Categories
Blog

Auditors and Compliance: Part 2 – Ten Key Takeaways for Compliance Professionals

The PCAOB’s recent information release, SPOTLIGHT Auditor Responsibilities for Detecting, Evaluating, and Making Communications About Illegal Acts, is a critical guide for compliance professionals. The SPOTLIGHT sets out the role of auditors in assessing a company’s compliance with laws and regulations, particularly how auditors must identify, evaluate, and communicate potential illegal acts. For compliance officers, however, the SPOTLIGHT highlights areas where compliance and audit functions intersect and emphasizes the importance of collaboration in maintaining regulatory adherence and upholding financial integrity. Yesterday, we reviewed the roles and duties assigned to auditors. Today, we will dive into the 10 key takeaways for compliance professionals, outlining what they need to know to align their efforts with audit processes and effectively support their organization’s commitment to compliance.

  • Understand the Auditor’s Role in Identifying Illegal Acts

Auditors have a duty to detect and evaluate illegal acts that could materially impact a company’s financial statements. This includes assessing the potential effect of any illegal activity on the company’s financials and reporting these issues to management, the audit committee, and sometimes to the SEC. Compliance professionals need to understand this role to support auditors in fulfilling these obligations, especially by maintaining a strong compliance program that actively monitors regulatory adherence. Compliance should ensure that internal policies align with PCAOB standards and legal requirements, helping auditors conduct a thorough risk assessment as part of their evaluation.

  • Maintain Transparent and Open Communication Channels

Transparency and open communication are vital for a successful compliance-audit relationship. Auditors depend on information from management, the audit committee, and legal counsel to identify and evaluate potential violations. Compliance professionals should facilitate open communication with auditors and provide timely access to relevant information. This includes documentation from internal investigations, responses to auditor inquiries, and any corrective actions taken to address potential illegal acts. Proactively sharing information about compliance efforts demonstrates a commitment to ethical practices and supports auditors’ work to provide an accurate assessment of the company’s financial statements.

  • Foster a Strong Internal Reporting Culture

Auditors must inquire about complaints and tips, including those from whistleblower programs. For compliance professionals, this highlights the importance of fostering an internal reporting culture where employees feel safe raising concerns. A robust whistleblower program and other internal reporting mechanisms help identify potential illegal acts early, allowing the company to take action before issues escalate. Compliance teams should ensure employees know how to report concerns confidentially and clearly communicate that the company prohibits retaliation against whistleblowers. This can help create a steady pipeline of information that aids both compliance and audit functions in proactively addressing potential issues.

  • Document Document Document

Thorough documentation is crucial in every compliance arena, whether regulatory reporting, high-value transactions, or industry-specific regulations. (The Tom Fox mantra: Document, Document, Document.) Compliance professionals should maintain clear records of all compliance activities, internal investigations, and responses to auditor inquiries. By providing auditors with well-documented information, companies can help auditors assess whether any potential illegal acts are isolated incidents or indicative of broader compliance concerns. Such documentation facilitates the audit process and demonstrates to regulators a serious commitment to compliance.

  • Prioritize High-Risk Areas with Targeted Monitoring

Auditors focus on high-risk areas in their evaluations, such as transactions or activities with greater potential for legal violations. Compliance professionals should proactively monitor these high-risk areas to detect and mitigate issues before they escalate. For instance, compliance in industries with high regulatory scrutiny should ensure that the organization adheres to all industry-specific legal requirements. Regularly evaluating high-risk areas through targeted monitoring helps create a solid foundation for internal and external financial statement audits, reducing the chance of undetected illegal acts.

  • Be Prepared to Act on Auditor Findings Promptly

When auditors identify potential illegal acts, it is essential for compliance to respond swiftly and decisively. This involves conducting a thorough internal investigation and determining any required disclosures or corrective actions. From there, you should perform a Root Cause Analysis and then proactively address any concerns from auditors to help the organization maintain transparency and avoid further regulatory scrutiny. A prompt response strengthens the relationship between the compliance and audit functions and demonstrates to auditors and regulators a proactive approach to managing and mitigating compliance risks.

