Compliance Framework – CS Professional Study Material

Chapter 1 Compliance Framework – Secretarial Audit Compliance Management and Due Diligence ICSI Study Material is designed strictly as per the latest syllabus and exam pattern.

Compliance Framework – Secretarial Audit, Compliance Management and Due Diligence Study Material

Question 1.
Write short note on the following:
Risk of non-compliance (Dec 2014, 3 marks)
Answer:
Risk of non-compliance

The risks of non-compliance of the law are many:

  • Cessation of business activities
  • Civil action by the authorities
  • Punitive action resulting in fines against the company/officials
  • Imprisonment of the errant officials
  • Public embarrassment
  • Damage to the reputation of the company and its employees
  • Attachment of bank accounts.

Question 2.
Write note on the following:
Compliance programme (June 2015, 3 marks)
Answer:
Compliance Programmes:
Compliance programmes have the following three main purposes:

  1. They strive to prevent violation of law,
  2. Promote a culture of compliance, and
  3. Encourage good corporate citizenship.

Question 3.
Write short note on the following:
Compliance Risk (June 2018, 3 marks)
Answer:
Compliance risk is the current and prospective risk to earnings or capital arising from violations of, or non-conformance with, laws, rules, regulations, prescribed practices, internal policies, and procedures, or ethical standards. This risk exposes the institution to fines, civil money penalties, payment of damages, and the voiding of contracts. Compliance risk can lead to diminished reputation, reduced expansion potential and an inability to enforce contracts.

Question 4.
Write short notes on the following:
Compliance Dash Board. (Dec 2018, 3 marks)
Answer:
The compliance dashboard helps in simplifying the compliance obligation, effectively managing the compliance risk, facilitating board oversight, and effective co-ordination of functional units. Some of the features of an effective Compliance Dashboard are as follows:

  • The Compliance Dashboard should alert the company in the risk prone areas or in case of non compliances.
  • It should display the compliance obligations on the compliance calendar or dashboard.

Question 5.
Distinguish between the following:
‘Apparent’, ‘adequate’ and ‘absolute’ compliance. (Dec 2015, 3 marks)
Answer:
Apparent compliance is a disguised form of non-compliance, which is worse than non-compliance. The classic examples of apparent compliance are generating documents such as notice, agenda and minutes on paper for board and general meetings which are not actually held.

Adequate compliance is compliance in letter. The aspects specified in law are complied with in letter, without getting into the spirit of the law, e.g. box-ticking practices.

Absolute compliances are those which are in line with the spirit and intent of the law. A typical example in this regard is demonstrating shareholder democracy as prescribed by law. When a company complies with law in spirit it gains public confidence as well.

Question 6.
Examine and comment on the following:
Compliance audit is not a fault finding exercise; rather a device to scale-up compliance mechanism of a company, commensurate to its size and operations. (Dec 2014, 4 marks)
Answer:
Compliance audit involves a full process of research and analysis as well as investigation and evaluation. Such an exercise is undertaken in order to determine the potential issues and get a realistic view about how the entity is performing and how it is likely to perform in the future.

Question 7.
Explain the role of the Board of Directors in doing their oversight function on the subject of Compliance Management. How Company Secretary of the Company could play a significant role in helping the Board in institutionalizing an adequate and effective Compliance Management System? (June 2017, 7 marks)
Answer:
Role of the Board of Directors in doing their oversight function on the subject of Compliance Management

  • The Board should be updated on compliance with applicable laws at least every quarter; an update ensuring compliance by all functional heads, presented by the Compliance department/Chief Compliance Officer, helps in effective Board oversight.
  • The Compliance Management programme has to be revisited at regular intervals in tune with the business environment, regulatory changes etc.
  • The Board Members are expected to visit the Compliance Dashboard every day in overseeing the compliance level in the organization.
  • The Board should be updated on the applicable laws at regular intervals, which helps the Board in reviewing the compliance plan, overseeing compliances, reading the compliance dashboard etc.

