I recently spoke with a CFO whose roles included management accounting and internal auditing as well as compliance and risk.

I asked him who he reported to and he rattled off 3 different reporting lines depending on the role he was performing, including reporting to a Board Risk Committee with copies to the CEO for important compliance or audit functions as opposed to reporting to the CEO for usual business reporting.

Developing a compliance plan helps clarify reporting lines and the role of the person whose function includes that of compliance officer.

Not every business can afford a dedicated compliance officer: that person’s role may overlap with the role of internal auditor (and sometimes company secretary or general counsel).

A compliance plan should set out who does what, when and how.

Compliance officers generally review compliance with external regulatory requirements (eg laws, regulations, codes, standards) rather than internal business policies and controls.

The compliance officer may also have a training and development and business process improvement function.

A compliance plan also needs to identify who is responsible for:
• developing and administering monitoring and surveillance systems to detect potential breaches of legal and regulatory requirements;
• investigating, rectifying and reporting on breaches of legal and regulatory requirements (including customer complaints);
• filing various notices and returns with regulators; and
• liaising with regulators in relation to regulatory matters.