Categories
Blog

Nicholas Latham on Implementing Frameworks for Effective Risk Management in Organizations

I recently had the opportunity to visit with folks from Diligent. We look down the road at key issues in 2024 in a podcast series sponsored by Diligent entitled Compliance Professionals Adapting to Change: Industries, Regulations, and Beyond. I was able to chat with Nicholas Latham, Renee Murphy, Jessica Czeczuga, Yee Chow, and Alexander Cotoia. Over this series, we discussed compliance communications in regulated industries, managing conflicts of interest at the Board level, the Board’s role in compliance training and communications, navigating the current ESG landscape, and professional growth and mentorship in compliance. In this first blog post, we discuss accounting and risk management frameworks.

One of the key topics discussed in the episode was the importance of risk assessment frameworks in identifying and mitigating organizational risks. Latham highlighted two widely used frameworks, the COSO Framework for Internal Controls and ISO 31000, which both provide a comprehensive approach to risk management. These frameworks help organizations establish effective communication processes and gain a holistic view of risk across different departments.

The COSO Framework for Internal Controls focuses on enterprise risk management. It emphasizes the need to assess an organization’s control environment, determine risk appetite, and identify crucial risks for the business’s success. Information and communication processes, including training and monitoring activities, are built around these assessments to ensure effective risk management.

We next discussed the relevance of the “Single Pane of Glass” concept, often associated with the COSO Framework for Internal Controls. This concept provides a unified view of an organization’s operations and risk management, flattening hierarchical structures and promoting transparency. By implementing this approach, executives and leaders can comprehensively understand what is happening across the organization rather than just within individual departments.

We noted the challenges associated with compliance communication issues, particularly in e-communications. Latham emphasized the importance of setting the tone at the top, with executive leadership emphasizing the criticality of compliance and its impact on the organization and its customers. Training plays a crucial role in ensuring compliance, but Latham noted that the amount and frequency of training in today’s environment may not be sufficient. He stressed the need for organizations to step up their training efforts and be prepared for increasingly stringent regulatory scrutiny.

Monitoring e-communications poses a significant challenge due to the sheer volume of interactions. Latham suggested leveraging artificial intelligence (AI) to analyze a larger communications sample and identify potential risks. This approach could help organizations identify improper processes, training gaps, or script issues that may contribute to compliance breaches.

As a compliance professional, your understanding of risk assessment frameworks, such as the COSO Framework for Internal Controls and ISO 31000, highlights the importance of comprehensive risk management practices. The “Single Pane of Glass” concept and the challenges associated with compliance communication issues provide valuable guidance for organizations navigating the complex risk and compliance landscape. As regulatory scrutiny continues to increase, compliance professionals’ expertise will continue to serve as a valuable resource for organizations seeking to enhance their risk management practices and ensure compliance in an ever-evolving technological landscape.

Ready for Purpose-Driven Compliance? Diligent equips leaders with the tools to build, monitor, and maintain an open, transparent ethics and compliance culture. For more information and to book a demo, visit Diligent.com

Join us tomorrow when we consider conflicts of interest at the Board of Directors.

Categories
Compliance Into the Weeds

COSO Framework for Sustainability Controls and Reporting

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, join Tom and Matt as they discuss a new sustainability framework that companies can use to improve their sustainability efforts. The document emphasizes the importance of data governance and of using a recognized control framework for effective financial reporting, similar to COSO. The hosts explore the challenges of collecting and managing sustainability data, while highlighting the need for organizations to have a Chief Data Governance Officer and an in-house data committee. They discuss the importance of competent leadership, effective communication, and the role of vendors offering sustainability-supporting solutions. Tune in to discover how the right oversight mechanisms can save organizations money by streamlining IT vendors, and why sustainability data reporting is the new challenge, much as achieving Sarbanes-Oxley compliance was in the 2000s.

Key Highlights

- COSO Internal Control Framework for Sustainability Disclosures
- Comparing Sustainability and Ethics/Compliance Frameworks
- Challenges in Sustainability Data Collection
- Importance of Data Governance in Large Enterprises

Notable Quotes

  1. “ESG and sustainable business information, on the other hand, tends to be longer term and more qualitative.”
  2. “Revenue numbers are in dollar returns and carbon emissions are not.”
  3. “Radically different sorts of disclosures and data there, but you have to think through.”
  4. “You’re going to have to make sure that the data governance mechanisms you have? Do you have a Chief Data Governance Officer? Some organizations do. Do you have an in-house data committee to think about: are we collecting all of this data?”


Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective V: Monitoring Activities

The fifth and final Objective is Monitoring Activities. As with all other components of the COSO Cube, Monitoring Activities are part of an interrelated whole and cannot be taken singularly. Monitoring Activities have grown in importance for the CCO or compliance practitioner over the past few years. They will continue to do so in the future, as is reinforced in the COSO 2013 Internal Controls Framework.

The Monitoring Activities objective consists of two principles: 1) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning, and 2) the organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.

Principle 16: Ongoing evaluation.
Principle 17: Evaluation and communication of deficiencies.

Monitoring Activities should bring together your entire compliance program and tell you whether it is running properly. The CCO and compliance practitioner should use both ongoing monitoring and auditing in support of this objective.
The most important item is that all the controls must be sustainable. You cannot just build one-off controls and not have a process to help you monitor all the controls you need to cover. Controls cannot just be a one-and-done. Many companies will find that their initial approach to this is one-and-done.
There must also be a mechanism to communicate controls that do not work or can readily be overridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect and remediate going forward.
Three key takeaways:

  1. Monitoring activities are interrelated with all other Principles and cannot be taken singularly.
  2. Monitoring activities help to ensure that all controls are present and functioning.
  3. Monitoring Activities should bring together your entire compliance program and tell you whether it is running properly.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective IV: Information and Communication

As with the other components of the COSO Cube, the objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs vertically and horizontally.

Principle 13: Use of relevant and quality information.
Principle 14: Communicate internally.
Principle 15: Communicate externally.

There must be communications up and down from the Board and within an organization to disseminate the appropriate compliance-related information. The CCO or compliance practitioner should also evaluate the communication lines to third parties for this principle. As noted, this communication can flow both ways with compliance obligations to third parties and information in the form of compliance issues back from third parties.

Internal communication is how you establish communications with your sales organization and your sales operations. How do you establish communications with the legal organization? How do you establish communications with the post-sales organizations? The same applies to the auditors, both your internal auditors and your external auditors, and to the Board, so as to give the Audit Committee of the Board comfort that the company has put in place the right levels of controls.

Three key takeaways:

  1. Consider the use of relevant and quality information.
  2. You need to document your internal communications so auditors can review the audit trail.
  3. This objective relates to your third-party compliance program.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls: COSO Objective III: Control Activities

In its Framework Volume, COSO states that Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.” They should be performed at all levels in an organization’s process cycle.

Principle 10: Selects and develops control activities.
Principle 11: Selects and develops general controls over technology.
Principle 12: Control activities established through policies and procedures.

While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the interrelatedness of all the five COSO Objectives and the corporate functions in your organization. It is your control environment and then risk assessment that should lead you to this point. The Control Activities objective lays the groundwork for a living, breathing compliance program going forward.

This objective requires new ways of capturing, gathering, and confirming the accuracy and completeness of the information and the controls reporting it. The Control Activities regarding the necessary policies and procedures are an important consideration going forward.

Three key takeaways:

  1. Think of a “second set of eyes” as a primary control activity.
  2. SODs must always be employed.
  3. Control Activities should be performed at all levels in the business process cycle, which speaks directly to operationalizing your compliance program.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls-COSO Objective I-Control Environment

Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight are essential to this Objective because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a), as required under Principles 1 and 2. The external auditors must then be comfortable that this requirement is met. Finally, there must be evidence that the company has appropriate disclosure controls, because that is central to the objective. All of this is tested against Board independence and Compliance Committee oversight of the activities that management has undertaken, and against their engagement and conversations with the external auditor. Under Principle 3, structures in reporting lines, authority, and responsibility are essential to recognizing revenue. There are processes within an entity’s internal controls over financial reporting. There are policies, and there is documentation: the authority for and documentation of the judgments being made, and the review by those responsible for making the ultimate judgments about the recognition and timing of revenue and expenses. All of these need to be in place.

Under Principle 4, a business must attract, develop, and retain competent talent. Of course, this is good business as well. But it is more than simply having appropriate levels of staffing. One of the reasons companies have said they do not have the money to reinvest in the deep-dive study and process improvement necessary to implement it [the 2013 Framework] is that it comes down both to the commitment level from the top and to the tone at the top: that this is important, and that these financial disclosures are critical to the ability of investors to rely on the company’s disclosures. You must ensure the team can access the right level of technical accounting talent and business process and controls talent to make the judgments. All of this, of course, ties into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence they have accumulated, that the company has analyzed that evidence, and that it has gone through the process of comparing this to the COSO 2013 Framework and the spirit of the standard. Howell said, “those individuals are being held responsible for doing that properly. When you tie all that back together, when you get to the control environment, the COSO principle number one is that it can be completely tied back to what is required.”

