
Day 20 of One Month to More Effective Internal Controls – Assessing Compliance Internal Controls Under COSO

In “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls.” It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting, and compliance.” Moreover, two over-arching requirements can only be met through such a structured post. First, each of the five components is present and functioning. Second, the five components are “operating together in an integrated approach.”

One of the most critical components of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls. As the COSO 2013 Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. If you have a multi-country or business unit organization, you must determine how your internal compliance controls are interrelated up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment:

  1. Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.”
  2. There should be a component evaluation. Here you need to evaluate any deficiencies you may have more deeply and whether there are any compensating internal controls.
  3. Assess whether each principle is present and functioning. As the COSO 2013 Framework does not prescribe “specific controls that must be selected, developed and deployed,” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and, if so, what the severity of the deficiency is.
  4. Finally, you should summarize all your internal control deficiencies in a log, so they are addressed on a structured basis.

Another way to think through the approach could be to consider “the controls to effect the principle,” which would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment would examine whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This process would then lend itself to an ongoing evaluation. If business models, laws, regulations, or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially, it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It defined ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” A major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective internal control system.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have, at a minimum, the categories of policies laid out in the FCPA 2012 Guidance, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments,” also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls by the Framework.”

However, what steps should you take if there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance with internal controls? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation, or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program, whether based upon the FCPA, UK Bribery Act, or some other regulation. With the Illustrative Guide, COSO has given the compliance practitioner a handy road map to begin an analysis of your company’s internal compliance controls. When the SEC comes knocking, they will look for this type of evidence to evaluate if your company has met its obligations under the FCPA’s internal controls provisions.

First are some general definitions that you need to consider in your evaluation. An internal compliance control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” An internal compliance control functions if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

Three Key Takeaways:

  1. An effective internal controls system provides reasonable assurance of the entity’s objectives relating to operations, reporting, and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components is present and functional. Second, the five components are operating together in an integrated approach.
  3. You can use the Ten Hallmarks of an Effective Compliance Program for an anti-corruption compliance program as your guide to test against.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. The COSO model can be used to structure your assessment of internal controls.


Everything Compliance-Episode 14

Show Notes for Everything Compliance-Episode 14 

Topics from Matt:

  1. Trump Administration & FCPA enforcement— we have two declinations now; maybe a compare-and-contrast and speculation on what a tough Trump Admin enforcement WOULD look like;
  2. EU’s GDPR— Do EU regulators know what they want to do with the enforcement of this law; if they follow the lead of the anti-competition people whacking Google, it could be a big deal;
  3. Hui Chen’s departure from the Justice Department, both her public rebuke of Trump and the substance of how she believes her guidance has been misinterpreted; and
  4. Ethical leadership and the lack thereof; the menace of abusing perks and privilege, connecting my posts about Uber’s leaders and Chris Christie vacationing on a closed beach.

Topics from Jay:

  1. How do the Campaign Finance Laws mirror/or differ from the FCPA?
  2. Will the Russian Collusion Investigation reveal the ultimate FCPA violation?
  3. Regarding Walter Shaub’s departure from the Office of Governmental Ethics (OGE), does it matter? What is OGE supposed to do, and why did it work for the past 40+ years but fall on deaf ears with the Trump administration?
  4. Dovetailing with Matt’s question about a slow H1 for FCPA enforcement and in light of the just-released Gibson Dunn FCPA Mid-Year Report, does the current climate (and lack of vigorous enforcement) provide a perfect storm for companies to look the other way if they fall off the E&C wagon, or do we think that companies are still being vigilant despite a perception of decreased enforcement?

Rants follow this week’s episode. What do the two declinations in 2017 mean? The Everything Compliance panel of experts weighs in.


FCPA Compliance Report-Episode 332, Marc Bohn on the Kokesh Decision

In Kokesh v. SEC, the US Supreme Court held that profit disgorgements operate as a penalty under the Securities and Exchange Act of 1934, as amended. As such “any claim for disgorgement in an SEC enforcement action must be commenced within five years of the date the claim accrued.” The position of the Securities and Exchange Commission (SEC) at the Supreme Court and in all other matters involving this issue was that profit disgorgement was not punitive, hence not a penalty but rather remedial in nature, so the SEC could claw back all monies generated as a result of the illegal action. The decision, authored by Justice Sotomayor, was a 9-0 opinion, which in the rarified world of Supreme Court decisions is about as clear a message as one can get.

