Third parties are still perceived as the most prominent high-risk area for companies. Beyond bribery and corruption, areas such as modern slavery and human trafficking, data privacy, information security and cybersecurity, and anti-money laundering now require integrated third-party risk assessment and planning.

Compliance and data privacy law thought leader Kristy Grant-Hart, CEO of Spark Compliance Consulting, offers an innovative approach and an inspiring perspective in this conversation.

Major takeaways discussed in the episode:

  • Bribery and Corruption: This remains the most significant problem because of the general business population’s perception that what a third party does on your behalf is not your problem. Because some countries’ laws take that position, it has built the sensibility that “if I didn’t do it, then it doesn’t matter.”
  • Due Diligence Integration: Every company is different; however, it is crucial to apply a comprehensive and consistent approach to conducting due diligence across all risk categories when appointing third parties and maintaining relationships with them.
  • Scoping: Define the degree of risk to be reviewed and identify the most probable high-risk scenarios, basing the scope on the quantitative measures already available, such as the Corruption Perceptions Index (CPI) score and the Trafficking in Persons Report. That is where you start, so that you are looking at the right risk with the right tools.
  • Digital Assets: Many parts of the business are not working together on third-party onboarding, and the problem is often that they do not necessarily want to work together. Technology-enabled solutions let you see clearly and effectively across the entire risk spectrum.

The “Nuts and Bolts” for Creating a Comprehensive Compliance Plan 

The first chapter of this unique work lays out a succinct yet thorough 31-day approach to operationalizing a company’s compliance regimen. Beginning with a section on what 2020 brought to the compliance landscape, the chapter methodically outlines best practices for everything from establishing policies, procedures, and internal controls, to assessing risk, training, handling investigations, and more. Each day ends with three key takeaways you can implement at little or no cost.

Understanding Compliance Responsibility Across the Organization

The Compliance Handbook also takes a close look at the roles of all professionals with compliance responsibility, from Compliance Officers and Boards of Directors to Human Resources, Internal Audit and Internal Controls, and Communications and Training professionals.

In-Depth Treatment of Hot Topics and Trends

The Handbook provides an in-depth look at the latest thinking and trends for the full range of critical compliance topics, including:

  • Compliance and business ventures
  • Third-party risk management
  • The Board’s Role in Compliance
  • Continuous improvement
  • Compliance innovation
  • And much more

Order your copy OR copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Save 25% off.

http://www.lexisnexis.com/fox25


The Human Resources and Compliance departments play a crucial role in building a healthy workplace culture that lets a company stay relevant and succeed.

Many organizations have significant structural deficiencies that leave the gap between Compliance and H.R. unbridged. Most often there is a failure to define roles and responsibilities, which confuses management and makes the two functions look inefficient or redundant.

Like a well-oiled machine, a company runs seamlessly when the H.R. and compliance functions are in sync and compatible, with authority, resources, and procedures set strategically and without overlap.

To further explore this underutilized relationship, I spoke with one of the truly unique people in the compliance space: Amii Barnard-Bahn, an executive coach, strategic advisor, and keynote speaker described by Forbes as “one of the top coaches for legal and compliance executives.”

She brings an H.R. professional’s transparency to the compliance function to help accelerate the success of compliance and legal executives.

Major takeaways discussed in the episode:

  • Compliance officers should be aware of the Human Resources functions, such as recruitment, the annual employee life cycle, performance reviews, and compensation. Being involved in these processes helps ensure that the company is hiring the right people and holding to strong ethical standards. Left unchecked, conflicts of interest can be embedded as early as the employment application.
  • Set up a Helpline rather than a hotline; the term is friendlier and less intimidating. Doing so gives people the confidence to speak up comfortably, raise questions, and report misconduct without fear. Encouraging transparency in the workplace builds a belief that the company takes action. More calls mean more confidence that organizational justice can be served.
  • Positional authority is not the way to go and will not be useful in the future workplace. The pandemic has shown how the dynamics have changed; good leadership and influence skills are what get things done. Compliance officers should keep this in mind going forward.
  • Modern workers stay longer at a company they are proud of and that they feel is doing good work. The compliance department should look at strategies and steps for reaching out and connecting with employees, and for participating in, if not taking a stand on, necessary and impactful causes.

DOWNLOAD the FREE Promotability Index® by Amii Barnard-Bahn. 

Text the word PROMOTEME to 44-222.

About Thomas Fox: 

Thomas Fox, the Compliance Evangelist®, is one of the leading writers, thinkers, and commentators on anti-bribery and anti-corruption compliance. In this latest edition of The Compliance Handbook, he continues to arm seasoned compliance professionals and those new to the realm with the practical, actionable guidance and tools needed to design, create, implement and continually enhance a best practices compliance program.


Incorporating Current Government Pronouncements

The Second Edition incorporates the most current government pronouncements governing best practices compliance programs, including the 2019 Evaluation of Corporate Compliance Programs released by the Fraud Section of the Department of Justice, and its 2020 Update; the updated FCPA Resource Guide 2nd edition; the Framework for OFAC Compliance Commitments; and the 2019 DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust.


Internal Controls

Internal controls are the processes, rules, and practices an organization uses to keep its corporate governance accurate, foster transparency, and prevent fraud. They can improve operating performance by increasing the accuracy and reliability of financial statements, promoting compliance with laws and regulations, and discouraging employees from embezzling assets or committing fraud.

In another uber-treat episode of The Compliance Handbook, I invited Karen Woody to talk about the role of internal controls in compliance.

