Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 15 – Monitoring and Improvement of Internal Controls

What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law, such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start out with some basic questions, such as “How often would something be manually approved? How often are controls skipped? What are the levels of approvals that you have and what is your documentation? What are the reasons? And are you documenting how often a certain department is requiring those overrides?” While it could indicate that a company lacks a culture of compliance or that everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous control monitoring.

However, many compliance professionals, and particularly lawyers, think once a control is in place, it’s set in stone, and it’s there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program, can and should be continually monitored and improved based on information about such things as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted.

Revelo emphasized that it is not simply identifying the issues but remedying them as well, “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there, you can conduct a root cause analysis as to why there was failure in a control or violation of a compliance procedure. Revelo concluded, “You need to really do that in an in-depth manner and then remediate.”

Three key takeaways:

1. An internal control override is not necessarily a bad thing if proper procedure is followed.

2. Internal controls are not set in stone.

3. The key is to have a process for monitoring the controls and taking input, literally from each line of defense.


Categories
31 Days to More Effective Compliance Programs

Day 23 – Assessing Compliance Internal Controls

What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law, such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start with questions like “How often would something be manually approved? How often are controls skipped, what is the level of approvals that you have, and what is your documentation? What are the reasons, and are you documenting how often a certain department requires those overrides?” While it could indicate a company lacks a culture of compliance or everything is an emergency, it might mean something else. It might mean that your internal controls must be evaluated and recalibrated. In the FCPA Resource Guide and the Update to the Evaluation of Corporate Compliance Programs, the Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, a co-founder of Visual Risk IQ, calls it continuous controls monitoring.

However, many compliance professionals, particularly lawyers, think once a control is in place, it’s set in stone and there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program, can and should be continually monitored and improved based on information such as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted.

Three key takeaways:

1. An internal control override is not necessarily bad if proper procedure is followed.

2. Internal controls are not set in stone.

3. The key is to have a process for monitoring the controls, taking input literally from each line of defense.

Categories
Blog

Continuous Improvement of Internal Controls

Cristina Revelo is the Deputy Director, Corporate Monitoring at Affiliated Monitors, Inc. (AMI). She holds a Master of Science and a Bachelor of Science in Accountancy from the University of Illinois. Her professional background is in forensic accounting and internal controls. I visited with her about internal controls in practice inside a corporation.
Revelo said that internal controls are essentially any process that someone has to execute in order for the company to meet its objectives, whatever those objectives might be. In a corporate compliance department, the processes, procedures and protocols you have in place that someone has to execute can be internal controls. It could be an individual who inputs data into a system, or it could be automated, or an individual who has to physically do something in order for you to meet your goal within your overall process.
We moved to a couple of terms which often cause confusion around internal controls. The first is compensating controls and the second is control override. Revelo explained that a compensating control is “essentially an alternative control. You set in place a manual control versus an automated. If your control system breaks down, you are compensating for your control in a different way.” However, she emphasized the key is that you are still following your normal process of executing your controls.
Next was control override. A control override is an override of a compliance internal control, a negative from an accounting perspective or even a violation of the Foreign Corrupt Practices Act (FCPA). She explained that a control override should be the exception and not the rule for any corporate compliance or finance function. There must be a business reason and it must be documented. Revelo stated, “We definitely don’t advertise having to override controls, but we understand that there are emergency instances where you need to override a control that should be properly documented.”
However, what happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities which violate the FCPA or some other law such as Sarbanes-Oxley (SOX)? Revelo said she would start out with some basic questions such as “How often would something be manually approved? How often are controls skipped, what is the level of approvals that you have and what is your documentation? What are the reasons, and are you documenting how often a certain department is requiring those overrides?” While it could indicate a company lacks a culture of compliance or everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice (DOJ) calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous controls monitoring.
However, many compliance professionals, and particularly lawyers, think once a control is in place, it’s set in stone, and it’s there forever. This derives from the unfortunate fact that once again many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program, can and should be continually monitored and continually improved based upon the information about such things as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted.
We then turned to how to assess and then update or enhance your internal controls. Companies should also think about updating and reviewing their controls at least annually. In this manner, they can identify any violations of their internal controls. It also allows a deep dive into any specific areas of control failures. Another, more robust approach would be greater monitoring of your controls. For example, you could review them quarterly to allow you to spot any trends that are moving in the wrong direction. You can even start out by having your compliance function perform a self-review of its controls and test exemplar transactions. This is not a full-blown audit but simply desktop testing to make sure controls were properly followed. Once again, simply because there is a control override or excessive use of a compensating control does not mean something is illegal. It may mean that the control is not working as it was designed.
Revelo said it could be an instance of “too short of an approval time period and they need a little bit longer because depending on their industry or how business works. This also helps to both identify frustrations from employees where there is a control, but every time I need to execute, it is impossible for me to do, or it’s impossible for me to comply with it a hundred percent. These are the reasons.” These quarterly reviews can then be collated into an annual report for review and assessment and the report can form the basis of an annual report to the Compliance Committee of the Board of Directors or even the full Board.
The key is to have a process for monitoring the controls, taking input, literally from each line of defense. If a control is overridden too often, you need to change it. If a control is ineffective, you can use that information to craft a new internal control. Internal controls are not static, but dynamic and, with proper oversight, you can set up internal controls and literally improve them with appropriate documentation. (Hint: Document, Document, and Document.)
Revelo emphasized it is not simply identifying the issues “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there you can conduct a root cause analysis as to why there was failure in a control or violation of a compliance procedure. Revelo concluded, “you need to really do that in depth and then remediate it.”
Interestingly, Revelo noted that a Board of Directors has a significant role to play with internal controls. It is because all compliance literally starts with the very top of an organization and this is true when it comes to internal controls. She said, “probably the most important aspect of establishing a really great foundation for great execution of internal controls is with the Board. It all starts with the Board; with the way they advise the company with their priorities of the year and objectives for the year.” The importance of a corporate compliance program should be communicated throughout their organization and highlight the company’s commitment to compliance.
When I talk about internal controls to lawyers, I still see about half of them roll their eyes up inside their heads. However, that is a huge improvement from 10 years ago when all the lawyers had the same reaction. By using some of the strategies Revelo recommends for continuous monitoring and continuous improvement of internal controls, you have not only robust internal controls but more importantly effective internal controls.