The Court first determined that profit disgorgement met the definition of a “penalty” on two bases: “First, whether a sanction represents a penalty turns in part on ‘whether the wrong sought to be redressed is a wrong to the public, or a wrong to the individual.’ Second, a pecuniary sanction operates as a penalty if it is sought ‘for the purpose of punishment, and to deter others from offending in like manner’ rather than to compensate victims.” [citations omitted] Thus, if a statute provided a compensatory remedy for a private wrong, it should not be characterized as a penalty.

For additional thoughts from Marc, see his piece on the FCPA Blog. For additional thoughts from myself, see my piece on the FCPA Compliance and Ethics Blog.

The Kokesh decision has significant implications for FCPA enforcement going forward.


Everything Compliance-Episode 10, first 100 days of the Trump Administration

This episode is dedicated to the chaotic (at best) first 100 days of the Trump administration related to compliance.

  1. Jonathan Armstrong leads a discussion of the Trump administration’s devolution of Privacy Shield, GDPR, and what they mean for American companies doing business in the UK and EU. He discusses the key differences in the DOJ’s Evaluation of Corporate Compliance Programs in an FCPA analysis and under the Bribery Act, differences in the EU approach to conflict minerals, and under the Trump Administration, and concludes by giving us his thoughts on what Brexit means for compliance.

For the Cordery Compliance client alerts, see the following:
EU conflicts minerals compliance legislation
DOJ Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?
BREXIT Glossary

  2. Jay Rosen considers the intersection of business and politics under the Trump administration, the business response he has observed to the Trump administration’s steps and missteps, the comments made by DOJ representatives at Q1 conferences, and the vibe of compliance conference attendees.

For Jay’s posts, see:
Still in the Enforcement Business and Evaluation of Corporate Compliance Programs
“It Was the Best of Times, It was the Worst of Times,” or “Ignorance is Strength”

  3. Matt Kelly opens with a discussion of regulatory enforcement under the Trump administration, how the ‘Trump Effect’ is negatively impacting corporations, and industry responses to deregulation issues, and lays down some markers around compliance issues under the new administration.

For Matt Kelly’s posts, see:
Compliance in the Trump Era: More Markers Placed
Trump Administration Whacks Telco Firm for $892 Million
Drone Industry Pan Trump’s Regulatory
Trump Risk Disclosures Start Rolling In
First SEC Whistleblower Award of the Trump Era
Sessions Dodges, Weaves, Promises on FCPA

  4. Mike Volkov rounds out the discussion with a review of where the DOJ is currently under AG Sessions, remarks by DOJ officials on FCPA enforcement, the future of the Pilot Program, and DOJ Compliance Counsel Hui Chen.

For Mike Volkov’s posts, see the following:
Yates, AG Sessions and Individual Criminal Prosecutions
New E-Book — Moving the Goalposts: The Justice Department Redefines Effective Compliance
FCPA Remediation Focus on Supervisory Personnel
FPCA Pilot Program Motors On

For Tom Fox’s posts on the Trump administration’s first 100 days, see the following:
The Trump Administration-Kaos is Bad for Business
The Trump Administration-Failures in Leadership and Management
The Trump Administration-Preparing for a Catastrophe
The Trump Administration-the Business Response
DOJ Enforcement of the FCPA and the International Fight against Corruption in the Trump Administration

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

What has the Trump effect meant for FCPA? The experts weigh in.


Everything Compliance – Episode 10, first 100 days of the Trump Administration

  1. Jonathan Armstrong discusses the Trump administration’s devolution of Privacy Shield, GDPR, and what they mean for American companies doing business in the UK and EU. He discusses the key differences in the DOJ’s Evaluation of Corporate Compliance Programs in an FCPA analysis, under the Bribery Act, in the EU approach to conflict minerals, and under the Trump Administration. He concludes by giving us his thoughts on what Brexit means for compliance.

