Categories
FCPA Survival Guide

FCPA Survival Guide – Step 9 – Internal Controls

How can you survive an FCPA enforcement action? In this special podcast series, Tom Fox and Nick Gallo outline the Top 10 things you can do to reduce your overall fine and penalty, perhaps down to a complete declination. All of the actions you can take come from recent DOJ prosecutions under the FCPA and speeches from DOJ representatives. This podcast, sponsored by Ethico, is the companion series to the book The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action. Today, we discuss lesson number nine: internal controls.

Tom and Nick delve into the importance of internal controls in compliance, emphasizing the pivotal role they play in business operations. After studying the COSO Framework, Tom shares his transformation into a firm believer in internal controls, underscoring that robust financial controls can cover a significant portion of compliance requirements. They discuss real-world examples, including SAP’s lack of payment process controls and ABB’s successful avoidance of a monitor through proactive measures. The episode highlights the necessity of continuous improvement and collaboration between legal, financial, and business units to ensure the effectiveness of internal controls and the appropriate handling of overrides. The session concludes with a nod to the upcoming episode on speak-up, triage, and internal investigation.

Key Highlights and Issues

  • The Importance of Internal Controls
  • Financial Controls and Compliance
  • Continuous Improvement in Internal Controls
  • Effective Collaboration and Overrides

Resources:

Nick Gallo on LinkedIn

Ethico

The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Compliance Into the Weeds

Compliance into the Weeds: Major Cybersecurity Incidents and Regulatory Challenges

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the dismissal of the SEC’s enforcement action against SolarWinds and into CrowdStrike’s cybersecurity failures.

Tom and Matt begin with UnitedHealth’s costly ransomware attack, a federal judge’s ruling against the SEC’s lawsuit over SolarWinds’ cybersecurity practices, and CrowdStrike’s flawed software update impacting global corporations.

The episode explores the regulatory challenges of enforcing effective cybersecurity controls and the implications for companies and their compliance programs. The discussion highlights the need for better IT general controls and the role of different stakeholders, including Congress, regulatory agencies, and audit firms, in addressing these cybersecurity risks.

Key Highlights:

  • UnitedHealth Ransomware Attack Breakdown
  • SolarWinds Cybersecurity Lawsuit
  • Regulatory Challenges and Implications
  • Operational Risk Management and IT Controls
  • Call to Action for Compliance and Audit Professionals

Resources:

Matt on Radical Compliance


Categories
Everything Compliance

Everything Compliance: Episode 137, The Boeing Pleads Guilty Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows.

In this episode, we welcome Karen Moore as a permanent panelist.

We have one topic for this episode, the Boeing guilty plea, which we slice and dice from a variety of perspectives. Karen is joined by Jonathan Marks, Jonathan Armstrong, and Matt Kelly as panelists, all hosted by Tom Fox.

  1. Karen Moore considers that there are multiple stakeholders involved with Boeing and will they be covered in the resolution? She shouts out to the UK for their seamless transition of power after the July 4 election and to the Men’s Football team for making the UEFA Cup Final.
  2. Matt Kelly asks multiple questions about the form of the guilty plea and what it may mean for compliance professionals going forward. He rants about Tractor Supply which ditched its DEI and sustainability efforts based on one Twitter campaign.
  3. Jonathan Armstrong takes a look at the Boeing plea deal from his uniquely British perspective, with 3 takeaways. He shouts out to the new British Prime Minister, Sir Keir Starmer.
  4. Jonathan Marks considers corporate governance and internal control failures. He rants about Board members who do not understand Board governance.
  5. Tom Fox shouts out to Pittsburgh rookie Paul Skenes for his great first season and being named the Starting Pitcher for the All-Star Game.

The members of Everything Compliance are:

The host, producer, rantor (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.

Categories
Compliance Into the Weeds

Compliance into the Weeds: The Convergence of Cybersecurity and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into a recent SEC enforcement action involving RR Donnelley, where a cyber breach was characterized as an internal control

In this episode, we discuss how criminal activities in cyberspace are outpacing regulatory measures and the law’s ability to keep up. The conversation touches on the idea that access controls for valuable corporate assets, whether financial data or sensitive information, are becoming indistinguishable in the eyes of cybercriminals. The discussion includes a thought-provoking perspective on merging cybersecurity and anti-money laundering functions, as both deal with improper electronic transactions. The core concern is not just the breach itself, but also the prevention of data exfiltration.

Key Highlights:

  • Corporate Jewels: Money vs. Data
  • Cybersecurity and Anti-Money Laundering
  • Improper Electronic Transactions
  • Focus on Data Exfiltration
  • Conclusion: Preventing Data Theft

Resources:

Matt on Radical Compliance


Categories
Blog

Navigating the New Frontier: SEC’s Enforcement Action on RR Donnelley and its Implications for Compliance

In the ever-evolving compliance landscape, the recent enforcement action by the Securities and Exchange Commission (SEC) against RR Donnelley is a significant case study. This incident underscores the importance of robust cybersecurity measures and highlights the SEC’s expanding reach into areas traditionally viewed outside its purview. As compliance professionals, understanding the intricacies of this case is crucial for adapting to the dynamic regulatory environment. Matt Kelly and I took a deep dive into the enforcement action in a recent Compliance into the Weeds episode.

RR Donnelley, a company historically known for its printing services and later for marketing services, faced an SEC enforcement action in November 2021 due to a cybersecurity breach. Hackers accessed and copied confidential corporate customer data, which was later posted on the dark web. The SEC’s main contention was that Donnelley failed to disclose this breach to investors promptly and had inadequate internal controls over its IT systems. Ultimately, the company was fined $2.1 million.

The SEC’s enforcement action was based on the premise that Donnelley’s cybersecurity measures were insufficient, leading to unauthorized access to its IT assets. Specifically, the SEC utilized provisions related to internal control over financial reporting to impose sanctions even though no direct accounting fraud or economic loss occurred. This approach represents a novel application of the SEC’s powers, using internal accounting control clauses to address cybersecurity issues.

Matt believes that the SEC’s enforcement hinged on the idea that poor cybersecurity equates to poor internal controls over assets. The SEC interpreted the Exchange Act to mean that access to a company’s assets, whether data or financial, should be controlled and authorized by management. Matt noted in his blog post that the statutory authority for that statement flows from the Exchange Act of 1934, which established the Securities and Exchange Commission and the anti-fraud securities laws we use today. The text of the Exchange Act states that companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:

  • Transactions executed according to management authorization;
  • Transactions are appropriately recorded;
  • Access to assets is permitted only according to management authorization;
  • Recorded accountability for assets is reconciled with existing assets.

The hackers’ ability to access Donnelley’s IT systems without authorization was viewed as a failure of these internal controls.

This interpretation broadens the scope of what compliance professionals must consider under the umbrella of internal controls. Traditionally, internal controls were seen in the context of financial reporting and safeguarding physical assets, most often cash or cash equivalents. However, these requirements cover not simply cash but all corporate assets. Moreover, this case suggests that digital assets and the controls around them are equally critical.

Another critical aspect of the case was the failure to disclose the breach promptly. According to the SEC, Donnelley’s IT security team was aware of the breach but did not quickly escalate it to senior management. It took an external party’s notification for the CISO and senior executives to become fully aware and take action.

This scenario underscores the importance of having robust internal communication channels and protocols to ensure that significant cybersecurity incidents are promptly reported to senior management. Moreover, it highlights the need for transparency with investors regarding such breaches, aligning with the SEC’s mandate to protect investor interests.

Compliance professionals must now consider cybersecurity an integral part of internal control systems. Ensuring that IT systems are secure and that access to digital assets is tightly controlled should be a priority. This involves regular audits of cybersecurity measures, continuous monitoring of IT systems, and implementing robust access control mechanisms.

The case also highlights the necessity of clear and effective disclosure practices. Compliance teams should ensure that there are well-defined procedures for reporting cybersecurity incidents internally and disclosing them to investors when necessary. This might include setting up rapid response teams and informing senior management immediately of significant breaches.

Given the technical nature of cybersecurity, collaboration between compliance and IT departments is essential. Compliance officers should work closely with CISOs and IT security teams to understand potential risks and ensure appropriate controls are in place. This partnership is vital for creating a comprehensive compliance strategy that addresses traditional financial risks and emerging digital threats.

The SEC’s approach, in this case, signals that regulators are willing to use existing frameworks to address new types of risks. Compliance professionals should prepare for increased scrutiny and be proactive in ensuring their organizations meet regulatory expectations. This may involve regular training, staying updated with regulatory changes, and conducting thorough risk assessments.

The RR Donnelley case serves as a wake-up call for compliance professionals, emphasizing the need to adapt to an evolving regulatory landscape. By broadening the scope of internal controls to include cybersecurity and enhancing disclosure practices, compliance teams can better protect their organizations and meet regulatory expectations. Collaboration with IT and staying vigilant about regulatory trends will be vital to navigating this new frontier in compliance. Perhaps more ominously, Matt, in another blog post on the United Healthcare cyber-attack in Q1 2024, asked, “If the SEC applied that theory of enforcement against Donnelley, shouldn’t that same theory now be applied against UnitedHealth? At this point, we should discuss exactly how UnitedHealth’s breach happened. Change Healthcare had not implemented multi-factor authentication on a critical computer server, which allowed attackers to use stolen employee credentials to gain access. In other words, UnitedHealth had allowed poor access control on a critical system.”

In other words, Watch This Space.

Categories
Blog

Design-Centric Internal Controls: The Foundation for Compliance Excellence

The dynamic world of compliance is continually evolving. New regulations, emerging technologies, and changing market conditions demand that organizations remain vigilant and proactive in their compliance efforts. One crucial aspect of this ongoing vigilance is the design and implementation of internal controls. Recently, I had the pleasure of discussing this topic with Adrienne Bellehumeur. In this blog post, we will explore the key insights from our conversation and delve into the importance of design-centric internal controls.

Adrienne is a chartered accountant and entrepreneur in Canada who has advocated for a design-first approach to internal controls for many years. Adrienne says design-centric internal controls are essential because they lay the foundation for effective compliance. She likens this approach to baking a cake: the design is the cake itself, while testing and other compliance activities are the icing. Without a solid foundation, no amount of testing can ensure the effectiveness of internal controls.

The necessity of robust internal controls has never been more critical. With the increasing complexity of regulatory requirements (on both sides of the border) and the rapid advancement of technology, organizations must continuously assess and improve their internal control systems. Adrienne points out that while internal controls have existed for over two decades, many organizations have become complacent. This complacency can lead to outdated processes that may not adequately address current risks and regulatory expectations.

Adrienne outlined five principles to improve and energize control design work:

  1. Think of Design as the Cake and Testing as the Icing: Focus on building solid and well-thought-out processes before jumping into testing. This approach ensures that the foundation is solid and can withstand scrutiny.
  2. Assess the Organization’s Level of Maturity: Tailor the internal control program to the organization’s stage of development. A one-size-fits-all approach is ineffective, as different organizations have varying needs and challenges.
  3. Focus on Habits, Not Theory: Practical, habitual practices are more effective than theoretical concepts. Encourage habits like regular access control reviews and inventory management to embed compliance into the organizational culture.
  4. Support Continuous Improvement: Internal controls should not be static. Regularly review and update controls to ensure they remain effective and relevant. Continuous improvement helps organizations stay ahead of emerging risks and regulatory changes.
  5. Keep It Interesting: Vary the techniques used in internal control assessments to maintain engagement and effectiveness. Workshops, interviews, and creative diagramming can provide fresh perspectives and uncover new insights.

One of the most intriguing aspects of Adrienne’s approach is her use of workshops to discuss and improve internal controls. These workshops involve stakeholders, including internal auditors, compliance officers, and business unit leaders. By fostering open dialogue and collaboration, these sessions can identify inefficiencies, propose improvements, and build stronger relationships between auditors and the internal team.

Adrienne emphasizes that these workshops should occur before external audits. This pre-audit preparation allows organizations to address issues internally, reducing the likelihood of negative findings during the audit. Moreover, involving the internal team in the design process helps build a sense of ownership and commitment to maintaining robust controls.

For the internal auditor, leveraging technology is crucial for adequate internal controls. Adrienne highlighted the decreasing reliance on transactional testing, thanks to automation and data analytics advancements. Modern internal controls must adapt to these changes by incorporating technology that enhances efficiency and accuracy.

AI and data analytics can provide deeper insights into organizational processes, helping identify potential risks and areas for improvement. By integrating these technologies into the internal control framework, organizations can achieve higher precision and responsiveness.

Adrienne’s expertise in documentation is particularly relevant to internal controls. I wholeheartedly agree that good documentation practices are the backbone of any effective compliance program and form the basis of information management. Clear, accurate, accessible documentation supports transparency, accountability, and continuous improvement.

Companies must establish simple rules for naming, classifying, and managing documents. This foundational step ensures that all relevant information is readily available for internal reviews, audits, and regulatory inspections.

The compliance landscape continually evolves, with new challenges like ESG and AI gaining prominence. Adrienne articulated that a back-to-basics approach can help organizations navigate these new areas. Organizations can build a solid foundation that supports emerging compliance requirements by focusing on fundamental principles of good information management and documentation.

For instance, effective ESG reporting relies on accurate and comprehensive data. Similarly, AI systems must be underpinned by robust data management practices to ensure transparency and accountability. By strengthening these foundational elements, organizations can more easily adapt to new regulatory expectations and technological advancements.

Adrienne and I also discussed the role of internal controls in supporting whistleblower programs. With the Department of Justice (DOJ) formulating new rules for financial incentives in whistleblower programs, organizations must ensure their internal controls can detect and address issues before they escalate. Adequate internal controls can help prevent whistleblower claims by identifying and mitigating risks early. For example, strong documentation practices provide a clear audit trail that can validate the organization’s actions and decisions. Additionally, fostering a culture of transparency and accountability encourages employees to report concerns internally, allowing the organization to address them proactively.

Design-centric internal controls are essential for building a robust and effective compliance program. By focusing on the principles outlined by Adrienne Bellehumeur, organizations can enhance their internal control frameworks, support continuous improvement, and stay ahead of emerging compliance challenges. A proactive approach to internal controls is crucial for long-term compliance success, whether through innovative workshops, leveraging technology, or strengthening documentation practices.

Categories
FCPA Compliance Report

FCPA Compliance Report: Adrienne Bellehumeur on Design-Centric Approaches to Internal Controls

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance.

In this edition of the FCPA Compliance Report, Tom Fox welcomes back Adrienne Bellehumeur, a chartered accountant and expert in internal controls and documentation.

Adrienne discusses her recent article on design-centric internal control and emphasizes the importance of focusing on design as the foundation for effective control programs. She outlines five key principles for improving control design and details her approach to challenging processes and governance systems. The conversation also touches on the necessity of continuously updating controls to adapt to evolving business and regulatory environments.

Adrienne shares tips on fostering better design through workshops, effective interviewing, and continuous improvement, while also addressing new developments such as AI and ESG. The episode finishes with insights into how internal controls can support whistleblower programs and the importance of back-to-basics documentation and information management.

Highlights in this Episode:

  • Professional Background
  • Design-Centric Approach to Internal Controls
  • Challenges and Importance of Good Design
  • Principles for Improving Control Design
  • Back to Basics: Adapting to New Business Developments
  • Whistleblower Programs and Internal Controls

Resources:

Adrienne Bellehumeur on LinkedIn

Risk Oversight

New Approaches to Control Design


Categories
Compliance Into the Weeds

Compliance into the Weeds: Analyzing The Trump Conviction: Compliance Lessons from an Unprecedented Case

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode of ‘Compliance Into the Weeds’, Tom and Matt take a deep dive into last week’s trial verdict against Donald Trump in NYC and lessons for the compliance professional.

They explore the importance of internal controls, consistent consequence management, and effective leadership. They also delve into how compliance officers can learn from the storytelling strategies used in the trial and emphasize the application of the rule of law.

Key Highlights:

  • Overview of Trump’s Criminal Conviction
  • Internal Controls and Compliance Lessons
  • Consequences Management and Consistent Enforcement
  • Ethical Leadership and Communication
  • Who is your audience? Storytelling in Compliance
  • Final Thoughts and Rule of Law

Resources:

Matt on Radical Compliance


Categories
Blog

Internal Controls and Humans in the Loop: Lessons from Citigroup’s $126 Million Mistake

The Citigroup internal control debacle is a glaring reminder to compliance and ethics professionals of the critical importance of robust, well-designed, functioning, and effective internal controls. The U.K. Financial Conduct Authority fined Citigroup £27.7 million, the Bank of England’s Prudential Regulation Authority fined Citigroup £33.9 million, and Citigroup’s own trading losses brought the total cost to some $126 million. Citigroup’s mistakes underscore the perils of inadequate internal controls and provide many lessons for compliance professionals. Matt Kelly and Tom Fox discussed the matter in the most recent Compliance into the Weeds episode.

A Citigroup trader made a fateful error on a seemingly ordinary Monday (more on this day later) in May 2022. He intended to sell $58 million worth of securities but mistakenly placed the amount in the units field, leading to an order to sell 444 billion units. Although some of Citigroup’s controls caught parts of the error, they did not see the entirety of the Fubar. This mistake led to a flash crash on European stock markets and cost Citigroup $126 million, including fines and losses.

Lesson 1: Simplify and Focus Controls

One of the primary lessons from this incident is the need to consider human nature when designing internal controls. Citigroup had what were termed ‘hard-block controls’, which blocked $248 billion worth of the order and could not be overridden. However, there were also ‘soft-block controls’ in the form of a pop-up screen asking the trader if he wanted to move forward. The trader in question faced a warning screen with 711 individual red flags, a list so long that it became impractical to review. This scenario is akin to users scrolling through and ignoring lengthy user agreements—a typical human behavior.

Controls should be designed to be practical and actionable. Instead of presenting an overwhelming list of potential issues, a focused warning on the specific error or most critical issues could be more effective. This approach ensures that users pay attention to the most relevant information, reducing the risk of overlooked mistakes. Moreover, never present a front-line employee with 711 different red flags that they must navigate and try to (1) figure out what they did wrong and (2) remedy the situation.

Lesson 2: Strengthen Automated Controls

As noted, Citigroup had a mix of hard and soft controls. While some automated controls blocked a portion of the erroneous trade, others allowed it to proceed after a mere warning. This differentiation highlights the need for robust automated controls that do not solely rely on human intervention, especially in high-stakes environments. Automated controls should be comprehensive and prevent significant errors without relying exclusively on human review. Complex controls that automatically block erroneous transactions can prevent costly mistakes.

Lesson 3: Ensure Adequate Coverage

Remember when I opened this tale with the trade happening on an ‘ordinary Monday’? It was not an ordinary Monday: the trade occurred on a U.K. bank holiday, which further complicated the situation. The primary monitoring team (Monitoring Team 1) was off for the bank holiday, and the backup team (Monitoring Team 2) did not effectively manage or escalate the issue. Even when another monitoring team (Monitoring Team 3) discovered the error and sent the information back to Monitoring Team 2, the team in charge for the holiday, Monitoring Team 2 had yet to respond. These lapses point to another critical area: adequate staffing and effective backup procedures.

Companies must ensure adequate staffing to monitor and manage risks at all times, including during holidays, weekends, and off-hours. Effective backup procedures and cross-training can ensure that critical functions are covered regardless of the timing. Adequate staffing also means competent staffing, with teams understanding how and when to respond.

Lesson 4: Implement Consistent Global Controls

A notable aspect of Citigroup’s failure was the inconsistency in control implementation across regions. While robust controls existed in New York, they did not exist in Europe. Citigroup had those hard-block controls, which stopped $248 billion worth of orders, but only for its New York trading desk. Moreover, these hard-block controls had been implemented back in 2013. Yet, for some reason, they had not been implemented at the London trading desk. This discrepancy highlights the importance of consistent global controls. Once a risk is identified and a control is implemented in one region, it is crucial to extend that control globally. This consistency ensures that all parts of the organization are equally protected against similar risks, preventing regional disparities in control effectiveness.
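As an added illustration of Lessons 1, 2 and 4 (this is not Citigroup’s control logic; every limit, desk name, price and order below is a constructed value), here is a pre-trade check that hard-blocks what must never be overridden, soft-blocks what needs approval, shows the trader only the single most severe finding, and applies one firm-wide limit set that a desk may tighten but never loosen:

```python
"""Pre-trade order checks: hard blocks, soft blocks and one focused warning.

Added illustration for the Citigroup lessons above. It is not Citigroup's
control logic; every limit, desk, price and order below is a constructed value.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    ACCEPT = 0
    SOFT_BLOCK = 1  # order pauses until a supervisor explicitly approves it
    HARD_BLOCK = 2  # order is rejected outright; there is no override path


@dataclass(frozen=True)
class Limits:
    max_units: int              # per-order unit cap (hard block)
    max_notional_usd: float     # per-order units * price cap (hard block)
    review_notional_usd: float  # above this, pause for supervisor review (soft block)


@dataclass(frozen=True)
class Order:
    desk: str
    units: int
    price_usd: float


# One firm-wide limit set (constructed). A desk may tighten it but never loosen
# it, so a control introduced after one incident applies to every desk.
FIRM_LIMITS = Limits(max_units=50_000_000, max_notional_usd=1_000_000_000,
                     review_notional_usd=25_000_000)
DESK_LIMITS = {
    "NY": Limits(max_units=20_000_000, max_notional_usd=500_000_000,
                 review_notional_usd=25_000_000),
    # An attempt to loosen the caps: ignored by effective_limits() below.
    "DUBLIN": Limits(max_units=10**12, max_notional_usd=10**15,
                     review_notional_usd=10**15),
    # "LONDON" has no entry and still gets FIRM_LIMITS, not "no limits".
}


def effective_limits(desk: str) -> Limits:
    """Desk limits can only be stricter than the firm-wide ones."""
    local = DESK_LIMITS.get(desk)
    if local is None:
        return FIRM_LIMITS
    return Limits(
        max_units=min(local.max_units, FIRM_LIMITS.max_units),
        max_notional_usd=min(local.max_notional_usd, FIRM_LIMITS.max_notional_usd),
        review_notional_usd=min(local.review_notional_usd,
                                FIRM_LIMITS.review_notional_usd),
    )


def check_order(order: Order) -> tuple[Severity, str]:
    """Evaluate every rule, but return only the single most severe finding,
    phrased as what to fix, rather than a scrollable list of hundreds of flags."""
    lim = effective_limits(order.desk)
    notional = order.units * order.price_usd
    findings: list[tuple[Severity, str]] = []
    if order.units <= 0 or order.price_usd <= 0:
        findings.append((Severity.HARD_BLOCK, "units and price must be positive"))
    if order.units > lim.max_units:
        # A unit count that looks like a dollar amount is the classic fat finger;
        # the unit cap catches it even when the notional cap alone would not.
        findings.append((Severity.HARD_BLOCK,
                         f"{order.units:,} units exceeds the {lim.max_units:,} unit cap; "
                         f"check whether a dollar amount was typed in the units field"))
    if notional > lim.max_notional_usd:
        findings.append((Severity.HARD_BLOCK,
                         f"order value ${notional:,.0f} exceeds the "
                         f"${lim.max_notional_usd:,.0f} cap"))
    if notional > lim.review_notional_usd:
        findings.append((Severity.SOFT_BLOCK,
                         f"order value ${notional:,.0f} needs supervisor approval"))
    if not findings:
        return Severity.ACCEPT, "ok"
    # max() keeps the first of equally severe findings, so the unit-cap message
    # wins over the notional message for the fat-finger case.
    return max(findings, key=lambda f: f[0])


if __name__ == "__main__":
    # Constructed scenario: a $58 million sale keyed into the units field on a
    # desk that never received New York's tightened limits.
    for o in (Order("LONDON", 58_000_000, 10.0),   # fat finger
              Order("LONDON", 5_800_000, 10.0),    # the intended order
              Order("NY", 100_000, 10.0)):         # routine order
        sev, msg = check_order(o)
        print(f"{o.desk:7} {o.units:>12,} @ {o.price_usd:.2f} -> {sev.name}: {msg}")
```

The soft block still pauses the order for a supervisor; what it never does is present the trader with a list to scroll past.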

Lesson 5: Integrate The Human Element

Citigroup’s failure also demonstrates the need for a vital human element in internal controls. Despite having multiple layers of monitoring, human oversight fell short because of insufficient staffing and ineffective backup systems. While automated controls are essential, they should be complemented with effective human oversight. Regular training and clear protocols can enhance the effectiveness of both human and computerized controls, ensuring a more resilient control environment.

This human element extends to reports of control weaknesses by internal audit, as Citigroup had previously identified internal control weaknesses yet failed to address them adequately. This ongoing neglect resulted in repeated issues and significant penalties. When internal audits flag control weaknesses, it is imperative to address these issues promptly. Delaying remediation can lead to repeated failures and compound risks, as demonstrated by Citigroup’s experience.

The Citigroup incident offers a comprehensive lesson in the importance of robust internal controls, consistent global implementation, and the need for practical, focused warnings. Compliance professionals should take these lessons to heart and ensure that their organizations are equipped to prevent similar costly errors.

By designing effective controls, ensuring adequate staffing, and promptly addressing risks, companies can safeguard against the significant financial and reputational damage resulting from control failures. The Citigroup case is a stark reminder of the high stakes involved, and the critical role that well-designed internal controls play in maintaining the integrity of global financial operations.

Resources

Matt Kelly in Radical Compliance

Categories
Compliance Into the Weeds

Compliance into the Weeds: Of Fat Fingers, Internal Controls and Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt delve deep into Citigroup’s $126 million trading error, resulting from poor internal controls.

They discuss how a simple ‘fat finger’ error by a trader led to a major flash crash on European stock exchanges in 2022, and how the failure of Citigroup’s internal controls allowed it to happen. The discussion covers multiple compliance lessons, including the importance of understanding the human element in control design, the need for adequate staffing and monitoring, and the necessity of consistent global risk management.

Fox and Kelly also highlight the importance of addressing findings from internal audits and maintaining urgency in improving internal controls. They emphasize that companies should think creatively about risk management, taking into account various global factors, including holidays and local regulations.

Key Highlights:

  • The Citigroup Internal Control Fiasco
  • Compliance Lessons from Citigroup’s Mistake
  • The Human Element in Compliance and Control Failures
  • Global Consistency in Risk Management

Resources:

Matt on Radical Compliance
