Compliance reviews: a positive learning experience

Compliance reviews are a useful tool. They help make sure you’re compliant in all the key areas of your business, and offer the opportunity to improve performance.

Well executed reviews mean you can identify any problems early on, rectify them, and amend any policies and procedures so that the same issues don’t arise again.

“A review shouldn’t be a tick-box exercise,” stresses Dean Neaves, Senior Manager, QAD. “Treat it as a positive learning experience; look at the issues raised and take steps to stop them reoccurring.”

“The things you need to consider in a review are very closely correlated to the sorts of questions and areas we'll look at during QAD monitoring visits,” he adds. “So if you do it right, and you understand it, you're less likely to have problems when these come around.”

Reviews also support completion of ICAEW’s annual return. “It’s useful to refer back to the compliance reviews when completing annual returns to help ensure you are answering the questions accurately,” says Neaves.

Mandatory or best practice

In some areas of work, annual compliance reviews are mandatory; in others, they are best practice.

“All firms (except sole practitioners with no relevant employees) are required to carry out an anti-money laundering (AML) compliance review on a regular basis,” explains Neaves. “At ICAEW, we suggest annually, but AML regulations use the term ‘regularly’.”

“As with other reviews, this is to protect firms and make sure they don't fall foul of the regulations,” he says.

The other review many firms will need to do annually is a clients’ money compliance review, which is for all firms that hold clients’ money.

Although it's not mandatory, ICAEW also recommends that firms carry out a Practice Assurance (PA) compliance review, which covers all the other areas of PA that aren't covered by AML and clients’ money requirements.

Then, for probate, insolvency, DPB (Investment Business) and audit work, annual reviews are mandatory. (see box). These vary in the specific details of when and how they have to be done, but many of the aims, processes and principles are similar.

Document it

Compliance reviews don’t just need to be carried out, they also need to be documented. “People might say: “Oh, I’m a sole practitioner and I've already done the compliance review because I deal with all the transactions and all the clients,” says Christopher Greenhalgh, Manager, QAD. “And that’s all well and good, but we also need you to evidence that to us.”
To support firms in documenting their reviews, ICAEW has produced checklists covering all the key areas of regulated work. But you can also use other checklists, for example from external training providers.

File reviews

The review itself will normally involve going through the various checklists to cover off compliance across the firm, and complementing this with client file reviews, also known as ‘cold file’ reviews.

File reviews help provide a more complete picture of the firm’s compliance. They are mandatory for some work but, even where they are not a requirement, ICAEW recommends them.

“Under the Probate Regulations, file reviews are not a requirement,” says Greenhalgh. “But, as an example, if you’ve got five people in the office carrying out probate work, the authorised individual responsible for signing off and controlling engagements might not have visibility over every single element of their work, so as best practice you should be doing cold file reviews for a sample of your engagements.”

“It’s all very well going through a checklist and saying: ‘Yes, we do that.’ But you need to know whether this happens in reality,” says Neaves. “And the best way to tell is to dip into some files.”

In general terms, he advises picking files with a spread of partners or principals, different lines of service, and any areas with an increased level of risk.

Certain areas of work have specific requirements. For audit registered firms, for example, cold file reviews are mandated alongside a ‘whole firm’ review. These file reviews delve into completed audit files to make sure they’re compliant, and ISQM1 requires they be done by someone independent of the audit and not involved in the engagement.

“The minimum requirement is that firms must do audit cold file reviews every year, covering each Responsible Individual (RI) with an independent review on a cyclical basis (usually at least every two to three years),” says Jeffrey Barnes, Manager at QAD. Another RI, or suitably qualified individual, at the firm could complete these reviews. Alternatively, the firm could engage an external reviewer.

External cold file reviews are not mandatory, but where firms have only one RI - or for sole practitioners - the requirements usually translate into RIs having a cold file review every year, with this being an external review at least every third year.

An improvement tool

Where a review reveals areas of non-compliance or uncovers wider procedural or training problems, you must address these. “If there are any action points, it's important to follow through with them,” says Neaves.

“And when you’re doing each review, don't just follow what you did last year,” he adds, “because the regulations might have changed or you might have changed how you’ve done things.”

“If you're not sure, refer back to guidance on ICAEW’s website to make sure you fully understand what the question is,” he advises. “For example, we can go through a compliance review checklist where the firm’s ticked ‘yes’ to everything, but still find issues on a quality assurance review, and that's usually because it's been treated as a tick-box exercise, and the questions haven't been fully understood.”

“If you’ve just done it as a tick-box exercise, and put it on the shelf, it almost becomes pointless because it's not actually doing what it's supposed to,” says Alison Morgan, QAD’s Insolvency Manager.

“If we later go along and do a monitoring visit,” she adds, “and we find the same things you already identified in the review, and you’ve had sufficient time to put them right but haven’t, that can have more serious consequences than if you had taken corrective and/or remedial action in a timely manner.”

A good review can bring long term benefits, such as enhancing service quality, identifying best practice and providing some assurance on risk exposure. “If you look at a range of files and you see something that's particularly good on one file, make a note and share that good practice across the whole firm so others can benefit and improve what they're doing,” says Barnes.

From an insolvency perspective, Morgan believes compliance reviews offer particular benefits for firms readjusting after the upheavals of the pandemic. “What we're finding on our monitoring visits is that because of home and remote working, some insolvency practitioners (IPs) haven't necessarily been able to exercise their usual degree of oversight over their teams.” The compliance review gives them an opportunity to identify issues that have occurred in this context, and ask: ‘How can we put it right?’”

Added value

Annual compliance reviews are not about adding to the administrative burden. They’re recommended or mandated for good business and public interest reasons. Not only do they help ensure compliance but they also offer additional benefits in terms of improved performance and reduced risk, including of complaints, which can be costly and time-consuming to resolve.

In future articles, we will look in more detail at the requirements for audit, insolvency and probate compliance reviews, and offer tips on some common pitfalls, and how to use the process to add value.

Resources

Download ICAEW’s checklists for annual compliance reviews:

• Practice Assurance
• DPB (Investment Business)
• AML
• Clients’ money regulations
• Insolvency
• Probate
• Audit whole firm compliance reviews
• Cold file audit compliance review

Read more about compliance reviews for DPB (Investment Business) licence holders.