The word “compliance” is used more and more
to refer to the corporate practice of seeking
to ensure adherence to and safekeeping of
procedures and regulations. It is similar to the terms
“good habits” and “corporate behavior” (ethical
and honest), which are used to refer to enhancing
clear, effective and efficient management of
the business. Along these lines, an enterprise’s
compliance function is in charge of safeguarding
its operations, since it must always be vigilant
in identifying any attempts at altering the “right
corporate order” and interfering with and
overcoming them as required.
This trend is a warning that world-class
corporations are increasingly demanding of
themselves high levels of corporate assurance
that rely on people and processes to ensure that
the execution of their activities does not follow
a random path, but instead conforms to open,
ethical and transparent corporate practices.
In light of this and the corruption scandals at
international and domestic levels globally, it is
necessary to insist on a culture that incorporates
beliefs and values into its structure. The culture
must also include strategies that foster behaviors
akin to good corporate reporting and control
practices, and can guarantee responsible
corporate processes in respect to the enterprise’s
global results.
KEY FEATURES OF THE COMPLIANCE FUNCTION
There are several approaches to defining
the compliance or chief compliance officer
(CCO) function, which, on first review, show
an inquisitive or accusatory role in terms of
compliance with regulations:
A CCO is a corporate official in charge
of overseeing and managing compliance
issues within an organization, ensuring,
for example, that a company is complying
with regulatory requirements and that the
company and its employees are complying
with internal policies and procedures. 1
The definition of a CCO presents a corporate
executive who considers corporate benchmarks,
validates their application and reports on the
level of compliance to determine any gaps
and risk derived from a limited execution of
the benchmarks. That is, the CCO develops a
proactive and preventive monitoring function
that detects inadequate execution of practices,
reports them, and performs a follow-up on
the assessed areas in order to overcome the
identified condition. This helps strengthen the
self-assessment that should be an inherent part of
processes and their participants.
Others define compliance as “adherence
to and the capacity to show observance of
directives, requirements defined by laws and
regulations, as well as voluntary requirements, as
a result of contractual obligations and
internal policies.” 2
This definition is restricted to a function
of law enforcement and ensuring third-party
obligations. It does not address the fundamental
resources required to consolidate the practices
associated with mandates whose fulfillment is
compulsory, such as culture and risk anticipation,
affecting corporate dynamics. In this sense, in the
same way as noted previously, the definition
relies on control execution reports defined by
the corporation, which indicates a certain level
of process assurance and accounts for the
evidence revealed by the mitigation status
of the identified risk.
The following are five key features for the
development of an effective compliance function: 3
• Authority—Authority must be adequately
allocated in the organizational structure with
a reporting level that ensures independence
and the incorporation of practices to help an
organization move from one maturity level to
the next.

Jeimy J. Cano M., Ph.D., CFC, CFE, CMAS, is a distinguished professor at the School of Law of the Universidad de los Andes (Bogota, Colombia). He has been a practitioner and researcher on information security, information technologies and digital forensic science for more than 17 years, working in different industries. He is a member of ISACA’s Publications Subcommittee. Cano can be reached at jjcano@yahoo.com.

Information Insecurity—Motivator of Corporate Compliance Practice