For the Cordery Compliance client alerts, see the following:
EU conflicts minerals compliance legislation
DOJ Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?
BREXIT Glossary

  2. Jay Rosen considers the intersection of business and politics under the Trump administration, the business response he has observed to the Trump administration’s steps and missteps, the comments made by DOJ representatives at Q1 conferences, and the vibe of compliance conference attendees.

For Jay’s posts, see:
Still in the Enforcement Business and Evaluation of Corporate Compliance Programs
“It Was the Best of Times, It was the Worst of Times,” or “Ignorance is Strength”

  3. Matt Kelly opens with a discussion of regulatory enforcement under the Trump administration, how the ‘Trump Effect’ is negatively impacting corporations, and industry responses to deregulation issues, and lays down some markers around compliance issues under the new administration.

For Matt Kelly’s posts, see:
Compliance in the Trump Era: More Markers Placed
Trump Administration Whacks Telco Firm for $892 Million
Drone Industry Pan Trump’s Regulatory
Trump Risk Disclosures Start Rolling In
First SEC Whistleblower Award of Trump Era
Sessions Dodges, Weaves, Promises on FCPA

  4. Mike Volkov rounds out the discussion with a review of where the DOJ is currently under AG Sessions, remarks by DOJ officials on FCPA enforcement, the future of the Pilot Program, and DOJ Compliance Counsel Hui Chen.

For Mike Volkov’s posts, see the following:
Yates, AG Sessions and Individual Criminal Prosecutions
New E-Book — Moving the Goalposts: The Justice Department Redefines Effective Compliance
FCPA Remediation Focus on Supervisory Personnel
FPCA Pilot Program Motors On

For Tom Fox’s posts on the Trump administration’s first 100 days, see the following:
The Trump Administration-Kaos is Bad for Business
The Trump Administration-Failures in Leadership and Management
The Trump Administration-Preparing for a Catastrophe
The Trump Administration-the Business Response
DOJ Enforcement of the FCPA and the International Fight against Corruption in the Trump Administration

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com.

This Week in FCPA-Episode 46, the On the Rode to Prague Edition

  • Why powerful people fail to stop bad behavior by their underlings. Click here for the article.
  • Some policy management lessons, courtesy of United Airlines. Click here for Matt Kelly’s article on Radical Compliance.
  • Why you shouldn’t linger too long in the wrong compliance position. See Julie DiMauro’s blog post on the FCPA Blog.
  • Bribe recipient in the Gerald and Patricia Green FCPA case gets 50 years in prison. See article in the FCPA Blog.
  • Using data to operationalize your compliance program. Read Tom’s blog post, by clicking here.
  • What the New York State Department of Financial Services’ new regulation on cybersecurity for financial services companies means for compliance officers. See Tom’s blog post by clicking here.
  • Jay previews his weekend report.
  • Jay Rosen’s new contact information:
    Jay Rosen, CCEP
    Vice President, Business Development
    Monitoring Specialist
    Affiliated Monitors, Inc.
    Mobile (310) 729-6746
    Toll Free (866)-201-0903
    JRosen@affiliatedmonitors.com

    How can the use of data help to operationalize your compliance program?


    Everything Compliance-Episode 7

  • Jonathan Armstrong leads a discussion of the Trump administration’s devolution towards Privacy Shield and what it may portend for American companies doing business in the UK and EU. He highlights the recent opening of a new trial in Ireland brought by Max Schrems and also discusses the putative Muslim refugee ban in the context of broader business implications.
  • For the Cordery Compliance client alert on Privacy Shield, see here

    1. Jay Rosen considers the intersection of business and politics under the Trump administration, the Tech sector response to the Muslim refugee ban and the more general business response to the first few weeks of the Trump administration.

    For Jay’s post see, Where Do Politics End and Ethics & Compliance Begin?

    1. Matt Kelly opens with a discussion of the management process practices of the Trump administration in issuing Executive Orders and lays down some markers around compliance and regulatory issues under the new administration.