Key takeaways discussed in the chapter:

  • Understand why internal controls are compared to smoke alarms that go off when wrongdoing is happening.
  • Dive deeper into the four keys of internal controls for compliance and learn how to use each of them in pursuit of an ethical company.
  • Recognize that internal controls can change, evolve, and grow as the bad actors get more sophisticated, and see how your organization can implement a dynamic policy.
  • Wade through the COSO 2013 Internal Controls Framework and consider whether the same policies will work for your organization.
  • Learn how the SEC views internal controls and why there are SEC internal control enforcement actions that do not involve bribery.
  • Draw lessons from some failures of internal controls.

COSO was adopted in 1992 as a framework on which to design, and then test the effectiveness of, internal controls. In 2010 it was deemed necessary to update the framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenge whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe the SEC will use it to review a company’s compliance internal controls. Over this five-part series I have been exploring the five COSO Objectives and how they relate to a best practices compliance program. Today I conclude with a discussion of Objective V, Monitoring Activities.

The Framework Volume says:

Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.

However, as with all other components of the COSO Cube, Monitoring Activities are part of an interrelated whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so, as the COSO 2013 Internal Controls Framework reinforces.

In a 2014 Corporate Compliance Insights article, entitled “Implementing COSO’s 2013: 10 Questions that Need to be Answered”, Ron Kral explained it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are ‘functioning.’ Remember that all relevant principles must be present and functioning for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” What Kral says of ICFR (internal control over financial reporting) is equally, if not more, true for your company’s compliance function.

The Monitoring Activities objective consists of two principles: 1) The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning; and 2) the organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the Board of Directors, as appropriate.

Principle 16: Ongoing evaluation. Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple: ongoing monitoring and periodic separate evaluations (auditing) are complementary tools for testing the effectiveness of your compliance regime, and the same is true of internal controls. This Principle clearly expects your organization to engage in both types of oversight, monitoring and auditing.

For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. Start from a baseline understanding of your underlying compliance risk, and consider a current risk assessment or other evaluation of business changes against that baseline. Whatever you select will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments, and objectively evaluated.

Principle 17: Evaluation and communication of deficiencies. This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken.” If that does not sound like McNulty Maxim No. 3, “What did you do when you found out about it?”, I do not know what does.

For this Principle, the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the Board or Compliance Committee, correct and then monitor the corrective action going forward. I would urge that every key internal compliance control in support of the 17 Principles should, as noted by Kral, be reviewed “by management in terms of their adequacy of design and operating efficiency.”

Discussion. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring a) recognizes the dynamics of change within an organization, and b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.

The most important item to note is that all the controls need to be sustainable. You cannot build one-off controls without a process in place to monitor every control you need to cover. Controls cannot be one and done, yet many companies will find that their initial approach to all of this is exactly that.

There must also be a mechanism in place for communicating which controls do not work or can readily be overridden. From there, you must be able to remediate your controls. This aligns with the compliance professional’s requirement to prevent, detect and remediate going forward.

I hope you have enjoyed this special five-part series on the COSO Framework for Internal Controls and how it lays out for a compliance program. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase at http://www.lexisnexis.com/fox25 with the code FOX25. The Compliance Handbook, 2nd edition, will be available in both print and eBook editions.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2021

COSO was adopted in 1992 as a framework on which to design, and then test the effectiveness of, internal controls. In 2010 it was deemed necessary to update the framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenge whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe the SEC will use it to review a company’s compliance internal controls. Over this five-part series I will be exploring the five COSO Objectives and how they relate to a best practices compliance program. Today I take up Objective IV, Information and Communication.

The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. With the addition of those specific objectives, the COSO 2013 Internal Controls Framework now specifically provides controls to address compliance with laws and regulations. Every compliance professional needs to understand what the COSO 2013 Internal Controls Framework requires and be able to show adherence to it, or justify an exception, should the SEC send a letter asking for evidence of the company’s compliance with the internal controls provisions of the FCPA.

The objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Larry Rittenberg says that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to develop, create and implement policies and procedures, those policies should be communicated downward in the organization, and there should be feedback up the organization regarding this process. Further, Rittenberg notes, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

Principle 13: Use of relevant and quality information. The Framework Volume makes clear that this Principle relates to ‘relevant’ information and not simply reams and reams of data for data’s sake. For the CCO or compliance practitioner this means that you need to identify relevant data, which can be both internal and external. The hard part is to move that data to actionable information. The Volume goes on to detail several categories of both internal and external information which can be a good starting point to be used as sources from which management can generate “useful information to relevant internal controls.”

Principle 14: Communicate internally. This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process.”

Under this Principle you will need to determine whether the Board has a downward mechanism that gets its relevant instructions to the CCO or compliance function, and whether the CCO or compliance function communicates upward to the Board. Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication I referred to above, to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15: Communicate externally. This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites the need for companies to communicate with third parties about relevant Code of Conduct or similar documents which might apply to them. He also points to the example of hotline information that could be provided to a third party so it can report any compliance-related issues. But beyond a company sharing its relevant compliance information with contracted third parties, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls… and regulatory communication.”

Discussion. Obviously, there must be communications up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.

Information and Communication requires a wide range of information to go up and down the corporate chain. A 2014 Corporate Compliance Insights article by Ron Kral, entitled “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13”, relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program. A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional, there is “no single recipe” for success, so you can bring a wide range of talents, skills and imagination to bear on this objective.

Joe Howell noted “communication internally is how you establish the communications with your sales organization, with your sales operations. How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, and your internal auditors and your external auditors and the board, to give the Audit Committee of the Board comfort that the company has put in place the right levels of controls.”

Join us tomorrow for Objective V, Monitoring Activities. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase at http://www.lexisnexis.com/fox25 with the code FOX25. The Compliance Handbook, 2nd edition, will be available in both print and eBook editions.
