Categories
Blog

Day 21 of One Month to More Effective Internal Controls – Revenue Recognition, Internal Controls and Compliance

Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. The amendments become effective for public entities for annual reporting periods beginning after December 15, 2017. In other words, we are now less than six months away from a new Revenue Recognition (“new rev rec”) standard, which may significantly impact the compliance profession, compliance programs, and compliance practitioners. Joe Howell, Executive Vice President (EVP) at Workiva Inc., spoke with me about key changes and how they might impact compliance. FASB recognized that its revenue recognition requirements around the U.S. generally accepted accounting principles (GAAP) differed from those in the International Financial Reporting Standards (IFRS) and that both sets of requirements needed improvement. This led to a project by FASB and the International Accounting Standards Board to jointly clarify the principles for recognizing revenue and to develop a common converged revenue standard for GAAP and IFRS. Hence the new rev rec standard. The implementation will be a massive undertaking. According to Howell, “The accounting standard is 700 pages long, and in the US accounting literature, it replaces over 200 other pieces of accounting guidance on revenue.” The official name is “Revenue from Contracts with Customers,” and Howell noted there are a “lot of surprises, and the things that are true for almost everybody is that they are going to be facing some level of change in the way they account and report revenue. They will most certainly have to change how they disclose their revenue-related things. Included in the revenue standards are over six pages worth of new disclosure requirements.” One of the key differences in this new rev rec standard is that it requires companies to disclose new information beyond data a company might have been required to release in the past. Howell thinks this will pressure auditors “to get comfortable with what the company provided them and which they incorporated into their decision-making process in forming an opinion. This is quite different for disclosure controls because the auditor’s typically not relying on those.” This will create risks for auditors adjusting to the new rev rec standard because as they learn more about it and apply it going forward into 2018, they may have to revisit it before reporting and revising some of it. This is important to the compliance profession and the compliance practitioner because internal controls over financial reporting involved in implementing this new standard are critical to the effective use of implementation and how you implement it. The Securities and Exchange Commission (SEC) has said explicitly in several public statements and through their early comment letters on disclosures made in advance of implementation that companies must inform the SEC about the accounting policies that they are changing and how this new standard will affect a company’s accounting processes, and finally how those effects are going to be managed. Howell believes “The SEC is making it clear that this is a real compliance issue.” Moreover, the SEC has indicated that these disclosures are central to the new rev rec standard. Howell said, “typically, if a company has some sort of failure in their disclosures for an accounting standard, they’re treated under section Sarbanes-Oxley (SOX) Section 302 of the SEC rules, and that has a level of significance or liability, which is much lower than the liability that a company might face under SOX Section 404, which has to do with the actual internal controls over financial reporting.” While disclosure of internal controls might not typically bring Section 404 scrutiny, they may now do so under the new rev rec standard. Howell articulated that when performing a financial audit, an auditor would usually not rely on a disclosure control in the past. However, under the new rev rec standard, if there is a change during the year in how an auditor views a disclosure control, it could require them “to go back and either figure out if the audit work that they did is tainted and they need to go back and do that work in the form of substantive testing, or they need to go back to see if there were mitigating controls that were in place that still allowed them to rely on the internal control processes to get comfortable with what the company provided them and which they incorporated into their decision-making process in forming an opinion. This is quite different for disclosure control because the auditor’s typically not relying on those.” Of course, this is overlaid with the requirements of effective internal controls under the Foreign Corrupt Practices Act (FCPA) and the lack of materiality standards. One only need to consider the Wells Fargo fraudulent accounts scandal to see how a lack of materiality does not prevent the types of risk from moving forward to become huge public relations disasters, hundreds of millions of dollars in fines and costs estimated at over $1bn for failures of internal controls. Yet there are other tie-ins into compliance that the compliance practitioner needs to understand and prepare for going forward. The prior rev rec standard was rules-based. As a lawyer, that was an approach I was quite comfortable with both from a learning standpoint and communicating with business folks. But now, the standard is much more judgment-based, and when a standard is more judgment based, there can be more room for manipulation. Howell explained the response by compliance is “making sure that you have changes in the business processes necessary to gather the information that has not previously been required to continue to monitor; how that information is factoring into the judgments that managers must make as they report their revenue under the new standard; and that those judgments themselves are properly documented.” This final point demonstrates the convergence and overlap between the compliance profession, compliance programs, and compliance practitioners going forward. Compliance internal controls are in place to both detect and prevent. They can also be used to gather the information that will be presented to auditors under the new rev rec standard. Many professionals are focused on the new rev rec from the auditing and implementation perspective. However, suppose you are a Chief Compliance Officer (CCO). In that case, you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization.

