FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.

Aug 7, 2017

Third parties still present the highest risk around FCPA compliance. It is therefore critical that you use monitoring and auditing when it comes to continuous improvement for this high-risk area. Today I want to consider three aspects of a company’s audit program for its compliance function: the types and purpose of third-party audits, planning for third-party audits and interviewing third parties.

Aug 7, 2017

Today I visit with Timur Khasanov-Batirov. Tim is a compliance practitioner with a focus on high-risk markets and author of the practical guide “Integrity Corp. 50 Tips for Your Compliance Program in the Post-Soviet States.” Timur has worked in compliance, legal, consulting, and corporate governance roles in Russia, Uzbekistan, the United States, Kazakhstan, and Ukraine. He has successfully launched and supervised execution of compliance programs for global and local businesses in the mining, energy, and pharmaceutical industries.

Tim has also recently released the first two installments of Compliance Man, the first graphic novel of a compliance practitioner. You can find out more about Tim on his firm’s website, Complianceinpostussr.com.

We look at the former Soviet Union states, one of the most interesting regions for compliance professionals. We will touch on 10 hot questions on corporate ethics in this region. Tim answers the following questions:

1: Can we define this region as a single territory for the Compliance program structuring?

2: What regulatory trends should be taken in consideration by compliance practitioners in charge of this geography?

3: What is the biggest challenge in embedding corporate Compliance program in this region?

4:  Do you have any practical recommendations as to “dissemination of integrity” among personnel locally?  

5: Is it legally permissible to deploy our FCPA/UKBA programs in the countries of the region?

6: What is the most effective way to deliver training in this part of the world?

7: Are there any important things to remember when imposing penalties for misconduct on local personnel?

8: Do people on the ground appreciate compliance & ethics efforts?

 

Aug 5, 2017

Show Notes for This Week in FCPA-Episode 64, for the week ending August 4, the 10 Year Anniversary Edition

In this special Saturday edition, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:

 Net 1 UEPS Technologies, Inc. obtains a full declination. Yet the company went through the investigation after being turned in by a competitor. Bryan Cave attorneys Mark Srere and Kristin Robinson explore in their article FCPA Investigations – Competitors Dropping the Dime.

  1. OFAC brings an enforcement action against a non-US company. See article in the FCPA Blog.
  2. Financial health as an indicia for third parties and corruption. See Tom’s article What is the Financial Health of Your Third Parties.
  3. MasterCard uses a Richard Bistrong video in its compliance training. See article by Sam Rubenfeld in WSJ.
  4. After 10 years, the FCPA Blog is still dancing. See Dick Cassin’s article in the FCPA Blog.
  5. Across the Board premieres. In this new podcast, I explore issues relating to the Board of Directors, risk management and corporate governance. In Episode 1, Richard Lummis and I consider the role of the Uber Board of Directors in the company’s struggles. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  6. This month’s podcast series on One Month to a More Effective Compliance program has premiered. In August I review how to have greater continuous improvement in your compliance program. Affiliated Monitors is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  7. Jay reports on the state of compliance in Mexico and Panama.
  8. Jay discusses his latest piece for the SCCE Magazine, How compliance can be a business advantage.

 

Aug 4, 2017

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for continuous controls monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, controls monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to controls monitoring, they may not be as aware of how to engage in the process. Put another way, how do you develop a methodology for building a controls monitoring process that yields sustainable, repeatable results? 

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained that their firm has a five-step process. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain. 

Brainstorm 

Under this step, the controls monitoring specialist, a subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, the controls monitoring queries should be selected and prioritized. This initial meeting should include company representatives from a variety of disciplines, including the compliance, audit, IT, legal and finance departments; sales and business development may also need to be considered for this initial brainstorming session.

Acquire and Map Data 

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and how to ensure files are viewable only by team members with a “need to know”. Balancing consists of comparing the number of records, checksums, and control totals from the source file (as computed by the file export) with the re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example, if you are required to obtain year-end data, year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year-end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple controls processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Assets Control (OFAC), the Transparency International - Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlations between spending and sales may be significant. Finally, do not forget external data sources such as your third-party controls. All data should initially be secured and then transmitted to the controls monitoring tool. Of course, you need to take care that your controls monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries 

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the controls monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following: 

  • Business courtesies provided to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments. 

Analyze and Report 

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally, at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor-to-employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and whether such payments were within your contract’s terms and conditions.

Refine and Sustain 

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine the process through the addition or deletion of input files, changes to thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely, if your selected amount was so low that it did not generate sufficient controls, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of controls monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking. 
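The balancing check from Acquire and Map Data and two of the queries named above (round dollar disbursements and the duplicate-payment review), as an added Python example that is not from the original post or from Visual Risk IQ. The export layout, the field names, the use of SHA-256 as the checksum and the definition of "round" as a whole multiple of 100 are assumptions, and the payment rows are constructed sample data.

```python
import csv
import hashlib
import io
from collections import defaultdict
from decimal import Decimal

# Constructed accounts-payable export; layout and values are assumptions.
SOURCE_EXPORT = (
    "payment_id,vendor_id,invoice,amount,country\n"
    "P001,V100,INV-7,1250.40,US\n"
    "P002,V200,INV-9,5000.00,KZ\n"
    "P003,V300,INV-3,812.15,DE\n"
    "P004,V200,INV-9,5000.00,KZ\n"
    "P005,V400,INV-1,300.00,UA\n"
)


def parse(data):
    """Parse the export text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(data)))


def manifest(data):
    """Record count, control total and checksum for one copy of the file."""
    rows = parse(data)
    return {
        "records": len(rows),
        "control_total": sum((Decimal(r["amount"]) for r in rows), Decimal("0")),
        "sha256": hashlib.sha256(data.encode("utf-8")).hexdigest(),
    }


def balance(exported, imported):
    """Return the manifest fields that disagree; an empty list means balanced."""
    source, loaded = manifest(exported), manifest(imported)
    return [field for field in ("records", "control_total", "sha256")
            if source[field] != loaded[field]]


def round_dollar(rows, threshold, unit=Decimal("100")):
    """Payment ids at or above `threshold` that are whole multiples of `unit`."""
    hits = []
    for r in rows:
        amount = Decimal(r["amount"])
        if amount >= threshold and amount % unit == 0:
            hits.append(r["payment_id"])
    return hits


def duplicate_payments(rows):
    """Groups of payment ids that share vendor, invoice and amount."""
    groups = defaultdict(list)
    for r in rows:
        key = (r["vendor_id"], r["invoice"], Decimal(r["amount"]))
        groups[key].append(r["payment_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


if __name__ == "__main__":
    # Simulate an import that silently lost one record.
    dropped = SOURCE_EXPORT.replace("P003,V300,INV-3,812.15,DE\n", "")
    print("identical copy:", balance(SOURCE_EXPORT, SOURCE_EXPORT))
    print("row dropped:   ", balance(SOURCE_EXPORT, dropped))
    rows = parse(SOURCE_EXPORT)
    print("round dollar, threshold 1000:", round_dollar(rows, Decimal("1000")))
    print("round dollar, threshold 100: ", round_dollar(rows, Decimal("100")))
    print("duplicate payments:", duplicate_payments(rows))
```

A change to a non-amount field leaves the record count and control total intact and is caught only by the checksum, which is why balancing compares all three. Moving the round-dollar threshold changes how many exceptions come back, the adjustment described under Refine and Sustain.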

Three Key Takeaways

  1. Create a process to monitor your controls.
  2. Use a compliance subject matter expert to work with your internal controls specialist to develop queries from the compliance perspective.
  3. Finally, do not forget the feedback loop nature of the process by integrating your results going forward. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 3, 2017

Next I consider how the Internal Audit (IA) function can be used to facilitate more effective continuous improvement. According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are to maintain its independence; to conduct auditing activity of awareness and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow up of recommendations made in IA reports, including those relating to compliance and ethics risks, including to track and report on management follow up; to assist and collaborate on internal investigations, including having IA provide audit expertise in dealing with internal controls and financial data; and to assist in both design and auditing of internal controls and follow up as required. Clearly this is a function which is and should be integrated into compliance.

IA is doing compliance all the time as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether the employees are aware of standards of business conduct; whether they are aware of the anti-corruption policies; what controls are in place; and whether they are effective in the implementation locally.

It should be apparent there are numerous benefits to compliance having a closer and more robust integration with IA. Some of the more obvious ones include some of the topics I have previously explored this week, such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issues, broad awareness of compliance risks as they relate to the process or audit issues, and an overall strengthening of the IA network throughout the company. Another area is the leveraging of joint vendor resources that would be available to both, such as professional development, forensic accounting and other professional consultants, and having ethics and compliance insights when making recommendations that are derived from internal audits.

One area which IA brings insight to that is critical to compliance but not well understood by compliance practitioners, particularly those with a legal background, is in internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4 asks the following, “Gatekeepers: Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?”

When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. By doing so, it allows compliance to impart the need to determine how the internal controls, their design and effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA so an audit plan is as strong as possible given the time and resources available to pursue the audit.

From the compliance aspects, IA is really kind of the watchdog or monitoring facility for the entire company. This dovetails explicitly into this ‘gatekeeper’ function. Additionally, and depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist to operationalize compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various legal requirements or compliance requirements. I have certainly seen numerous instances where internal audit in doing a country audit in a country in Europe, would make some of the following inquiries: "Are these people aware of standards of business conduct? Are they aware of the anti-corruption policies; and What controls are in place and are those effective in the implementation locally?" Depending on the answers to these audit inquiries, compliance or better yet, compliance in conjunction with audit and HR could develop a remediation plan.

With such integration both groups benefit. IA can perform stronger investigations around enterprise risks and internal controls issues, through a broader awareness of compliance risks which might occur related to audit issues or audit processes. Such integration can work to strengthen IA's network throughout the company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants and provide additional compliance insights when making recommendations following internal audits.

For its part, the compliance function can leverage IA resources and professionals, on audit techniques and analysis of internal controls. Equally such integration extends the corporate compliance influence through the company’s IA network using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits so compliance is more fully able to participate in recommendations and follow up. 

Three Key Takeaways

  1. Internal audit can be used to provide continuous improvement to and for compliance.
  2. Internal audit can also fill a gatekeeper role in your compliance regime.
  3. Compliance should leverage IA resources and professionals, on audit techniques and analysis of internal controls. 

Aug 3, 2017

In this inaugural podcast of Across the Board, I consider the Holder Report to the Uber Board of Directors, which led to the resignation of CEO Travis Kalanick. In June, the law firm of Covington & Burling LLP (Covington), released its long-awaited report (Report) to the Special Committee of the Board of Directors of Uber Technologies, Inc. (Uber). It is truly one of the most unique corporate documents you will ever see. The Report was commissioned after Susan Fowler, a former engineer at Uber, published a blog post detailing allegations of harassment, discrimination, and retaliation during her employment at Uber, and the ineffectiveness of the company’s then-existing policies and procedures. The next day, Uber retained Covington. This podcast discusses the Holder Report and the role of the Uber Board. 

Aug 2, 2017

In the Evaluation of Corporate Compliance Programs under the section entitled, “Continuous Improvement, Periodic Testing and Review” it stated, “Internal Audit: What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?”

Interestingly, Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed, audits are specifically delineated in the 2012 FCPA Guidance to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical for a compliance audit to have a chance for success: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. 

Auditing can take several different forms in an anti-corruption compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls.

In addition to the collection and analysis of evidence, an auditor's objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company's management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted. 

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place you must actually do the work going forward. 

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties, below are some of the areas you may wish to consider reviewing:

  • Contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review the compliance training program for any third party; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing. 

Auditing is a more limited review that targets a specific business component, region or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Three Key Takeaways

  1. Auditing takes a deep dive into your high-risk compliance areas.
  2. Internal audit should test your key FCPA risk areas as a part of their regular auditor rotation.
  3. The findings uncovered in an audit must be used in your compliance regime going forward. 

Aug 2, 2017

In this episode, Matt Kelly and I explore last week’s announcement by the Securities and Exchange Commission (SEC) of the resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company, which continues to resonate and provide lessons for the compliance practitioner. We consider the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management override of internal controls.

For more information, see my blog posts:

Lessons in Failures of Internal Controls; and 

Halliburton Resolves FCPA Enforcement Action

Aug 1, 2017

Welcome to the August edition of One Month to More Effective Continuous Improvement. As you know, each month in 2017 I am presenting a series of podcasts on one topic which will allow you to create a more effective compliance program. This month I will discuss techniques to create continuous improvement in your compliance program.

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation), which lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each category was further refined with multiple attendant questions.

You should keep track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

 

The 2012 FCPA Guidance goes on to make clear that each company should assess and manage its risks. It specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance.

What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement, by using the following: 

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan. The CCO should lead this review to determine how each goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best way to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to it. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held on a less frequent basis.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan. 

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complementary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 1, 2017

In this episode, I visit with Margaret Johnson, the author of the book From SOS to WOW. This book can help you move your leadership skills to a new level by helping you bust through assumptions, unleash your creative ideas and take courageous action to finally make the move to where you really want to be personally or professionally. Johnson is a long-time business leadership coach who shares some of the techniques she uses to help folks achieve greater results in business and in life.

 

We discuss her growing up and college years in Michigan and why she got to Texas as quickly as she could. She details her professional career in the energy and power industries and how that work prepared her for her current career. She then talks about what led her to write her book and how it can be used by a person to help achieve personal and professional goals.

You can find the book on Amazon.com.

You can find out more about Margaret Johnson by checking out her website, ideasandbeyond.com.

Jul 31, 2017

I conclude this one month series by considering the recently concluded Securities and Exchange Commission (SEC) resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company. I wanted to continue to explore the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management over-ride of internal controls. 

In a Cease and Desist Order which also covered former employee Jeannot Lorenz, the SEC spelled out a bribery scheme facilitated by both a failure and over-ride of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise. 

According to the SEC Press Release, this matter initially began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period.

However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses in order to satisfy content requirements.” The prior work Halliburton had on local content was deemed insufficient and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a potential threat to veto further work by Halliburton for Sonangol. It was against this backdrop that the local business team moved forward with a lengthy effort to retain a local Angolan company (Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton.

In each of these attempts, the company bumped up against its own internal controls around third parties, both on the sales side and through the supply chain. The first attempt to hire the Angolan agent was as a third-party sales agent, which under Halliburton parlance is called a “commercial agent”. In this initial attempt, the internal control held as the business folks abandoned their efforts to contract with the Angolan agent. 

The first attempt to hire the Angolan agent was rejected because the local Business Development (BD) team wanted to pay a percentage fee based, in part, upon work previously secured under the 2008 contract and not new work going forward. Additional fees would be paid on new business secured under the 2009 contract. This payment scheme for the Angolan agent was rejected as the company generally paid commercial agents for work they helped obtain and not work secured in the past. Further, the company was not seeking to increase its commercial agents during this time frame (Halliburton had entered into a Deferred Prosecution Agreement (DPA) for FCPA violations in December 2008 for the actions of its subsidiary KBR in Nigeria).

Finally, “As outlined by Halliburton’s legal department, to retain the local Angolan company as a commercial agent, it would be required to undergo a lengthy due diligence and review process that included retaining outside U.S. legal counsel experienced in FCPA compliance to conduct interviews. Halliburton’s in-house counsel noted that ‘[t]his is undoubtedly a tortuous, painful administrative process, but given our company’s recent US Department of Justice/SEC settlement, the board of directors has mandated this high level of review.’” In other words, the internal controls held and were not circumvented or over-ridden.

The Angolan agent was then moved from commercial agent status to that of a supplier so the approval process would be easier. The proposed reason for this switch in designations was that the Angolan agent would provide “real estate maintenance, travel and ground transportation services” to the company in Angola. However, the internal controls process around using a supplier also had rigor as they required a competitive bidding process which would take several months to complete. Over-riding this internal control, the local business team was able to contract with the Angolan agent for these services in September 2009 and increase the contract price, all without the Angolan agent going through the procurement internal controls. 

A second internal control which was over-ridden was the procurement requirement that the supplier procurement process begin with “an assessment of the criticality or risk of a material or services”; not with a particular supplier and certainly not without “competitive bids or providing an adequate single source justification.” However, as the Order noted, the process was taken backwards, with the Angolan agent selected and then “backed into a list of services it could provide.” Finally, there was a separate internal control that required “contracts over $10,000 in countries with a high risk of corruption, such as Angola, to be reviewed and approved by a Tender Review Committee.” Inexplicably this internal control was also circumvented or over-ridden.

Yet this arrangement was not deemed sufficient local content by Sonangol officials. After all of this and further negotiations, Halliburton entered into another agreement with the Angolan agent, where the company would lease commercial and residential real estate and then sublease the properties back to Halliburton at a substantial markup, and also provide real estate transaction management consulting services (the “Real Estate” contract).

This Real Estate contract also had to go through an internal control process. Initially, there were questions by the company about the Real Estate contract as a single source for the procurement function, the upfront payment terms to the Angolan agent, the high costs, and the rationale for entering into subleases for properties that would cost less if leased directly from the landlord. Indeed, “One Finance & Accounting reviewer at headquarters noted that he could not think of any legitimate reason to pay the local Angolan company over $13 million under the Real Estate Transaction Management Agreement and that it would not have cost that much to run Halliburton’s entire real estate department in Angola.” 

Halliburton internal controls required that when a single source was used by the company it had to be justified. This justification would require a showing of preference for quality, technical, execution or other reasons, none of which were demonstrated by the Angolan agent. Finally, if such a single source was used, the reasons had to be documented or in Halliburton’s internal controls language “identified and justified”. None were documented by the company. 

Finally, as the internal controls were either circumvented or over-ridden; “As a consequence, internal audit was kept in the dark about the transactions and its late 2010 yearly review did not examine them.” This was yet another internal control failure but was built on the previous failures noted above. 

So how many internal controls failures can you spot? Whatever the number, the lesson for the compliance practitioner is that you must do more than have internal controls. They must be followed and be effective. If you are doing business in high risk regions, you have to test the controls and then back up your testing by seeing if payments are being made in those regions. Perhaps the best concept would simply be Reaganian, trust but verify.  

Three Key Takeaways

  1. Internal controls must be shown to be effective.
  2. Circumvention and management over-ride of internal controls must be documented to pass muster.
  3. Internal controls must be tested and that testing verified with an independent source of investigation.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 31, 2017

In this episode, I visit with Virginia Suveiu who counsels on legal risk management, regulatory compliance and public policy, as well as commercial and international law matters.

She is a subject matter expert on risk and developed the Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program as well as the Contract Management Certificate Program. She has published articles on a variety of business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum, among others. 

There are a wide variety of risks that every corporation and compliance practitioner faces. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risks. We consider whether there is one process or approach to take on the over-arching concept of risk management or if the approach needs to be fine-tuned by organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including what the program benefits are and who should attend. We explore the approach in teaching risk management. We discuss some of her current initiatives on the study and teaching of risk.

Jul 30, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. The amendments become effective for public entities for annual reporting periods beginning after December 15, 2017. In other words, we are now less than six months away from a new Revenue Recognition (“new rev rec”) standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward.

Jul 29, 2017

I conclude this section on the COSO 2013 Internal Controls Framework by considering what COSO says about assessing compliance internal controls. In its Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components must be present and functioning. Second, the five components must be “operating together in an integrated approach”. One of the most critical aspects of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls.

Jul 28, 2017

This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including: 

  1. Halliburton settles long standing FCPA enforcement action. See SEC Cease and Desist Order. Also see SEC Press Release.
  2. US authorities end five-year foreign bribery investigation into IBM. See article by Sam Rubenfeld in WSJ Risk and Compliance Journal.
  3. DOJ closes FCPA probe of Newton Mining without action. See article by Sam Rubenfeld in WSJ Risk and Compliance Journal.
  4. Navex releases its 2017 Ethics & Compliance Training Benchmark Report. See article by Ben DiPietro in WSJ.
  5. DOJ finally obtains conviction in FCPA case. See Dick Cassin’s article in the FCPA Blog.
  6. Everything Compliance-Episode 15 is out. Topics include The right to be forgotten in the EU; Big data and compliance-the EU regulators wrap anti-trust issues into data privacy; a wrap up for the 6 years since the Bribery Act came into existence; and the troubling inclination of UK regulators to engage in burden shifting in anti-bribery cases; Jesse Eisinger’s book, The Chickenshit Club; with the lack of US leadership, will other countries ramp up anti-corruption enforcement?
  7. Want to increase your visibility in the greater compliance community? Consider writing for the FCPA Blog. To see how, see this article by Dick Cassin.
  8. June Foray, the voice of Rocket J. Squirrel died this week. See NYT obit.
  9. Jose Altuve hits over .500 for the month of July. See article by Jared Diamond in WSJ.
  10. Jay previews his weekend report, Don't let your E&C skills lapse over the summer.

Jul 28, 2017

The fifth and final Objective is Monitoring Activities. The Framework Volume says, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.”

However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future. In the Five Principles of an Effective Compliance Program, Principle 5 includes ongoing monitoring and this is reinforced in the 2013 COSO Framework.  

In an article in Corporate Compliance Insights (CCI), entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are ‘functioning.’ Remember that all relevant principles must be present and functioning for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

Objective-Monitoring Activities 

The Monitoring Activities objective consists of two principles. They are: 

Principle 16 - “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”

Principle 17 - “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing evaluation 

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle clearly expects your organization to engage in both types of oversight, monitoring and auditing. 

For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select, it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated.

Principle 17 – Evaluation and Communication of Deficiencies 

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken”. If that does not sound like McNulty Maxim No. 3, “What did you do when you found out about it?”, I do not know what does.

Therefore, under this Principle the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the board or Compliance Committee, correct and then monitor the corrective action going forward. Adapting Kral, I would urge that every key internal compliance control in support of the 17 Principles should be “conclude[d] upon by management in terms of their adequacy of design and operating efficiency.”

Discussion 

Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well. 

The most important thing here is that all the controls need to be sustainable. You cannot just build one-off controls that get you through one period without having a process in place that will carry you through all the periods you need to cover. The controls cannot just be one and done. Many companies are going to find that their initial approach to all of this is one and done.

There must also be a mechanism for the communication of controls which do not work or can readily be over-ridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect and remediate going forward.    

Three Key Takeaways

  1. Monitoring activities is inter-related with all other Principles and cannot be taken singularly.
  2. Monitoring activities helps to ensure that all controls are present and functioning.
  3. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly.

Jul 27, 2017

In its Framework Volume, COSO said, “Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is how information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.”

However, as with the other components of the COSO Cube, the objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Rittenberg says that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they have to be communicated downward in the organization and there should be feedback back up the organization regarding this process. Finally, as Rittenberg continues, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

Information and Communication 

The objective of Information and Communication consists of three principles. They are: 

Principle 13 - “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.”

Principle 14 - “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”

Principle 15 - “The organization communicates with external parties regarding matters affecting the functioning of internal control.” 

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives and that the 17 Principles are readily adaptable to compliance. I think they are more than simply adaptable as they provide a clear road map for the CCO or compliance practitioner on how to set up the right compliance controls. Finally, I believe that the SEC will measure your company’s internal controls against each of these 17 Principles and if you cannot map your internal controls to them and provide audit evidence, you may well be in FCPA hot water.

Principle 13 – Use of relevant and quality information 

The Framework Volume makes clear that this Principle relates to ‘relevant’ information and not simply reams and reams of data for data’s sake. Rittenberg said this Principle requires that “Relevant, timely and quality information needs to be assessed by management and others to help identify” several areas within a company. For the CCO or compliance practitioner this means that you need to identify relevant data, which can include both internal and external data. The hard part is to move that data to actionable information. Rittenberg also suggests that you need to consider the characteristics of the information and “whether or not such information is being used correctly and timely.” The Framework Volume goes on to detail several categories of both internal and external information which can be a good starting point to be used as sources from which management can generate “useful information to relevant internal controls.”

Principle 14 – Communications Internally

This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process”.  

Therefore, under this Principle you will need to determine several different things from the compliance perspective. Does the Board communicate in a downward mechanism that gets its relevant instructions to the CCO or compliance function? Does the CCO or compliance function communicate upwards with the Board? Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15 – Communications Externally 

This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites the need for companies to communicate with third parties about relevant Codes of Conduct or similar documents, which might apply to them. He also pointed to the example of information about a hotline that could be provided to a third party to report any compliance related issues. But more than a company sharing its relevant compliance information with contracted third parties, whether they be on the sales side or in the supply chain, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls…and regulatory communication.”

Discussion 

Obviously there must be communications lines up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties. 

Information and Communication requires a wide range of information to go up and down the corporate chain. The article “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13” relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program.  A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success so you can bring a wide range of talents, skills and imagination to bear on this objective. 

Howell noted that “communication internally is how you establish the communications with your sales organization, with your sales operations? How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, and your internal auditors and your external auditors and the board, to give the audit committee of the board comfort that the company has put in place the right levels of controls.”

A final point on communications externally. In the compliance realm, your external communications fall towards your third parties because that is your greatest risk for bribery and corruption. Your third parties are either part of your sales side of the organization in the form of agents, distributors, resellers, et cetera, or on the supply chain side who are delivering a product yet, as part of the supply chain, they are helping you create and build your product or integrate into your service that you're going to deliver, that you're going to sell, that is going to be subject to review. 

Three Key Takeaways

  1. This Objective is about the use of relevant and quality information.
  2. You need to document your internal communications so auditors can review the audit trail.
  3. In compliance, this Objective will relate to your third party compliance program.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 27, 2017

We take things a different way in this episode as the commentators throw out five topics for consideration by the group. Last week we had topics from Jay and Matt; this week from Jonathan and Tom. 

Topics from Jonathan:

  1. The right to be forgotten in the EU;
  2. Big data and compliance: the EU regulators wrap antitrust issues into data privacy;
  3. A wrap-up for the 6 years since the Bribery Act came into existence; and
  4. The troubling inclination of UK regulators to engage in burden shifting in anti-bribery cases.

Topics from Tom:

  1. In view of Trump’s abysmal performance at the G-20, will other countries ramp up anti-corruption enforcement?
  2. Will the new book by Jesse Eisinger, The Chickenshit Club, make any difference?
  3. Three months ago the SFO appeared to be in trouble. Now it is leading the anti-corruption charge. Tying into Q1 above, will we see more aggressive enforcement out of the UK?
  4. Now that compliance has become inculcated into the business process of most energy companies, with the attendant benefits, will there be a pullback on the business side of things?
  5. Can a newcomer really win the AL? What does the panel see in the second half of the season?

The top commentators in compliance are back for another episode of Everything Compliance.

Jul 26, 2017

In its Framework Volume, COSO states that Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.” The concept of a ‘second set of eyes’ is directly enshrined in this objective. Finally, Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.

Control Activities 

The objective of Control Activities consists of three principles. They are: 

Principle 10 - “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”

Principle 11 - “The organization selects and develops general control activities over technology to support the achievement of the objectives.”

Principle 12 - “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.” 

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”

A. Principle 10 - Selects and Develops Control Activities

Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.”

B. Principle 11 - Selects and Develops General Controls over Technology

The Framework Volume recognizes the dependency between the use of technology in business processes and compliance control. The use of technology will only be greater and more important going forward. I would certainly expect the SEC to focus on a company’s use of technology in any evaluation of its overall compliance program. Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure around compliance internal controls and the security management of the same, and then use this information to obtain and implement the most appropriate technology around your compliance internal controls.

C. Principle 12 - Control Activities established through policies and procedures

This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.” 

While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward. 

Discussion 

This Objective demonstrates the inter-relatedness of the corporate functions in your organization. From a financial reporting perspective, the Control Activities objective requires that you put in place accounting processes, revenue recognition tools, contract management systems and other accounting tool sets and software to manage your process. This easily translates into the compliance realm as well. This puts you into the entire technology issue and portends an enormous amount of information provided by the entity.

Howell explained in the financial realm, “if you're dealing with the cost to acquire contracts, you may well have all of the contract information in your accounting systems but you have never before had to go get that commission information and some of these other COSO elements.” Such data will be scattered literally across the globe, so you need to have controls over both the accumulation of the data and the attestation that it is the right set of data. This is in many ways more challenging, and it is the difference between pulling a Band-Aid off all at once or pulling it off slowly.

This requires two separate processes, so you need to be able to reconcile those two and to get the auditors and yourselves comfortable with the controls over the accumulation and the reporting of that information. This process will typically require a lot of changes to IT systems and the technologies involved, and it requires that the controls be in place both for the disclosures that you need to make and for the reconciliation of that disclosure.

This Objective requires that you have new ways of capturing that information, gathering that information, and confirming the accuracy and completeness of the controls reporting it. When selecting the control activities, what control activities do you need if you are using disparate accounting systems in different locations across the globe? Moreover, if you are getting into the general controls over technology, what system controls are in place to ascertain that the new information that you're getting is the information you really need and it's what you think you're getting? The Control Activities regarding policies and procedures are certainly an important consideration going forward.

Three Key Takeaways

  1. Think of a second set of eyes as a primary control activity.
  2. Segregation of duties must always be employed.
  3. Control Activities should be performed at all levels in the business process cycle within an organization and this speaks directly to the operationalization of your compliance program.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 26, 2017

In this episode, Matt Kelly and I take a deep dive into the Dodd-Frank and Sarbanes-Oxley reform initiatives in the House of Representatives and as articulated by incoming SEC Chairman Jay Clayton. Will the new administration gut SOX and Dodd-Frank compliance requirements? For more see Matt Kelly's blog post SEC Chair Clayton Talks Compliance Costs.

 

Jul 25, 2017

The Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider both internal and external changes which can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services which could increase risk of running afoul of these laws.

I. Objective-Risk Assessment

The objective of Risk Assessment consists of four principles. They are: 

Principle 6 - “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 - “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 - “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

Principle 9 - “The organization identifies and assesses changes that could significantly impact the system of internal control.”

 Principle 6 – Suitable Objectives 

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments and even fraudulent over-charging and pocketing of the differences in sales price. This means that fraud should be considered an important part of your risk analysis. It is important that any company follow the flow of money and, if the Fraud Triangle is present, that management be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change 

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.

II. Discussion 

The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Obviously risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.

Howell noted that “in the internal control arena, fraud risk in particular is something that has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company's business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.”

“Another example is that sales folks are giving concessions to customers that are not being reflected in their understanding of the contract and the accounting for the contract.” Howell went on to add that there might be other activities going on to acquire contracts that aren't being properly accounted for or even recognized at some level, and that concessions are being given at the back end for return that aren't being reported back into the process of how that affects the estimate of cheap revenue going forward.

Finally, risks that a company has misstated or underestimated require a determination of whether revenue should be recognized over a period of time, or an estimate of what that period of time is if it is a rolling time frame. Howell stated, “For example, the period of time could be longer which means that your revenue would be recognized over a longer period of time. There's always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long of a period of time. As we begin to think about these new judgments that are required, you get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls, and have a plan to respond if they discover that the risk has actually happened and they have a failure.”

Three Key Takeaways

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, their determination and their management change over time so be cognizant of changes in business practices on the ground.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 25, 2017

In this episode, Richard Lummis and I explore leadership lessons from Toussaint Louverture, who led the only successful slave revolt in the Western Hemisphere. Our remarks are based on the recent biography of him entitled Toussaint Louverture, by Philippe Girard. While not an obvious character for study in a business leadership podcast, Louverture nonetheless presented several important lessons which translate into today’s business environment.

  1. Know your goals. Louverture’s statements are usually ambiguous, but based on his actions he sought self-determination and respect even over abolition of slavery or independence. For example, Louverture never actually declared independence from France or slaughtered white planters.
  2. Play a long game. Louverture was willing to switch allies and betray friends when necessary. At first, he tried to work with free blacks and planters, then the Spanish, then the French, and finally for himself. There was a high cost, however. “Louverture had navigated the troubled waters of the Revolution through caution and deceit, but in the process, the people around him had concluded that they could never trust or love him. . . . Men who have no equal are condemned to live a lonely life.”
  3. Information control. Louverture established public relations by sending agents to Paris to shade the news. His opponents failed to do so. He also made extensive use of press censorship in Saint-Domingue to suppress unfavorable news and events while boosting his own prestige. He always knew what his audience wanted to hear and gave it to them.
  4. We are creatures of our upbringing. Here Louverture’s lesson is to be very careful about assuming what others’ goals might be going forward. Louverture sought to preserve sugar plantations, which was always going to conflict with freedom of workers. “The barrier was not only economic but psychological. Louverture was not nursed on the Jeffersonian ideal of an independent citizen-farmer. He came of age in a region of the globe where social prestige was bestowed upon large landowners. . . . Despite (or because of) his servile past, Louverture desperately wanted to re-create a planter class, albeit one in which he and his fellow black generals would play the leading role . . . . The most enthusiastic white converts to the Revolution were known as “white blacks”; in many ways, he was a “black white” who had made the economic worldview of his former masters his own.”
  5. Forgiveness goes a long way, but has its limits. Louverture had been trying to protect whites, but his nephew Moïse and Joseph Flaville, an old friend of Louverture’s, killed over 300 of them, including the old master of the plantation where Louverture was a slave. [Louverture] had personally appointed him to his command early in the Revolution and then welcomed him back like a “prodigal son” every time he had rebelled. Not so this time: Louverture had him ripped to shreds by grapeshot in full view of the garrison of Cap. . . . Louverture’s natural inclination was to be merciful or to ask his subordinates to do his killing for him, but the Moïse uprising so infuriated him that up to 5,000 cultivators [former slaves now working on plantations] were killed in a matter of weeks. . . . Moïse [his nephew] was also a close ally who had assisted Louverture on numerous occasions, . . . yet Louverture insisted that he be court-martialed and shot.
  6. Don’t forget the small gestures. Napoleon’s failure to respond to requests for a letter led to a rupture with Louverture and the debacle of the French invasion (a force of 35,000 suffered 29,000+ casualties, including 15,000 dead of yellow fever and 5,000 in combat).
  7. His treatment by history. Was Louverture a sinner or a saint? Everyone sees what they want to see; history, as with beauty, is in the eye of the beholder. Be aware of your preferences lest they become biases. Frederick Douglass, in two speeches on the same day, said he was a black George Washington who treated planters humanely (to a white audience) or a Spartacus (to a black audience) evidencing “Negro manhood.”

Jul 24, 2017

The updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. However, it built up Objectives. The 17 principles represent fundamental concepts associated with the five components of internal control. Together, the Objectives and Principles constitute the criteria that will guide companies in assessing whether the components of internal controls are present, functioning and operating together within their organization.

I. Objective-Control Environment

The first of the five objectives is Control Environment and it sets the tone for the implementation and operation of all other components of internal control. It begins with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees. The five principles of the Control Environment objective are as follows:

Principle 1 - The organization demonstrates a commitment to integrity and ethical values.

Principle 2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3 - Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibility in pursuit of the objectives.

Principle 4 - The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.

Principle 5 - The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

A. Principle 1 - Commitment to integrity and ethical values

What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or another baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, this requires an auditor to be able to assess if a company has met its requirements for ethics and compliance and whether that commitment can be effectively measured and assessed.

B. Principle 2 - Board independence and oversight

This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively to manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

C. Principle 3 - Structures, reporting lines, authority and responsibility

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you will need to consider all the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

D. Principle 4 - Attracting, developing and retaining competent individuals

This Principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This Principle next turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. An auditor must be able to demonstrate, through its compliance policies and, equally importantly its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

E. Principle 5 - Individuals held accountable

This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorities and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

II. Discussion

Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight issues are essential to this Objective because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a), as required under Principles 1 & 2. The external auditors must then be comfortable this requirement is met. Finally, there must be evidence the company has appropriate disclosure controls in place because that is central to the Objective itself. This is all tested against Board independence and Compliance Committee oversight over those activities that management has undertaken and their engagement and conversations with their external auditor.

Howell related that under Principle 3, “structures in reporting lines, authority and responsibility are essential to the recognition of revenue. An entity’s internal controls or financial reporting details there are processes, there are policies, there is documentation, the authority and documentation of the judgments are being made, the review of those in responsibility for making those ultimate judgments about the recognition of revenue and the recognition or timing of the revenue and the expenses, that those need to be in place.” 

Under Principle 4, a business must attract, develop and then retain competent talent. Of course, this is good business as well. But it is more than simply some appropriate levels of staffing, as Howell stated, “One of the big reasons that companies have said do not have money to invest again the deep dive study and process improvement necessary to implement it [the 2013 Framework], is that it comes down to both to commitment level from the top and the tone at the top that this important and these financial disclosures are critical to the ability of the investors to rely on the company's disclosures.” You must not only “put in place the right team, give the team the right tools, but also ensure the team has the ability to access the right level of technical accounting talent and business process and controls talent to make the judgments.”

All of this of course ties into Principle 5, which mandates individuals being held responsible. This requires someone to document that they have made a judgment based upon the evidence that they have been able to accumulate, that the company has analyzed that evidence and has gone through the process of comparing this to the COSO 2013 Framework and to the spirit of the standard. Howell said, “those individuals are being held responsible for having done that properly. I think when you tie all that back together, when you get to the control environment, that the COSO principle number one is it can be completely tied back to what is being required.”

Three Key Takeaways

  1. What controls do you have in place to measure conduct at the top?
  2. Reporting lines must be clear and functioning.
  3. You must provide the right personnel with the right resources.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 24, 2017

In this episode I visit with James Koukios, a partner at Morrison and Foerster on the firm’s newsletter, Top Ten International Anti-Corruption Developments for May 2017. Our topics include: 

  1. FCPA Assistant Chief BJ Stieglitz has been selected for detail to UK Financial Enforcement Authorities. We discuss how a prosecutor works overseas, what this might mean for prosecutions going forward both in the US and UK, and what the relationship of the DOJ is with its British counterparts.
  2. The DOJ has moved to terminate its DPA over Hewlett-Packard. We discuss what it means to have a DPA terminated and what the role of the DOJ is in this phase. We also consider what the decision-making process is if a DPA has to be extended due to continued or new conduct by a company under such an agreement.
  3. Finally, we consider some of the DOJ’s challenges in obtaining foreign evidence, through a recent ruling in a civil forfeiture case. On May 9, 2017, in the case of United States v. Prevezon Holdings Ltd., Southern District of New York Judge William H. Pauley III ruled that certain evidence obtained by prosecutors from foreign sources was admissible in a civil asset forfeiture case, notwithstanding that the documents lacked the requisite certifications under the Federal Rules of Evidence. We consider the process for getting information from overseas: why it takes so long, and what happens if it does not meet US evidentiary or even admissibility standards?

To see a full copy of the firm’s publication, Top Ten International Anti-Corruption Developments for May 2017, click here.

Jul 23, 2017

This week we turn our attention to COSO, with an introduction to the organization and its framework for internal controls. I will go through the internal controls and how they relate to compliance. Finally, I will end with a discussion of evaluation of internal controls through the COSO Framework. Once again, I am joined in this exploration by internal controls and accounting expert Joe Howell, EVP at Workiva, Inc. 

What is COSO? That acronym stands for Committee of Sponsoring Organizations of the Treadway Commission, whose Framework was originally adopted in 1992 as a basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year-old COSO Framework, to provide a more supportable approach when adversarial third parties (such as the SEC) challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s compliance internal controls. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

COSO has produced three volumes detailing the 2013 Framework. The first lays out the Framework and is entitled “Internal Control – Integrated Framework”, herein ‘the Framework volume’. The second is an Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, herein ‘the Illustrative Guide’, which discusses how best to assess your internal control regime and provides forms and work sheets to use in this exercise. The third volume is the Executive Summary of the first volume, herein ‘Executive Summary’. All three works form an excellent starting point for exploration of the COSO Framework and how you might use it for your best practices anti-corruption compliance program. 

In the 2013 update the basic framework was retained with substantial support from user companies, and 3 specific objectives were added: (I) Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; (II) Reporting Objectives – internal and external financial reporting; and (III) Compliance Objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations. 

The COSO Framework defines internal controls, from bottom to top, with the following Objectives: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring. From these five Objectives come 17 Principles which we will be exploring throughout this series. 

Larry Rittenberg, in his book “COSO Internal Control-Integrated Framework”, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles, which include the following: (1) the updated Framework should be conceptual, which allows for updating as internal controls [and compliance programs] evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls apply to more than simply accounting controls; they apply to compliance controls and operational controls as well; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is significant because it directly speaks to the need for the compliance practitioner to operationalize internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

The primary point to keep in mind is that even if an organization adopts the Framework, there will be very few people within that organization who will have the unique knowledge that a compliance officer has that would impact all the elements of the Framework. The compliance officer's role is to provide the input to the Chief Financial Officer (CFO) and others involved in the implementation, to be sure that there is a proper focus on the risks that really are part of the compliance world. This primarily comes through the risk assessment component, the control activities, and then the monitoring. Companies typically do risk assessment from an operational standpoint and address business risks going forward and then develop the controls that deal with those business risks, which could be project financial results, doing business in certain countries, strategic decisions and similar issues. All of this puts the compliance function in the unique position to be the fulcrum on many issues which will come up with a COSO-based analysis or implementation.

The updated Framework retained the core definition of internal controls, those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, it is the emphasis on the principles that is new to the 2013 Framework.

Joe Howell noted that the COSO Framework can be seen as both a prevent and detect control.  He also related that your internal controls need to be sustainable over the long haul. He stated, “You cannot just build one off things that allow you to do one period and not have a process in place that is going to help you through all of the periods that you need to cover. The controls cannot just be a one and done. Many companies are going to find that their initial approach to all of this is one and done.” As we explore the COSO Framework, the compliance practitioner should understand how the entire Framework interacts and intersects with the compliance function in a manner which is sustainable throughout the organization. 

Three Key Takeaways

  1. You must use the COSO Framework or a similar source for your internal controls structure.
  2. The 2013 Framework identifies the following areas: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring.
  3. Your internal controls must be sustainable.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

 

 
