Tag: internal audit

Categories
Blog

PCAOB Proposed Rule on Compliance Audits

In the realm of auditors intersecting compliance and fraud risk audits, a fierce battle of perspectives rages on. Compliance professionals yearn for a bigger role, a seat at the table to tackle potential compliance violations. Yet, as the storm brews, the audit community hesitates, fearing the unfamiliar waters of becoming compliance and legal violation experts. Brace yourselves, for the unexpected outcome lies just beyond the horizon.

Compliance professionals are generally accepting of the idea that audit firms might look for compliance violations, as long as the proposal includes meeting with the chief ethics and compliance officer and reviewing the state of the compliance program with the audit committee. Many auditors do not want the additional responsibility, claiming it is outside their area of expertise and the requirement will increase audit costs.

Other trade and industry groups have weighed in as well. The American Bankers Association said in a letter “With respect to the legal function, auditors may be put into a position to second-guess a company’s own legal counsel regarding whether noncompliance may have occurred.  “With respect to the management function, the requirement that auditors perform ‘enhanced risk assessment procedures’ could result in auditors second-guessing how management allocates the company’s financial and human resources. This would not only blur responsibility between the legal, management and audit functions, but would also divert auditors’ time, attention and resources away from auditing financial statements.”

The group went on to note that  “Various federal and state regulatory authorities in the United States have a responsibility to examine, monitor and, where appropriate, bring enforcement actions against companies that do not adhere to laws and regulations. Moreover, given the many and varied private rights of action available against corporations in the United States, companies are subject to even further scrutiny and liability for noncompliance.”

Stephen Foley, writing in the Financial Times, said that some companies have objected that the implementation of the proposal might negatively impact the attorney/client privilege. He wrote “companies said the new rules could mean more correspondence with their lawyers would have to be shared with auditors, with the result that it loses its legal privilege and could become evidence in litigation.” He cited to Ronald Edmonds, controller at the chemicals group Dow, that “Company personnel could be more hesitant to disclose legal violations to their counsel if they fear that the communication will not be privileged. Attorneys may also hesitate to prepare written analysis for their clients for fear that it would end up non-privileged and ultimately in the hands of a legal adversary.”  Amy Johnson, controller at RTX said “The broad scope and volume of information that would be required to be shared with auditors is likely to encompass sensitive attorney advice.”

Conversely, PCAOB Chair Erica Williams told the FT, “Companies’ non-compliance with laws and regulations, including fraud, can really have devastating consequences for investors. This proposal is simply making sure that the protection investors think they’re getting today matches what the standard requires.” Foley cited to Brandon Rees, the AFL-CIO deputy director who said “All too often when a fraud is exposed, it rarely comes to light from the auditors. Auditing standards should require auditors to have uncomfortable conversations with management.”

The PCAOB will have to consider this feedback from its consultation period before deciding whether to push ahead with the proposal, or to amend or scrap it. Two of the five board members have said they are opposed to the new rules, but a simple majority is all that is needed. What are some of the issues that auditors may face if the proposed rule is enacted?

If auditors are mandated to assume more compliance responsibilities as per the proposal, there may be several challenges to address. One of the primary concerns is whether auditors have the requisite knowledge and training to identify and manage compliance violations efficiently. Furthermore, the elevated costs associated with hiring legal experts, coupled with the increased liability facing auditors can potentially create a barrier to the rule’s successful implementation.

The proposal has the potential to shape how audit firms approach their investigations into client companies, particularly with regard to compliance and legal violations. By requiring auditors to look more closely at non-compliance with laws and regulations, the proposal is intended to deliver more comprehensive audits and prevent financial fraud. However, the incorporation of duties usually performed by legal professionals into the auditing process could complicate the auditors’ role, potentially raising costs and increasing liability.

The proposed rule generates divided opinions between compliance professionals and the audit community. Compliance executives generally support the proposal, provided it includes engagement with the chief ethics and compliance officer, and necessitates a comprehensive review of the compliance program with the audit committee. On the contrary, most auditors, represented by the PCAOB, argue against the implementation of this rule, citing a lack of necessary expertise to identify compliance violations, and increased burden of audit fees.

If auditors are mandated to assume more compliance responsibilities as per the proposal, there may be several challenges to address. One of the primary concerns is whether auditors have the requisite knowledge and training to identify and manage compliance violations efficiently. Furthermore, the elevated costs associated with hiring legal experts, coupled with the increased liability facing auditors can potentially create a barrier to the rule’s successful implementation.

