PS 980).
The aim of a CMS audit is not to discover individual violations, but rather to assess whether systems are appropriate for ensuring that behavior complies with the regulations. This includes preventative and detective measures as well as reactions to compliance violations. Unlike the audit of financial statements, the recipient of the CMS audit report is not the public, but rather the party engaging the auditor (the management board, supervisory board or chief compliance officer).
IDW PS 980 distinguishes between the following three mutually supporting audit types:
Type 1: Assessing the conceptual content and documentation of the CMS
Type 1 examines whether the system described by the management comprises all of the most important (basic) elements of a CMS and whether these are appropriately represented.
Type 2: Auditing design
The goal of the Type 2 audit is to assess whether the measures described are appropriate, in conformity with the CMS principles applied, for identifying risks of significant violations of regulations with sufficient certainty and for preventing such violations, and whether the principles and measures are implemented at a particular point in time.
Type 3: Auditing effectiveness
As a complement to Type 2, with Type 3 the auditor inspects whether the principles and measures presented in the CMS description were effective within a certain period for selected sub-areas of the CMS.
Benefits and limitations of a voluntary audit
Even a CMS that appears effective has intrinsic systemic limits. Significant violations of regulations can occur even in an audited CMS without being prevented or discovered on the system side. In practice, externally conducted CMS audits can help management and supervisory boards ensure that compliance is treated in a targeted way, in accordance with its importance and as appropriate to each situation.
Compliance in entrepreneurial practice
The External and Internal Monitoring of Enterprises study group of the Schmalenbach-Gesellschaft für Betriebswirtschaft e.V. (Schmalenbach Business Management Society – SBMS) has published ten theses for the business practice of compliance management in the professional journal “Der Betrieb” (Der Betrieb, edition 27/28, dated 16.07.2010, pages 1509-1518). The following article provides a summary.
Managing the Business Risk of Fraud
A practical guide
This guide recommends ways in which boards, senior management, and internal auditors can fight fraud in their organization. Specifically, it provides credible guidance from leading professional organizations that defines principles and theories for fraud risk management and describes how organizations of various sizes and types can establish their own fraud risk management program.
Global corruption barometer 2010/2011
A global public opinion survey
Transparency International’s 2010/2011 Global Corruption Barometer reveals a growing distrust of business, the daily struggle of the world’s poor with petty bribery, and a public unconvinced of governments’ anti-corruption efforts. A global public opinion survey, the 2010/2011 Barometer reflects the views of more than 100,000 people from 100 countries and territories around the world.