Three Key Takeaways:

  1. What controls do you have in place to measure conduct at the top?
  2. Reporting lines must be clear and functioning.
  3. You must provide the right personnel with the right resources.

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.


Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – The COSO 2013 Internal Controls Framework

COSO was adopted in 1992 as a framework on which to base the design and testing of internal controls’ effectiveness. In 2010, updating this more than 20-year-old COSO Framework was deemed necessary to provide a more supportable approach when adversarial third parties (such as the SEC) challenged whether a company has effective internal controls. I believe the SEC will use this to review a company’s compliance with internal controls. This means that you need to understand what is required under the COSO 2013 Internal Controls Framework and be able to show adherence to it, or justify an exception, if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. From these five Objectives come 17 Principles, which we explore in more detail.

Three key takeaways:

  1. You must use the 2013 Internal Controls Framework or a similar source for your internal controls structure.
  2. The 2013 Internal Controls Framework identifies the following areas: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring.
  3. Your internal controls must be sustainable.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
Blog

Day 20 of One Month to More Effective Internal Controls- Assessing Compliance Internal Controls Under COSO

In its “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured process. First, each of the five components must be present and functioning. Second, the five components must be “operating together in an integrated approach”. One of the most critical features of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls. As the COSO 2013 Framework is designed to apply to a wide variety of corporate entities, your audit should be designed to test your own internal controls. This means that if you have a multi-country or multi-business-unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also recognizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward. The Illustrative Guide suggests using a four-pronged approach in your assessment.

(1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.”

(2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies that you may turn up and whether or not there are any compensating internal controls.

(3) Assess whether each principle is present and functioning. As the COSO 2013 Framework does not prescribe “specific controls that must be selected, developed and deployed”, your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and, if so, what the severity of the deficiency is.

(4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis. Another way to think through the approach could be to consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls.

Lastly, an overall Effectiveness Assessment would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation, so that if business models, laws, regulations or other situations changed, you could assess whether your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went on to define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.” Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency.

For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA 2012 Guidance, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.” However, if there are no objective criteria, such as those laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for reporting your results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program, whether based upon the FCPA, UK Bribery Act or some other regulation.

With the Illustrative Guide, COSO has given the compliance practitioner a very useful road map to begin an analysis of your company’s internal compliance controls. When the SEC comes knocking, this is precisely the type of evidence it will be looking for to evaluate whether your company has met its obligations under the FCPA’s internal controls provisions. There are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components must be present and functioning. Second, the five components must be operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – COSO Objective II: Risk Assessments

Objective II is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the Framework requires a component of management input and oversight that was perhaps not as well understood.
The objective of Risk Assessment consists of four principles.
Principle 6: Suitable objectives.
Principle 7: Identifies and analyzes risk.
Principle 8: Fraud risk.
Principle 9: Identifies and analyzes significant change.

The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Internal Controls Framework. Obviously, risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.
Three key takeaways:

  1. Risk assessments are required under the COSO 2013 Internal Controls Framework, the 2012 FCPA Guidance and almost all other best practices compliance programs.
  2. Look at your risks across your organization and not in a siloed manner.
  3. Risks, both their determination and their management, change over time, so be cognizant of changes in business practices on the ground.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
31 Days to More Effective Compliance Programs

COSO Objective I: Control Environment

The first of the five objectives is the control environment, and it sets the tone for the implementation and operation of all other components of internal control. It begins with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees. The five principles of the control environment objective are as follows:
Principle 1: Commitment to integrity and ethical values.
Principle 2: Board independence and oversight.
Principle 3: Structures, reporting lines, authority and responsibility.
Principle 4: Attracting, developing and retaining competent individuals.
Principle 5: Individuals held accountable.
Discussion. Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight are essential to this objective because the committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under SOX 404(a), as required under Principles 1 and 2.
Under Principle 3, structures in reporting lines, authority and responsibility are essential to the recognition of revenue. Under Principle 4, a business must attract, develop and retain competent talent. This ties into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence that they have been able to accumulate, that the company has analyzed that evidence, and that it has gone through the process of comparing this to the COSO 2013 Internal Controls Framework and to the spirit of the standard.
Three key takeaways:

  1. What controls do you have in place to measure conduct at the top?
  2. Reporting lines must be clear and functioning.
  3. You must provide the right personnel with the right resources.