Compliance professionals and the audit community clash over a proposed rule on auditors reporting compliance violations. As tensions rise and perspectives collide, can these two groups find common ground or will they remain at odds, leaving the fate of the proposal uncertain?

Categories
Blog

Auditing AI

The recent kerfuffle over an AI tool misinterpreting instructions to make a woman look more professional as making her look Caucasian has raised important questions about how to audit AI code to avoid undesirable outcomes. AI instruments are behaving in a fundamentally different way than most other types of apps and systems, and auditing AI code for implicit bias is not yet feasible. Matt Kelly recently wrote a blog post on this topic on Radical Compliance. I thought it would make a great podcast so this week’s episode of Compliance into the Weeds is dedicated to it. I also thought it was so important that I should blog about it as well.

It started when MIT grad student Rona Wang tested an AI tool called Playground AI to modify a photo of herself wearing an MIT T-shirt to look ‘more professional’. Rather than replacing the T-shirt she was wearing with more professional business attire to achieve a more professional look, the AI tool interpreted the instruction to make her look more professional as making her look Caucasian. Wang posted a before and after comparison of her photo on Twitter, which caused a big kerfuffle in the AI world about how this happened. The CEO of Playground AI responded to Wang on Twitter saying “We’re quite displeased with this and hope to solve it”.

We began with a discussion of the implications of implicit bias in AI code. Matt suggested that the code in the AI app may have been influenced by the disproportionate number of white people on LinkedIn. It may not be the fault of the AI program, but rather a result of structural bias and racism in the world. Matt believes that at this point, it is impossible for a human to audit the code of AI programs like Chat GPT, which evaluates data according to 1.76 trillion different parameters. Unfortunately, it is not possible to eliminate implicit bias in AI code by simply correcting a few parameters. Matt compared it to the difficulty of eliminating implicit bias in AI code to the difficulty of eliminating racism in the human brain.

AI can handle 1.7 trillion parameters of data, but it is difficult to audit for an ethical outcome. AI can misinterpret structural racism and inequities that exist in the world. AI can be used to filter out images that are not representative of the population as a whole. Auditing AI is difficult because there are few people who know how to design and audit these programs. AI decisions may have life and death consequences, but there is no way to audit them yet.

Companies using AI in the hiring process must consider whether they will scrap the AI tool and use another, use human HR people and recruiters, or have auditors and coders sit down and try and figure out the problem. Additionally, there is a risk of implicit bias when someone must define the pool of data that the AI is looking at. New York City has a regulation requiring employers to audit AI tools used in the hiring process at least annually, but this is only a small step towards addressing the issue of implicit bias in AI.

Auditing AI code for implicit bias is a complex process. AI tools used in the hiring process can range from keyword matching to Chat GPT. While it is important for companies to audit their AI tools, it is also important to consider the data that is being used to train the AI. If the data is biased, the AI will be biased as well. To ensure that AI tools are not biased, companies should consider using a diverse set of data and conducting regular audits of the AI tools.

The Wang incident over an AI tool misinterpreting instructions to make a woman look more professional as making her look Caucasian is a reminder of the importance of auditing AI code to avoid undesirable outcomes. AI instruments are behaving in a fundamentally different way than most other types of apps and systems, and auditing AI code for implicit bias is not yet feasible. Companies using AI in the hiring process must consider whether they will scrap the AI tool and use another, use human HR people and recruiters, or have auditors and coders sit down and try and figure out the problem.

Finally, there is a risk of implicit bias when someone has to define the pool of data that the AI is looking at. New York City has a regulation requiring employers to audit AI tools used in the hiring process at least annually, but this is only a small step towards addressing the issue of implicit bias in AI. To ensure that AI tools are not biased, companies should consider using a diverse set of data and conducting regular audits of the AI tools.

For the complete discussion of this issue check out this week’s episode of Compliance into the Weeds.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Auditing AI For Compliance

The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt consider the current difficulties for auditors to perform an audit on AI.

The use of AI in the tech world has brought with it a new concern: implicit bias. Auditing AI code is necessary to ensure that AI applications are free from bias and secure from cyber threats. This complex process involves examining the code of AI programs to ensure that they are functioning as intended and are not producing biased or unethical outcomes. In addition to auditing code, employers must also audit the outcomes of AI tools, and consider ethical considerations when defining the data that the AI is looking at. As AI hiring audits become increasingly necessary, it is more important than ever to ensure that AI applications are free from bias and secure from cyber threats.