  • Strengthen Leadership’s Commitment to Compliance

The PCAOB emphasizes the importance of a “tone at the top” in its guidance, noting that auditors consider a company’s commitment to compliance when assessing potential illegal acts. Compliance teams should work with executive leadership to promote a strong culture of ethics and compliance, as this can significantly impact employee behavior and organizational practices. A commitment to compliance at the leadership level signals to employees that ethical conduct is a priority, supporting the organization’s overall compliance efforts. When leadership promotes compliance, employees are more likely to report concerns, and auditors can rely on the company’s internal controls and integrity.

  • Prepare for Potential Notification

If auditors discover a material illegal act and management fails to take appropriate action, the auditor may be required to notify the SEC or DOJ. For compliance professionals, this highlights the importance of swift and transparent responses to any findings of illegal activity. Working closely with auditors to address material findings and avoid potential SEC/DOJ notification is crucial. When the compliance function demonstrates a proactive approach to addressing auditor findings, it helps maintain the organization’s reputation, strengthens auditor relationships, and reduces the likelihood of regulatory intervention.

  • Regularly Review and Update Compliance Training

Auditors also assess a company’s internal compliance functions, including how well employees understand and adhere to compliance obligations. Regular compliance training ensures that employees are informed about identifying and reporting illegal acts, understand whistleblower protections, and know the resources available to them. Compliance professionals should review and update training programs frequently to address any changes in laws or regulations and any emerging risks specific to the company’s industry. Effective training reinforces employees’ commitment to ethical behavior and supports the company’s internal controls, bolstering the compliance-audit relationship.

  • Emphasize Materiality Assessments in Compliance Evaluations

When auditors evaluate the impact of illegal acts, they consider both quantitative and qualitative materiality. Compliance teams should adopt a similar approach when assessing potential violations. For instance, even a small illegal payment could be material if it raises ethical concerns or results in contingent liabilities. By considering potential violations’ financial and reputational implications, compliance teams can better assess the materiality of issues and take appropriate corrective action. This approach aligns with auditor standards and helps create a thorough and effective compliance environment.

Strengthening Compliance and Audit Collaboration

The PCAOB’s guidance reminds compliance professionals that a proactive approach to detecting, evaluating, and addressing potential illegal acts is essential. By understanding the auditor’s role and aligning compliance practices with PCAOB and SEC standards, compliance teams can effectively support auditors and contribute to a thorough evaluation of the organization’s adherence to laws and regulations.

A corporate compliance function plays a crucial role in creating a transparent, accountable organization where employees feel empowered to raise concerns and management responds promptly to address potential issues. Strong compliance-audit collaboration enables companies to build trust with regulators and stakeholders, demonstrating a commitment to ethical business practices. By implementing these takeaways and fostering a culture of compliance, companies can better navigate regulatory requirements and mitigate the risk of material misstatements or regulatory penalties, upholding the integrity of their financial statements and safeguarding their reputation in an increasingly scrutinized environment.

Auditors and Compliance: Part 1 – Auditors and Illegal Acts

Regarding compliance, one area that requires heightened attention is the role of auditors in detecting, evaluating, and communicating illegal acts. Recently, the PCAOB issued a document entitled SPOTLIGHT Auditor Responsibilities for Detecting, Evaluating, and Making Communications About Illegal Acts. It outlines public auditors’ responsibilities when assessing a company’s compliance with laws and regulations. These responsibilities have far-reaching implications for corporate compliance professionals, as they directly influence how auditors evaluate and report on potential illegal acts that can impact financial statements and overall corporate integrity.

Over the next couple of blog posts, I will review this SPOTLIGHT. In today’s blog post, we will unpack the auditor’s responsibilities for a compliance program, including the steps for identifying illegal acts, the evaluation process, and the requirements for reporting findings to management, audit committees, and possibly the SEC. Tomorrow, I will set out 10 key takeaways for the compliance professional regarding their role in interacting with auditors for compliance regimes.

