Category: Compliance Into the Weeds

Compliance into the Weeds: COSO Fraud Risk Management Framework

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

Get ready to dive into the world of fraud risk management and prevention with Compliance into the Weeds, hosted by Tom Fox and Matt Kelly. In this episode, they break down the recently released fraud risk framework from COSO and the Association of Certified Fraud Examiners and explain why it is needed in an era of cyber-based fraud and cryptocurrency. They stress the importance of data analytics and internal hotlines in preventing fraud and argue that all employees need to be trained to detect and prevent fraud in their industry. The hosts also discuss how financial reporting controls may not always detect fraud and why dedicated anti-fraud controls are essential. With the rise of new types of fraud such as ESG fraud and greenwashing, the hosts recommend the fraud risk report to audit and compliance professionals who want to stay informed about the risks swirling around corporations today. Take advantage of this informative and fascinating podcast. Tune in to Compliance into the Weeds now.

Key Highlights:

· Fraud Risk Management: COSO Report 2nd Edition
· Effective Fraud Prevention Training for Employees
· Importance of Anti-Fraud Controls in Fighting Fraud
· COSO Fraud Risk Guidance and the Fraud Pentagon

Notable Quotes:

“But when you think about it, we have a lot of external factors, such as the rise of cryptocurrency, which is riddled with fraud and corruption risk. New methods of cyber-based fraud, which didn’t exist, say, 2016, the 2010s before that. Rise of ransomware in particular, which wasn’t quite a big thing back then that it is all over the place now.”

“Most frauds, you the risk management function, you might never catch them. By looking for them, you’ll have to depend on somebody else coming to you from the enterprise, say, I think this person over here is doing something sketchy.”

“Fraud is having a moment. And fraud risk is on the forefront of many people’s minds from many different areas.”

“We need to do better at finding ways to assess and understand your fraud risk and then implementing new controls as necessary to push that risk down to acceptable levels.”

Resources

Matt: LinkedIn; Blog Post in Radical Compliance

Tom: Instagram, Facebook, YouTube, Twitter, LinkedIn

Category: Compliance Into the Weeds

COSO Framework for Sustainability Controls and Reporting

The award-winning Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, join Tom and Matt as they discuss a new sustainability framework that companies can use to improve their sustainability efforts. The document emphasizes the importance of data governance and of using a recognized control framework for effective financial reporting, similar to COSO. The hosts explore the challenges of collecting and managing sustainability data, while highlighting the need for organizations to have a Chief Data Governance Officer and an in-house data committee. They discuss the importance of competent leadership, effective communication, and the role of vendors offering solutions that support sustainability reporting. Tune in to discover how the right oversight mechanisms can save organizations money by streamlining IT vendors, and why sustainability data reporting is today's equivalent of the challenge of achieving Sarbanes-Oxley compliance in the 2000s.

Key Highlights:

· COSO Internal Control Framework for Sustainability Disclosures
· Comparing Sustainability and Ethics/Compliance Frameworks
· Challenges in Sustainability Data Collection
· Importance of Data Governance in Large Enterprises

Notable Quotes:

1. “ESG and sustainable business information, on the other hand, tends to be longer term and more qualitative.”

2. “Revenue numbers are in dollar returns and carbon emissions are not.”

3. “Radically different sorts of disclosures and data there, but you have to think through.”

4. “You’re going to have to make sure that the data governance mechanisms you have? Do you have a Chief Data Governance Officer? Some organizations do. Do you have an in-house data committee to think about, are we collecting all of this data?”

Resources

Matt: on LinkedIn; on Radical Compliance

Tom: Instagram, Facebook, YouTube, Twitter, LinkedIn

Category: 31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective II: Risk Assessments

Objective II is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the Framework requires a component of management input and oversight that was perhaps not as well understood.

The objective of Risk Assessment consists of four principles.

Principle 6: Suitable objectives.

Principle 7: Identifies and analyzes risk.

Principle 8: Fraud risk.

Principle 9: Identifies and analyzes significant change.

The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Internal Controls Framework. Obviously, risk assessments are a cornerstone of a best practices compliance program, as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.

Three key takeaways:

  1. Risk assessments are required under the COSO 2013 Internal Controls Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, both their determination and their management, change over time, so be cognizant of changes in business practices on the ground.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Category: 31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective I: Control Environment

Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight are essential to this Objective, because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a), as required under Principles 1 and 2. The external auditors must then be comfortable that this requirement is met. Finally, there must be evidence that the company has appropriate disclosure controls, because that is central to the objective. All of this is tested against Board independence and Compliance Committee oversight of the activities management has undertaken, and against their engagement and conversations with the external auditor. Under Principle 3, structures in reporting lines, authority, and responsibility are essential to recognizing revenue. These include the processes in an entity’s internal controls over financial reporting, its policies, and its documentation: who has the authority to make judgments, how those judgments are documented, and who reviews them and bears responsibility for the ultimate judgments about the recognition and timing of revenue and expenses. All of these need to be in place.

Under Principle 4, a business must attract, develop, and retain competent talent. Of course, this is good business as well. But it is more than simply maintaining appropriate levels of staffing. “One of the reasons that companies have said they do not have money to reinvest in the deep dive study and process improvement necessary to implement it [the 2013 Framework] is that it comes down to both the commitment level from the top and the tone at the top that this is important and that these financial disclosures are critical to the ability of the investors to rely on the company’s disclosures. You must ensure the team can access the right level of technical accounting talent and business process and controls talent to make the judgments.” All of these, of course, tie into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence they have accumulated, that the company has analyzed that evidence, and that it has gone through the process of comparing this to the COSO 2013 Framework and the spirit of the standard. Howell said, “those individuals are being held responsible for doing that properly. When you tie all that back together, when you get to the control environment, the COSO principle number one is that it can be completely tied back to what is required.”

Three Key Takeaways:

  1. What controls do you have in place to measure conduct at the top?
  2. Reporting lines must be clear and functioning.
  3. You must provide the right personnel with the right resources.

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.


Category: 31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Mapping Internal Controls

The SEC has continued to emphasize the accounting provisions of the FCPA, specifically the internal controls provisions. The reason is straightforward: a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do about the FCPA’s requirements for internal controls and the continued SEC enforcement emphasis? You should begin with an exercise in which you map the internal controls your company has in place to the indicia of the Hallmarks of an Effective Compliance Program, as set out in the 2020 FCPA Resource Guide. While most compliance practitioners are familiar with the Hallmarks, you may not be as familiar with standards for internal controls. Here, the COSO 2013 Internal Controls Framework is your starting point.

As a CCO or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may become part of your anti-corruption efforts going forward. Compliance is a straightforward exercise; that does not mean it is easy. You have to work at it so that you do not end up with a paper, “check the box” program. But using the excuse that you have limited resources is simply an excuse, and a rather poor one at that. The clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place; by engaging in this mapping exercise you can figure out what you have and, more importantly, which internal compliance controls you do not have and need to institute.

Three key takeaways:

  1. Learn the internal controls your company currently has in place.
  2. Map your compliance internal controls to the COSO 2013 Internal Controls Framework.
  3. Use your gap analysis as a basis for remediation.

Category: Compliance Into the Weeds

Compliance into the Weeds – Episode 9: COSO ERM Framework

Draft ERM Framework is Here! Get Started

Go to Norman Marks’ blog post, “We need to review and provide feedback on the COSO ERM Exposure Draft.”

How the COSO ERM Framework will change corporate governance: http://wp.me/p6DnMo-2CB