 Key Highlights

·      AI Implicit Bias

·      Auditing AI Code

·      AI Hiring Audits

 Resources

Matt 

LinkedIn

Blog Post in Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

Compliance into the Weeds: PCAOB: Expanding Audit Duties – The Impact and Concerns

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

Tom Fox and Matt Kelly are back with another thought-provoking episode discussing the proposed new Audit Standard 2405 by the PCAOB. This new proposal requires auditors to evaluate legal violations and noncompliance that could have a material impact on financial statements. While some people believe this is a good idea, others question the cost and whether audit firms are trained for this task. The discussions covered a range of topics, including internal control evaluations, expanding audit duties, Wells Fargo case study, the potential for increased audit fees, and reporting noncompliance to law enforcement. The hosts urge listeners to read the proposal and provide feedback as the final standard is expected to be approved by the SEC. This is a must-listen for compliance professionals who want to stay up-to-date and think critically about the latest audit news.

 Key Highlights 

·      Auditing Process for Legal and Compliance Issues

·      New Standards for Auditors Beyond Financial Reporting

·      Expanding PCAOB’s Legal Obligations for Auditors

·      Expanding Audit Firm Duties: Impact and Concerns

·      Commenting on Proposed Audit Rule

Notable Quotes:

“This seems like a huge expansion of what auditors have done in the past.”

“Certainly, for example, a large FCPA violation if you’re looking at $1,000,000,000 fine, and that would definitely strike me as material.”

“The proposal to expand the duties of audit firms is a dramatic expansion of what they were previously asked to do, and it is unclear whether they are fully equipped to handle this responsibility.”

“Internal auditors and compliance officers may also have concerns.”

Resources

Matt 

LinkedIn

Blog Post in Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

SOX Compliance, PCAOB Inspections and Audits

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. Join Tom Fox and Matt Kelly in the latest “Compliance into the Weeds” episode as they delve into the world of SOX compliance. Matt shares insights from recent webinars and Cornerstone Research studies on class action lawsuits related to accounting issues in this discussion. At the same time, Tom emphasizes the importance of preventing accounting fraud through robust internal control systems.

They shed light on the role of IT controls in ensuring the integrity and security of financial systems and the challenges auditors face in verifying their effectiveness. They discuss how companies can mitigate the risk of fraud by implementing strong access and cybersecurity controls and adapting to new business environments. Don’t miss out on this captivating episode offering practical tips and strategies for compliance officers and industry professionals!

Key Highlights

·      Current SOX compliance priorities

·      The cost of lawsuits involving SOX compliance failures, financial accounting, and financial restatements are going up

·      2023 PCAOB inspection priorities

 Notable Quotes:

“None of those numbers are going in the right direction for SOX compliance officers.”

“A lot of what SOX compliance is and a lot of what auditors are looking at relates to IT controls.”

“We rely so much on IT now to run the accounting system, the accounts payable, the finance function, a lot of what you need to ensure a strong accounting system is really how are you governing software running those apps.”

“That, however, assumes that you’ve got strong cybersecurity and strong access controls around getting into that portal.”

 Resources

Matt  on LinkedIn

Matt’s three articles on Radical Compliance

a.     SOX Compliance

b.     Lawsuits over SOX failures

c.     PCAOB Inspection Priorities

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Entrepreneurship and Risk Management with Adrienne Bellehumeur

Tom Fox’s guest in this episode of Innovation In compliance is Adrienne Bellehumeur. They discuss the significance of gap analysis in the design of internal controls, and why having a thorough understanding of design is critical to the success of gap analysis. They emphasize the importance of continuous improvement and avoiding a “pass-fail” approach to internal control programs. Adrienne also shares her five principles for creating high-value compliance programs.

Adrienne Bellehumeur is the Director and Co-owner of Risk Oversight, a firm specializing in internal controls, internal audit, and compliance programs. She has written a book called The 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation, which is set to be published on March 7th and is geared towards managers who are seeking solutions through documentation. This book aims to provide a fun and foundational approach to documentation for the modern knowledge workforce and is the first mass-market book on documentation best practices.

 

Some of the key points discussed during the show include:

  • Adrienne’s background and current role at her company, Risk Oversight, which specializes in delivering services to mid-sized oil and gas companies in the engineering sectors.
  • The purpose of gap analysis is to identify areas for improvement in processes and controls to support operational effectiveness.
  • Adrienne’s belief that internal controls should focus on good habits, accountability, and continuous improvement rather than just ticking boxes.
  • How Risk Oversight helps companies fulfill their obligation of oversight by providing entity-level control review and understanding best practices in governance.
  • The two best practices for board minutes, the “Goldilocks principle” and the “business judgment rule.”
  • The Caremark doctrine in Delaware and the importance of documentation of major risk management decisions.
  • Adrienne’s book The 24-Hour Rule, which is a mass-market book on documentation aimed at managers looking to solve problems through documentation and is applicable to various industries.