Detecting Illegal Acts: A Critical Component of the Audit Process

Auditors must design and execute procedures that ensure reasonable assurance of detecting illegal acts that could materially affect a company’s financial statements. This duty is rooted in federal securities laws, specifically Section 10A of the Securities Exchange Act of 1934, which mandates that auditors remain vigilant to possible violations of laws and regulations during audits.

Detecting illegal acts is more than due diligence; it is essential to safeguarding shareholder interests and preserving the integrity of financial markets. For compliance officers, this underscores the importance of robust systems that actively monitor and report on regulatory adherence across business operations.

Auditors rely on multiple techniques and resources to identify potential illegal acts, such as:

  • Inquiries. They often begin by questioning management, the audit committee, and internal or external legal counsel.
  • Document Review. Auditors frequently review board minutes, regulatory correspondence, SEC filings, legal counsel letters, and other corporate documents that could reveal legal non-compliance.
  • Risk Assessments. Auditors must understand the company’s industry, regulatory environment, and external factors that could signal legal risks. This assessment helps them target high-risk areas where violations are more likely.

Auditors also investigate complaints and tips, including those from internal whistleblower programs. They may examine unusual transactions or related-party dealings that could indicate red flags. For compliance professionals, it’s crucial to maintain open channels for employees to report concerns without fear of retaliation and promptly address any issues flagged by auditors or internal investigations.

Evaluating Potential Illegal Acts: Procedures and Standards

Once an auditor becomes aware of a possible illegal act, they must determine whether it could materially impact the company’s financial statements. This evaluation requires auditors to understand the incident’s nature and context, often involving management and sometimes higher-level personnel who can provide insight into the situation.

The PCAOB standards and Section 10A mandate that auditors not only detect but also evaluate the likelihood that an illegal act has occurred. Here’s how they proceed:

  1. Gathering Evidence. Auditors may examine relevant documents—such as invoices, contracts, and payment records—to verify the facts surrounding the incident. They might also consult the auditing firm’s legal counsel or senior personnel for additional perspectives.
  2. Materiality Assessment. Materiality is a cornerstone of evaluating illegal acts. Auditors assess whether the potential violation is significant enough to warrant disclosure, focusing on quantitative and qualitative factors. For example, a small illegal payment may be deemed material if it could result in contingent liabilities or raise ethical concerns that affect the company’s reputation.
  3. Assessing Impact on Financial Statements. Auditors must evaluate how the illegal act impacts financial statement amounts, including the need for possible contingent liabilities, fines, or penalties. If senior management is implicated, this raises additional questions about the reliability of other information provided by the company.

This underscores the importance for compliance teams to maintain clear documentation and open communication channels with auditors. Keeping a well-documented trail of internal investigations, responses to auditor inquiries, and corrective actions can help ensure that potential illegal acts are evaluated accurately and comprehensively.

Communicating Illegal Acts: Auditor Obligations for Disclosure

Auditors have specific obligations to communicate illegal acts that come to their attention. The PCAOB and Section 10A set out requirements for notifying management, the audit committee, and, in some cases, the SEC. Here is what companies need to know:

  • Communication with Management and the Audit Committee. If an auditor identifies an illegal act, they must inform the appropriate management level and ensure that the audit committee is aware. This notification must occur as soon as possible before issuing the auditor’s report. The goal is to allow management and the audit committee to take corrective action and disclose any potential impacts to shareholders.
  • Reporting to the Board and the SEC. If the illegal act is deemed material and management fails to take timely and appropriate action, the auditor has a duty to report to the company’s board of directors. Under Section 10A, the auditor must notify the SEC if the board fails to remedy the situation within a specified timeframe. This step underscores the importance of accountability in corporate governance and compliance, as it introduces potential regulatory consequences for inaction.
  • Impact on Auditor Opinion. The auditor may issue a qualified or adverse opinion if the illegal act materially affects the financial statements and is not adequately disclosed or corrected. In cases where the auditor cannot obtain sufficient evidence to assess the impact of the illegal act, they may even disclaim an opinion. In extreme cases, the auditor may consider resigning from the engagement if the company does not take appropriate remedial actions.

