COSO was adopted in 1992 as a framework providing the basis to design and then test the effectiveness of internal controls. In 2010, it was deemed necessary to update this framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenged whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use it to review a company’s compliance internal controls. Over this five-part series, I will be exploring the five COSO Objectives and how they relate to a best practices compliance program. Today, I take up Objective IV, Information and Communication.

The COSO 2013 Internal Controls Framework defines internal controls, from bottom to top, with the following Objectives: a) Control Environment, b) Risk Assessment, c) Control Activities, d) Information and Communication, and e) Monitoring. With the addition of those specific objectives, the COSO 2013 Internal Controls Framework now specifically provides controls to address compliance with laws and regulations. Every compliance professional needs to understand what is required under the COSO 2013 Internal Controls Framework and be able to show adherence to it, or justify an exception, if they receive a letter from the SEC asking for evidence of their company’s compliance with the internal controls provisions of the FCPA.

The objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Larry Rittenberg says that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they should be communicated downward in the organization and there should be feedback up the organization regarding this process. Further, Rittenberg notes, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

Principle 13: Use of relevant and quality information. The Framework Volume makes clear that this Principle relates to ‘relevant’ information and not simply reams and reams of data for data’s sake. For the CCO or compliance practitioner this means that you need to identify relevant data, which can be both internal and external. The hard part is to move that data to actionable information. The Volume goes on to detail several categories of both internal and external information which can be a good starting point to be used as sources from which management can generate “useful information to relevant internal controls.”

Principle 14: Communicate internally. This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process.”

Under this Principle you will need to determine whether the Board communicates in a downward mechanism that gets its relevant instructions to the CCO or compliance function, and if the CCO or compliance function communicates upwards with the Board. Note that this principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15: Communicate externally. This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent example for the CCO or compliance practitioner when he cites the need for companies to communicate with third parties about the relevant Code of Conduct or similar documents which might apply to them. He also points to the example of information about a hotline that could be provided to a third party to report any compliance related issues. But beyond a company sharing its relevant compliance information with contracted third parties, this principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls… and regulatory communication.”

Discussion. Obviously, there must be communications up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.

Information and Communication requires a wide range of information to go up and down the corporate chain. A 2014 Corporate Compliance Insight article by Ron Kral, entitled “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13”, relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program. A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success so you can bring a wide range of talents, skills and imagination to bear on this objective.

Joe Howell noted “communication internally is how you establish the communications with your sales organization, with your sales operations. How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, and your internal auditors and your external auditors and the board, to give the Audit Committee of the Board comfort that the company has put in place the right levels of controls.”

Join us tomorrow for Objective V, Monitoring Activities. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook, 2nd edition, will be available in both print and eBook editions.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2021

COSO was adopted in 1992 as a framework providing the basis to design and then test the effectiveness of internal controls. In 2010, it was deemed necessary to update this framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenged whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use it to review a company’s compliance internal controls. Over this five-part series, I will be exploring the five COSO Objectives and how they relate to a best practices compliance program. Today, I take up Objective III, Control Objectives.


“Control Activities may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.” The concept of a “second set of eyes” is directly enshrined in this objective. Finally, control activities should be performed at all levels in the business process cycle within an organization, and this speaks directly to the operationalization of your compliance program.

Principle 10: Selects and develops control activities. Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.”

Principle 11: Selects and develops general controls over technology. The Framework Volume recognizes the dependency between the use of technology in business processes and compliance control. The use of technology will only become greater and more important going forward. I would certainly expect the SEC to focus on a company’s use of technology in any evaluation of its overall compliance program. Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business processes. To do so, you will need to consider your technology infrastructure around compliance internal controls and the security management of the same, and then use this information to obtain and implement the most appropriate technology around your compliance internal controls.

Principle 12: Control activities established through policies and procedures. This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly, it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”

Discussion. While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives and the corporate functions in your organization. It is your control environment and then risk assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.

From a financial reporting perspective, the objective requires that you put in place accounting processes, revenue recognition tools, contract management systems and other accounting tool sets and software to manage your process. This easily translates into the compliance realm as well. This draws you into the whole technology issue and portends an enormous amount of information to be provided by the entity.

Joe Howell has explained that, in the financial realm, “if you’re dealing with the cost to acquire contracts, you may well have all of the contract information in your accounting systems but you have never before had to go get that commission information and some of these other COSO elements.” Such data will be scattered literally across the globe, so you need to have controls over both the accumulation of the data and the attestation that it is the right set of data. This is in many ways more challenging, and it is the difference between pulling a band aid off all at once or pulling it off slowly.

This requires two separate processes, so you need to be able to reconcile those two and to get the auditors and yourselves comfortable with the controls over the accumulation and the reporting of that information. This process will typically require many changes to IT systems and the technologies involved, and it requires that controls be in place for the disclosures you need to make and for the reconciliation of those disclosures.

This objective requires that you have new ways of capturing and gathering information, confirming its accuracy and completeness, and controlling how it is reported. The Control Activities regarding the policies and procedures needed are certainly an important consideration going forward.

Join us tomorrow for Objective IV, Information and Communications. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook, 2nd edition, will be available in both print and eBook editions.


Companies need to be more innovative when it gets down to compliance. Thus, compliance practitioners should ensure that ethics and compliance are central to the business operation in response to today’s evolving and fast-paced regulatory environment. Consequently, compliance programs should be innovative, behavior-based, yet consistent with organizational systems and policies.

However, one weakness of many compliance officers is that they have legal professional backgrounds: the majority come from the general counsel’s office or private practice. Frankly, innovation is not high on the list of what most compliance officers are taught. Instead, they were schooled in the Socratic method, reading cases and learning how to argue points.