Three Key Takeaways

  1. We are less than six months away from a new revenue recognition standard. Are you ready?
  2. This new revenue recognition standard is much more judgment-based; when a standard is more judgment-based, there can be more room for manipulation.
  3. Compliance internal controls can now gather the information presented to auditors under the new rev rec standard.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Categories
Blog

Day 20 of One Month to More Effective Internal Controls – Assessing Compliance Internal Controls Under COSO

Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls.” It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting, and compliance.” Moreover, two over-arching requirements can only be met through such a structured post. First, each of the five components is present and functioning. Second, are the five components “operating together in an integrated approach.” One of the most critical components of the COSO Framework is that it sets internal control standards against those you can audit to assess the strength of your compliance with internal control. As the COSO 2013 Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. If you have a multi-country or business unit organization, you must determine how your internal compliance controls are interrelated up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward. The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2). There should be a component evaluation. Here you need to evaluate any deficiencies you may have more deeply and whether there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO 2013 Framework does not prescribe “specific controls that must be selected, developed and deployed,” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log, so they are addressed on a structured basis. Another way to think through the approach could be to consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principal evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment would examine whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This process would then lend itself to an ongoing evaluation. If business models, laws, regulations, or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment. The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially, it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It defined‘ major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” A major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective internal control system.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.” Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have, at a minimum, the categories of policies laid out in the FCPA 2012 Guidance, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments,” also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls by the Framework.”  However, what steps should you take if there are no objective criteria, as laid out in the FCPA 2012 Guidance, evaluate your company’s compliance with internal controls? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation, or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature are critical in any best practices anti-corruption or anti-bribery compliance program, whether based upon the FCPA, UK Bribery Act, or some other regulation. With the Illustrative Guide, COSO has given the compliance practitioner a handy road map to begin an analysis of your company’s internal compliance controls. When the SEC comes knocking, they will look for this type of evidence to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. First are some general definitions that you need to consider in your evaluation. An internal compliance control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.”  An internal compliance control functions if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

Three Key Takeaways:

  1. An effective internal controls system provides reasonable assurance of the entity’s objectives relating to operations, reporting, and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functional. Second are the five components operating together in an integrated approach.
  3. You can use the Tem Hallmarks of an Effective Compliance Program for an anti-corruption compliance program as your guide to testing against.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO model can be used to structure your assessment of internal controls.

Categories
Everything Compliance

Everything Compliance-Episode 14

Show Notes for Everything Compliance-Episode 14 

Topics from Matt:

  1. Trump Administration & FCPA enforcement— we have two declinations now; maybe a compare-and-contrast and speculation on what a tough Trump Admin enforcement WOULD look like;
  2. EU’s GDPR— Do EU regulators know what they want to do with the enforcement of this law; if they follow the lead of the anti-competition people whacking Google, it could be a big deal;
  3. Hui Chen’s departure from the Justice Department, both her public rebuke of Trump and the substance of how she believes her guidance has been misinterpreted; and
  4. Ethical leadership and the lack thereof; the menace of abusing perks and privilege, connecting my posts about Uber’s leaders and Chris Christie vacationing on a closed beach.

Topics from Jay:

  1. How do the Campaign Finance Laws mirror/or differ from the FCPA?
  2. Will the Russian Collusion Investigation reveal the ultimate FCPA violation?
  3. Regarding Walter Shaub’s departure from the Office of Governmental Ethics (OGE), does it matter? What is OGE supposed to do, and why did it work for the past 40+ years but fall on deaf ears with the Trump administration?
  4. Dovetailing with Matt’s question about a slow H1 for FCPA enforcement and in light of the just-released Gibson Dunn FCPA Mid-Year Report, does the current climate (and lack of vigorous enforcement) provide a perfect storm for companies to look the other way if they fall off the E&C wagon, or do we think that companies are still being vigilant despite a perception of decreased enforcement?

Rants follow this week’s episode. What do the two declinations in 2017 mean? The Everything Compliance panel of experts weighs in.

