Compliance means "adherence to rules" - regardless of what kind of rule it is and who makes it. In the event of violations, the company's top management is directly liable. Organizations must therefore decide whether to implement a cross-company compliance management system (CMS) to ensure adherence to the rules. But it doesn't end there. How exactly does one verify the effectiveness of a CMS?


With regard to compliance management in small- and medium-sized companies (SMEs), the design and enforcement of a compliance management system (CMS) may at first glance appear to be a time-consuming economic burden for any company. However, if you look deeper, you will find interesting perspectives: supported by the management body, but also by a review of the appropriateness and effectiveness of the CMS by internal and external auditors, the compliance culture grows sustainably and opens up the opportunity for increasing corporate success and thus for increasing the value of the company.

What are the main motives for setting up a CMS?

The majority of SMEs see liability avoidance and the prevention of corruption as the most important motives for setting up a CMS. Increasingly, however, business partner requirements and reputation protection are also becoming more important. Corruption, competition law infringements and data protection are regularly at the top of the list of relevant compliance issues. Other top issues are labor and social standards in the company.

On the other hand, SMEs fear the additional burden on the organization associated with compliance in the form of so-called compliance bureaucracy. A sensible approach for SMEs will therefore have to differ significantly from that for large corporations.

Identify hazards

First of all, it is important that the company identifies its own compliance hazards by way of a risk analysis. Only in the risk areas identified as important should existing regulations and behaviors then be reviewed and, if necessary, supplemented. For example, companies can first check whether critical sub-areas of the company (e.g., data protection in human resources) or individual types of compliance (e.g., compliance with legal obligations in occupational health and safety) are covered. Put another way: compliance measures are reasonable and necessary precisely when they are based on this risk assessment.

Compliance management in SMEs: Relevant standards

Published in April 2021, the first standard to be mentioned here is of course ISO 37301:2021-04. The standard formulates requirements for compliance management systems with guidelines for application. The standard is available from Beuth. In the meantime, ISO 19600:2016-12 (Compliance management systems - Guidelines) has been withdrawn.

ISO 31000:2018-10 is also interesting from the perspective of risk orientation. The standard sets out guidelines for dealing with risks faced by companies. The standard is available from Beuth.

Audits to ensure effectiveness?

Particularly in view of the management duty of the legal representatives, a continuous effectiveness audit must be placed alongside the actual CMS. The reason for this lies in case law. Here, the management has to fulfill two tasks as part of its monitoring duty: On the one hand, it must monitor the measures established in the company to ensure compliance. Secondly, it must critically monitor their effectiveness - and do so regularly, not just on an ad hoc basis. This obligation applies to board members of stock corporations as well as to managing directors of limited liability companies.

"The effectiveness review of the CMS by an independent third party is the objective proof that monitoring obligations are fulfilled."

Monitoring is intended to ensure that the implemented principles (behavioral guidelines, policies, etc.) and measures (training, controls, etc.) of the CMS are suitable for preventing, significantly impeding, or timely detecting rule violations as defined by the CMS. The effectiveness of the CMS can be checked by internal and external controls:

  • Effectiveness monitoring through internal controls: Monitoring that is internal to the system is referred to as "internal control." This control is an essential component of a CMS and can also be referred to as quality management (QM). QM thus includes all measures, whether preparatory, accompanying or downstream, that contribute to creating or maintaining a previously defined quality of the CMS.
  • Effectiveness monitoring through external controls: Monitoring external to the system is referred to as "examination" or "audit". In this form of monitoring, the auditing entity is independent of the system and is not involved in bringing about its actual state. There is an advantage here in terms of independence. The CMS is audited by external auditors (e.g. lawyers, auditors, accredited certifiers such as DQS or other external experts).

Regular reviews - Well planned

To ensure the effectiveness of system-independent reviews, the intervals should be well planned. A review can be helpful whenever a CMS is newly implemented. In addition, external audits should be repeated on a regular basis every three to five years. Occasional reviews are carried out after compliance violations have been identified. However, even with an established CMS, it is becoming increasingly apparent that regular audits are regarded as de facto mandatory. In addition to process-related controls, the design, adequacy and effectiveness of CMSs should be regularly reviewed and independent system audits or certifications should ideally take place once a year and at least every three years.

Advantages of compliance audits

When it comes to compliance management in SMEs, added value can generally be expected from compliance audits as follows:

  • Optimization of existing processes
  • Perception of weaknesses in the CMS
  • Increasing the efficiency and effectiveness of the CMS
  • Introduction of modern standards
  • Establishment of a compliance culture
  • Increasing competitiveness
  • Security for the operational business
  • Securing sustainable corporate success
  • Increasing the value of the company

The right auditor - The most important decision criteria:

CMS effectiveness audits entail multidisciplinary requirements. Therefore, the auditor's professional expertise must come first.

  • The auditor must have relevant legal and business knowledge as well as industry experience.
  • The independence of the auditor must be guaranteed (independence in fact, but also independence in appearance with regard to the public).
  • The audit should have a high market reputation.
  • An example of an established auditing and certification standard is the IDW auditing standard "Principles of Proper Auditing of Compliance Management Systems" (IDW PS 980).
  • The results of external audits of the CMS can be used to "certify" an audited CMS. The certificate to be issued represents external proof of compliance with defined requirements for the CMS. It defines the validity period and scope of the certificate, the target object and audit procedure (subject, type and scope of the audit), as well as requirements for the independence and competence of the auditing body ("accreditation").


More about compliance audits by DQS

  • Valid analysis of compliance risks in your company
  • Systematic compliance with legal regulations
  • Effective reduction of liability risks
  • Improved corporate image


The management of an efficient and economical compliance management system can also be supported and further developed by an external audit. The auditor supports the company management in establishing and consolidating the compliance culture.

The prerequisite is the conscientious selection of the external expert. With superior possibilities for comparison, experience from other companies and the view of a neutral third party, the expert must be able to act as a valuable discussion partner. It is also important to select a suitable set of rules as a basis for external audits.

DQS: Simply leveraging Quality.

As an internationally recognized certifier for management systems and processes, DQS audits on more than 30,000 audit days per year. Our claim starts where audit checklists end: Take us at our word! We look forward to talking to you and will be happy to show you what the performance and quality of our audits are based on, which are:

  • Competent auditors with integrity and industry experience
  • Tailor-made solutions that are appropriate for your organization and your management system
  • Targeted identification of potential weaknesses and risks
  • Objective, comprehensible results and substantial decision-making aids
  • Internationally recognized certificates with high market acceptance
  • The follow-up of audit/analysis results including effectiveness checks of measures taken
  • Individual development and creation of criteria catalogs and evaluation systems

Do you have any questions?

Contact us - without obligation and free of charge.

Viola Beecken

Viola Beecken is an auditor and tax consultant with her own office in Hamburg, Germany, as well as an auditor of DQS for the auditing standard IDW PS 980 "Principles of proper auditing of compliance management systems". Furthermore, she is active in the field of quality assurance systems for auditors ("Peer Review") and tax consultants (ISO 9000:2015).
