Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective V: Monitoring Activities

The fifth and final Objective is Monitoring Activities. As with all other components of the COSO Cube, Monitoring Activities are part of an interrelated whole and cannot be taken singularly. Monitoring Activities have grown in importance for the CCO or compliance practitioner over the past few years. They will continue to do so in the future, as is reinforced in the COSO 2013 Internal Controls Framework.

The Monitoring Activities objective consists of two principles: 1) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning, and 2) the organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.

Principle 16: Ongoing evaluation.
Principle 17: Evaluation and communication of deficiencies.

Monitoring Activities should bring together your entire compliance program and tell you whether it is running properly. The CCO and compliance practitioner should use both ongoing monitoring and auditing in support of this objective.

The most important item is that all the controls must be sustainable. You cannot just build one-off controls and not have a process to help you monitor all the controls you need to cover. Controls cannot just be a one-and-done. Many companies will find that their initial approach to this is one-and-done.

There must also be a mechanism to communicate controls that do not work or can readily be overridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect and remediate going forward.

Three key takeaways:

  1. Monitoring activities are interrelated with all other Principles and cannot be taken singularly.
  2. Monitoring activities help to ensure that all controls are present and functioning.
  3. Monitoring Activities should bring together your entire compliance program and tell you whether it is running properly.
Categories
Creativity and Compliance

Do It Right Rick and Creating a Custom Character

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the award-winning Compliance Podcast Network.

Ronnie’s company, Learnings and Entertainment, utilizes the entertainment devices people use to consume information in their everyday, non-work lives and apply it to important topics around compliance and ethics. It is not only about being funny. It is about changing the tone of your compliance communications and messaging to make your compliance program, policies, and resources more accessible.

In this episode, Tom and Ronnie visit with Katherine Hill, Legal Compliance Manager at Ferguson Enterprises. They discuss the compliance program rebranding that Ronnie and his creative team at Learnings & Entertainment helped Katherine put together, the unique challenges for a blue-collar workforce, and how Learnings & Entertainment was able to help Katherine and her team drive engagement through the creation of ‘Do It Right, Rick.’

Highlights include:

  • Why a Custom Character?
    • Improving the image
    • Putting a friendly face on the program
    • Highly customized messaging
  • What was involved?
    • Brainstorming and coming up with the ideas
  • How is it being deployed?
  • Lessons Learned.

Resources:

  • Learnings & Entertainment (Website)
  • Compliance Confessions – inspired by “Mean Tweets,” these 90-second commercials address misconceptions and excuses to promote speak-up culture and the E&C team as positive and helpful.
  • E&C Training Jams – a soulful singer banters with ethics & compliance, explaining policies, sharing examples, and debunking excuses. 
  • Tales from the Hotline – Real speak-up-themed stories about workplace behavior gone wrong.
  • Workplace Tonight Show! – E&C meets SNL Weekend Update explaining corporate risk topics and why employees should care.
  • 60-Second Communication & Awareness Shorts – A variety of short, customizable, music and multimedia, quick-hitter “commercials” promoting integrity, compliance, speaking up, and the E&C team as helpful advisors and coaches.
  • Custom Live & Digital Programming – Custom creative programming that balances the seriousness of the subject matter with a more engaging delivery. After all, you can’t bore people into learning.
Categories
GalloCast

GalloCast – Episode 7

Welcome to the GalloCast. You have heard of the Manningcast in football. Now we have the GalloCast in compliance. The two top brothers in compliance, Nick and Gio Gallo, come together for a free-form exploration of compliance topics. It is a great insight on compliance brought to you by the co-CEOs of ComplianceLine. Fun, witty, and insightful with a dash of the two brothers throughout. It’s like listening to the Brothers Gallo talk compliance at the dinner table. Hosted by Tom Fox, the Voice of Compliance.

Tom Fox peppers questions to Nick Gallo and Gio Gallo from Ethico with topics like what companies should consider doing business in Ukraine and how to identify great business risks. They also provide an understanding of compliance, changing human behavior, and techniques to get around ethical controls. Topics are spiced up with references to the recent Pope’s speech and technological advancements. Be sure to tune in, and don’t miss out on the brothers’ educational insights and witty dialogue.

