Preparing A Compliance Report: What Should You Include?

BY: ComplyLog|February 4, 2022|Compliance

Being compliant with current legislation and being seen to be compliant are both essential in modern business. The regulatory environment is continuously evolving as governments look to counter threats such as data breaches, corruption, insider dealing and more. With this in mind, you should set about preparing a compliance report. It brings together the evidence of your efforts to remain within the law of each country in which you operate.

In order to create a consistent approach to compliance, you should document your efforts and establish best practices within the organisation. For many regulations, though, compliance is not a one-off step along the route but an ever-present concern that must always inform decision-making.

For example, the IT Governance blog says that the General Data Protection Regulation (GDPR) “elevates accountability into a principle.” Your compliance report needs to document all aspects of implementation, from the Privacy Policy on your website to your records retention procedure and data protection training policy. In the event of a data breach, you must be able to show the steps you took to prevent it, and a compliance report is an effective way to do this. It will not remove your other obligations, but it improves the chance of the authorities showing some leniency and of you avoiding penalties that can reach as high as €20 million or four per cent of global annual turnover for the preceding financial year, whichever is higher.

What is a compliance report?

The compliance report is the document in which you collate all the information relating to your efforts to comply with the various standards and pieces of legislation that apply to your industry and location. It must describe the compliance activities in your organisation, taking into account the risks the business faces and the steps taken to mitigate each of them.

Compliance reporting might differ depending on the intended audience of the specific report. You might produce a compliance report for:  

  • External auditors and regulators
  • Business partners
  • Investors
  • Board members and senior management 

All of these parties have a stake in the compliance of the organisation, although the language used and the level of detail will vary from one audience to the next.

Who is responsible for creating a compliance report?

If your business is large enough to employ a Chief Compliance Officer (CCO), they and the compliance function will be responsible for drawing up your compliance reports. It is their job to prevent compliance breaches, as well as to swiftly identify and correct any contraventions that do occur. They may also request that experts in various arms of the organisation feed into the report, using their knowledge and experience to create a comprehensive overview of compliance. 

Companies without a CCO should choose a suitably qualified employee to head their compliance reporting. This individual should have a good understanding of the regulatory challenges facing the organisation as well as the operational structure of the business. 

The importance of compliance reports

  • Understanding which areas of the business are fully compliant and which are lacking helps you allocate resources where they are most needed. A compliance report will highlight this and can then inform your future strategy. 
  • The report acts as proof that you took reasonable steps to prevent a negative event from occurring and shows how quickly and effectively you took corrective action to address any issues that do happen. This is good evidence to have when pleading your case for leniency with authorities. 
  • A compliance report that shows compliance is interwoven in the processes of the company allows peace of mind for management and other internal stakeholders. They don’t need to worry about nasty surprises that could see the company suffering financial penalties or reputational damage. 
  • Being able to prove compliance also makes a business more attractive to investors and customers.  

Types of Compliance Reports

  • Compliance audit report: This is the main method of assessing the current state of the organisation’s compliance coverage. Compliance auditing lets you spot potential violations and remedy them before they cause problems.
  • Compliance investigation report: A compliance investigation report follows an accusation or suggestion that there is a compliance failure somewhere in the organisation. The investigation assesses the truth of the claim and attempts to fix the issue.
  • Compliance incident report: This is the document for recording compliance incidents, including what happened and the identities of those who knew about the breach.
  • Compliance assessment report: This is used by an external body to ensure that entities under its authority remain compliant.
  • Annual compliance report: A regular assessment of compliance activities to ensure they are running as they should be. Annual compliance reports aid continuous improvement efforts.
What a Compliance Report Should Include

1. The regulations in question

It is important that you identify the regulations with which you are required to comply. There are a large number of different pieces of legislation that could affect your organisation, from the EU Whistleblowing Directive to the Market Abuse Regulation.

By understanding all of the regulatory pressures on the business, you can properly assess your compliance robustness.  

2. The scope of the report

Anyone reading the compliance report needs to know which areas the CCO (or whoever leads compliance reporting) looked at when compiling the document and which they did not. The scope follows from the purpose of the report and makes it clear that you have covered every area you need to in order to conform with your regulatory requirements.

3. Review of the compliance process

Describe how the compliance processes were reviewed and how they are meant to run. This shows that you followed proper procedures to establish the status of the company’s compliance infrastructure, and it lets you show regulators the exact steps you took to conclude that your processes were robust enough.

4. Summary of the analysis

You should report your findings in full but also provide a summary. This allows stakeholders to see a quick status check, displaying where the company is compliant and what needs to change. 

5. Timelines for improvement

As the stakes are so high when it comes to compliance, you must make sure that you repair any shortcomings as soon as you can. Setting deadlines and owners for each improvement sets these actions in motion and shows any auditors who investigate that you intend to improve and comply.

Tips and best practices

Make the information accessible to all

A compliance report must be accessible for multiple audiences, meaning you might have to present the information in a number of different ways. Auditors have in-depth knowledge of the subject matter, so your report for those bodies should be more technical. For directors of the company, you might need to pull out the key takeaways in a digestible format so they can gain the best understanding of the situation in the limited time that they have.  

Be objective in the report

Objectivity is essential for a compliance report. The only way you can be sure that your systems are effective is to look at them dispassionately, in the same way a regulator would. Of course, we would all like to think we are doing things the right way, but to be certain your controls are as watertight as possible, you must be prepared to find failures. That is the only way you can shore up your procedures.

Report frequently

As the regulatory landscape keeps shifting, your compliance infrastructure needs to adjust to remain in step. Reporting frequently helps you maintain a culture of continuous improvement that keeps you on the right side of the law. An annual compliance report is the minimum for confirming you are on track; report more often where the risk or the regulation demands it.

Examples of Compliance Reports

FAQ

Who will read the compliance report?

There are many different audiences for a compliance report. The regulator will want to read it, especially if there has been a breach in compliance. It is also essential reading for management and the board, so they can understand where the company stands and what regulatory risks it faces. Finally, internal and external stakeholders who perform compliance auditing, as well as customers and investors, might want to take a look, too.

Should you report on the effectiveness of compliance controls?

Using testing and monitoring, you should make sure that corporate compliance controls are working as they should and are not being bypassed by employees. As this directly affects your regulatory compliance, you should certainly report on it.

Should you report on policies and procedures?

Many pieces of legislation require organisations to implement stringent policies and procedures, so it makes sense to add these to your report. For example, MiFID II requires investment firms to run procedures for employees to log their personal trades, commonly implemented as a pre-clearance system that allows or disallows certain trades based on various parameters. If your organisation is affected by MiFID II, you need to know that this process is working as it should, so it makes sense to report on it.

Conclusion

Preparing a compliance report is the best way to ensure that your systems and processes are working properly and that your company’s activities are within the law. Collating all the relevant information from across the company is a large project, but it is essential for avoiding potential penalties and reputational damage.

In order to improve your company’s compliance robustness, you may want to take a look at the tools provided by ComplyLog. They automate your reporting requirements and the processes for accepting whistleblowing reports, creating insider lists and clearing employee trades in a manner that is compliant with the relevant EU legislation. Learn more about these tools today.