How Do I Check Compliance Functions to Make Sure They Are Working?

Patty P. Tehrani, Esq.
Founder, Policy Patty Toolkit, and author of the CCO Toolkit Series 1.0

Do you remember the last time you checked your compliance functions to see if they’re working as intended? As the Chief Compliance Officer (CCO), you run your organization’s Compliance Program (Program) and the various functions it encompasses. You know these controls are not optional, and frankly, they’re necessary to protect and run your highly regulated organization. But checking them while having to contend with a proliferation of new regulatory requirements and possibly more liability (read more: Haider Settlement) is a daunting task. And that’s not all. You also have to contend with growing stakeholder expectations to drive value, produce sustainable cost-savings, and support business strategies, all balanced against the need to remain compliant.

If you’re scratching your head and not sure what to do, take this quick survey to help you determine your next steps.

1. Policy: Are your compliance policies and procedures current and maintained per a documented policy management process?
2. Roles and Responsibilities: Are the roles and responsibilities for your compliance function documented?
3. Inventory: Do you maintain a current inventory of applicable laws and regulations that are integrated into your function, tracked, reported and acted on per a documented regulatory change management process?
4. Assessments: Are your compliance function controls included in your periodic assessments?
5. Communications and Training: Do you deliver periodic communications and training on your compliance function and related controls to raise and reinforce awareness?
6. Monitoring and Testing: Is your compliance function monitored and tested periodically to measure compliance and assess effectiveness with program requirements?
7. Procedures: Is your compliance function implemented through documented and current procedures?
8. Implementation: Do you require and confirm implementation of compliance function requirements?
9. Reporting: Do you report periodically to senior management and, as applicable, the board of directors on the compliance function?
10. Maintenance: Do you take steps to periodically review and, where necessary, update your compliance function to assure it remains current?

How did you fare? Don’t worry if you ended up with more “no” responses than you would have liked. First, the good news is that you made this determination and not a regulator, litigant, or some other third party. Second, you have lots of great information online to help you assess your compliance functions. But if you’re short on time and dealing with lots of priorities (which is most likely the case), here are a couple of tips. The first is to download my program checklist and adapt it as needed to do a quick check of your compliance function. Next, if you have the time, do a more extensive review and engage your staff and other stakeholders (e.g., Legal, Risk, Finance, Operations, and business management) to check your functions by answering the following questions:

  • What are the objectives of these controls, such as:
    • Protecting the organization’s reputation and value;
    • Meeting the demands and expectations of internal and external stakeholders;
    • Supporting business strategies in adherence with governance, ethics, risk management and compliance requirements; and
    • Balancing remediation of non-compliance while protecting the organization against legal and regulatory enforcement.
  • What types of controls you have for important compliance functions such as:
    • Code of Conduct;
    • Compliance Communications and Training;
    • Compliance Monitoring;
    • Compliance Program Assessment;
    • Internal Investigations;
    • Policy Management Framework;
    • Preparing and Conducting Regulatory Exams;
    • Regulatory Change Management; and
    • Selecting Technology.
  • What the function needs to do (see my CCO toolkit for more guidance);
  • Which requirements (legal, regulatory and business) does the function address;
  • Who helps and needs to help maintain and support the function;
  • What key dates should be considered (remediating findings, rule change compliance date);
  • What controls (e.g., policies, procedures, systems, etc.) are currently in place;
  • How to assess the function to identify gaps and deficiencies (collectively, “gaps”);
  • What gaps and deficiencies (gaps) are identified from the assessment;
  • How to document an action plan for remediating in consideration of priorities, risks, resources, etc.;
  • How to operationalize agreed upon measures to address gaps; and
  • When to schedule the next review to assess the function.


While the scope and complexity of regulations may never dissipate, you can’t lose sight of what you need to do to keep your compliance functions and controls effective for your organization. Remember that to position Compliance for success, as Compliance leaders, you need effective compliance controls. However you approach the assessment of these controls, always remember that you need to check them from time to time to see if:

  • They are working;
  • Their goals are being met;
  • Their value is known and promoted; and
  • Deficiencies are identified and remediated.


For more information on Patty:
Patty P. Tehrani, Esq., is an experienced compliance attorney and founder of the Policy Patty Toolkit. Patty has nearly 20 years’ experience in compliance including senior in-house roles at top financial institutions, authoring articles and blogs, and compliance consulting engagements. Patty is a graduate of Binghamton University and earned her Juris Doctorate from American University, Washington College of Law. She is a member of the New York and US Supreme Court Bars. You can follow Patty on LinkedIn, Twitter or email her at


  1. Good Morning Patty – thanks for the piece and helpful tools. Always important to step back and remember the big picture. I had a leader once, who always reminded me, “John, always remember that you sometimes forget to see the forest because of the trees.” Many times, we get involved with trees that eat up a lot of our bandwidth. It is always important to step back and look at the whole forest.

    • Thanks, John for the feedback.
      Absolutely agree that perspective is in order. My objective in writing the piece is to prompt and promote a proactive stance toward compliance functions. I have been witness to a reactive posture to fix deficiencies and gaps with these functions and in most cases those identified by a party outside of Compliance. Something I hope Compliance leaders can avoid.

  2. Nice toolkit. Thanks for the info. At the same time from a compare and contrast perspective, I find that the recent tool put together on how to measure the effectiveness of a compliance program also asks questions that can also help achieve the same objective.

    I am very glad to hear of different options out there as this gives people an opportunity to know about and find tools that they may wish to use.

    This “other” tool is at:

    Again…many thanks for posting.

  3. Thanks, Frank!

    Your tool is very helpful.

    I wrote the article largely to promote a more proactive stance toward maintenance of compliance functions where possible rather than a reactive one to a finding flagged by auditors or regulators. This principle carries over into my just released CCO Toolkit Series 1.0 (a compilation of nine guides) to help assess important compliance functions. More on the toolkit:

    Thanks again for your comment and tool!

  4. Is it unethical for a medical records director to be a corporate compliance director also while checking medical records?