Key Highlights

  • Logistical Challenges of Working in Ukraine – [00:04:00]
  • Compliance as an Opportunity to Manage Business Risk – [00:07:20]
  • The Role of Persuasion in Ethics and Compliance – [00:10:40]
  • US Semiconductor Industry Moves Away from Supply Chains – [00:13:43]
  • Risk Assessment and Crowdsourcing – [00:17:00]
  • The Ineffectiveness of Risk Assessment Strategies – [00:20:30]
  • Behavioral Psychology in Compliance Programs and Compliance Discipline – [00:23:50]
  • CEO Understanding of Compliance and Its Impact on Budgeting – [00:27:00]
  • The Benefits of Exploring Different Perspectives Through Reading – [00:29:52]
  • The Ethical Implications of AI-Generated Content – [00:36:25]
  • The Impact of Technology on the Economy – [00:39:37]
  • The Power of Simplifying Your Policy with Technology – [00:42:40]
  • Pope’s Condemnation of Corruption – [00:46:02]

Resources

Nick Gallo on LinkedIn

Gio Gallo on LinkedIn

Ethico

Categories
Daily Compliance News

February 24, 2023 – The Just Say No—To Drag Shows Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • The State of Tennessee seeks to restrict drag shows. (Reuters)
  • After the assassination attempt, the Eskom chief fired. (FT)
  • Mom is always there when you need her. (FT)
  • Not a bribe, just an open-ended loan that was never repaid. (Ohio Capital Journal)
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective IV: Information and Communication

As with the other components of the COSO Cube, the objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs vertically and horizontally.

Principle 13: Use of relevant and quality information.
Principle 14: Communicate internally.
Principle 15: Communicate externally.

There must be communications up and down from the Board and within an organization to disseminate the appropriate compliance-related information. The CCO or compliance practitioner should also evaluate the communication lines to third parties for this principle. As noted, this communication can flow both ways with compliance obligations to third parties and information in the form of compliance issues back from third parties.

Internal communication is how you establish communications with your sales organization and your sales operations. How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, your internal auditors, your external auditors, and the board, to give the Audit Committee of the Board comfort that the company has put in place the right levels of controls.

Three key takeaways:

  1. Consider the use of relevant and quality information.
  2. You need to document your internal communications so auditors can review the audit trail.
  3. This objective relates to your third-party compliance program.
Categories
Everything Compliance

Episode 113 – The Replika AI Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quartet of Jay Rosen, Jonathan Armstrong, Karen Woody, and Matt Kelly who discuss a potpourri of issues. We conclude with our fan fav Shout Outs and Rants section.

1. Matt Kelly looks at ChatGPT and raises several questions for the compliance professional. He rants about Facebook and its layoffs and performance reviews.

2. Jonathan Armstrong comes in smoking on the Replika AI imbroglio in Italy and discusses his collection of comments by users of the service. He shouts out to the British Navy for the Altmark Incident in 1940, the last recorded English naval battle fought with cutlasses.

3. Tom Fox shouts out to Valentine’s Day and all those hopeless romantics out there.

4. Karen Woody looks at the new rules promulgated by the SEC on insider trading. She shouts out to the Netflix show Cunk on Earth.

5. Jay Rosen looks at the First Energy corruption scandal and the current trial of former Ohio House speaker Larry Householder. He shouts out to Stevie Van Zandt donating a do rag to California Representative Jamie Raskin to wear during his cancer treatment.

The members of the Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks – is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Daily Compliance News

February 23, 2023 – The Self-Disclosure Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day we consider four stories from the business world, compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition of Daily Compliance News:

  • US states seek to block ESG investing rules. (Reuters)
  • Judge allows Wexner subpoena by mail in Epstein lawsuit. (FT)
  • Ohio speaker alleged to have used bribe money to pay for physical assaults. (Ohio Capital Journal)
  • US attorneys want more self-disclosure. (Bloomberg)
Categories
Blog

Using Data Analytics to Create an Effective Compliance Program-Part 3

In this conclusion of a three-part blog post series, we are considering how to create an effective compliance program through the use of data analytics. I am joined in this exploration by Vince Walden, CEO of Kona AI, and we are considering the requirements laid out by the Department of Justice (DOJ) in their recent pronouncements on best practices, as well as the key trends and lessons learned from enforcement actions. Finally, we will consider the speech by Kenneth Polite on the changes to the Corporate Enforcement Policy and how to meet those requirements using data analytics. Walden articulated 10 steps you need to follow:

  1. Assess a company’s conduct;
  2. Self-disclose;
  3. Know quickly if there is a problem or not;
  4. Have access to relevant sources of data;
  5. Conduct monitoring at the beginning and throughout the lifespan of the relationship;
  6. Have an on-premise application;
  7. Look up vendors and transactions quickly;
  8. Run data through a library of corruption and fraud tests;
  9. Look at a predictive model and see if it meets the profile of an improper payment; and
  10. Have visibility into data almost at their fingertips.