Role of Company Secretaries in Compliance Management:
Corporate Compliance Management can add substantial business value only if compliance is done with due diligence. A Company Secretary is the ‘Compliance Manager’ of the company. It is he who ensures that the company is in total compliance with all regulatory provisions. Corporate disclosures, which play a vital role in enhancing corporate valuation, are the forte of a Company Secretary. These disclosures can be classified into statutory disclosures, non-statutory disclosures, specified disclosures and continuous disclosures. The SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 spell out elaborately the various aspects of disclosures which are to be made by the company, such as contingent liabilities, related party transactions, proceeds from initial public offerings, remuneration of directors and various details giving the threats, risks and opportunities under management discussion and analysis in the corporate governance report, which is published in the annual accounts duly certified by professionals like company secretaries. A Company Secretary has to ensure that these disclosures are made to shareholders and other stakeholders in true letter and spirit.

In a nutshell, the Company Secretary is the professional who guides the Board and the company in all matters, renders advice in terms of compliance and ensures that the Board procedures are duly followed, best global practices are brought in and the organisation is taken forward towards good corporate citizenship.

Question 8.
Hindustan Zinc Ltd. has issued the tender for developing Compliance Software for the Company. Webscroll Co. Ltd. was the successful bidder giving the lowest price bid. As a Compliance Solution provider, what are the approaches to be adopted by Webscroll Co. Ltd.? (5 marks)
Answer:
Compliance solution providers adopt the following approaches for creating or enhancing an ethics and compliance program for companies:

Risk/Cultural Assessment: Through employee surveys, interviews, and document reviews, a company’s culture of ethics and compliance at all levels of the organization is validated.

Program Design/Update: In this phase, compliance solution providers help company in creating guideline documents that outline the reporting structure, communications methods, and other key components of the code of ethics and compliance program.

Policies and Procedures: In this phase compliance solution providers help company to develop or enhance the detailed policies of the program, including issues of financial reporting, antitrust, conflicts of interest, gifts and entertainment, records accuracy and retention, employment, the environment, global business, fraud, political activities, securities, and sexual harassment, among others.

Communication, Training, and Implementation: Compliance solution providers help the company to clearly articulate, communicate, and reinforce not only the specifics of the program, but also the philosophy behind it and the day-to-day realities of it. In this way, key stakeholders and other personnel are more likely to embrace the program and incorporate it into their attitudes and behaviours.

Ongoing Self-Assessment, Monitoring, and Reporting: The true test of a company’s ethics and compliance program comes over time. How does one know in one year or five that both the intent and letter of the law are still being observed throughout the organization? How do the program and the organization adapt to changing legislation and business conditions? As the organization evolves, for example through mergers and acquisitions, will the program remain relevant? The cultural assessment, mechanisms, and processes put in place, including employee surveys, internal controls, and monitoring and auditing programs, help organisations achieve sustained success.

Question 9.
“Good Corporate Governance demands compliances level that match the intentions of Legislature, expectations of Stakeholders and requirements of Regulators”. Explain. (June 2019, 5 marks)
Answer:
Good Corporate Governance demands a compliance level that matches the intentions of the legislature, expectations of stakeholders and requirements of regulators. Compliance, however, is generally found to fall into three categories, i.e. Apparent Compliance, Adequate Compliance and Absolute Compliance.

Apparent compliance is a disguised form of non-compliance, which is worse than non-compliance. The classic examples of apparent compliance are generating documents such as notice, agenda and minutes on paper for board and general meetings which are not actually held.

Adequate compliance is compliance in letter. The aspects specified in law are complied with in letter, without getting into the spirit of the law, e.g. box-ticking practices.

Absolute compliances are those which are in line with the spirit and intent of the law. A typical example in this regard is demonstrating shareholder democracy as prescribed by law.

When a company complies with law in spirit it gains public confidence as well. Experts view the annual report as a self-appraisal report of the company. The shift from the shareholder concept to the stakeholder concept has necessitated the corporates to provide a transparent report which is viewed by all stakeholders such as shareholders, creditors, lenders, strategic investors etc. as a potential source of information. In order to attain corporate sustainability and to ensure a level playing field with the international market, corporates have to necessarily increase their level of compliance from apparent to adequate, leading to the level of absolute compliance.

