Cannabis businesses: Are you prepared for a compliance audit?

Written By Ed Nodland

The cannabis industry is a highly regulated industry. There are several types of compliance audits and several different parties that may require an assessment of your operation. There are supplier audits if you are in the supply chain. The State licensing and enforcement department is certain to drop in now and then. There are fire, worker safety, and food handling inspections.

More banks are beginning to work with CRBs (Cannabis-Related Businesses). Banks are required by FinCEN, the Financial Crimes Enforcement Network, a bureau of the U.S. Department of the Treasury, to know that their CRB customers are not directly or indirectly violating any of the eight FinCEN priority concerns. This requires banks and credit unions to conduct an initial in-depth audit and periodic audits to monitor compliance.

Banks and credit unions will only want to work with state-legal CRBs and they will want to reduce their own risk. Banking is a highly regulated industry. When a bank works with CRB customers they are required to conduct extensive due diligence and ongoing monitoring of their CRB clients.

A man kneeling down in a cannabis greenhouse.

The cannabis industry is highly regulated. Businesses should always be prepared for audits by regulators and inspectors. Stock photo by Vecteezy

Cannabis business owners can be prepared for an audit with these 4 steps

1. Conduct an internal audit

Conducting an internal audit provides an understanding of what to expect during a second or third-party audit or inspection. An internal audit can be conducted by an independent external auditor or by your own staff as a self-audit. To perform a self-audit you need to develop or acquire an audit program. An audit program is developed from applicable compliance criteria that are transformed into questions and checklists.

2. Get your operations in order

After the internal audit you will want to take action to correct any issues. Cannabis compliance and operational criteria and issues fall into several categories that often expand into many more subcategories.

  • Licensing and ownership records

  • Documentation of policies, processes, and procedures

  • As applicable, good agricultural, manufacturing, testing, or retail procedures

  • Environmental protection and waste handling

  • Facilities, equipment, tools, and systems

  • Security systems and procedures including adverse event handling

  • Staff qualifications and training

  • Consistent execution of procedures

  • Production issue detection, corrective action, and process improvement procedures

  • Product quality, testing, packaging, and labeling

  • Business to business transactions

  • Consumer transactions, if applicable

  • Operational record keeping

  • Financial reconciliation with product tracking and inventory

  • Marketing restrictions

  • Workplace safety and health, including fire safety and disaster preparedness

  • Management and HR systems and procedures

Depending on the purpose and scope of an audit, a good auditor will conduct thorough reviews, interviews, and inspections to ensure that the following items are in place or occurring for each of the categories listed above. An experienced auditor can recognize a business that takes quality and safety seriously. An internal audit should ensure:

  • Policies are established and documented

  • Processes and procedures are documented

  • Facilities, equipment, tools, and systems are inplace and maintained

  • Staff is trained to meet all policies and perform job responsibilities as required

  • Policies and procedures are followed

  • Measures are in place to detect and correct issues

  • A culture of quality and safety exists

  • Business and production records are maintained and retained

To prepare for an external third-party audit your internal audit should address all of these matters.

3. Educate your staff

The staff should know:

  • The purpose and objective of the audit

  • The company policies, regulatory compliance criteria, and the applicable business and production procedures

  • How to access policy and process documentation that covers their employee and job responsibilities

  • How to work with the auditor(s)

  • How to answer audit questions

They should be able to:

  • Redirect questions that they are not responsible for to the appropriate manager

  • Be honest

  • Not make excuses or respond with uncertainty (An answer of, "I will get that information" is better than an, "I don't know" response)

For an internal audit, everyone should provide plenty of detail and expose issues to guide internal corrective and improvement activities. For a government licensing and enforcement department audit, a.k.a. inspection, they should answer without excessive detail but always answer honestly.

4. Pay attention to the small things

The major elements of compliance must be in order when being audited. By having routines that address small items, your company demonstrates that it takes business and quality seriously and has the understanding and capability to operate as a top-class organization. Your operation should be clean and orderly. Follow all regulations with the auditor for signing in, issuing a visitor badge, hairnets in food handling areas and other actions as required. Plan for the needs of the auditor such as a designated workspace where they can sit and make notes, or a room where they can review documents and records.

Everyone wants to help

It has been said that cannabis is a budding industry. Everyone wants the legal cannabis industry be successful. At this point in time everyone is learning and working together to make this happen. Some states and countries have had legal cannabis in one form or another for several years while others are just entering this industry. There is a wide variety of regulations and adoption of standards throughout the industry.

State regulators and inspectors want to help the legal operators succeed to force the illicit operations out of business for several reasons. Downstream business customers want to know that the products they receive meet safety and quality standards and are from legal suppliers. Investors obviously want your business to be a success and bankers want to help their clients meet compliance requirements so that the bank is not held accountable for money laundering or violating other federal financial regulator requirements.

Open, honest, and constructive relationships with regulators, community organizations, local law enforcement, customers, investors, and bankers is in everyone’s best interest.

To get more information about conducting compliance audits or implementing reliable compliance processes contact us.

Ed Nodland
Next

Clock is ticking on USDA testing requirement for hemp