Are You Prepared For a Compliance Audit?
July 08, 2019 · 4 minutes
The cannabis industry is a highly regulated industry. There are several types of compliance audits and several different parties that may require an assessment of your operation. There are supplier audits if you are in the supply chain. The State licensing and enforcement department is certain to drop in now and then. There are fire, worker safety, and food handling inspections.
More banks are beginning to work with CRBs (Cannabis-Related Businesses). Banks are required by FinCEN1, the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury to know that their CRB customers are not directly or indirectly violating any of the eight FinCEN priority concerns. This requires banks and credit unions to conduct an initial in-depth audit and periodic audits to monitor compliance.
Banks and credit unions will only want to work with state-legal CRBs and they will want to reduce their own risk. Banking is a highly regulated industry. When a bank works with CRB customers they are required to conduct extensive due diligence and ongoing monitoring of their CRB clients.
1 See "What Does the FinCEN Guidance Mean for Banks?" for details.
Cannabis business owners can be prepared for an audit with these 4 steps
1. Conduct an Internal Audit2
Conducting an internal audit provides an understanding of what to expect during a second or third-party audit or inspection. An internal audit can be conducted by an experienced external auditor or by your own staff as a self-audit. To perform a self-audit you need to develop or acquire an audit program. An audit program is developed from applicable compliance criteria that are transformed into questions and checklists. See the post titled, “Developing an Audit Program” for more details.
2 An internal audit refers to an audit that is conducted for internal reasons by an independent auditor or as a self-audit. See the posting titled, "Perspectives on the Scale, Objectives, and Types of Audits?"
2. Get Your Operations in Order
After the internal audit you will want to take action to correct any issues. Cannabis compliance and operational criteria and issues fall into several categories that often expand into many more subcategories.
- Licensing and ownership records
- Documentation of policies, processes, and procedures.
- As applicable, good agricultual, manufacturing, testing, or retail procedures
- Environmental protection and waste handling
- Facilities, equipment, tools, and systems
- Security systems and procedures including adverse event handling
- Staff qualifications and training
- Consistent execution of procedures
- Production issue detection, corrective action, and process improvement procedures
- Product quality, testing, packaging, and labeling
- Business to business transactions
- Consumer transactions, if applicable
- Operational record keeping
- Financial reconciliation with product tracking and inventory
- Marketing restrictions
- Workplace safety and health, including fire safety and disaster preparedness
- Management and HR systems and procedures
Depending on the purpose and scope of an audit, a good auditor will conduct thorough reviews, interviews, and inspections to ensure that the following items are in place or occurring for each of the categories listed above:
- Policies are established and documented
- Processes and procedures are documented
- Facilities, equipment, tools, and systems are inplace and maintained
- Staff is trained to meet all policies and perform job responsibilities as required
- Policies and procedures are followed
- Measures are inplace to detect and correct issues
- A culture of quality and safety exists3
- Business and production records are maintained and retained
3 An experienced auditor can recognize a business that takes quality and safety seriously
To prepare for an external third-party audit your internal audit should address all of these matters.
3. Educate your Staff
The staff needs to know:
- The purpose and objective of the audit
- The company policies, regulatory compliance criteria, and the applicable business and production procedures
- How to access policy and process documentation that covers their employee and job responsibilities
- How to work with the auditor(s)
- How how to answer audit questions
- To redirect questions that they are not responsible for to the appropriate manager
- To be honest
- To not make excuses or respond with uncertainty. An answer of, "I will get that information" is better than an, "I don't know" response
For an internal, audit everyone should provide a lot of detail and expose issues to guide internal corrective and improvement activities. For a government licensing and enforcement department audit, a.k.a.inspection, they should answer without excessive detail but always answer honestly.
4. Pay Attention to the Small Things
The major elements of compliance must be in order and having routines that address the small items shows that your company takes business and quality serious and have the understanding and capability to function as a top class operation. Your operation should be clean and orderly, Follow all regulations with the auditor for signing in, issuing a vistor badge, hairnets in food handling areas and other actions as required. Plan for the needs of the auditor such as workspace to sit and make notes or room to review documents and records.
Everyone Wants to Help
It has been said that cannabis is a budding industry. Everyone wants the legal cannabis industry be successful. At this point in time everyone is learning and working together to make this happen. Some states and countries have had legal cannabis in one form or another for several years while others are just entering this industry. There is a wide variety of regulations and adoption of standards throughout the industry.
State regulators and inspectors want to help the legal operators succeed to force the illicit operations out of business for several reasons. Downstream business customers want to know that the products they receive meet safety and quality standards and are from legal suppliers. Investors obviously want your business to be a success and bankers want to help their clients meet compliance requirements so that the bank is not held accountable for money laundering or violating other federal financial regulator requirements.
Open, honest, and constructive relationships with regulators, community organizations, local law enforcement, customers, investors, and bankers is in everyone’s best interest.
To get more information about conducting compliance audits or implementing reliable compliance processes contact us