Question 10.
Z Ltd. seeks your opinion on the role of the various levels of management for compliance ownership. Explain the role. (June 2019, 5 marks)
Answer:
The ownership of the various compliances has to be described function wise and individual wise. Clear description of primary and secondary ownership is also very important. While the primary owner is mainly responsible for the compliance, the secondary owner (usually the supervisor of the primary owner) has to supervise the compliance. The role of the various levels of management for compliance ownership can be illustrated as under:
(a) Top Management:

  • Understanding the compliance obligations and recent changes.
  • Approval of Policy and Procedures.
  • Motivating employees to ensure compliance on time.

(b) Legal Cell:

  • Identification of new and changed relevant local laws, regulations and standards.
  • Communication in Writing to compliance owner/ executor.
  • Review of systems, policies and Procedures.
  • Resolution of Doubts and Clarity in Directions.
  • Periodical Review and Assessment.

(c) Senior Management and functional Heads:

  • Analysis and research on the Regulatory changes.
  • Formation of Policy and procedure.
  • Motivating Compliance officer to ensure timely compliance.
  • Guiding compliance officer in executing compliance.
  • Tracking the Compliance chart.
  • Risk Escalation.
  • Conflict Resolution.

(d) Compliance Officer/ Subordinate staff:

  • Performing Compliance Obligations.
  • Updating Compliance obligations into the Compliance Chart.
  • Risk Identification and intimation.
  • Conflict intimation.

Question 11.
Explain the process of Compliance Risk Mitigation indicating various risks of non-compliance. (Dec 2020, 5 marks)
Answer:
Compliance Risk Mitigation is the process of developing and implementing controls such as standards, policies, procedures and guidelines to prevent or minimise risks arising from compliance obligations. From time to time, the company may issue a policy that must be implemented at the local level. If a corporate policy does not encompass local obligations of any unit of the company, a local policy to facilitate the effective management of the identified compliance risk must be developed. Framework components, policies and procedures must be developed and communicated and should be placed either on the local server accessible to all employees or at prominent places in the organization, so employees understand their obligations (e.g. how to make a whistle blower report, complaints handling process, gifts, entertainment and anti-bribery procedures, etc.).

All documentation must be easily accessible to employees. Maintenance of the supporting material can be in the form of a manual, handbook or other physical or electronic means.

Various Risks of Non-compliance:
The risks of non-compliance of the law are many, which include the following:

  • Cessation of business activities
  • Civil action by the authorities
  • Punitive action resulting in fines against the company/officials
  • Imprisonment of the errant officials
  • Public embarrassment
  • Damage to the reputation of the company and its employees
  • Attachment of bank accounts.

Question 12.
Unique Ltd., a start-up company launched in the year 2019, manufactures electric two-wheelers. Jayco, the Company Secretary was discussing the corporate compliance framework of the company. One of the consultants suggested that the Compliance Chart is a vital part of the framework and the company must at present first focus on preparation of the Compliance Chart. Explain the activities in preparation of a compliance chart and its contents. (Aug 2021, 5 marks)
Answer:
The compliance chart of a company is prepared after considering the operations and the structure of the company as the compliance requirements for an organization are based on the type of organization, activity of the organization, scale of operations, industry, sector in which the company operates and laws which are specifically applicable to the company.
Broadly, the compliance chart is prepared by considering the following activities:

  • Identification of compliances under applicable Laws, Rules and Regulations
  • Risk Assessment
  • Risk Mitigation (includes Training)
  • Compliance Monitoring (includes Action Tracking)
  • Compliance Reporting (includes Incident Management)

The Compliance Chart of any company must contain the complete information on compliance dashboard, which provide a detailed compliance procedure to the compliance executor, this information includes:

  • Reference to the key compliance related laws, regulations, industry standards and compliance related policies and standards of the company;
  • Concise statements that capture the relevant internal and external compliance obligations and the risks associated with those obligations;
  • Inherent and managed risk level (critical, high, medium, low) of the identified obligations;
  • The business processes or people to which the compliance obligations are linked or on which they have an impact;
  • Specific compliance risk mitigation activities and compliance risk tracking and monitoring for managing the compliance obligations;
  • To whom and how frequently compliance related results and findings are reported; and
  • Clear ownership of the processes, activities and obligations outlined in the chart.