The 7th step involves having an on-premise application for data analytics. This is an important step, as it allows companies to keep their data secure, while still being able to use predictive analytics and other compliance monitoring tools. You should consider a platform designed to be hosted and managed as a service, meaning that companies can utilize the platform without having to move large amounts of data around each month.

Under steps 8 & 9, you should run your data through a variety of libraries and tests, but a key is doing so without compromising data privacy. Using data analytics to identify anomalous payments that may be indicative of corruption or fraudulent activities will help your organization to meet the DOJ’s expectations for an effective compliance program. It helps improve business processes, increase transparency, and reduce the risk of improper payments. Additionally, such a data analytics platform can be used to benchmark an individual company’s compliance program by identifying attributes of an improper payment.

Finally, under Step 10, your organization should use a tool that also supports data visualization and dashboards, which help companies analyze their compliance data in real time by quickly identifying any irregularities or anomalies that could be indicative of corruption or fraudulent activity. Your system should also provide support for automated reporting, allowing companies to easily generate reports on their compliance program. This can help companies identify areas of improvement, as well as any potential issues that should be addressed. Such visibility can extend up to the Board of Directors level, which will enhance your reporting up the organization and facilitate the Board’s requirement for oversight under the Caremark Doctrine.

This approach can be used to facilitate risk assessments, helping companies to ensure that their compliance programs are up to the standards set by the DOJ. Through ongoing monitoring, it can be used to track activities and progress in compliance over time. This gives companies a better understanding of their compliance processes and an effective way to demonstrate that their compliance program is up to the standards set by the DOJ.

Data-driven compliance decisions are essential for companies to meet the expectations of the DOJ. This includes having access to relevant sources of data, conducting monitoring at the start and throughout the lifespan of a relationship, having an on-premise application, and self-disclosing any potential violations to the DOJ. A data analytics platform can help companies meet these expectations, as it will provide advanced analytics and compliance monitoring that allow companies to quickly identify areas of risk and anomalies in their data. Additionally, the platform can be used to collaborate with other companies to gain insights into attributes of improper payments to prevent fraud or even simple over-payment of vendor invoices.

Perhaps there is no better example of a data-driven approach to compliance in meeting the DOJ expectations than the 2022 ABB Foreign Corrupt Practices Act enforcement action. In it, ABB had notified the DOJ it wanted to meet and had scheduled a meeting, but before ABB could come in and self-disclose, the story of ABB corruption in South Africa broke in the local news. However, the DOJ credited ABB for detecting the violations and notifying the DOJ it was coming in. This went a long way towards the excellent result ABB was able to achieve in its resolution with the DOJ.

Listen to Vince Walden on Data Driven Compliance

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls: COSO Objective III: Control Activities

In its Framework Volume, COSO states that Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.” They should be performed at all levels in an organization’s process cycle.

Principle 10: Selects and develops control activities.
Principle 11: Selects and develops general controls over technology.
Principle 12: Control activities established through policies and procedures.

While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the interrelatedness of all the five COSO Objectives and the corporate functions in your organization. It is your control environment and then risk assessment that should lead you to this point. The Control Activities objective lays the groundwork for a living, breathing compliance program going forward.

This objective requires new ways of capturing, gathering, and confirming the accuracy and completeness of the information and the controls reporting it. The Control Activities regarding the necessary policies and procedures are an important consideration going forward.

Three key takeaways:

  1. Think of a “second set of eyes” as a primary control activity.
  2. SODs must always be employed.
  3. Control Activities should be performed at all levels in the business process cycle, which speaks directly to operationalizing your compliance program.
Categories
Hill Country Authors

Marilyne Cizmich – Lessons from Sonia the Cat

Welcome to the award-winning The Hill Country Authors Podcast. In this podcast, Hill Country resident Tom Fox visits with authors who live in and write up the Texas Hill Country. In this episode, I visit with the children’s author and Hill Country resident Marilyne Cizmich.

Highlights include:

  • Growing up in the Bay Area
  • Traveling around North America
  • The Kerrville Folk Festival
  • Getting a Nursing Degree
  • School Nursing in Alaska
  • A trip to Ukraine and Sonia the Cat
  • Relocating to the Hill Country

Why your business needs a podcast?

Find out at this Lunch Workshop why your business needs a podcast. The Texas Hill Country Podcast Network hosts the podcast, which will be held on Friday, March 3, from 11:30 AM CT to 1:00 PM CT at the Kroc Center. For information and registration, click here.