This means that prompt and transparent responses to potential illegal acts are crucial for companies. Failing to address issues raised by auditors can lead to negative audit opinions, regulatory investigations, and significant reputational damage.

Strengthening Compliance Programs to Address Auditor Requirements

The PCAOB’s recent guidance emphasizes the role of robust compliance programs in facilitating audits and managing risks related to illegal acts. Compliance professionals should take the following steps to align their programs with PCAOB and SEC expectations:

  1. Develop Clear Policies and Reporting Mechanisms. Ensure that your compliance policies explicitly address legal requirements relevant to your industry and geographic region. Implement reporting mechanisms that allow employees to raise concerns anonymously, fostering a culture of transparency and accountability.
  2. Conduct Regular Risk Assessments. Just as auditors assess risk during their engagements, compliance teams should regularly evaluate areas prone to legal violations. High-risk areas like financial transactions, related-party dealings, and regulatory filings should be monitored closely.
  3. Provide Comprehensive Training. Equip employees with the knowledge to identify and report illegal acts. Include training on whistleblower protections and internal reporting mechanisms, ensuring all employees understand their role in upholding legal and ethical standards.
  4. Enhance Documentation and Transparency. Documenting compliance efforts is crucial, especially for areas that could attract auditor scrutiny. Keep detailed records of internal investigations, management’s responses to auditor inquiries, and any corrective actions to address potential violations.
  5. Establish a Strong Tone at the Top. Finally, fostering a culture of compliance begins with leadership. Management should demonstrate a clear commitment to legal and ethical standards, providing resources and support to compliance teams. When leadership prioritizes compliance, employees are more likely to report concerns, which can ultimately prevent illegal acts from going undetected.

The Path Forward

The PCAOB’s SPOTLIGHT is a valuable checkpoint for companies to evaluate their internal controls and compliance programs. Auditors play a vital role in identifying illegal acts, but the responsibility for maintaining legal compliance ultimately rests with the company. Companies can navigate this complex landscape and mitigate the risk of material misstatements or regulatory penalties by implementing a strong compliance program, fostering transparency, and responding promptly to auditor inquiries.

The bottom line? Even under the incoming second Trump Administration, a proactive approach to compliance is not simply best practice; it is an essential core of doing business ethically and in compliance. Compliance professionals should work closely with auditors, ensuring the company is prepared to detect, evaluate, and address any potential legal issues that could impact financial reporting. The goal is a collaborative effort where compliance and audit functions work together to uphold the integrity of the financial statements and the trust of stakeholders.

Join us tomorrow, where we will consider the 10 key takeaways for compliance professionals from SPOTLIGHT.

Leveraging Machine Learning with the Right Internal Audit Solution

Internal auditors face an ever-expanding landscape of challenges and opportunities in today’s world. Machine learning (ML) represents a transformative force, offering new ways to enhance audit quality, efficiency, and insight. But how can internal auditors effectively integrate this technology into their workflows? The key lies in choosing the right internal audit solution that seamlessly incorporates ML capabilities, ensuring auditors are equipped to tackle today’s complexities while preparing for tomorrow’s challenges.

Machine learning (ML) is a subset of artificial intelligence that focuses on developing systems that can learn from and make decisions based on data. In internal auditing, ML can automate repetitive tasks, identify patterns in large datasets, and even predict future trends. This not only speeds up the audit process but also enhances the accuracy and depth of audit insights.

