With the frequent personnel changes that many companies are experiencing right now, it’s important to consider how turnover affects companies’ compliance efforts. Almost every company is required to comply with some type of law, rule, regulation, or reporting standard. This blog post offers some ideas for building sufficient compliance training into a company’s overall compliance plan.
What is Compliance Training?
Compliance training is the process of providing company personnel with the information they need to execute key controls related to compliance. An effective compliance training program takes into consideration the company’s current maturity levels, the desired end state, and the steps required to reach it. It also requires one or more owners who oversee the implementation of the compliance training program and make necessary course corrections.
Why is Compliance Training Important?
Lacking a formal compliance training program exposes companies to potential non-compliance. Failing to meet a compliance standard (for example, receiving a qualified opinion instead of a clean, unqualified SOC 1 or SOC 2 report) can introduce many risks, including the following:
- Operational Risk – If regulators or clients require a given level of compliance, a company that cannot demonstrate it may lose the ability to do business with them, or to continue operating at all.
- Legal Risk – A company may be subject to expensive legal fees and drawn-out lawsuits.
- Financial Risk – Along with the risks above, a company may incur extra costs associated with additional audit procedures to compensate for the failure of some controls.
- Reputational Risk – A company’s reputation may be damaged, resulting in the loss of revenue.
What Should Compliance Training Include?
Compliance training should start with an understanding of what a company’s current requirements are. Different groups in a company such as executive leadership, audit, compliance, and legal should meet and agree on the scope of compliance training. After the initial scope is defined it should be revisited periodically to determine if any adjustments should be made based on changes to the business and the environment in which it operates.
What Are Some Characteristics of an Effective Compliance Training Program?
Training programs will necessarily vary depending on a company’s risk profile and compliance requirements. However, provided below are some common characteristics that can help a training program be successful and impactful.
As with many things compliance-related, an effective compliance training program starts with the tone from the top and a culture of compliance. Leadership that is engaged in compliance and norms that reinforce its importance help make compliance training a natural part of the employee experience. Efforts should be made to help employees understand that compliance is key to the success of a business and more than just a check-the-box activity.
Compliance training should be integrated with a company’s overall training program, including security awareness training and other types of periodic training that usually occurs annually. Consideration may be given to whether all training courses are given at once, or if they are spread out over time to help employees feel less rushed and have more time to absorb the information in the training.
Certain events should trigger training. Examples include personnel changes, role reassignments, changes to the business, and control failures or findings identified from recent audits or reviews. This is particularly true for roles that are highly involved in compliance-related activities such as system administrators.
A timeline should be set by which training must be completed, and a record should be kept of who has and has not completed it. People leaders should be responsible for monitoring training completion and following up with employees who are not on track. This is important because completion of training is itself often required for compliance with many different types of certifications and audits; auditors will typically ask for the completion records. Providing training that qualifies for CPE credits for various certifications can be an extra incentive for employees to complete training on time.
Employees should be able to provide feedback on the training experience and relevance to their roles. This can help refine and streamline the training process, as well as help employees feel more engaged in the process.
How Does Compliance Training Relate to Compliance Activities?
Some compliance principles and regulations apply universally to all personnel in a company. However, thought should be put into additional training that is more specific and targeted to employees who are responsible for executing controls or who are at greater risk of potential non-compliance with a specific regulation or standard.
Integration with the Control Inventory
As alluded to above, the control inventory can be a key driver in helping personnel understand their responsibilities and the importance of maintaining compliance. A SOC 2 report provides a good example to illustrate how this can be done. SOC 2 reports are organized around the Trust Services Criteria (TSC): nine series of common criteria (CC1 through CC9) that apply to every SOC 2 report, plus additional criteria for availability, processing integrity, confidentiality, and privacy when those categories are in scope. Each criterion is addressed by one or more controls.
For a business that undergoes a SOC 2 audit, maintaining an inventory of controls can be as simple as copying the controls into a spreadsheet and recording a control owner for each one. Software vendors offer tools for this, but the principle is the same. As personnel changes occur, those changes can be recorded in the control inventory, and each change of owner can trigger training for the employee who will now be responsible for executing the control. The inventory also makes it easy to spot controls whose owner has left and not been replaced, which is the situation most likely to produce a control failure.
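The following Python script is an added example, not code from Linford & Company or from the original post, showing how a control inventory with recorded owners can drive the training triggers and completion tracking described above. It compares two snapshots of the inventory, creates a training task with a due date for every control that changed owner or was newly added, flags controls whose owner is no longer on the staff roster, and reports which tasks are overdue. The control identifiers (modelled loosely on SOC 2 common-criteria numbering), the owner names, the dates and the 30-day completion window are all hypothetical sample data constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (hypothetical): control_id -> (description, owner).
# Identifiers loosely follow SOC 2 common-criteria numbering (CC6 = logical
# access, CC7 = system operations, CC8 = change management, CC9 = risk
# mitigation); the controls and owners are invented for this example.
INVENTORY_BEFORE = {
    "CC6.1-01": ("Quarterly review of production access", "alice"),
    "CC6.2-01": ("Approval of new user accounts", "alice"),
    "CC7.2-01": ("Triage of security monitoring alerts", "bob"),
    "CC8.1-01": ("Approval of production changes", "carol"),
}
# Snapshot after alice's departure: her controls were reassigned to dave and a
# new vendor-risk control was added. carol has also left, but nobody updated
# CC8.1-01, so that control is now orphaned.
INVENTORY_AFTER = {
    "CC6.1-01": ("Quarterly review of production access", "dave"),
    "CC6.2-01": ("Approval of new user accounts", "dave"),
    "CC7.2-01": ("Triage of security monitoring alerts", "bob"),
    "CC8.1-01": ("Approval of production changes", "carol"),
    "CC9.2-01": ("Annual vendor risk assessment", "erin"),
}
ROSTER = {"bob", "dave", "erin"}          # current employees per HR (constructed)
ASSIGNED_ON = date(2024, 1, 10)           # date the inventory change was recorded
TODAY = date(2024, 2, 15)                 # date the completion report is run
# Constructed completion records: (owner, control_id) -> date completed.
COMPLETIONS = {("dave", "CC6.1-01"): date(2024, 1, 20)}


@dataclass(frozen=True)
class TrainingTask:
    owner: str
    control_id: str
    reason: str
    due: date


def owner_changes(before, after):
    """Return (control_id, old_owner, new_owner) for every control in `after`
    whose owner differs from `before`. Newly added controls have old_owner None."""
    changes = []
    for control_id, (_, new_owner) in after.items():
        old_owner = before[control_id][1] if control_id in before else None
        if old_owner != new_owner:
            changes.append((control_id, old_owner, new_owner))
    return changes


def orphaned_controls(inventory, roster):
    """Controls whose recorded owner is not a current employee: nobody is
    executing them, so they need reassignment before the next audit period."""
    return sorted(cid for cid, (_, owner) in inventory.items() if owner not in roster)


def training_tasks(changes, assigned_on, grace_days=30):
    """One training task per owner change, due `grace_days` after assignment."""
    due = assigned_on + timedelta(days=grace_days)
    tasks = []
    for control_id, old_owner, new_owner in changes:
        reason = "new control" if old_owner is None else f"reassigned from {old_owner}"
        tasks.append(TrainingTask(new_owner, control_id, reason, due))
    return tasks


def overdue(tasks, completions, today):
    """Tasks with no completion record whose due date has already passed."""
    return [t for t in tasks
            if (t.owner, t.control_id) not in completions and today > t.due]


def report(before, after, roster, assigned_on, completions, today):
    """Build the summary a people leader or compliance owner would review."""
    tasks = training_tasks(owner_changes(before, after), assigned_on)
    return {
        "tasks": tasks,
        "orphaned": orphaned_controls(after, roster),
        "overdue": overdue(tasks, completions, today),
    }


if __name__ == "__main__":
    result = report(INVENTORY_BEFORE, INVENTORY_AFTER, ROSTER, ASSIGNED_ON, COMPLETIONS, TODAY)
    for task in result["tasks"]:
        print(f"TRAIN   {task.owner:6} {task.control_id} ({task.reason}) due {task.due}")
    for control_id in result["orphaned"]:
        print(f"ORPHAN  {control_id} owner {INVENTORY_AFTER[control_id][1]} is not on the roster")
    for task in result["overdue"]:
        print(f"OVERDUE {task.owner:6} {task.control_id} was due {task.due}")
```

In practice the two snapshots would come from the spreadsheet or GRC tool that holds the control inventory, and the roster from HR; the point is that an owner change in the inventory, not an ad hoc email, is what creates the training obligation and the due date that auditors will later ask about.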
Facilitating Knowledge Transfer
Compliance-related activities and the operation of controls should be documented to help facilitate a clean handoff when responsibilities change, especially in the case of sudden or unexpected departures.
Compliance can seem like a mundane subject, but certifications and audit reports such as a SOC 1 or SOC 2 can be a differentiator that sets companies apart from their competitors. The key is adequately training the employees who operate the controls, no matter the size of the company. Hopefully, this post has given you useful ideas for how you might implement or improve your compliance training program.
Tim Nackos joined Linford & Company, LLP in 2022. The first 5 years of his career were spent at the “Big Four” firms EY and KPMG providing IT assurance and advisory services. He also spent 10 years at two large financial institutions primarily in internal audit performing data analytics. Tim is a certified public accountant (CPA) in the state of Utah and is a certified information systems auditor (CISA). He holds both a Master of Accountancy and a Bachelor of Science degree in Accounting from Brigham Young University.