Categories
Innovation in Compliance

Not Your Father’s Monitor-Part 3: Cristina Revelo on E&C Assessment and Internal Controls

In October, Deputy Attorney General (DAG) Lisa O. Monaco gave a Keynote Address at ABA’s 36th National Institute on White Collar Crime (Monaco Speech). Monaco’s remarks should be studied by every compliance professional as they portend a very large change in the way the DOJ will utilize monitors going forward.

Over this podcast series, sponsored by AMI, we will consider why DAG Monaco’s remarks herald a new era for monitorships. We will consider Monaco’s remarks from a variety of perspectives. Bethany Hengsbach will consider this change in monitorships from the white-collar enforcement and defense perspective. Mikhail Reider-Gordon will look at global aspects of the new DOJ monitor’s focus. Cristina Revelo will discuss how E&C assessments help drive more compliant companies. Jesse Caplan brings his views on the twin topics of antitrust and healthcare compliance. We will conclude our series with AMI founder Vin DiCianni, who will look at where monitorships are going in 2022 and beyond. In this Episode 3, Cristina Revelo brings her internal control expertise to the analysis of E&C assessments, particularly with monitors and monitorships.

Highlights of this podcast include:

  1. Monitoring skills will be in demand as we see the rise of proactive monitorships / assessments.
  2. Compliance and ethical culture are important considerations to review.
  3. E&C Assessments help companies get ahead of what is coming, mitigate risk, ensure compliance and address any gaps that might exist before a regulator comes knocking on their door.

Resources

Cristina Revelo

Affiliated Monitors Inc.

Categories
Blog

Not Your Father’s Monitor – Cristina Revelo, Using Assessments to Drive Compliance

