Compliance programs in the services industry need 7 elements


Compliance programs have many moving parts, to address issues from data security to employee training. But each of these parts must be built upon core fundamentals.


“At the center of every well-designed compliance program is a culture of ethics and compliance,” said Grant Thornton National Managing Partner Fred Kohm. “From there, you have key elements, areas, and activities that are all built upon a company’s culture.”


Compliance programs can be seen as a wheel that has culture at the hub, with building blocks, strategies, processes, and topics populating the outer rings. But why start with culture, and how does a professional services firm translate culture into compliance? 


Compliance programs perform essential functions: managing significant risks, maintaining integrity, and building trust. They can prevent or soften the reputational damage of negative news, facilitate the completion of required reporting, and reduce operational and financial risks like employee fraud. 


In a professional services firm, the corporate compliance program framework is like a wheel with a culture of ethics and compliance at the center. Outside of that is a ring of documentation, process, technology and people. This leads to a ring of responsibilities to assess, design, implement and enhance. Finally, there is an outer ring of the topics that the framework needs to address.


Compliance programs are especially important to professional firms because these firms rely on trust and are held accountable to specified requirements. Requirements vary by industry, jurisdiction and firm, but there are some common elements that every compliance program should include.




7 common elements


It’s important to consider past examples as we consider the risks and costs of compliance violations at U.S. organizations. The U.S. Sentencing Commission Guidelines Manual encourages firms to proactively combat fraud and other criminal activity, and the commission recently reviewed the past 30 years of sentencing for violations under Chapter Eight in the manual. The themes of this guidance can be reflected as seven requirements:


  1. Establish standards and procedures, and document the culture.
  2. Implement oversight by high-level personnel, including the appointment of a compliance officer and committees.
  3. Exercise due care in delegating substantial discretionary authority, like checking the backgrounds of compliance personnel.
  4. Ensure effective communication with all levels of employees.
  5. Take reasonable steps to achieve compliance, which include systems for monitoring, auditing and reporting suspected wrongdoing without fear of reprisal. Have systems and use them. Enable and reward whistleblowing. Know who takes the phone call and what actions they take.  
  6. Maintain consistent enforcement of compliance standards, including disciplinary mechanisms. Be fair, reward whistle-blowers, and punish wrongdoers.  
  7. Take reasonable steps to respond to and prevent further similar offenses upon detection of a violation. Install a process for turning mistakes into structural change.

Professional firms will want to look at the relevant laws and regulations in their jurisdictions, as well as professional standards and ethical guidelines.


Finally, all firms will want to review enforcement actions that affect them, look at the technology they have in place, ensure their supply chain partners and contractors align with their efforts, and create robust training and communication programs.  




Compliance as a key to government contracts


The Government Accountability Office reported that, in fiscal 2022, the Federal Government awarded $694 billion in contracts — and $279 billion of that was non-defense spending. That outlay does not include state and local spending. For firms looking for a share of that market, compliance can be a worthwhile new business enabler.


At first, the process can be overwhelming. But once you make the initial investment to gain the required expertise, compliance can become much easier. 


Headshot of Jamie Sybert

“If you have a well-managed, well-oiled compliance program, it’s even easier to add on those additional controls.”

Jamie Sybert

Grant Thornton Government Contractor Solutions Principal and Leader

Before you tackle the more elaborate requirements of government contracts, it helps to have a strong basic compliance program in place. Grant Thornton Government Contractor Solutions Principal and Advisory Leader Jamie Sybert said, “If you have a well-managed, well-oiled compliance program, it’s even easier to add on those additional controls.”


Sybert gave the example of a company with an existing expense policy put in place to prevent vendor fraud and internal leakage. “To comply with government requirements, you often simply need to add a few requirements. You don’t need to build it from scratch.” 




Responding, adapting and adjusting 


Headshot of Fred Kohm

“It's important to remember that compliance programs are not static. They're really living, breathing programs.”

Fred Kohm

Grant Thornton Services Industry National Managing Partner

Like everything in business, compliance evolves. Kohm emphasized that “It's important to remember that compliance programs are not static. They're really living, breathing programs.” In particular, he pointed out the uncertainties of the current economic climate and the recent increase in regulatory focus on compliance and corruption.


The current administration has identified corruption as a national security threat. In response, there has been an uptick in enforcement actions — many against private individuals. New regulations and priorities have emerged. Sybert noted prohibitions against applications appearing on government phones, which went from legislation to an interim rule in six months. Prohibitions can also be applied to contractors and personal phones used in the performance of a contract. 




Customizing your program


Apart from adapting to changes in the larger compliance environment, your compliance program must adapt to your organizational needs. For example, Kohm said, “A publicly traded consulting firm is going to have a compliance program that looks different than a regional, privately held firm. But they should be considering all the same issues. Ultimately, one size does not fit all.  Each firm will focus on specific areas of need.”




Related resources








This means carefully assessing the specifics of your industry, your ownership structure, your geographic reach, your contractor network, your client expectations, your data security vulnerabilities, and your operational risks. Then, you must discern the legal and financial consequences of different options. Based on that, you should set up a system which works for you, with a code of ethics, whistleblowing, enforcement, review processes, and technological enablement.


If done well, your program will permeate the company. But, to return to the first of the seven requirements, it should be driven by leadership. Ultimately, the contours of any compliance program are a board-level discussion — and decision.  






Our fresh thinking