We are back to consider the next five stories from The Casebook of Sherlock Holmes, mining each story for themes and lessons related to the compliance professional, leadership and business ethics. In this week’s second offering, I consider The Problem of Thor Bridge. From this story we take the Holmes utterance “We must look for consistency. Where there is want of it, we must suspect deception”. This informs our discussion on monitoring controls.

In this story, Neil Gibson, the Gold King, approaches Holmes to investigate the murder of his wife Maria in order to clear his children’s governess, Grace Dunbar, of the crime. Maria Gibson was found lying in a pool of blood on Thor Bridge with a bullet through the head and a note from the governess, agreeing to a meeting at that location, in her hand. A recently discharged revolver with one shot fired is found in Miss Dunbar’s wardrobe. Holmes agrees to look at the situation in spite of the damning evidence.

From the outset, Holmes observes some rather odd things about the case. How could Miss Dunbar so coolly and rationally have planned and carried out the murder and then carelessly tossed the murder weapon into her wardrobe? What was the strange chip on the underside of the bridge’s stone balustrade? Why was Mrs. Gibson clutching the note from Miss Dunbar when she died? If the murder weapon was one of a matched pair of pistols, why couldn’t the other one be found in Mr. Gibson’s collection?

Holmes uses his powers of deduction to solve the crime, and demonstrates, using Watson’s revolver, how it was perpetrated: Mrs. Gibson, outraged and jealous of Miss Dunbar’s relationship with her husband, resolved to end her own life and frame her rival for the crime. After arranging a meeting with Miss Dunbar, requesting her to leave her response in a note, Mrs. Gibson tied a rock on a piece of string to the end of a revolver, and shot herself, the rock pulling the revolver over the side of the bridge; the revolver found in Miss Dunbar’s wardrobe was the other pistol of the pair, which had been fired off in the woods earlier, and the chip in the bridge was caused by the pistol hitting the stonework as it was pulled off by the rock. Holmes’s reconstruction reproduces the damage to the balustrade of the bridge. He asks the police to drag the lake for the revolvers of Watson and Gibson.

How do you determine that want of consistency? Monitoring controls is one key. The fifth and final Objective from the COSO [Committee of Sponsoring Organizations of the Treadway Commission] 2013 Internal Control Framework is Monitoring Activities. The Framework Volume says:

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Dr. Larry E. Rittenberg states this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the Chief Compliance Officer (CCO) or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future as is reinforced in the COSO 2013 Internal Controls Framework.

In a 2014 Corporate Compliance Insights article, entitled “Implementing COSO’s 2013: 10 Questions that Need to be Answered”, Ron Kral explained it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are ‘functioning.’ Remember that all relevant principles must be present and functioning for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

The Monitoring Activities objective consists of two principles: 1) The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning; and 2) the organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.

Principle 16: Ongoing evaluation. Your monitoring should be ongoing as noted in the recently released Department of Justice (DOJ) Evaluation of Corporate Compliance Programs, 2019 Guidance. The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle clearly expects your organization to engage in both types of oversight, that being monitoring and auditing.

For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select, it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated.

Principle 17: Evaluation and communication of deficiencies. This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken.”

For this Principle, the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the Board or Compliance Committee, correct and then monitor the corrective action going forward. I would urge that every key internal compliance control in support of the 17 Principles should, as noted by Kral, be reviewed “by management in terms of their adequacy of design and operating efficiency.”

Discussion. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring a) recognizes the dynamics of change within an organization, and b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.

The most important item to note is that all the controls need to be sustainable. You cannot just build one-off controls and not have a process in place to help you monitor all the controls that you need to cover. Controls cannot just be a one and done. Many companies are going to find that their initial approach to all of this is one and done.

There must also be a mechanism in place for the communication of controls which do not work or can readily be over-ridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect and remediate going forward.

Join us tomorrow as we consider The Adventure of the Creeping Man.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019