Tag: internal audit

Categories
Compliance Into the Weeds

Compliance into the Weeds: PCAOB: Expanding Audit Duties – The Impact and Concerns

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to fully explore a subject. Looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds!

Tom Fox and Matt Kelly are back with another thought-provoking episode discussing the proposed new Audit Standard 2405 by the PCAOB. This new proposal requires auditors to evaluate legal violations and noncompliance that could have a material impact on financial statements. While some people believe this is a good idea, others question the cost and whether audit firms are trained for this task. The discussions covered a range of topics, including internal control evaluations, expanding audit duties, Wells Fargo case study, the potential for increased audit fees, and reporting noncompliance to law enforcement. The hosts urge listeners to read the proposal and provide feedback as the final standard is expected to be approved by the SEC. This is a must-listen for compliance professionals who want to stay up-to-date and think critically about the latest audit news.

 Key Highlights 

·      Auditing Process for Legal and Compliance Issues

·      New Standards for Auditors Beyond Financial Reporting

·      Expanding PCAOB’s Legal Obligations for Auditors

·      Expanding Audit Firm Duties: Impact and Concerns

·      Commenting on Proposed Audit Rule

Notable Quotes:

“This seems like a huge expansion of what auditors have done in the past.”

“Certainly, for example, a large FCPA violation if you’re looking at $1,000,000,000 fine, and that would definitely strike me as material.”

“The proposal to expand the duties of audit firms is a dramatic expansion of what they were previously asked to do, and it is unclear whether they are fully equipped to handle this responsibility.”

“Internal auditors and compliance officers may also have concerns.”

Resources

Matt 

LinkedIn

Blog Post in Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

SOX Compliance, PCAOB Inspections and Audits

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. Join Tom Fox and Matt Kelly in the latest “Compliance into the Weeds” episode as they delve into the world of SOX compliance. Matt shares insights from recent webinars and Cornerstone Research studies on class action lawsuits related to accounting issues in this discussion. At the same time, Tom emphasizes the importance of preventing accounting fraud through robust internal control systems.

They shed light on the role of IT controls in ensuring the integrity and security of financial systems and the challenges auditors face in verifying their effectiveness. They discuss how companies can mitigate the risk of fraud by implementing strong access and cybersecurity controls and adapting to new business environments. Don’t miss out on this captivating episode offering practical tips and strategies for compliance officers and industry professionals!

Key Highlights

·      Current SOX compliance priorities

·      The cost of lawsuits involving SOX compliance failures, financial accounting, and financial restatements are going up

·      2023 PCAOB inspection priorities

 Notable Quotes:

“None of those numbers are going in the right direction for SOX compliance officers.”

“A lot of what SOX compliance is and a lot of what auditors are looking at relates to IT controls.”

“We rely so much on IT now to run the accounting system, the accounts payable, the finance function, a lot of what you need to ensure a strong accounting system is really how are you governing software running those apps.”

“That, however, assumes that you’ve got strong cybersecurity and strong access controls around getting into that portal.”

 Resources

Matt  on LinkedIn

Matt’s three articles on Radical Compliance

a.     SOX Compliance

b.     Lawsuits over SOX failures

c.     PCAOB Inspection Priorities

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Innovation in Compliance

Entrepreneurship and Risk Management with Adrienne Bellehumeur

Tom Fox’s guest in this episode of Innovation In compliance is Adrienne Bellehumeur. They discuss the significance of gap analysis in the design of internal controls, and why having a thorough understanding of design is critical to the success of gap analysis. They emphasize the importance of continuous improvement and avoiding a “pass-fail” approach to internal control programs. Adrienne also shares her five principles for creating high-value compliance programs.

Adrienne Bellehumeur is the Director and Co-owner of Risk Oversight, a firm specializing in internal controls, internal audit, and compliance programs. She has written a book called The 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation, which is set to be published on March 7th and is geared towards managers who are seeking solutions through documentation. This book aims to provide a fun and foundational approach to documentation for the modern knowledge workforce and is the first mass-market book on documentation best practices.

 

Some of the key points discussed during the show include:

  • Adrienne’s background and current role at her company, Risk Oversight, which specializes in delivering services to mid-sized oil and gas companies in the engineering sectors.
  • The purpose of gap analysis is to identify areas for improvement in processes and controls to support operational effectiveness.
  • Adrienne’s belief that internal controls should focus on good habits, accountability, and continuous improvement rather than just ticking boxes.
  • How Risk Oversight helps companies fulfill their obligation of oversight by providing entity-level control review and understanding best practices in governance.
  • The two best practices for board minutes, the “Goldilocks principle” and the “business judgment rule.”
  • The Caremark doctrine in Delaware and the importance of documentation of major risk management decisions.
  • Adrienne’s book The 24-Hour Rule, which is a mass-market book on documentation aimed at managers looking to solve problems through documentation and is applicable to various industries.

