Categories
Blog

Day 20 of 30 Days to a Better Compliance Program, the Board of Directors’ Compliance Committee

Key Takeaways

  1. This committee exists to provide oversight and assist the CCO, not to substitute its judgment for that of the CCO.
  2. This committee should work to hold the CCO accountable to hit appropriate metrics.
  3. This committee is ideal for leading the efforts around strategic planning.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here.

Categories
Blog

Day 20 of One Month to More Effective Internal Controls – Assessing Compliance Internal Controls Under COSO

In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components is present and functioning. Second, the five components are “operating together in an integrated approach”.

One of the most critical components of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal control. As the COSO 2013 Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment.

(1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.”

(2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies that you may turn up and whether or not there are any compensating internal controls.

(3) Assess whether each principle is present and functioning. As the COSO 2013 Framework does not prescribe “specific controls that must be selected, developed and deployed” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and, if so, what the severity of the deficiency is.

(4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis. Another way to think through the approach could be to consider “the controls to effect the principle”, which would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls.

Lastly, an overall Effectiveness Assessment would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went on to define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.” Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency.
For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA 2012 Guidance, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”  However, if there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the FCPA, UK Bribery Act or some other regulation. 
With the Illustrative Guide COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.”  A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functioning. Second, the five components are operating together in an integrated approach.
  3. For an anti-corruption compliance program you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Categories
Compliance Kitchen

Keysight Technologies


The Kitchen takes a look at a State Department settlement with Keysight Technologies for alleged export violations.

Categories
STAKE: The Leadership Podcast

Mental Health Doesn’t Matter If…

Mental health doesn’t matter at work if you don’t care about performance, employee retention, and the culture of your organization.
If you do care about the performance from your team and retaining your best employees, then it’s time (maybe way past time) to address the mental health of your individual team members. Many of today’s employees demand the mental health concern from their employers and leaders.
As always, let’s not make it harder than it has to be!
In today’s episode I’m sharing with you two reasons mental health in the workplace must be addressed by leadership, how I experienced the shift in the once taboo topic of mental health, and one practical action step for managers and supervisors to start addressing your team’s mental health.
———-
If you’re looking for tangible action steps and refreshing insights to help ignite the power of your own leadership journey, sign up for my weekly leadership blog HERE.
If your business would benefit from higher-performing leaders, check out more information about the comprehensive leadership development training I do HERE.
If you want to reach out to me directly, email alyson@vanhooser.com.
If you enjoyed this episode, will you please subscribe and leave a review? Your reviews help this show get discovered by more incredible leaders just like you. I’m obsessed with helping leaders ignite their performance results and I’d love to have you help me make an impact! Thank you so much!
P.S. Share and tag me on social — @AlysonVanHooser — and I’ll share your comments and big takeaways on my feed!

Categories
This Week in FCPA

Episode 265 – the Personal Responsibility edition


As Texas’ Governor – Mr. Personal Responsibility – himself comes down with Covid after refusing to engage in ‘personal responsibility’, Tom and Jay are back to look at some of this week’s top compliance and ethics stories which caught their interest on This Week in FCPA in the Personal Responsibility edition.
Stories

  1. Corruption led to the fall of Afghanistan. Dick Cassin in the FCPA Blog.
  2. Does HSBC facilitate cybercrime? Elfriede Sixt in Risk and Compliance Journal Europe.
  3. The Pearson SEC enforcement action. Matt Kelly in Radical Compliance. Tom and Matt on Compliance into the Weeds. Kevin Lacroix in the D&O Diary.
  4. Trust and the CCO? Jeff Kaplan in Conflict of Interest.
  5. Fraud during the pandemic. James Ruotolo in CCI.
  6. Inefficiency in AML enforcement. Maria Evstropova in CCI.
  7. SEC coming after cryptocurrencies. Aaron Nicodemus in Compliance Week.
  8. What Boards need to know before, during and after M&A. Maria Castanon Moats and Leah Malone in Harvard Law School Forum on Corporate Governance.
  9. Who is on your crisis management team? Eden Gillott in com.
  10. CFIUS publishes 2020 report. K2 Integrity Client Alert.

 Podcasts and Events

  1. On Innovation in Compliance this week I interview Dennis Kucinich about his latest book, The Division of Light and Power. Check out the show here.
  2. On The Compliance Life, in August I visit with Kortney Nordrum CCO at Deluxe. In Episode 1, from Red Wing to Israel. In Episode 2, From Freddie Mac to the law.
  3. How do the Greek Eumenes and the Roman Sertorius inform compliance leadership today? Find out as Tom and Richard Lummis continue their exploration of Plutarch’s Lives in this episode of 12 O’Clock High, a podcast on business leadership.
  4. Compliance Week is having an open house this month as they have dropped their firewall. You can check out the entire publication for no charge. Check it out here.
  5. Breaking News features The Compliance Handbook, 2nd edition. Check out the Breaking News feature here. Purchase The Compliance Handbook, 2nd edition here. Find out more about The Compliance Handbook, 2nd edition in an upcoming Zoom webinar, on Wednesday, September 1 at 8:30 AM ET; hosted by the Azevedo Sette law firm and Charles River Associates. To RSVP email tcintra@azevedosette.br

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

Categories
Daily Compliance News

August 20, 2021 the No Responsibility edition


In today’s edition of Daily Compliance News:

  • Bitcoin mixer pleads guilty to AML violations. (WSJ)
  • Richard Sackler says family bears no responsibility for Opioid Crisis. (NYT)
  • Navalny calls for greater fight against global corruption. (The Guardian)
  • Largest FCA Taft-Hartley case ever. (Detroit Free Press)