Tag: compliance programs

Categories
Blog

Day 19 of 30 Days to a Better Compliance Program, Compliance Expertise on the Board

Office of Inspector General (OIG) has called for greater compliance expertise at the Board level. The OIG said that a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding to the Board, a compliance member. The presence of a such a compliance professional with subject matter expertise on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations. Mike Volkov looked at it from both a practical and business perspective and has stated, “I have witnessed firsthand that companies that have a board member with compliance expertise usually have a more aggressive and effective compliance program. In this situation, a Chief Compliance Officer has to answer to the board for the company’s compliance program, while receiving the resources and support to accomplish compliance tasks.” Roy Snell sees it through the prism of the compliance profession and has said, “If you ask most companies if they have compliance expertise on their Board… most would say yes. When asked who the compliance expert is they typically point to a lawyer, auditor, risk manager, or an ethicists. None of these professions are automatically compliance experts. All lawyers have different specialties.” He goes on to state that what regulators want to see is specific compliance expertise at the Board level. He noted, “the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise. Hui Chen, the DOJ Compliance Counsel, has continually talked about the need for companies to operationalize their compliance programs. She intones businesses must work to literally burn compliance into the fabric and DNA of their organization. Having a Board member with specific compliance expertise, heading a Board level Compliance Committee can provide a level of oversight and commitment to achieving this goal. It will not be long before the DOJ and SEC begin to require this step in any FCPA enforcement action resolution. This means that when your company is evaluated by Chen, under the factors set out in Prong Three of the FCPA Pilot Program, to retrospectively determine if your company had a best practices compliance program in place at the time of any violation, you need to have not only the structure of the Board level Compliance Committee but also the specific subject matter expertise on the Board and on that committee.

Key Takeaways

  1. Boards must have compliance expertise.
  2. Government regulators and shareholder groups have both called for greater compliance expertise at the Board.
  3. Compliance expertise at the Board works up and down as such expertise can be a resource to both the CCO and compliance department.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program, which is available by clicking here. Both government regulators and shareholder groups have both called for greater compliance expertise at the Board.]]>

Categories
FCPA Compliance Report

FCPA Compliance Report-Episode 350, Linda Justice and Her Nancy Drew Approach

Categories
FCPA Compliance Report - International Edition

Compliance Report-International Edition-Tim Khasanov on Compliance in post Soviet states

Integrity Corp. 50 Tips for Your Compliance Program in the Post-Soviet States.  Timur has worked in compliance, legal, consulting, and corporate governance roles in Russia, Uzbekistan, the United States, Kazakhstan, and Ukraine.  He has successfully launched and supervised execution of compliance programs for global and local businesses in the mining, energy, and pharmaceutical industries.
Tim has also recently released the first two installment of Compliance Man the first graphic novel of a compliance practitioner. You can find out more about Tim on his firm’s website, Complianceinpostussr.com.
We look at the former Soviet Union states, one of the most interesting region for Compliance professionals. we will touch 10 hot questions on corporate ethics in this region. Tim answers the following questions
1: Can we define this region as a single territory for the Compliance program structuring?
2: What regulatory trends should be taken in consideration by compliance practitioners in charge of this geography?
3: What is the biggest challenge in embedding corporate Compliance program in this region?
4:  Do you have any practical recommendations as to “dissemination of integrity” among personnel locally?
5: Is it legally permissible to deploy our FCPA/UKBA programmes in the countries of the region?
6: What is the most effective way to deliver training in this part of the world?
7: If there are any important things to remember when imposing penalties for misconduct on local personnel?
8: Do people on the ground appreciate compliance & ethics efforts?
 
[tweet_box design=”default” url=”http://wp.me/p6DnMo-3tv” float=”none”]
What are some key compliance considerations in post-Soviet states?
[/tweet_box]
 ]]>

Categories
Blog

Day 2 of One Month to More Effective Continuous Improvement-the Compliance Audit

Internal Audit – What types of audits would have identified issues relevant to the misconduct? Did those audits occur, and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board regularly? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Interestingly, Foreign Corrupt Practices Act (FCPA) compliance follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became the mainstays of any company’s best practices in the area of safety. These techniques inform any anti-corruption best practices compliance program under the FCPA, UK Bribery Act, or any other anti-corruption regime. Indeed, audits are delineated explicitly in the 2012 FCPA Guidance to assist in continuously monitoring your compliance regime. Such an audit can be thought of as a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. Three factors are critical for a compliance audit to have a chance for success: (1) an effective audit program that specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. Auditing can take several different forms in an anti-compliance program. Of course, you should audit the compliance program in your organization. A forensic audit can collect and analyze accounting and internal-control evidence in your compliance regime. This information can produce a fact-based report informing the decision-making process in inquiries, investigations, and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur.