 

KEY QUOTATION:

“Risk management is about action.” – Adrienne Bellehumeur 

 

Resources 

Adrienne Bellehumeur | LinkedIn | Twitter 

Risk OversightThe 24-Hour Rule and Other Secrets for Smarter Organizations: Including the 6 Steps of Dynamic Documentation

Categories
Compliance Into the Weeds

OCC ALJ Slams Ex-Wells Fargo Execs

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more. In this episode, we continue the ongoing saga of Wells Fargo and its fraudulent accounts scandal. Recently an administrative law judge has affirmed that three former audit and risk management executives at Wells Fargo should face millions in penalties for their sloppy oversight during the bank’s fake-account scandal in the 2010s. The defendants were Claudia Russ Anderson, former group risk officer for Wells Fargo’s community banking division; David Julian, former chief auditor; and Paul McLinko, former executive audit director.

Some of the highlights include:

·      The background facts.

·      Will the fallout from the Wells Fargo fake accounts scandal ever end? (Hint-When, our Sun, goes supernova.)

·      What is failure to provide a credible challenge?

·      Why are these execs trying to defend their inaction?

·      Why a clear line of authority is needed in compliance.

·      A root cause analysis is a basic Hallmark of an effective compliance program. Why was it separately called out?

·      What are the lessons learned for compliance?

 Resources

Matt Kelly in Radical Compliance

Categories
Innovation in Compliance

The Agile Audit with Toby DeRoche

Tom Fox’s guest on this week’s show is Toby DeRoche, a professional auditor and Senior Manager of Risk Management at Verizon. He and Tom talk about the importance of risk assessment and how it has changed in recent years. 

Agile Audit

Agile Audit is simply auditing the things that matter at the current moment. It’s an iterative approach, going through the entire audit lifecycle and compressing it down to the essentials. “We’re saying, so here’s everything that I could audit, but here’s what’s most important to the organization today,” Toby tells Tom. “It’s this continual cycle… giving you the answers to what’s the most burning question you have related to risk and control in your organization today.” 

 

Focus on The Highest Risk

If an audit plan isn’t focused on relevant issues, or the highest risk, no one is going to care how well the auditing plan was executed. Focusing on low-risk issues wastes everyone’s time. “We should be focusing on the things that are the highest risk and only those things,” Toby says. If internal auditors aren’t focused on management support, strategic objectives, and challenges, then they aren’t doing their jobs. 

 

Communicating Vs Reporting

Tom asks Toby to differentiate between communicating and reporting results as an internal auditor. Giving reports is not communication, he responds; it’s just regurgitating facts. “A much more effective way of getting the information across is to make it more digestible,” Toby remarks, because it’s much more impactful, and people can more easily grasp what you’re trying to say. 

 

Looking Ahead

Companies in the future will have no choice but to use the concepts of risk assessment, continuous improvement, and continuous risk assessment. Auditing must be part of the company’s objectives. “Anything that we’re doing that’s not focused on what matters to management and the highest risk to them achieving their goals right now, then we’re completely missing the picture,” Toby stresses. 

 

Resources

Toby DeRoche | LinkedIn  

Only Audit What Matters 

Categories
Great Women in Compliance

Joelle Thorne-Peters – Be Audit You Can Be

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

This week we are pleased to feature Joelle Thorne-Peters who is a Compliance Audit expert.  She shares with us her thoughts on what Compliance audit is about, what to look for when hiring audit professionals and commentary on the enjoyable phrase “You don’t have to be a clown to audit the circus”.

She also shares some perennial issues that are always worth keeping in mind as stones to turn over, an emerging risk for our radars, espouses a view on where Compliance audit should sit in the organization and thoughts on how Compliance can better work with internal audit.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings to listen in to.  If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it.  If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.  You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast.  Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020).

If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Greetings and Felicitations

Great Structures Week III: The Roman Arc and Resourcing Your Compliance Program

Welcome to the Greetings and Felicitations, a podcast where I explore topics that might not seem directly related to compliance but influence our profession. In this special series, I consider many structural engineering concepts are apt descriptors for an anti-corruption compliance program. In this episode 3, I consider the Roman Arch and resourcing your compliance program. Highlights include:

  • Why and how was the Roman Arch such an engineering innovation?
  • What other corporate functions can a CCO look to?
  • How does HR help facilitate through all its employee touchpoints?
  • How can IT help a CCO meet its obligations under the 2020 Update to the Evaluation of Corporate Compliance Programs?
  • How can compliance use Internal Audit as a key corporate adjunct?

Resources

 “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity,” taught by Professor Stephen Ressler from The Teaching Company.