Such compliance chart must be practical and concise on the role and responsibilities of the management and of the compliance officer who is specifically responsible for existing and newly identified business activities.

Question 13.
The audit of Financial Statements in respect of Spinex Ltd. for the year ended 31st March, 2021 was not completed due to difference of opinion on certain accounting matters between the Management and the Statutory Auditors. Hence, the company was not able to hold its Annual General Meeting (AGM) within the statutory timelines. As the AGM was not conducted the Company Secretary was in a dilemma whether to file the Annual return. Advise the Company Secretary. (Aug 2021, 5 marks)
Answer:
According to section 92(4) of the Companies Act, 2013, where no Annual General Meeting (AGM) is held in a particular year, the Annual Return has to be filed within 60 days from the last day on which the annual general meeting should have been held together with the statement specifying the reasons for not holding the annual general meeting, with such fees or additional fees as may be prescribed.

Consequently, the company cannot excuse itself from the obligation to file the Annual Return on the plea of the AGM not having been held. As per the proviso to Section 403(1), if the Annual Return under section 92 is not filed within the due date, the same can be filed on payment of additional fee as may be prescribed, which shall not be less than ₹100 per day and different amounts may be prescribed for different classes of companies.

Where there is default on two or more occasions in submitting, filing, registering or recording of the document, fact or information, it may, without prejudice to any other legal action or liability under this Act, be submitted, filed, registered or recorded, as the case may be, on payment of a higher additional fee, as may be prescribed and which shall not be lesser than twice the additional fee provided under the first or the second proviso as applicable.

Also, where a company fails or commits any default to submit, file, register or record any document, fact or information, before the expiry of the period specified in the relevant section, the company and the officers of the company who are in default, shall, without prejudice to the liability for the payment of fee and additional fee, be liable for the penalty or punishment provided under this Act for such failure or default.

Thus, management cannot escape from the responsibility of filing the return, if the AGM is not held. Similarly, the responsibility cannot be abandoned even if the company is inoperative. This section casts an important obligation on the part of management to file the returns and can be relinquished only when the company is wound-up or its name struck-off from the Register maintained by the Registrar of Companies.

Question 14.
Sames Ltd. is a recently listed company. To cater to the growing reporting requirements, the company recruited various professionals across its finance and secretarial team. The Company Secretary was requested to prepare a Compliance training and education programme for providing training to the new recruits. Briefly explain the objective and contents of such Compliance training programme. (Aug 2021, 5 marks)
Answer:
Objective of Compliance Training Program
A strong Compliance training and education programme reinforces the company’s compliance culture. It builds awareness and understanding of compliance standards, procedures, guidelines and issues. The objective of Compliance training programme is to build awareness and understanding of:

  • Company Framework, including the four conduct-related integrity risk areas;
  • Roles and responsibilities outlined in the policies and framework;
  • Critical and high compliance obligations identified in the Compliance Chart;
  • The process for addressing compliance issues and reporting concerns, and
  • Consequences of failing to meet compliance obligations.

An annual plan for Compliance Risk related training and education must be developed and updated, as necessary, and should indicate the target audience and training delivery method. Compliance Risk related training program should, to the extent possible, be integrated into the training plans.

Contents of Compliance Training Program
The plans for compliance training and education program must include:

  • Concise statements that capture the relevant internal and external compliance obligations and the risks arising from those obligations;
  • The business processes to which the compliance obligations are linked or on which they have an impact;
  • Brief description of the training or education activity;
  • Target audience (refresher for existing Employees, induction for new Employees, or Adhoc when required);
  • Frequency of training or education activity.

Question 15.
“The Compliance Chart of any company must contain the complete information on compliance dashboard, which provide a detailed compliance procedure to the compliance executor”. As a Company Secretary, list out the various content of the Compliance Chart. (Dec 2021, 5 marks)
Answer:
Content of Compliance Chart
The Compliance Chart of any company must contain the complete information on compliance dashboard, which provide a detailed compliance procedure to the compliance executor.