Further, an internal audit can review compliance processes to determine if employees follow prescribed procedures or internal controls. In addition to collecting and analyzing evidence, an auditor’s objective is to attest to the credibility of assertions under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. One of the functions of such an audit is to determine if further investigation is warranted. Once again, this situation points out the difference between having a paper compliance program and the actual doing of compliance. Even with an appropriate oversight structure, you must do the work in the future. Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties, below are some of the areas you may wish to consider reviewing:

  • Contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review the compliance training program for any third party, both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through an anonymous hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel, and entertainment that were provided to or for foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer, to whom, and how does that compliance officer report? How is the third-party vendor’s compliance program designed to identify risks, and what has resulted from any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • Concerning any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and use analytical procedures and testing.

Auditing is a more limited review that targets a specific business component, region, or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, and everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Three Key Takeaways

  1. Auditing takes a deep dive into your high-risk compliance areas.
  2. Internal audits should test your key FCPA risk areas as a part of their regular auditor rotation.
  3. The findings uncovered in an audit must be used in your compliance regime.

The compliance audit is a key component in the continuous improvement of a compliance program. [/tweet_box] For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor, Affiliated Monitors, at www.affiliatedmonitors.com.

Categories
Blog

Day 1 Of One Month to More Effective Continuous Improvement-Continuous Improvement in a Compliance Program

Continuous improvement requires you to audit and monitor whether employees are staying with the compliance program. In addition to the language in the FCPA Guidance, two of the seven compliance elements in the U.S. Sentencing Guidelines call for companies to monitor, audit, and respond quickly to misconduct allegations. These three activities are vital components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. The 2012 FCPA Guidance goes on to make clear that each company should assess and manage its risks. It notes that small and medium-sized enterprises likely will have different risk profiles and, therefore, different attendant compliance programs than large multinational corporations.

Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ but is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

Ongoing monitoring is one handy tool often misused or misunderstood in the continuous improvement cycle. This can come from the confusion about the differences between monitoring and auditing. Monitoring involves reviewing and detecting compliance variances in real-time and reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program regularly and consistently across a broad spectrum of data and information. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, mainly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although the protocol is unique, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to investigate the issue further. Your company should establish a regular monitoring system to address problems. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should check in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance. What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement by using the following:

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan, which the CCO should lead to determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple, Sir” or KISS method is best for moving forward. This would suggest that there should be a simple and straightforward plan for each compliance goal to ensure that the goal in question is being addressed.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. This requires the CCO or other senior compliance department representative to put these in place and then mandate a reporting requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. It allows any problems that may arise to be detected and corrected more quickly than if meetings are held less frequently.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will implement a mechanism to demonstrate your company’s commitment to compliance by following through on the intentions outlined in your strategic plan. Continuous improvement through monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based on new and updated best practices specified by regulators. A compliance program is, in many ways, a continuously evolving organism, just as your company is. It would help if you built a way to keep pace with the market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.” 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different yet complementary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.

Continuous improvement is a key component of a best practices compliance program. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor, Affiliated Monitors, at www.affiliatedmonitors.com.

Categories
FCPA Compliance Report

FCPA Compliance Report – Episode 344 – Virginia Suveiu

Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program and the Contract Management Certificate Program. She has published articles on various business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum. Every corporation and compliance practitioner faces a wide variety of risks. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risks. We consider whether there is one process or approach to take to the over-arching concept of risk management or if the approach needs to be fined tuned by an organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including the program benefits and who should attend. We explore the approach to teaching risk management. We discuss some of her current initiatives on the study of and teaching of risk. In this episode, I discuss with Virginia Suveiu the theories of risk and the process of risk management.

Categories
Compliance Into the Weeds

Compliance into the Weeds – Episode 47

SEC Chair Clayton Talks Compliance Costs. Will the new administration gut SOX and Dodd-Frank compliance requirements?