Categories
Blog

Day 19 of One Month to More Effective Internal Controls – COSO Objective V: Monitoring Activities

Monitoring Activities. The Framework Volume says, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different entity levels, provide timely information. Separate evaluations, conducted periodically, will vary in scope and fre­quency depending on the assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management, and the board of directors. Deficiencies are communicated to management and the board of direc­tors as appropriate.” However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control. The nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities have been growing in importance over the past few years and will continue to do so in the future. The Five Principles of an Effective Compliance Program, Principle 5, includes ongoing monitoring, reinforced in the 2013 COSO Framework. In an article in Corporate Compliance Insights (CCI), entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is essential to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning for a company to conclude that its ICFR is effective safely. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

I. Objective-Monitoring Activities The Monitoring Activities objective consists of two principles. They are: Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing Evaluation

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle expects your organization to oversee, monitor, and audit. For the CCO or compliance practitioner, you will need to consider several different areas and concepts going forward. A current risk assessment or other evaluation of business changes should be based on some baseline understanding of your underlying compliance risk. Whatever you select will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments, and objectively evaluated.

Principle 17 – Evaluation And Communication Of Deficiencies

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken.” If that does not sound like McNulty Maxim No. 3, What did you do when you found out about it? I do not know what it does. Therefore, under this Principle, the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the weaknesses up the chain to the board or Compliance Committee, correct and then monitor the corrective action going forward. Adapting Kral, I urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”

II. Discussion Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use to support this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it also allows you to evaluate the effectiveness of that corrective action. The most important thing is that all the controls need to be sustainable. You cannot just build one-off controls that allow you to do one period and not have a process in place that will help you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one-and-done. There must also be a mechanism for communicating controls that do not work or can be overridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect, and remediate.

Three Key Takeaways:

  1. Monitoring activities are interrelated with all other Principles and cannot be taken singularly.
  2. Monitoring activities helps to ensure that all controls are present and functioning.
  3. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Ongoing monitoring of your internal controls helps to endure they are sustainable and not overridden.

Categories
Compliance Into the Weeds

Compliance into the Weeds – Episode 46 – The Potted Plant Edition

HSBC v. Moore

In this case, a federal district court had ordered the release of a redacted monitor’s report in the HSBC money-laundering Deferred Prosecution Agreement (DPA) based upon the request of an interested citizen. Both the Department of Justice (DOJ) and HSBC appealed the order, and the Court of Appeals supported their position in overturning the trial court’s decision. The case is about a hook, line, and sinker overturning of any trial court jurisdiction one can have. The district court tried to claim it did not have the same role as a “potted plant,” but the Court of Appeals left no doubt that is the only role it sees for any district court where a DPA is filed. We discuss the implications for the compliance practitioner, FCPA enforcement, and potential future changes. Are district court’s simply potted plants when it comes to DPA oversight?

Categories
Blog

Day 16 of One Month to More Effective Internal Controls-COSO Objective II: Risk Assessments

Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was not as well understood. The Framework Volume says, “Management specifies objectives within the category relating to operations, reporting, and compliance with such clarity to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider internal and external changes that can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services, which could increase the risk of running afoul of these laws. 

Objective-Risk Assessments

The objective of Risk Assessment consists of four principles. They are: Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.” Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” Principle 8 – “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Principle 9 – “The organization identifies and assesses changes that could significantly impact the internal control system.”

 Principle 6 – Suitable Objectives 

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, management is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis for your risk assessments.

Principle 7 – Identifies And Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third-party contracting and payments, and even fraudulent over-charging and pocketing of the differences in sales price. This means that it should be considered an important risk analysis. Any company must follow the flow of money, and if the Fraud Triangle is present, management is placed around such risk.

Principle 9 – Identifies And Analyzes Significant Change

It is true that if there is one constant in business, there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external and promptly assess the risks and approaches to mitigate the risk.” 

Discussion 

The SEC has clarified that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should see new risks that they need to address because of the changes brought about by the new standard. Howell noted that “in the internal control arena, fraud risk, in particular, has been keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments; “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.”

Another example is that sales folks give concessions to customers that are not reflected in their understanding of the contract and its accounting.” Howell went on to add might be other activities that are going on to acquire contracts that aren’t being properly accounted for or even recognized at some level that the concessions are being given at the backend for return that isn’t being reported back into how that affects the estimate of cheap revenue going forward. Finally, risks that a company has misstated or underestimated require determining whether revenue should be recognized over time or estimated what that period is to recognize the revenue if it is a rolling time frame. Howell stated, “For example, the period could be longer, which means that your revenue would be recognized over a longer period. There’s always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long. As we begin to think about these new judgments that are required, we get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls and have the plan to respond if they discover that the risk has happened and they have a failure.” 

Three Key Takeaways:

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and almost all other best practices compliance programs.
  2. Look at your risks across your organization rather than in a siloed manner.
  3. Risks, determination, and management change over time, so be cognizant of changes in business practices on the ground.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and all other compliance regimes.

Categories
Blog

Day 14 of One Month to More Effective Internal Controls – What is the COSO Framework?