So, how can a Corporate Compliance Officer think about an innovation strategy for any risk management program?

Ben Locwin, a well-known innovator in a wide variety of fields, is here to shed some light on Innovation in Compliance.

Key takeaways discussed in the episode:

  • Understand that connecting innovation and compliance is the pursuit of the truth hidden in the false positives and the false negatives.
  • Come to know that there’s a marked difference between innovation and invention. Innovating the compliance infrastructure is always much more straightforward than creating something from scratch.
  • Recognize that we’re drowning in data but thirsting for information. Updating your beliefs with better data will always lead to better risk management outcomes.
  • Change the way you’re looking at information so that you can position your company at the leading edge of what’s accurate and correct.
  • Be reminded that the paradigm is changing; companies don’t stay static, and people’s behavior doesn’t stay static. Thus, continuous monitoring leads to constant improvement.

COSO was adopted in 1992 as a framework providing the basis to design and then test the effectiveness of internal controls. In 2010, it was deemed necessary to update this framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenged whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use it to review a company’s compliance internal controls. Over this five-part series, I will be exploring the five COSO Objectives and how they relate to a best practices compliance program. Today, I take up Objective II, Risk Assessments.


Objective II is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume notes, “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process, as it must consider both internal and external changes which can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes, and of changes that its business model may make in the delivery of goods or services, which could increase the risk of running afoul of these laws.

The objective of Risk Assessment consists of four principles.

Principle 6: Suitable objectives. Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis on which your risk assessments are approached.

Principle 7: Identifies and analyzes risk. Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions “Risk identification must be comprehensive.”

Principle 8: Fraud risk. Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense accounts, fraudulent third party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means that fraud should be treated as an important part of the risk analysis. It is important that any company follow the flow of money and, if the Fraud Triangle is present, that management controls be placed around such risk.

Principle 9: Identifies and analyzes significant change. It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.

Discussion. The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Internal Controls Framework. Obviously, risk assessments are a cornerstone of a best practices compliance program as laid out in the 2020 FCPA Resource Guide and in the DOJ’s Evaluation. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.

Join us tomorrow for Objective III, Control Objectives. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook, 2nd edition, will be available in both print and eBook editions.


COSO was adopted in 1992 as a framework providing the basis to design and then test the effectiveness of internal controls. In 2010, it was deemed necessary to update this framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenged whether a company has effective internal controls. While the COSO 2013 Internal Controls Framework is designed for financial controls, I believe that the SEC will use it to review a company’s compliance internal controls. Over this five-part series, I will be exploring the five COSO Objectives and how they relate to a best practices compliance program. In this blog post, I consider Objective I, Control Environment.


The first of the five objectives is the control environment, and it sets the tone for the implementation and operation of all other components of internal control. It begins with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees. The five principles of the control environment objective are as follows:

Principle 1: Commitment to integrity and ethical values. What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or another baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, this requires an auditor to be able to assess whether a company has met its commitments to ethics and compliance and whether that commitment can be effectively measured and assessed.

Principle 2: Board independence and oversight. This principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively to manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

Principle 3: Structures, reporting lines, authority and responsibility. This may not seem as obvious, but it is critical that a compliance reporting line go up through and to the Board. Under this principle, you will need to consider all the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Principle 4: Attracting, developing and retaining competent individuals. This principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures, and any demonstrated shortcomings must be addressed. This principle next turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. A company must be able to demonstrate to an auditor, through its compliance policies and, equally importantly, its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and, more generally, employees who accept the company’s general principle of doing business ethically and in compliance.

Principle 5: Individuals held accountable. This is the “stick” principle. A company must show that it enforces compliance accountability through its compliance structures, authorities and responsibilities. A company must establish appropriate compliance performance metrics and incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly, a company must also consider the pressures that it sends through off-messaging. Finally, each employee must be evaluated on his or her compliance performance, coupled with both rewards and discipline for employee actions around compliance. This principle requires evidence that can demonstrate to an auditor that there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives, there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

Discussion. Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight are essential to this objective because the committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under SOX 404(a), as required under Principles 1 and 2. The external auditors must then be satisfied that this requirement is met. Further, there must be evidence that the company has appropriate disclosure controls in place, because that is central to the objective itself. This is all tested against Board independence and committee oversight over those activities that management has undertaken, and against their engagement and conversations with their external auditor.

Under Principle 3, structures, reporting lines, authority and responsibility are essential to the recognition of revenue. An entity’s internal controls over financial reporting must show that there are processes, policies and documentation in place; that the authority for, and documentation of, the judgments being made is established; and that there is review of those responsible for making the ultimate judgments about the recognition of revenue and the recognition or timing of revenue and expenses.

Under Principle 4, a business must attract and develop, and then retain, competent talent. Of course, this is good business as well. But it is more than simply maintaining appropriate levels of staffing; as Howell stated, you must put in place the right team and give the team the right tools, but also ensure the team has the ability to access the right level of technical accounting talent and business process and controls talent to make the judgments.

This ties into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence that they have been able to accumulate, that the company has analyzed that evidence, and that it has gone through the process of comparing this to the COSO 2013 Internal Controls Framework and to the spirit of the standard. Individuals are being held responsible for having done that properly. I think that when you tie all that back together and come to the control environment, COSO Principle 1 can be completely tied back to what is being required.

Join us tomorrow for Objective II, Risk Assessments. For more detailed information about the COSO Framework specifically and internal controls more generally, check out The Compliance Handbook, 2nd edition, which is available for presale purchase. Use the code FOX25 and go here. The Compliance Handbook, 2nd edition, will be available in both print and eBook editions.