In October, Deputy Attorney General (DAG) Lisa O. Monaco gave a Keynote Address at ABA’s 36th National Institute on White Collar Crime (Monaco Speech). Her remarks reframed a discussion about the uses of, reasons for and perceptions on independent monitors and monitorships. I asked Affiliated Monitors Inc. (AMI) founder Vin DiCianni for his thoughts around the remarks on monitors. He said, “For Affiliated Monitors this refreshed approach by DAG Monaco highlights the seriousness which businesses must place on the investment in their programs and in addressing what has for some been a negative experience with a monitor. For those who might be the subject of a monitorship, DAG Monaco recognized that the negativity that has sometimes surrounded monitorships as being punitive, should be seen in a different light bringing value, pointing a way forward and as a solution which has had great success in resolving matters.”
Monaco’s remarks should be studied by every compliance professional as they portend a very large change in the way the Department of Justice (DOJ) will utilize monitors going forward. Over this podcast series, sponsored by AMI, we will consider why DAG Monaco’s remarks herald a new era for monitorships. We will consider Monaco’s remarks from a variety of perspectives. Bethany Hengsbach will consider this change in monitorships from the white-collar enforcement and defense perspective. Mikhail Reider-Gordon will look at global aspects of the new DOJ monitor’s focus. Jesse Caplan brings his views on the twin topics of antitrust and healthcare compliance. We will conclude the series with Vin DiCianni who will look at where monitorships are going in 2022 and beyond. In Part 3, Cristina Revelo, Deputy Director, Corporate Monitoring and Compliance Services at AMI, discusses how ethics and compliance (E&C) assessments help drive more compliant companies.
Revelo has a different professional background than many compliance professionals, having earned both her Master of Science and Bachelor of Science in Accountancy. We began by exploring why a proactive monitorship can be such a valuable tool in a best practices compliance program. With this, an independent monitor can help companies review their ethics and compliance programs. AMI’s vast experience in monitorships under different regulators and requirements gives them insights into what the regulators are looking for in this type of project. With this knowledge from prior monitorships, AMI can facilitate a very practical assessment. It can highlight to a company some of the gaps within, for example, their anti-corruption program, ethics program, internal controls, or their entire E&C program.
This type of approach allows AMI to provide recommendations based on what we think the regulators might be looking for. Revelo noted, “These are great because it helps companies get ahead of potential regulators coming, knocking on their door.” It also allows a company to demonstrate they have been proactively working on their E&C program and that they are seeking to close those gaps and enhance their programs.
We then turned to Revelo’s academic and professional background, which gives a different perspective from a legally trained compliance professional. With more individuals from different backgrounds, especially auditing and forensic backgrounds, Revelo feels it really does help in these proactive assessments because she’s looking to “follow the gaps, follow the issues, use the five whys, digging a little bit deeper as opposed to potentially just checking that there is a law and that we have complied with the law.” A forensic type will inevitably dig a little bit deeper to understand a company’s internal controls, how they implement their controls, whether those internal controls are manual or automated, where there could be a failure, essentially to walk through the entire process.
Revelo emphasized, “conducting a walkthrough of your entire internal controls process, sitting with different individuals, having interviews, really understanding, whoever is implementing that process. This allows you to really pick apart and identify the different failures that could come up throughout the different controls in the process.” It is really looking at things through a different lens. From there you can move to enhance or remediate as needed. These are the types of skills and analysis an accountant or forensic auditor could bring to a proactive E&C assessment.
Turning to a more commercial reason for proactive assessments, Revelo concluded with an observation about culture. In the ever-increasing race for talent acquisition and talent retention, culture has become one of the most critical factors for millennials as they make up most of the workforce now and will be above 50% of the workforce in a few years. Millennials want to have pride in a place they work, they want to be happy, and money is not the driving factor in their equation. Revelo noted, “they want to work for companies that are ethical, that are socially responsible, that are behind the right things that they care about.” As these areas fall directly within the area of E&C, Revelo said, “I think it’s really important for companies in order to attract the right talent and retain that talent because sometimes also you see millennials moving jobs very often. Those employees a company might want to retain are going to care about what you are behind, how ethical you are, how you treat your employees, and all of this has to do with a company culture and the ethical culture.”
Affiliated Monitors
Cristina Revelo

Categories
Great Women in Compliance

Cristina Revelo – Choose Your Adventure and Build Your Career


Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.
Some people consider ethics and compliance officers as risk averse given our roles in organizations. However, so many people in our professional community have taken risks and evaluated opportunities for both their personal and professional lives. Today’s guest is one of those people.
Cristina Revelo started her career at KPMG, and then moved to WalMart, relocating to Arkansas to take on this role. Today, she is Deputy Director, Corporate Monitoring and Compliance Services at Affiliated Monitors, Inc.
Cristina talks about her experiences when she joined WalMart, and in particular about going to Colombia and taking on an interim country lead role. She talks about opportunities that she took early on and challenges that she encountered, being less senior than some others and being a woman.
There were also times where she looked at an opportunity and decided it was not the right one, and how she said no, without burning bridges and remaining open to new opportunities.
We also get to hear how it is going at Affiliated Monitors as it is a relatively new role for Cristina, and also talk a bit about our experience at SCCE CEI. We hope you enjoy this last episode of the summer/fall GWIC series.
Corporate Compliance Insights is a much appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book, “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020). Thank you to all those who have taken the time to rate the GWIC podcast and book, it’s much appreciated.
If you’ve already read the book and liked it, will you help out other women to make the decision to leverage off the tips and advice given by rating the book and giving it a glowing review on Amazon?
As always, we are so grateful for all of your support and if you have any feedback or suggestions for our line up or would just like to reach out and say hello, we always welcome hearing from our listeners.
You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.