Categories
Blog

Great Structures Week III – The Roman Arch and Resourcing Your Compliance Program

I continue my Great Structures Week with focus on structural engineering innovations from ancient Rome. I am drawing these posts from The Teaching Company course, “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler who said “When I think of Rome, the first image that comes to mind is an arch.” It is present in aqueducts, in the triumphal arches that adorn the city of Rome, in the city gates and even in the Coliseum.

The arch was a major engineering advancement because the prior method for traversing horizontal distance was the beam, which was limited in its use. Ressler notes “because the arch carries its load entirely in compression, its span isn’t limited by the tensile strength of the material, the size of its stones, and it can span greater distances which might be conceived of with stone beams”. The arch itself has two essential characteristics. First it carries an entire load in compression, that is it counter-balances against itself, which allows for construction using the most basic building materials known in the ancient world: stone, brick and concrete.

Yet the second characteristic of the arch is equally significant. An arch requires “both vertical and horizontal reactions to carry a load. The downward load of the arch is balanced by an upward reaction from the base”. Both the Arch of Titus and Pont du Gard aqueduct are still standing and can be seen today as magnificent examples of this Roman innovation.

I wanted to use the dual load system whereby an arch supports not only great weight but also esthetic engineering designs to discuss how a Chief Compliance Officer (CCO) or compliance practitioner might develop resources to implement a best practice anti-corruption compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery law. Funding of a compliance program is always one of the biggest challenges. Short of being in the middle of a worldwide FCPA, UK Bribery Act or other anti-corruption investigation, you are never going to receive all the funding you want or even think that you are going to need.

However, this corporate reality is not going to save you if the government comes knocking. The FCPA Resource Guide 2nd edition, provides the following, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

Stephen Martin, CCO at  Skillsoft, often says that an inquiry a prosecutor might make is along the lines of the following. First what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), the next inquiry would be, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. Then the KO punch question would be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, most companies spent far more on Post-It Notes than they were willing to invest into their compliance program.

However this corporate reality will allow you to look to other areas to assist the compliance function. An obvious starting place is Human Resources (HR). There are several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touches every site in the company, globally. HR is generally seen as more approachable than many other departments in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document, and Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert (SME) so you can turn to them for any of your compliance program requirements, which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

All of these other corporate functions can greatly assist you in the actual doing of compliance. Moreover, in a resource-constrained environment, these other corporate disciplines can be used to strengthen your compliance program, in a manner similar to vertical and transverse integration of structural integrity presented in an arch. Finally, just as the arch utilized some of the most basic construction elements in existence, by using the other corporate disciplines, engaging in precisely their corporate functions, you can create a strong foundation in your compliance program going forward.

Join us tomorrow where we look at the intersection of Gothic Cathedrals and compliance incentives.

Categories
Everything Compliance

Episode 104 – the Back to School Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In 2021, Everything Compliance was honored by W3 as a top talk show in podcasting. In this episode, we have the quartet of Jonathan Marks, Jonathan Armstrong, Jay Rosen and Matt Kelly on a variety of topics. We conclude with our fan Shout Outs and Rants section.

1. Jay Rosen looks at a recent report about the number and quality of SEC whistleblower awards.  Rosen shouts out to scientists who are trying to create Oxygen from CO2 so that life can exist on Mars.

2. Matt Kelly discusses the Mudge whistleblower allegations regarding Twitter.  Kelly shouts out to NASA engineers who scrubbed the space shuttle launch due to safety concerns.

3. Jonathan Marks considers the role of internal audit in M&A work specifically and how the Board should utilize internal audit more generally. Marks shouts out the 30the anniversary of the US Sentencing Guidelines.

4. Tom Fox shouts out the American League leading Houston Astros.

5. Jonathan Armstrong looks at the newly released Lloyd’s regulations around denial of coverage for cyber-attacks made by foreign governments and state actors. He shouts out to the British television show “Have I Got News” for skewering Boris Johnson with his own words.

The members of the Everything Compliance are:

•       Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
FCPA Compliance Report

Claire Worledge on Data Analytic Secrets


In this episode of the FCPA Compliance Report I visit with Claire Worledge. Claire is an internal auditor by professional training. She is the author of Data Analytic Secrets. We visit about her book and her work to bring greater visibility to data analytics to the internal audit profession and the wider compliance profession. Some of the highlights include:
What is data visualization?
What do you see as the role of data analytics in internal audit?
Why Claire wrote Data Analytic Secrets  and the audience for the book.
How can data analytics and visualization be used in fraud prevention?
How about anti-corruption/anti-bribery programs?
How can internal audit be best used in an anti-corruption/anti-bribery program?
What is the intersection of internal audit and internal control?
Resources
Claire Worledge on LinkedIn
Aufinia website