One point that many people miss about principles-based regulation is that it gives regulators an additional enforcement tool, other than addressing actions that are improper. That tool is a process audit.

Audits can be very useful. In 1990, Freddie Mac’s “internal audit” unit found severe problems in its Quality Control department (QC). QC was supposed to protect Freddie Mac from purchasing defective mortgages. (No, this was not the problem in 2005-2007. During those years, purchasing defective mortgages became a strategic objective–they might as well have abolished QC.)

The audit found that the QC’s internal management and reporting were so weak that there was no way of even knowing whether it was doing its job or not. I was one of the people brought in to help with that (internal audit ultimately gave us a passing grade).

But there is more to the story of QC. This was before automated underwriting, and it was up to human underwriters working for mortgage lenders to decide whether, say, a mortgage to a borrower with a 60-day late credit card bill could be sold to Freddie Mac or should be viewed as defective. Freddie Mac had some bright-line regulations, but there was a lot of allowance for exceptions, based on underwriting judgment.

It turned out that one of the most effective tools for QC, when working with high-volume lenders, was an “onsite audit,” where our staff would go to the mortgage lender’s office and examine the process of underwriting loans there. You could examine the training, the lender’s internal QC, and their management reporting. You could pull out loan files at random, interview underwriters to gauge their knowledge and experience, and so forth.

It is with that experience in mind that I think that if I were at a regulatory agency charged with implementing principles-based regulation, I would use audit teams. If a company really intends to comply with a principle, it will have a powerful executive responsible. It will have training programs in place. Low-level employees will understand how compliance with the principle affects their jobs. And so forth.

So don’t just think of principle-based regulation as an alternative criterion for prosecuting action X. Think of it as the basis for rigorous audits of corporate processes. These audits can expose weaknesses in systems and controls, so that the problems are corrected prior to any violation taking place.

Of course, that may not work in practice. But I believe it would be better to see it tried in some way than to just have it vetoed out of hand by those who criticize it in theory.