    For Matt Kelly’s posts see the following:
    Compliance in the Trump Era: More Markers Placed
    Five Questions for SEC Nominee Jay Clayton
    Yes Government Ethics is Happening
    Dodd-Frank Reform Starts Coming into View
     For Tom Fox’s posts on these topics see the following:
    The Trump Administration-Kaos is Bad for Business
    The Trump Administration-Part II, Failures in Leadership and Management
    The Trump Administration-Part III-Preparing for a Catastrophe
    The Trump Administration-Part IV-the Business Response
    The members of the Everything Compliance panel include:

    • Jay Rosen (Mr. Translations) – Jay is Vice President of Legal & Corporate Language Solutions at United Language Group. Rosen can be reached at rosen@ulgroup.com.
    • Mike Volkov – One of the top FCPA commentators and practitioners around and is the Chief Executive Officer (CEO) and owner of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
    • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of the noted Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
    • Jonathan Armstrong – Rounding out is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

    What compliance and business lessons arise from the first 3 weeks of the Trump administration?


    This Week in FCPA-Episode 35

    th edition:

    1. Hernandez and Beech FCPA guilty pleas. Hernandez Criminal Information, Beech Criminal Information.
    2. VW guilty plea in emissions-testing scandal. Link to article in New York Times.
    3. VW executive Oliver Schmidt arrested in US. See article on FCPA Compliance and Ethics Blog.
    4. Zimmer Bio-Met in follow-up FCPA enforcement action. See article on FCPA Blog.
    5. Mondelez FCPA enforcement action. See SEC Cease and Desist Order and article on FCPA Compliance and Ethics Blog.
    6. Supreme Court to take up five-year statute of limitations for profit disgorgement under Securities Act, which applies to FCPA enforcement actions brought by SEC. Article in Law360.
    7. NFL Playoff update on Patriots, Cowboys and Texans.

    What were the FCPA matters, issues and lessons from the week ending January 13, 2017? Check out This Week in FCPA.


    This Week in FCPA-Episode 34, the Invisible Hand Edition

    In this episode Jay Rosen and I take a dive into the General Cable FCPA enforcement action, consider the ‘Invisible Hand’ of  Justice Department Compliance Counsel Hui Chen and greater regulatory enforcement, corporate response and innovation. We explain how these three factors combine in an ‘Invisible Hand’ to form a continuous improvement loop of compliance program innovation. It leads developments from cutting edge to best practices to becoming a routine part of an effective compliance program. We discuss the upcoming NFL divisional round of playoffs and conclude with Jay previewing the Jay Rosen Weekend Report. For more information on the General Cable FCPA enforcement action, check out my three-part blog post series:
    Part I-the Bribery Schemes
    Part II-the Comeback
    Part III-the Denouement

    How does the invisible hand impact continuous improvement of compliance programs?


    This Week in FCPA-Episode 32, the not so friendly skies edition

  • United Airlines SEC enforcement action for domestic; the Chairman’s Flight and the US Corrupt Practices Act, for a copy of the Justice Department NPA, click here and for a copy of the SEC Cease and Desist Order, click here.
  • Monetary Authority of Singapore seeks to suspend former Goldman Sachs trader in 1MDB scandal. Link to Fox blog post on Compliance Week.
  • FATF report that US weak on beneficial ownership issues, for a copy of the report, click here.
  • Wal-Mart up to $820MM in pre-settlement FCPA settlement spend, on Radical Compliance.
  • Release of eBook, Trump on Compliance.
  • SEC Director of Enforcement, Andrew Ceresny announces he will leave the SEC. See NYT article, here.
  • GibsonDunn briefing on The Road Ahead: DOJ and Federal Enforcement in the Trump Administration predicts a Southern California centered FCPA matter will be concluded by year end.
  • 10th Annual SEC & DOJ HOT TOPICS 2017 — Current Developments Materially Affecting Corporations, Financial Institutions, Individuals organized by Sandpiper Partners LLP and program developed by PwC, notes GibsonDunn partner Deb Yang listed as potential SEC Commissioner.
  • Jay Rosen weekend report update.
  • Catch up on the week’s top FCPA compliance and ethics storylines, events and issues with This Week in FCPA.