Key Applications of Machine Learning in Internal Audits:

  • Risk Assessment: ML algorithms can analyze vast amounts of data to identify risk patterns and anomalies, helping auditors focus on areas with the highest risk.
  • Control Testing: Automated ML tools can test controls more frequently and thoroughly than manual processes, increasing the likelihood of detecting control failures.
  • Fraud Detection: ML can help predict and identify fraudulent activities based on historical audit data, thereby reducing potential losses.
  • Predictive Analytics: ML can forecast potential non-compliances or areas where controls might fail, allowing auditors to be proactive rather than reactive.

Selecting the right software solution is crucial when integrating ML into internal auditing. There are some critical factors to consider. The ML-powered audit solution must seamlessly integrate with IT infrastructure and data systems. This integration ensures auditors can leverage ML capabilities without disrupting existing workflows or data integrity. As organizations grow and data volumes increase, the ML solution should be able to scale accordingly. This includes handling more extensive datasets and adapting to new audits and compliance requirements.

ML can be complex, but the user interface of the audit solution should not be. A user-friendly interface that simplifies complex processes allows auditors to utilize ML features effectively without needing specialized training. Your chosen solution should offer advanced data analytics features, including data visualization tools, which help auditors make sense of the patterns and anomalies detected by ML algorithms. These tools are crucial for translating ML insights into actionable audit decisions. Any ML solution must comply with relevant data protection regulations, such as GDPR in the European Union or HIPAA in the United States. Additionally, the solution should have robust security measures to protect sensitive audit data from unauthorized access or breaches.

If there is one overlap between ML and traditional internal audit, it is that solutions for internal audit are not static, and ML is no different. ML continuously learns from new data and auditing experiences. This capability ensures that the system evolves and improves its accuracy and effectiveness. Finally, tech support is critical, especially when deploying complex technologies like ML. The right solution provider should offer comprehensive support and training, helping audit teams fully understand and leverage ML capabilities.

Successfully implementing an ML-powered audit solution involves more than just selecting the right software; you should have a planned strategy for an effective implementation. Start by engaging relevant stakeholders early in the process, including IT, compliance, and executive teams, to ensure alignment and address any concerns. Test before implementation by conducting pilot tests of the ML solution in specific audit areas before a full rollout. This helps identify any issues and refine the system for better performance. Training on any new system is critical, especially with an advanced ML solution. You should provide extensive training and support to audit staff to help them adapt to the latest tools and processes. But as with any new rollout, it does not stop with implementation, as there should be continuous monitoring and continuous improvement as warranted. Change management practices can facilitate a smoother transition and higher adoption rates.

As the complexity of business environments and regulations continues to grow, the role of internal audit becomes increasingly critical. Leveraging machine learning within audit solutions offers a path forward to keep pace with these changes and stay ahead of them. By choosing the right ML-powered internal audit solution and implementing it thoughtfully, audit departments can transform operations, delivering more value and stronger organizational compliance. The future of internal auditing is not just about adapting to changes—it’s about leading the charge with innovation and insight.

Categories
FCPA Compliance Report

FCPA Compliance Report: Adrienne Bellehumeur on Design-Centric Approaches to Internal Controls

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance.

In this edition of the FCPA Compliance Report, Tom Fox welcomes back Adrienne Bellehumeur, a chartered accountant and expert in internal controls and documentation.

Adrienne discusses her recent article on design-centric internal control and emphasizes the importance of focusing on design as the foundation for effective control programs. She outlines five key principles for improving control design and details her approach to challenging processes and governance systems. The conversation also touches on the necessity of continuously updating controls to adapt to evolving business and regulatory environments.

Adrienne shares tips on fostering better design through workshops, effective interviewing, and continuous improvement, while also addressing new developments such as AI and ESG. The episode finishes with insights into how internal controls can support whistleblower programs and the importance of back-to-basics documentation and information management.

Highlights in this Episode:

  • Professional Background
  • Design-Centric Approach to Internal Controls
  • Challenges and Importance of Good Design
  • Principles for Improving Control Design
  • Back to Basics: Adapting to New Business Developments
  • Whistleblower Programs and Internal Controls

Resources:

Adrienne Bellehumeur on LinkedIn

Risk Oversight

New Approaches to Control Design

Categories
Compliance Into the Weeds

Compliance Into The Weeds: The SAP Foreign Corrupt Practices Act Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent Foreign Corrupt Practices Act (FCPA) enforcement action involving the ERP software giant SAP.