 

KEY QUOTATION:

“Risk management is about action.” – Adrienne Bellehumeur 

 

Resources 

Adrienne Bellehumeur | LinkedIn | Twitter 

Risk OversightThe 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation

Categories
Compliance Into the Weeds

OCC ALJ Slams Ex-Wells Fargo Execs

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. In this episode, we continue the ongoing saga of Wells Fargo and its fraudulent accounts scandal. Recently an administrative law judge has affirmed that three former audit and risk management executives at Wells Fargo should face millions in penalties for their sloppy oversight during the bank’s fake-account scandal in the 2010s. The defendants were Claudia Russ Anderson, former group risk officer for Wells Fargo’s community banking division; David Julian, former chief auditor; and Paul McLinko, former executive audit director.

Some of the highlights include:

·      The background facts.

·      Will the fallout from the Wells Fargo fake accounts scandal ever end? (Hint-When, our Sun, goes supernova.)

·      What is failure to provide a credible challenge?

·      Why are these execs trying to defend their inaction?

·      Why a clear line of authority is needed in compliance.

·      A root cause analysis is a basic Hallmark of an effective compliance program. Why was it separately called out?

·      What are the lessons learned for compliance?

 Resources

Matt Kelly in Radical Compliance

Categories
Innovation in Compliance

The Agile Audit with Toby DeRoche

Tom Fox’s guest on this week’s show is Toby DeRoche, a professional auditor and Senior Manager of Risk Management at Verizon. He and Tom talk about the importance of risk assessment and how it has changed in recent years. 

Agile Audit

Agile Audit is simply auditing the things that matter at the current moment. It’s an iterative approach, going through the entire audit lifecycle and compressing it down to the essentials. “We’re saying, so here’s everything that I could audit, but here’s what’s most important to the organization today,” Toby tells Tom. “It’s this continual cycle… giving you the answers to what’s the most burning question you have related to risk and control in your organization today.” 

 

Focus on The Highest Risk

If an audit plan isn’t focused on relevant issues, or the highest risk, no one is going to care how well the auditing plan was executed. Focusing on low-risk issues wastes everyone’s time. “We should be focusing on the things that are the highest risk and only those things,” Toby says. If internal auditors aren’t focused on management support, strategic objectives, and challenges, then they aren’t doing their jobs. 

 

Communicating Vs Reporting

Tom asks Toby to differentiate between communicating and reporting results as an internal auditor. Giving reports is not communication, he responds; it’s just regurgitating facts. “A much more effective way of getting the information across is to make it more digestible,” Toby remarks, because it’s much more impactful, and people can more easily grasp what you’re trying to say. 

 

Looking Ahead

Companies in the future will have no choice but to use the concepts of risk assessment, continuous improvement, and continuous risk assessment. Auditing must be part of the company’s objectives. “Anything that we’re doing that’s not focused on what matters to management and the highest risk to them achieving their goals right now, then we’re completely missing the picture,” Toby stresses. 

 

Resources

Toby DeRoche | LinkedIn  

Only Audit What Matters 

Categories
Great Women in Compliance

Joelle Thorne-Peters – Be Audit You Can Be

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

This week we are pleased to feature Joelle Thorne-Peters who is a Compliance Audit expert.  She shares with us her thoughts on what Compliance audit is about, what to look for when hiring audit professionals and commentary on the enjoyable phrase “You don’t have to be a clown to audit the circus”.

She also shares some perennial issues that are always worth keeping in mind as stones to turn over, an emerging risk for our radars, espouses a view on where Compliance audit should sit in the organization and thoughts on how Compliance can better work with internal audit.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings to listen in to.  If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it.  If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.  You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast.  Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020).

If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Greetings and Felicitations

Great Structures Week III: The Roman Arc and Resourcing Your Compliance Program

Welcome to the Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but influence our profession. In this special series, I consider many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this episode 3, I consider the Roman Arch and resourcing your compliance program. Highlights include:

  • Why and how was the Roman Arch such an engineering innovation?
  • What other corporate functions can a CCO look to?
  • How does HR help facilitate through all its employee touchpoints?
  • How can IT help a CCO meet its obligations under the 2020 Update to the Evaluation of Corporate Compliance Programs?
  • How can compliance use Internal Audit as a key corporate adjunct?

Resources

 “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity,” taught by Professor Stephen Ressler from The Teaching Company.