Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for continuous controls monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, controls monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to controls monitoring, they may not be as aware of how to engage in the process. Put another way, how do you develop a methodology for building a controls monitoring process that yields sustainable, repeatable results?
I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained that their firm has a five-step process. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.
Brainstorm
Under this step, the controls monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the controls monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.
Acquire and Map Data
The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.
Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple controls processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International - Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third-party controls. All data should initially be secured and then transmitted to the controls monitoring tool. Of course, you need to take care that your controls monitoring tool understands and properly maps this data in the form that is submitted.
Write Queries
This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the controls monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:
Analyze and Report
In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.
Refine and Sustain
This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient controls, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.
If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of controls monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.