Internal Control–Integrated Framework”, herein ‘the Framework volume.’ The second is an Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls,” herein ‘the Illustrative Guide,’ which discusses how best to assess your internal control regime and provides forms and worksheets to use in this exercise. The third volume is the Executive Summary of the first volume, herein ‘Executive Summary.’ All three works form an excellent starting point for exploration of the COSO Framework and how you might use it for your best practices anti-corruption compliance program. In the 2013 update, the basic framework was retained with substantial support from user companies, and 3 specific objectives were added:

  1. Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss
  2. Reporting Objectives – internal and external financial reporting
  3. Compliance Objectives – adherence to laws and regulations to which the entity is subject

According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance that the organization, among other things, complies with applicable laws, rules, regulations, and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations. The COSO Framework defines internal controls, from bottom to top, with the following Objectives: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring. From these five Objectives come 17 Principles which we will explore throughout this series. Larry Rittenberg, in his book “COSO Internal Control-Integrated Framework,” said that the original COSO framework from 1992 has stood the test of time “because it was built as a conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based on four general principles, which include the following: 

(1) the updated Framework should be conceptual, which allows for updating as internal controls [and compliance programs] evolve; 

(2) internal controls are a process which is designed to help businesses achieve their business goals; 

(3) internal controls apply to more than simply accounting controls, it applies to compliance controls and operational controls; and 

(4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” 

This final statement is significant for the compliance practitioner because it directly speaks to the need for the compliance practitioner to operationalize internal controls for compliance and not simply rely upon a company’s accounting, finance, or internal audit function to do so. The primary objective is to keep in mind that even if an organization adopts the Framework, there will be very few people within that organization who will have unique knowledge that a compliance officer has that would impact all the framework elements. The compliance officer’s role is to provide input to the Chief Financial Officer (CFO) and others involved in the implementation to be sure that there is a proper focus on the risks that are part of the compliance world. This primarily comes through risk assessment, control activities, and monitoring. Companies typically do risk assessments from an operational standpoint, address business risks going forward, and then develop the controls that deal with those risks, such as project financial results, doing business in certain countries, strategic decisions, and similar issues. This puts the compliance function in the unique position to be the fulcrum on many issues that will come up with a COSO-based analysis or implementation. The updated Framework retained the core definition of internal controls: control environment, risk assessment, control activities, information and communication, and monitoring activities.

Further, the well-known three-dimensional “COSO Cube” visually represents these five operational concepts. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, the emphasis on the principles is new to the 2013 Framework. Joe Howell noted that the COSO Framework could be seen as a prevent and detect control. He also related that your internal controls need to be sustainable over the long haul. He stated, “You cannot just build one-off things that allow you to do one period and not have a process in place that will help you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one and done.” As we explore the COSO Framework, the compliance practitioner should understand how the entire Framework interacts and intersects with the compliance function sustainably throughout the organization. 

Three Key Takeaways:

  1. You must use the COSO Framework or a similar source for your internal control structure.
  2. The 2013 Framework identifies the following areas: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring.
  3. Your internal controls must be sustainable.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO 2013 Framework for Internal Controls is a great guide for the internal controls required in a compliance regime. 

Categories
FCPA Compliance Report - International Edition

Compliance Report-International Edition-Carlos Ayers on Tropicalizing Your Compliance Program

Categories
Blog

Day 12 of One Month to More Effective Internal Controls-Board Oversight as an Internal Control

Best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources,” which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided sufficient information to enable independent judgment?

The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must have a corporate compliance program in place and actively oversee that function.

Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and the compliance function. The Board must ask hard questions and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must have a corporate compliance program in place and actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

  1. Risk Assessment – A Board should assess the compliance risks associated with its business.
  2. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document informing the company, its employees, stakeholders, and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures that instructs employees on how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is, and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.
  6. There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or contrasting failing even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program. 

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance with internal controls can be both detected and prevented controls.
  3. Good compliance with internal controls is good for business.

Board oversight of your compliance program can act as an internal control if properly documented. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Categories
FCPA Compliance Report

FCPA Compliance Report – Episode 337 – James Gellert on Assessing 3rd Party Financial Health for Compliance

In this episode, I visit with James Gellert, CEO of RapidRatings, a company that uses a financial dialogue to determine third-party supplier health and viability. Gellert explains what supply chain resilience is and how examining your suppliers’ financial health can lead to a more financially efficient supply chain. We then discuss the company’s third-party risk management tools. We consider how a company might evaluate a potential purchaser, partner, or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function uses the health of a third party as a tool to determine third-party compliance risk. 

For more information on RapidRatings, check out their website by clicking here.