Categories
Blog

Design-Centric Internal Controls: The Foundation for Compliance Excellence

The dynamic world of compliance is continually evolving. New regulations, emerging technologies, and changing market conditions demand that organizations remain vigilant and proactive in their compliance efforts. One crucial aspect of this ongoing vigilance is the design and implementation of internal controls. Recently, I had the pleasure of discussing this topic with Adrienne Bellehumeur. In this blog post, we will explore the key insights from our conversation and delve into the importance of design-centric internal controls.

Adrienne is a chartered accountant and entrepreneur in Canada who has advocated for a design-first approach to internal controls for many years. Adrienne says design-centric internal controls are essential because they lay the foundation for effective compliance. She likens this approach to baking a cake: the design is the cake itself, while testing and other compliance activities are the icing. Without a solid foundation, no amount of testing can ensure the effectiveness of internal controls.

The necessity of robust internal controls has never been more critical. With the increasing complexity of regulatory requirements (on both sides of the border) and the rapid advancement of technology, organizations must continuously assess and improve their internal control systems. Adrienne points out that while internal controls have existed for over two decades, many organizations have become complacent. This complacency can lead to outdated processes that may not adequately address current risks and regulatory expectations.

Adrienne outlined five principles to improve and energize control design work:

  1. Think of Design as the Cake and Testing as the Icing: Focus on building solid and well-thought-out processes before jumping into testing. This approach ensures that the foundation is solid and can withstand scrutiny.
  2. Assess the Organization’s Level of Maturity: Tailor the internal control program to the organization’s stage of development. A one-size-fits-all approach is ineffective, as different organizations have varying needs and challenges.
  3. Focus on Habits, Not Theory: Practical, habitual practices are more effective than theoretical concepts. Encourage habits like regular access control reviews and inventory management to embed compliance into the organizational culture.
  4. Support Continuous Improvement: Internal controls should not be static. Regularly review and update controls to ensure they remain effective and relevant. Continuous improvement helps organizations stay ahead of emerging risks and regulatory changes.
  5. Keep It Interesting: Vary the techniques used in internal control assessments to maintain engagement and effectiveness. Workshops, interviews, and creative diagramming can provide fresh perspectives and uncover new insights.

One of the most intriguing aspects of Adrienne’s approach is her use of workshops to discuss and improve internal controls. These workshops involve stakeholders, including internal auditors, compliance officers, and business unit leaders. By fostering open dialogue and collaboration, these sessions can identify inefficiencies, propose improvements, and build stronger relationships between auditors and the internal team.

Adrienne emphasizes that these workshops should occur before external audits. This pre-audit preparation allows organizations to address issues internally, reducing the likelihood of negative findings during the audit. Moreover, involving the internal team in the design process helps build a sense of ownership and commitment to maintaining robust controls.

For the internal auditor, leveraging technology is crucial for adequate internal controls. Adrienne highlighted the decreasing reliance on transactional testing, thanks to automation and data analytics advancements. Modern internal controls must adapt to these changes by incorporating technology that enhances efficiency and accuracy.

AI and data analytics can provide deeper insights into organizational processes, helping identify potential risks and areas for improvement. By integrating these technologies into the internal control framework, organizations can achieve higher precision and responsiveness.

Adrienne’s expertise in documentation is particularly relevant to internal controls. I wholeheartedly agree that good documentation practices are the backbone of any effective compliance program and form the basis of information management. Clear, accurate, accessible documentation supports transparency, accountability, and continuous improvement.

Companies must establish simple rules for naming, classifying, and managing documents. This foundational step ensures that all relevant information is readily available for internal reviews, audits, and regulatory inspections.

The compliance landscape continually evolves, with new challenges like ESG and AI gaining prominence. Adrienne articulated that a back-to-basics approach can help organizations navigate these new areas. Organizations can build a solid foundation that supports emerging compliance requirements by focusing on fundamental principles of good information management and documentation.

For instance, effective ESG reporting relies on accurate and comprehensive data. Similarly, AI systems must be underpinned by robust data management practices to ensure transparency and accountability. By strengthening these foundational elements, organizations can more easily adapt to new regulatory expectations and technological advancements.

Adrienne and I also discussed the role of internal controls in supporting whistleblower programs. With the Department of Justice (DOJ) formulating new rules for financial incentives in whistleblower programs, organizations must ensure their internal controls can detect and address issues before they escalate. Adequate internal controls can help prevent whistleblower claims by identifying and mitigating risks early. For example, strong documentation practices provide a clear audit trail that can validate the organization’s actions and decisions. Additionally, fostering a culture of transparency and accountability encourages employees to report concerns internally, allowing the organization to address them proactively.

Design-centric internal controls are essential for building a robust and effective compliance program. By focusing on the principles outlined by Adrienne Bellehumeur, organizations can enhance their internal control frameworks, support continuous improvement, and stay ahead of emerging compliance challenges. A proactive approach to internal controls is crucial for long-term compliance success, whether through innovative workshops, leveraging technology, or strengthening documentation practices.