The recent $220 million fine imposed on German software giant SAP for violations of the FCPA underscores the critical role of internal audits in maintaining corporate compliance. Despite having a comprehensive FCPA compliance program, SAP’s lack of control over its subsidiaries led to bribery activities, a situation that Tom and Matt believe could have been prevented with a robust internal audit function. Fox emphasized the need for strong internal audits to identify and address issues within different parts of an organization. Similarly, Kelly underscored the importance of internal audits in identifying and rectifying control lapses. To delve deeper into this topic and understand the implications of the SAP case, join Tom Fox and Matt Kelly on this episode of Compliance into the Weeds. 

Key Highlights:

  • The bribery schemes and geographic scope
  • What is culture?
  • Third parties and corruption risks
  • The fine and penalty
  • The comeback
  • Lessons learned for the compliance professional

Resources:

Matt on Radical Compliance

Tom 

Tom on the FCPA Compliance and Ethics Blog

Categories
FCPA Compliance Report

FCPA Compliance Report – Frank Orlowski on Navigating Challenges in Operating in Emerging Markets

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Frank Orlowski.

Frank Orlowski is a seasoned professional with a wealth of experience in managing emerging markets in the pharmaceutical industry, having spent over 25 years at Pfizer Pharmaceuticals. His extensive knowledge, particularly in South America, Middle East Asia, and Eastern Europe, where he faced difficulties in compliance, controls, and adhering to US accounting regulations, has shaped his perspective on managing emerging markets. Orlowski emphasizes the importance of understanding different cultures, regulations, and geopolitical issues when working in these markets. After retiring from Pfizer, he founded the Ation Advisory Group, where he leverages his expertise to assist companies in commercializing products in the life science industry. Join Tom Fox and Frank Orlowski on this episode of the FCPA Compliance Report podcast to gain more insights into managing emerging markets in the pharmaceutical industry.

Key Highlights:

  • Frank Orlowski’s Global Financial Expertise
  • Navigating Unique Obstacles in Emerging Markets
  • Navigating Cultural Differences in Emerging Market Compliance
  • Creative Employee Rewards and Engagement Strategies
  • Enhancing Healthcare Through Medtech Innovations
  • The Integrated Legal Division at Pfizer

Resources:

Frank Orlowski on LinkedIn

Categories
Sunday Book Review

Sunday Book Review: August 27, 2023, The Internal Audit Edition

In the Sunday Book Review, I consider books that would interest the compliance professional, the business executive or anyone who might be curious. It could be books about business, compliance, history, leadership, current events or anything else that might interest me. In today’s edition of the Sunday Book Review, I continue my summer exploration of books on crime. Today, I look at some of the top books on auditing, both for the audit professional and the compliance professional.

PCAOB Proposed Rule on Compliance Audits

In the realm of auditors intersecting compliance and fraud risk audits, a fierce battle of perspectives rages on. Compliance professionals yearn for a bigger role, a seat at the table to tackle potential compliance violations. Yet, as the storm brews, the audit community hesitates, fearing the unfamiliar waters of becoming compliance and legal violation experts. Brace yourselves, for the unexpected outcome lies just beyond the horizon.

Compliance professionals are generally accepting of the idea that audit firms might look for compliance violations, as long as the proposal includes meeting with the chief ethics and compliance officer and reviewing the state of the compliance program with the audit committee. Many auditors do not want the additional responsibility, claiming it is outside their area of expertise and the requirement will increase audit costs.

Other trade and industry groups have weighed in as well. The American Bankers Association said in a letter, “With respect to the legal function, auditors may be put into a position to second-guess a company’s own legal counsel regarding whether noncompliance may have occurred.” “With respect to the management function, the requirement that auditors perform ‘enhanced risk assessment procedures’ could result in auditors second-guessing how management allocates the company’s financial and human resources. This would not only blur responsibility between the legal, management and audit functions, but would also divert auditors’ time, attention and resources away from auditing financial statements.”

The group went on to note that “Various federal and state regulatory authorities in the United States have a responsibility to examine, monitor and, where appropriate, bring enforcement actions against companies that do not adhere to laws and regulations. Moreover, given the many and varied private rights of action available against corporations in the United States, companies are subject to even further scrutiny and liability for noncompliance.”

Stephen Foley, writing in the Financial Times, said that some companies have objected that the implementation of the proposal might negatively impact the attorney/client privilege. He wrote, “companies said the new rules could mean more correspondence with their lawyers would have to be shared with auditors, with the result that it loses its legal privilege and could become evidence in litigation.” He cited Ronald Edmonds, controller at the chemicals group Dow, who said, “Company personnel could be more hesitant to disclose legal violations to their counsel if they fear that the communication will not be privileged. Attorneys may also hesitate to prepare written analysis for their clients for fear that it would end up non-privileged and ultimately in the hands of a legal adversary.” Amy Johnson, controller at RTX, said, “The broad scope and volume of information that would be required to be shared with auditors is likely to encompass sensitive attorney advice.”

Conversely, PCAOB Chair Erica Williams told the FT, “Companies’ non-compliance with laws and regulations, including fraud, can really have devastating consequences for investors. This proposal is simply making sure that the protection investors think they’re getting today matches what the standard requires.” Foley cited Brandon Rees, the AFL-CIO deputy director, who said, “All too often when a fraud is exposed, it rarely comes to light from the auditors. Auditing standards should require auditors to have uncomfortable conversations with management.”

The PCAOB will have to consider this feedback from its consultation period before deciding whether to push ahead with the proposal, or to amend or scrap it. Two of the five board members have said they are opposed to the new rules, but a simple majority is all that is needed. What are some of the issues that auditors may face if the proposed rule is enacted?

If auditors are mandated to assume more compliance responsibilities as per the proposal, there may be several challenges to address. One of the primary concerns is whether auditors have the requisite knowledge and training to identify and manage compliance violations efficiently. Furthermore, the elevated costs associated with hiring legal experts, coupled with the increased liability facing auditors, can potentially create a barrier to the rule’s successful implementation.

The proposal has the potential to shape how audit firms approach their investigations into client companies, particularly with regard to compliance and legal violations. By requiring auditors to look more closely at non-compliance with laws and regulations, the proposal is intended to deliver more comprehensive audits and prevent financial fraud. However, the incorporation of duties usually performed by legal professionals into the auditing process could complicate the auditors’ role, potentially raising costs and increasing liability.

The proposed rule generates divided opinions between compliance professionals and the audit community. Compliance executives generally support the proposal, provided it includes engagement with the chief ethics and compliance officer and necessitates a comprehensive review of the compliance program with the audit committee. By contrast, most auditors, represented by the PCAOB, argue against the implementation of this rule, citing a lack of the expertise necessary to identify compliance violations and an increased burden of audit fees.

Compliance professionals and the audit community clash over a proposed rule on auditors reporting compliance violations. As tensions rise and perspectives collide, can these two groups find common ground or will they remain at odds, leaving the fate of the proposal uncertain?

Auditing AI

The recent kerfuffle over an AI tool misinterpreting instructions to make a woman look more professional as making her look Caucasian has raised important questions about how to audit AI code to avoid undesirable outcomes. AI instruments are behaving in a fundamentally different way than most other types of apps and systems, and auditing AI code for implicit bias is not yet feasible. Matt Kelly recently wrote a blog post on this topic on Radical Compliance. I thought it would make a great podcast so this week’s episode of Compliance into the Weeds is dedicated to it. I also thought it was so important that I should blog about it as well.

It started when MIT grad student Rona Wang tested an AI tool called Playground AI to modify a photo of herself wearing an MIT T-shirt to look ‘more professional’. Rather than replacing the T-shirt she was wearing with more professional business attire to achieve a more professional look, the AI tool interpreted the instruction to make her look more professional as making her look Caucasian. Wang posted a before and after comparison of her photo on Twitter, which caused a big kerfuffle in the AI world about how this happened. The CEO of Playground AI responded to Wang on Twitter saying “We’re quite displeased with this and hope to solve it”.

We began with a discussion of the implications of implicit bias in AI code. Matt suggested that the code in the AI app may have been influenced by the disproportionate number of white people on LinkedIn. It may not be the fault of the AI program, but rather a result of structural bias and racism in the world. Matt believes that at this point, it is impossible for a human to audit the code of AI programs like ChatGPT, which evaluates data according to 1.76 trillion different parameters. Unfortunately, it is not possible to eliminate implicit bias in AI code by simply correcting a few parameters. Matt compared the difficulty of eliminating implicit bias in AI code to the difficulty of eliminating racism in the human brain.

AI can handle 1.7 trillion parameters of data, but it is difficult to audit for an ethical outcome. AI can misinterpret structural racism and inequities that exist in the world. AI can be used to filter out images that are not representative of the population as a whole. Auditing AI is difficult because there are few people who know how to design and audit these programs. AI decisions may have life and death consequences, but there is no way to audit them yet.

Companies using AI in the hiring process must consider whether they will scrap the AI tool and use another, use human HR people and recruiters, or have auditors and coders sit down and try and figure out the problem. Additionally, there is a risk of implicit bias when someone must define the pool of data that the AI is looking at. New York City has a regulation requiring employers to audit AI tools used in the hiring process at least annually, but this is only a small step towards addressing the issue of implicit bias in AI.

Auditing AI code for implicit bias is a complex process. AI tools used in the hiring process can range from keyword matching to ChatGPT. While it is important for companies to audit their AI tools, it is also important to consider the data that is being used to train the AI. If the data is biased, the AI will be biased as well. To ensure that AI tools are not biased, companies should consider using a diverse set of data and conducting regular audits of the AI tools.

The Wang incident over an AI tool misinterpreting instructions to make a woman look more professional as making her look Caucasian is a reminder of the importance of auditing AI code to avoid undesirable outcomes. AI instruments are behaving in a fundamentally different way than most other types of apps and systems, and auditing AI code for implicit bias is not yet feasible. Companies using AI in the hiring process must consider whether they will scrap the AI tool and use another, use human HR people and recruiters, or have auditors and coders sit down and try and figure out the problem.

Finally, there is a risk of implicit bias when someone has to define the pool of data that the AI is looking at. New York City has a regulation requiring employers to audit AI tools used in the hiring process at least annually, but this is only a small step towards addressing the issue of implicit bias in AI. To ensure that AI tools are not biased, companies should consider using a diverse set of data and conducting regular audits of the AI tools.

For the complete discussion of this issue, check out this week’s episode of Compliance into the Weeds.

Compliance into the Weeds: Auditing AI For Compliance

The award-winning Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt consider the current difficulties for auditors to perform an audit on AI.

The use of AI in the tech world has brought with it a new concern: implicit bias. Auditing AI code is necessary to ensure that AI applications are free from bias and secure from cyber threats. This complex process involves examining the code of AI programs to ensure that they are functioning as intended and are not producing biased or unethical outcomes. In addition to auditing code, employers must also audit the outcomes of AI tools, and consider ethical considerations when defining the data that the AI is looking at. As AI hiring audits become increasingly necessary, it is more important than ever to ensure that AI applications are free from bias and secure from cyber threats.

Key Highlights

  • AI Implicit Bias
  • Auditing AI Code
  • AI Hiring Audits

Resources

Matt: LinkedIn, Blog Post in Radical Compliance

Tom: Instagram, Facebook, YouTube, Twitter, LinkedIn