This information includes:

  1. Reference to the key compliance related laws, regulations, industry standards and compliance related policies and standards of the company;
  2. Inherent and managed risk level (critical, high, medium, low) of the identified obligations;
  3. Concise statements that capture the relevant internal and external compliance obligations and the risks arising from those obligations;
  4. Specific compliance risk mitigation activities and compliance risk tracking and monitoring for managing the compliance obligations;
  5. The business processes or people to which the compliance obligations are linked or on which they have an impact;
  6. Clear ownership of the processes, activities and obligations outlined in the chart;
  7. To whom and how frequently compliance related results and findings are reported.

Such compliance chart must be practical and concise on the role and responsibilities of the management and of the compliance officer who is specifically responsible for existing and newly identified business activities.

Question 16.
You are the Company Secretary of the newly formed company Star Infrastructure Ltd. Your chairman has asked you to prepare a compliance chart. What are the various points you would mention in the compliance chart? (June 2022, 5 marks)

Question 17.
What are the various risks a company may face for non-compliance of law? (June 2022, 5 marks)

Question 18.
ABC Ltd. is having a paid up capital of ₹ 1,000 crore and annual turnover of ₹ 2,500 crore. The company has asked you, as a Company Secretary in Practice, to advise it on preparation and finalization of its Compliance Management Framework. Give your advice. (Dec 2020, 5 marks)
Answer:
Any corporate compliance management framework encompasses the various steps relating to Compliance Identification, Compliance Ownership, Compliance Awareness, Compliance Reporting and Periodical Compliance MIS.

The Compliance Identification involves the identification of compliances under various legislations applicable to the company, in consultation with the functional heads. The legal team has to identify the legislations applicable to the company and identify the compliances that are required under each legislation or rules and regulations made there under.

The Compliance Ownership of the various compliances has to be described function wise and individual wise. Clear description of primary and secondary ownership is also very important. While the primary owner is mainly responsible for the compliance, the secondary owner (usually the supervisor of the primary owner) has to supervise the compliance. Ex: Secretarial Officer/Company Secretary may be primarily responsible.

The Compliance Awareness covers the establishment of the legal compliance management and creation of awareness of the various Legal Compliances amongst those responsible. Sometimes the compliances are handled by persons who are not fully aware of the requirements of the legislations and hence creating appropriate awareness amongst the owners is very important. This could be done in the form of meetings/trainings explaining the various compliances or some manual containing the details of compliances.

In the process of Compliance Reporting, the status of compliances or non-compliances should be communicated to the concerned. Reporting of non-compliances ensures that appropriate corrective action is being taken by the responsible person in case of the failure in doing compliances.

Question 19.
Ashok, the Managing Director (MD) of XYZ Ltd., has observed that some confidential information has leaked in the company. MD has called the Company Secretary and asked him to prepare Standard Operating Procedure (SOP) for protecting the confidential information. Suggest the matters for inclusion in the SOP. (June 2022, 5 marks)

Question 20.
Write a short note on significance of corporate compliance management.
Answer:
Compliance with the requirements of law through a compliance management programme can produce positive results at several levels:

  • Companies that go the extra mile with their compliance programs lay the foundation for the control environment.
  • Companies with effective compliance management programme are more likely to avoid stiff personal penalties, both monetary and imprisonment.
  • Companies that embed positive ethics and effective compliance management programme deep within their culture often enjoy healthy returns through employee and customer loyalty and public respect for their brand, both of which can translate into stronger market capitalization and shareholder returns.
  • Safety valve against unintended non compliances/ prosecutions, etc.
  • Cost savings by avoiding penalties/fines and minimizing litigation
  • Better brand image and positioning of the company in the market
  • Enhanced credibility/creditworthiness that only a law abiding company can command
  • Goodwill among the shareholders, investors, and stakeholders.
  • Recognition as Good corporate citizen.