Categories
FCPA Compliance Report

FCPA Compliance Report – Episode 343 – James Koukios on Morrison & Foerster’s Top Ten International Anti-Corruption Developments for May 2017

Top Ten International Anti-Corruption Developments for May 2017. Our topics include:

  1. FCPA Assistant Chief BJ Stieglitz has been selected for detail to UK Financial Enforcement Authorities. We discuss how a prosecutor works overseas, what this might mean for prosecutions going forward in the US and UK, and the relationship of the DOJ with its British counterparts.
  2. The DOJ has moved to terminate its DPA over Hewlett-Packard. We discuss what it means to have a DPA terminated and the DOJ’s role in this phase. We also consider the decision-making process if a DPA has to be extended due to continued or new conduct by a company under such an agreement.
  3. Finally, we consider some of the difficulties of the DOJ’s Challenges in Obtaining Foreign Evidence through a recent ruling in the Civil Forfeiture Case. On May 9, 2017, In the case of United States v. Prevezon Holdings Ltd., Southern District of New York Judge William H. Pauley III ruled that certain evidence obtained by prosecutors from foreign sources was admissible in a civil asset forfeiture case, notwithstanding that the documents lacked the requisite certifications under the Federal Rules of Evidence. We consider the process for getting information from overseas; why it takes so long, and what happens if it does not meet US evidentiary or even admissibility standards?

Click here to see a full copy of the firm’s Top Ten International Anti-Corruption Developments publication for May 2017. James Koukios returns to discuss MoFo’s Top Ten International Anti-Corruption Developments for May 2017. 

Categories
Blog

Day 22 Of One Month to More Effective Internal Controls-Lessons in Failures of Internal Controls

Cease and Desist Order also covered former employee Jeannot Lorenz, and the SEC spelled out a bribery scheme facilitated by both a failure and override of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise. According to the SEC Press Release, this matter initially began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period. However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses to satisfy content requirements.” Halliburton’s prior work on local content was deemed insufficient, and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a potential threat to veto further work by Halliburton for Sonangol. Under this backdrop, the local business team moved forward with a lengthy effort to retain a local Angolan company (Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton. In each of these attempts, the company bumped up against its internal controls around third parties, both on the sales side and through the supply chain. The first attempt to hire the Angolan agent was as a third-party sales agent, which under Halliburton parlance is called a “commercial agent.” In this initial attempt, internal control was held as the business folks abandoned their efforts to contract with the Angolan agent. The first attempt to hire the Angolan agent was rejected because the local Business Development (BD) team wanted to pay a percentage fee based, in part, upon work previously secured under the 2008 contract and not new work going forward. Additional fees would be paid on new business secured under the 2009 contract. This payment scheme for the Angolan agent was rejected as the company generally paid commercial agents for work they helped obtain and not work secured in the past. Further, the company was not seeking to increase its commercial agents during this time frame (Halliburton had entered into a Deferred Prosecution Agreement (DPA) for FCPA violations in December 2008 for the actions of its subsidiary KBR in Nigeria). Finally, “As outlined by Halliburton’s legal department, to retain the local Angolan company as a commercial agent, it would be required to undergo a lengthy due diligence and review process that included retaining outside U.S. legal counsel experienced in FCPA compliance to conduct interviews. Halliburton’s in-house counsel noted that “[t] he is undoubtedly a tortuous, painful administrative process, but given our company’s recent US Department of Justice/SEC settlement, the board of directors has mandated this high level of review.” In other words, the internal controls held and were not circumvented or overoverriddene Angolan agent was then moved from commercial agent status to supplier so the approval process would be easier. The proposed reason for this switch in designations was that the Angolan agent would provide “real estate maintenance, travel, and ground transportation services” to the company in Angola. However, the internal controls process around using a supplier also had rigor as they required a competitive bidding process which would take several months to complete. Over-riding this internal control, the local business team could contract with the Angolan agent for these services in September 2009 and increase the contract price without the Angolan agent going through the internal procurement controls. A second internal control overridden was the procurement requirement that the supplier procurement process begins with “an assessment of the critically or risk of a material or services”; not with a particular supplier and certainly not without “competitive bids or providing an adequate single source justification.” However, as the Order noted, the process was taken backward, with the Angolan agent selected and then “backed into a list of services it could provide.” Finally, a separate internal control required “contracts over $10,000 in countries with a high risk of corruption, such as Angola, to be reviewed and approved by a Tender Review Committee.” Inexplicably this internal control was also circumvented or overoverriddent. This arrangement was not deemed sufficient local content by Sonangol officials. After all of this and further negotiations, Halliburton entered into another agreement with the Angolan agent, where the company would lease commercial and residential real estate and then sublease the properties back to Halliburton at a substantial markup and also provide real estate transaction management consulting services (the “Real Estate” contract). This Real Estate contract also had to go through an internal control process. Initially, there were questions the company about the Real Estate contract as a single source for the procurement function, the upfront payment terms to the Angolan agent, the high costs, and the rationale for entering into subleases for properties that would cost less if leased directly from the landlord. Indeed, “One Finance & Accounting reviewer at headquarters noted that he could not think of any legitimate reason to pay the local Angolan company over $13 million under the Real Estate Transaction Management Agreement and that it would not have cost that much to run Halliburton’s entire real estate department in Angola.” Halliburton’s internal controls required that it had to be justified when the company used a single source. This justification would require a showing of preference for quality, technical, execution, or other reasons, none of which were demonstrated by the Angolan agent. Finally, if such a single source was used, the reasons had to be documented in Halliburton’s internal controls language “identified and justified.” The company documented none. Finally, as the internal controls were either circumvented or over-ridden, “As a consequence, internal audit was kept in the dark about the transactions, and its late 2010 yearly review did not examine them.” This was yet another internal control failure built on the previous failures noted above. So how many internal controls failures can you spot? Whatever the number, the lesson for the compliance practitioner is that you must do more than have internal controls. They must be followed and be effective. If you are doing business in high-risk regions, you have to test the controls and back up your testing by seeing if payments are being made in those regions. Perhaps the best concept would be Reaganian, trust but verify.  