Categories
FCPA Compliance Report

FCPA Compliance Report: Adrienne Bellehumeur on Design – Centric Approaches to Internal Controls

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance.

In this edition of the FCPA Compliance Report, Tom Fox welcomes back Adrienne Bellehumeur, a chartered accountant and expert in internal controls and documentation.

Adrienne discusses her recent article on design-centric internal control and emphasizes the importance of focusing on design as the foundation for effective control programs. She outlines five key principles for improving control design and details her approach to challenging processes and governance systems. The conversation also touches on the necessity of continuously updating controls to adapt to evolving business and regulatory environments.

Adrienne shares tips on fostering better design through workshops, effective interviewing, and continuous improvement, while also addressing new developments such as AI and ESG. The episode finishes with insights into how internal controls can support whistleblower programs and the importance of back-to-basics documentation and information management.

Highlights in this Episode:

  • Professional Background
  • Design-Centric Approach to Internal Controls
  • Challenges and Importance of Good Design
  • Principles for Improving Control Design
  • Back to Basics: Adapting to New Business Developments
  • Whistleblower Programs and Internal Controls

 Resources:

Adrienne Bellehumeur on LinkedIn

Risk Oversight

New Approaches to Control Design

Tom Fox

Instagram

Facebook

YouTube

Categories
FCPA Compliance Report

FCPA Compliance Report – Adrienne Bellehumeur on The 24-Hour Rule: Mastering Dynamic Documentation

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Join Tom Fox, the host of FCPA Compliance Report, as he speaks with Adrienne Bellehumeur, a consultant specializing in business analysis, audit, internal control programs, and effective documentation. In this episode of the FCPA Compliance Report, they discuss the secrets to smarter organizations and the importance of the 24-hour rule for documenting and retaining information. Adrienne, author of “The 24-Hour Rule,” provides practical and comprehensive techniques for dynamic documentation and pushes individuals and organizations forward through a six-step process. The discussion also covers the challenges of managing information in communication tools like Slack and WhatsApp and the need for clear repositories for future value and legal purposes. Take advantage of this informative episode and get your hands on Adrienne’s book now!

Key Highlights:

· The 24-Hour Rule: Importance of Documentation

· Dynamic documentation for managers and directors

· Mastering Successful Documentation: The Six Steps

· Effective Documentation and Data Governance

· Effective Information Management in Communication Tools

Notable Quotes:

“The 24-hour rule is what I think is the golden rule of documentation, and it’s very simple.”

“All documentation should drive back to actually pushing you personally or your organization or your team forward into a forward state to take forward action.”

“Documentation is about, and I actually believe, it’s a problem-solving technique.”

“My book is effectively a framework for better documentation where companies can assess where they’re at, look through what they have, look at I have standards I’ve developed as well.”

Resources

Adrienne Bellehumeur on LinkedIn

The 24-Hour Rule

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Entrepreneurship and Risk Management with Adrienne Bellehumeur

Tom Fox’s guest in this episode of Innovation In compliance is Adrienne Bellehumeur. They discuss the significance of gap analysis in the design of internal controls, and why having a thorough understanding of design is critical to the success of gap analysis. They emphasize the importance of continuous improvement and avoiding a “pass-fail” approach to internal control programs. Adrienne also shares her five principles for creating high-value compliance programs.

Adrienne Bellehumeur is the Director and Co-owner of Risk Oversight, a firm specializing in internal controls, internal audit, and compliance programs. She has written a book called The 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation, which is set to be published on March 7th and is geared towards managers who are seeking solutions through documentation. This book aims to provide a fun and foundational approach to documentation for the modern knowledge workforce and is the first mass-market book on documentation best practices.

 

Some of the key points discussed during the show include:

  • Adrienne’s background and current role at her company, Risk Oversight, which specializes in delivering services to mid-sized oil and gas companies in the engineering sectors.
  • The purpose of gap analysis is to identify areas for improvement in processes and controls to support operational effectiveness.
  • Adrienne’s belief that internal controls should focus on good habits, accountability, and continuous improvement rather than just ticking boxes.
  • How Risk Oversight helps companies fulfill their obligation of oversight by providing entity-level control review and understanding best practices in governance.
  • The two best practices for board minutes, the “Goldilocks principle” and the “business judgment rule.”
  • The Caremark doctrine in Delaware and the importance of documentation of major risk management decisions.
  • Adrienne’s book The 24-Hour Rule, which is a mass-market book on documentation aimed at managers looking to solve problems through documentation and is applicable to various industries.

 

KEY QUOTATION:

“Risk management is about action.” – Adrienne Bellehumeur 

 

Resources 

Adrienne Bellehumeur | LinkedIn | Twitter 

Risk OversightThe 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation