Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls-COSO Objective I-Control Environment

Both Board of Directors’ independence and Compliance Committee (or other applicable committees) oversight issue are essential to this Objective because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a); as required under Principles 1 & 2. The external auditors must then be comfortable that this requirement is met. Finally, there must be evidence that the company has appropriate disclosure controls because that is central to the objective. This is all tested against Board independence and Compliance Committee oversight over those activities that management has undertaken and their engagement and conversations with their external auditor. Under Principle 3, structures in reporting lines, authority, and responsibility are essential to recognizing revenue. There are processes in an entity’s internal controls or financial reporting details. There are policies, and there is documentation, the authority and documentation of the judgments are being made, the review of those in responsibility for making those ultimate judgments about the recognition of revenue and the recognition or timing of the revenue and the expenses, that those need to be in place.

Under Principle 4, a business must attract, develop, and retain competent talent. Of course, this is good business as well. But it is more than simply some appropriate levels of staffing; one of the reasons that companies have said they do not have money to reinvest in the deep dive study and process improvement necessary to implement it [the 2013 Framework] is that it comes down to both to commitment level from the top and the tone at the top that this important and these financial disclosures are critical to the ability of the investors to rely on the company’s disclosures. You must ensure the team can access the right level of technical accounting talent and business process and controls talent to make the judgments.” All these leads, of course, tie into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence they have accumulated, that the company has analyzed that evidence, and has gone through the process of comparing this to the COSO 2013 Framework and the spirit of the standard. Howell said, “those individuals are being held responsible for doing that properly. When you tie all that back together, when you get to the control environment, the COSO principle number one is that it can be completely tied back to what is required.” 

Three Key Takeaways:

  1. What controls do you have in place to measure conduct at the top?
  2. Reporting lines must be clear and functioning.
  3. You must provide the right personnel with the right resources.

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

 

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Mapping Internal Controls

The SEC has continued to emphasize the accounting provisions of the FCPA, specifically the internal controls provisions. The reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do around the FCPA’s requirements for internal controls and continued SEC enforcement emphasis? You should begin with an exercise where you map the internal controls your company has in place to the indicia of the Hallmarks of an Effective Compliance Program, as set out in the 2020 FCPA Resource Guide. While most compliance practitioners are familiar with the Hallmarks, you may not be as familiar with standards for internal controls. Here, begin with the COSO 2013 Internal Controls Framework as your starting point.

As a CCO or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise; this does not mean that it is easy, you do have to work at it so that you will simply not have a paper, “check the box” program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls that you do not have and need to institute.

Three key takeaways:

1. Learn the internal controls your company currently has in place.

2. Map your compliance internal controls to the COSO 2013 Internal Controls Framework.

3. Use your gap analysis as a basis for remediation.

Categories
Compliance Into the Weeds

Compliance into the Weeds-Episode 9 COSO ERM Framework

Draft ERM Framework is Here! Get Started
Go to Norman Marks’ blog post, We need to review and provide feedback on the COSO ERM Exposure Draft
[tweet_box design=”default” url=”http://wp.me/p6DnMo-2CB” float=”none”]How the COSO ERM Framework will change corporate governance[/tweet_box]]]>