Three Key Takeaways

  1. Internal controls must be shown to be effective.
  2. Circumvention and management override of internal controls must be documented to pass muster.
  3. Internal controls must be tested, and that testing must be verified with an independent source of investigation.

Internal controls must be tested and verified to demonstrate effectiveness. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Categories
Blog

Day 20 of One Month to More Effective Internal Controls – Assessing Compliance Internal Controls Under COSO

Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls.” It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting, and compliance.” Moreover, two over-arching requirements can only be met through such a structured post. First, each of the five components is present and functioning. Second, are the five components “operating together in an integrated approach.” One of the most critical components of the COSO Framework is that it sets internal control standards against those you can audit to assess the strength of your compliance with internal control. As the COSO 2013 Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. If you have a multi-country or business unit organization, you must determine how your internal compliance controls are interrelated up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward. The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2). There should be a component evaluation. Here you need to evaluate any deficiencies you may have more deeply and whether there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO 2013 Framework does not prescribe “specific controls that must be selected, developed and deployed,” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log, so they are addressed on a structured basis. Another way to think through the approach could be to consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principal evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment would examine whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This process would then lend itself to an ongoing evaluation. If business models, laws, regulations, or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment. The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially, it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It defined‘ major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” A major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective internal control system.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.” Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have, at a minimum, the categories of policies laid out in the FCPA 2012 Guidance, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments,” also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls by the Framework.”  However, what steps should you take if there are no objective criteria, as laid out in the FCPA 2012 Guidance, evaluate your company’s compliance with internal controls? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation, or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature are critical in any best practices anti-corruption or anti-bribery compliance program, whether based upon the FCPA, UK Bribery Act, or some other regulation. With the Illustrative Guide, COSO has given the compliance practitioner a handy road map to begin an analysis of your company’s internal compliance controls. When the SEC comes knocking, they will look for this type of evidence to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. First are some general definitions that you need to consider in your evaluation. An internal compliance control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.”  An internal compliance control functions if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

Three Key Takeaways:

  1. An effective internal controls system provides reasonable assurance of the entity’s objectives relating to operations, reporting, and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functional. Second are the five components operating together in an integrated approach.
  3. You can use the Tem Hallmarks of an Effective Compliance Program for an anti-corruption compliance program as your guide to testing against.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO model can be used to structure your assessment of internal controls.