
Day 16 of One Month to More Effective Internal Controls-COSO Objective II: Risk Assessments

Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was not as well understood. The Framework Volume says, “Management specifies objectives within the category relating to operations, reporting, and compliance with such clarity to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider internal and external changes that can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services, which could increase the risk of running afoul of these laws. 

Objective – Risk Assessments

The objective of Risk Assessment consists of four principles. They are: Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.” Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” Principle 8 – “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Principle 9 – “The organization identifies and assesses changes that could significantly impact the internal control system.”

Principle 6 – Suitable Objectives

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, management is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis for your risk assessments.

Principle 7 – Identifies and Analyzes Risk

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third-party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means that fraud should be treated as an important part of the risk analysis. Any company must follow the flow of money, and where the Fraud Triangle is present, management should place controls around that risk.

Principle 9 – Identifies and Analyzes Significant Change

If there is one constant in business, it is change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and promptly assess the risks and approaches to mitigate the risk.”

Discussion

The SEC has clarified that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should see new risks that they need to address because of the changes brought about by the new standard. Howell noted that “in the internal control arena, fraud risk, in particular, has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.

Another example is that sales folks give concessions to customers that are not reflected in their understanding of the contract and its accounting.” Howell went on to add that there might be other activities going on to acquire contracts that are not being properly accounted for, or it may not even be recognized at some level that concessions are being given at the back end in return, and that this is not being reported back into the estimate of revenue going forward. Finally, there are risks that a company has misstated or underestimated the determination of whether revenue should be recognized over time, or, if it is a rolling time frame, what that period is. Howell stated, “For example, the period could be longer, which means that your revenue would be recognized over a longer period. There’s always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long. As we begin to think about these new judgments that are required, we get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls and have the plan to respond if they discover that the risk has happened and they have a failure.”

Three Key Takeaways:

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and almost all other best practices compliance programs.
  2. Look at your risks across your organization rather than in a siloed manner.
  3. Risks, how they are determined, and how they are managed all change over time, so be cognizant of changes in business practices on the ground.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and all other compliance regimes.


Day 14 of One Month to More Effective Internal Controls – What is the COSO Framework?

Internal Control–Integrated Framework”, herein ‘the Framework volume.’ The second is an Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls,” herein ‘the Illustrative Guide,’ which discusses how best to assess your internal control regime and provides forms and worksheets to use in this exercise. The third volume is the Executive Summary of the first volume, herein ‘Executive Summary.’ All three works form an excellent starting point for exploration of the COSO Framework and how you might use it for your best practices anti-corruption compliance program. In the 2013 update, the basic framework was retained with substantial support from user companies, and three specific objectives were added:

  1. Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss
  2. Reporting Objectives – internal and external financial reporting
  3. Compliance Objectives – adherence to laws and regulations to which the entity is subject

According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance that the organization, among other things, complies with applicable laws, rules, regulations, and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations. The COSO Framework defines internal controls, from bottom to top, with the following Objectives: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring. From these five Objectives come 17 Principles which we will explore throughout this series. Larry Rittenberg, in his book “COSO Internal Control-Integrated Framework,” said that the original COSO framework from 1992 has stood the test of time “because it was built as a conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based on four general principles, which include the following: 

(1) the updated Framework should be conceptual, which allows for updating as internal controls [and compliance programs] evolve; 

(2) internal controls are a process which is designed to help businesses achieve their business goals; 

(3) internal controls apply to more than simply accounting controls; they apply to compliance controls and operational controls as well; and 

(4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” 

This final statement is significant for the compliance practitioner because it directly speaks to the need for the compliance practitioner to operationalize internal controls for compliance and not simply rely upon a company’s accounting, finance, or internal audit function to do so. The primary point to keep in mind is that even if an organization adopts the Framework, very few people within that organization will have the unique knowledge a compliance officer has, knowledge that bears on all the framework elements. The compliance officer’s role is to provide input to the Chief Financial Officer (CFO) and others involved in the implementation to be sure that there is a proper focus on the risks that are part of the compliance world. This primarily comes through risk assessment, control activities, and monitoring. Companies typically do risk assessments from an operational standpoint, address business risks going forward, and then develop the controls that deal with those risks, such as projected financial results, doing business in certain countries, strategic decisions, and similar issues. This puts the compliance function in the unique position to be the fulcrum on many issues that will come up in a COSO-based analysis or implementation. The updated Framework retained the core definition of internal controls: control environment, risk assessment, control activities, information and communication, and monitoring activities.

Further, the well-known three-dimensional “COSO Cube” visually represents these five operational concepts. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, the emphasis on the principles is new to the 2013 Framework. Joe Howell noted that the COSO Framework could be seen as a prevent and detect control. He also related that your internal controls need to be sustainable over the long haul. He stated, “You cannot just build one-off things that allow you to do one period and not have a process in place that will help you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one and done.” As we explore the COSO Framework, the compliance practitioner should understand how the entire Framework interacts and intersects with the compliance function sustainably throughout the organization. 

Three Key Takeaways:

  1. You must use the COSO Framework or a similar source for your internal control structure.
  2. The 2013 Framework identifies the following areas: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring.
  3. Your internal controls must be sustainable.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO 2013 Framework for Internal Controls is a great guide for the internal controls required in a compliance regime. 


Day 12 of One Month to More Effective Internal Controls-Board Oversight as an Internal Control

Best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources,” which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided sufficient information to enable independent judgment?

The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must have a corporate compliance program in place and actively oversee that function.

Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and the compliance function. The Board must ask hard questions and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes-Oxley (SOX), that oversight includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must have a corporate compliance program in place and actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

  1. Risk Assessment – A Board should assess the compliance risks associated with its business.
  2. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document informing the company, its employees, stakeholders, and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures that instructs employees on how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first is that the Board has a general understanding of what the FCPA is; the second is that it understands its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, alternatively, their failure even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance internal controls can be both detective and preventive controls.
  3. Good compliance with internal controls is good for business.

Board oversight of your compliance program can act as an internal control if properly documented. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.