Question 21.
Explain the content of compliance chart.
Answer:
The Compliance Chart of any company must contain the complete information on compliance dashboard, which provide a detailed compliance procedure to the compliance executor, this information includes:

  • Reference to the key compliance-related laws, regulations, industry standards and compliance related policies and standards of the company;
  • Concise statements that capture the relevant internal and external compliance obligations and the risks arising from those obligations;
  • Inherent and managed risk level (critical, high, medium, low) of the identified obligations;
  • The business processes or people to which the compliance obligations are linked or on which they have an impact;
  • Specific Compliance Risk mitigation activities and Compliance Risk tracking and monitoring for managing the compliance obligations;
  • To whom and how frequently compliance-related results and findings are reported;
  • Clear ownership of the processes, activities and obligations outlined in the Chart.

Question 22.
“A strong Compliance training and education programme reinforces Company compliance culture” Comment.
Answer:
A strong Compliance training and education programme reinforces Company compliance culture. It builds awareness and understanding of Compliance standards, procedures, guidelines and issues. Specifically, it should build awareness and understanding of:

  • Company Framework, including the four conduct-related integrity risk areas;
  • Roles and responsibilities outlined in the policies and Framework;
  • Critical and high compliance obligations identified in the Compliance Chart;
  • The process for addressing compliance issues and reporting concerns and
  • Consequences of failing to meet compliance obligations.

Compliance Framework Notes:

Compliance Chart is prepared by considering the following activities:

  • Identification of Compliance applicable Laws, Rules and Regulations
  • Risk Assessment
  • Risk Mitigation (includes Training and Education)
  • Compliance Monitoring (includes Action Tracking)
  • Compliance Reporting (includes Incident Management)

Compliance Risk monitoring plan must include:

  • Critical and high Compliance Risks, focusing on inherent and managed risk levels;
  • Key Compliance Risk mitigation activities;
  • Routine business transactions to which compliance obligations or risks are associated;
  • The implementation / embedding of the Framework and all policies issued by the corporate compliance department;
  • Compliance with the laws, regulations and standards included in the Chart, including the Company Values and
  • The obligations that have been delegated to the Compliance Function (e.g. Complaints Handling, Privacy related obligations)

The Plans for compliance training and education programme must include:

  • Concise statements that capture the relevant internal and external compliance obligations and the risks arising from those obligations;
  • The business processes to which the compliance obligations are linked or on which they have an impact;
  • Brief description of the training or education activity;
  • Target audience (refresher for existing Employees, induction for new Employees, or Adhoc when required);
  • Frequency of training or education activity.

Compliance Audits:
As per CAG Auditing Standards, the compliance audit is the independent assessment of whether a given subject matter is in compliance with applicable authorities identified as criteria. Compliance audits are carried out by assessing whether activities, financial transactions and information comply, in all material respects, with the authorities who govern the audited entity. Compliance auditing may be concerned with:

  • Regularity: adherence of the subject matter to the formal criteria emanating from relevant laws, regulations and agreements applicable to the entity
  • Propriety: observance of the general principles governing sound financial management and the ethical conduct of public officials.

Compliance Reporting:
Compliance reporting allows Management and the Compliance function to assess whether Compliance Risks exceed the risk appetite of the Company. Compliance Reporting also allows for communication and discussion of potential Compliance Risks. Management and the Compliance officer are responsible for gathering information, and then analysing and communicating the results so that informed, timely decisions can be made.
At least quarterly, reports should be discussed at the Risk Management Committee meeting.

The risks of non-compliance of the law are many, which include the following:

  • Cessation of business activities
  • Civil action by the authorities
  • Punitive action resulting in fines against the company/officials
  • Imprisonment of the errant officials
  • Public embarrassment
  • Damage to the reputation of the company and its employees
  • Attachment of bank accounts.

Cyclical Reporting and Incident Reporting:
In Cyclical Reporting, on at least a quarterly basis, the Compliance officer works with Management and other risk functions to provide non-financial risk reporting. However, the Management may require more frequent or other types of Compliance-Risk related reporting, whereas in incident reporting the material compliance incidents are reported, which need to be handled through the risk management process. Material compliance incidents are defined as events that have an effect on the company’s integrity, damaging company reputation, legal or regulatory sanctions, or financial loss, as a result of a failure (or perceived failure) to comply with applicable compliance related laws, regulations and standards.
