Welcome to CCI Magazine_March

Introducing...CCI Magazine: a digest for today's GRC professional. It's your HQ for GRC happenings, headlines and "heard on the street." Enjoy this complimentary copy!

MARCH 2024

A Digest for Today’s Governance, Risk & Compliance Professional

Does your compliance program channel Rube Goldberg? You may be doing too much — or not enough.

Noun or Verb? Defining "control": harder than you think

Cautionary Tale: UK Post Office botched internal investigation

All that and more in this inaugural issue +

VOLUME 1, ISSUE 1

CCI MEDIA GROUP PUBLISHER: Sarah Hadden
CCI MEDIA GROUP EDITORIAL DIRECTOR: Jennifer L. Gaskin
GUEST EDITOR: Matt Kelly
CONTRIBUTORS: Shaf Sohail (Forensic Risk Alliance), Aaron Rubens (Kudoboard), Chris Audet (Gartner)

CCI supports the important work of compliance professionals by providing a platform to those who speak and write with courage and authority. We publish original articles, including guest posts, industry whitepapers, podcasts, videos and eBooks. Columnists and contributing writers are subject matter experts and thought leaders who provide insight, opinion and tactical guidance on topics relating to compliance, risk, internal audit and information security. Our readership also includes boards of directors, HR and the C-suite. Our online audience is global, and readership includes seasoned professionals as well as those who are new to a career in compliance.

If you're visiting CCI for the first time, subscribe to get top GRC news in your inbox once a week. If you're interested in writing for CCI or sharing content, here's how to do that. If you're sharing GRC industry news regarding products, services, job openings or events, here are ways to connect with CCI's audience. Suggestions, queries and feedback of any kind? Drop us a line.

CCI Media Group is an independent news organization with a mission to educate and encourage informed interaction within the global GRC community. Founded in 2010, CorporateComplianceInsights.com is the company's flagship enterprise, a global online news source and knowledge-sharing forum. CCI Media Group is the parent company of CCI Press and publisher of CCI Magazine.

Introducing

2024

Visit LRN.com for more information and to download the report

@2024 LRN. All rights reserved. All brand, product, service names, and logos are trademarks and/or registered trademarks of their respective manufacturers and companies.

For more of LRN's insights, please visit LRN.com.

From the publisher: Why a magazine?

Because we thought it would be fun. That's the absolute truth. It sounded like fun. We took our cue from CCI wellness editor Lisa Beth Lentini Walker, who advises teams to pick a word to serve as an intention or theme for the year. In late December, Jennifer L. Gaskin, CCI's editorial director and lead designer, suggested "fun."

Dodging burnout and staying passionate about work comes from learning, growing and exploring, so why not seek a new way to connect with our readers? It occurs to me that producing a magazine in addition to overseeing CCI's daily operations might not have been what she had in mind. Nevertheless, Jennifer has been the driving force behind this project and her creativity and dedication have shaped the very essence of CCI Magazine. Her ability to curate content that resonates with our audience every week, while pushing the boundaries of what's possible in digital publishing, is nothing short of remarkable. I am beyond lucky to work alongside someone of her caliber.

Guess who else had fun? Our first guest editor: Matt Kelly, editor and CEO of Radical Compliance. Known for his snarky but insightful journalism, Matt writes with authority and wisdom, bringing a unique voice and perspective to our inaugural issue. Under his editorial guidance, this issue not only tackles critical themes but does so with a depth and clarity that challenge us to think differently. Collaborating with Matt has been an honor, and his contributions have set a high bar for the content we aspire to publish.

Luis Moreno Martinez, our artist, has created something truly special here. His original artwork, incorporating a Rube Goldberg machine concept to visually represent the complexities of internal controls, wraps around Matt Kelly's articles in a way that is both innovative and enlightening. Luis's ability to translate complex ideas into compelling visual narratives is exceptional. Showcasing original talent like his is a testament to our commitment to creativity and innovation in all forms.

To the entire team who poured their hearts into this project: thank you. It's been a hell of a good time. Let's do it again next month, shall we?

Sarah Hadden
Publisher, CCI Magazine & CCI Media Group

Welcome

corporatecomplianceinsights.com | 3

CONTENTS

6-7 Seen & Heard: Keep up with compliance industry, media and influencer news

9 What's In a Name? Can you define "control?" Are you sure? Matt Kelly, guest editor

13 Under Control (COVER STORY): An effectively balanced compliance program means threading the needle between "hard" and "soft" controls. Matt Kelly, guest editor

4 | March 2024

CCI Magazine

20-24 Sarbanes-Oxley Is 20 Years Old. What Have We Learned? Q&A with Brian Tremblay of CFGI, who has spent most of his career thinking about effective internal controls

25-27 Post Mortem: A series of internal investigations failures ruined hundreds of lives in the UK. Shaf Sohail of Forensic Risk Alliance explores what good faith means in internal probes.

29-35 Leadership & Career: First, Aaron Rubens of Kudoboard explores the warning signs of a toxic culture. Then, from the CCI archives, Gartner's Chris Audet tells incoming CCOs what they need to do in their first 100 days.

What else is in this issue? Keep up with compliance career news with Movers & Shakers (36-37) and explore vendor news and more in the GRC News Notebook (38-39).

Credits: 1, 13-15: Luis Moreno Martinez for CCI Magazine; 9, 11: Elimende Inagella via Unsplash; 20-21: Jennifer L. Gaskin, CCI Magazine; 25-26: Graham Corney and Alena Veasey via Shutterstock; 29: Image generated using AI; 30-31: Via Shutterstock; 33: CCI Media file art

In this issue


Seen & Heard

Compliance industry, media and influencer news compiled by the staff of CCI Magazine

By now you know that The FCPA Blog has ceased operations. Founded in 2007 by Richard Cassin and later steered by his son, Harry Cassin, the highly respected blog was the first online resource devoted to the FCPA. It offered a platform to writers passionate about anti-corruption, and it created a tight-knit community in the process. The blog launched writers, guided law students and helped give a generation of compliance officers tools — and courage — to battle fraud and corruption. You'll encounter a dead link if you try to reach the blog today, but if you visited in its final weeks, you encountered poignant epilogues by contributing editors Andy Spalding, Jessica Tillipman, Elizabeth Spahn, Tom Fox, Julie DiMauro, Russell A. Stamets and Richard Bistrong. Last week was perhaps your last chance to copy and save any favorite articles, as the Cassins haven't indicated any plans to preserve a publicly searchable archive and reportedly declined offers to sell the domain or archives, including one offer from an academic institution, sources say. The blog's closing is a sad farewell to what was considered by many to be the first and finest example of independent journalism in compliance.

Other shifts in the C&E media landscape include SCCE CEO Gerry Zack's recent announcement that SCCE will drop the print version of its members-only magazines. Compliance & Ethics Professional (CEP) and HCCA's Compliance Today magazines have converted to digital-only publications.

In other GRC blog and content news, Joe Murphy's "Ideas and Answers" column has become a popular fixture for his followers on LinkedIn. Murphy posts tips and advice weekly, and his editorial board includes Kaplan & Walker's Rebecca Walker and Jeff Kaplan, who happens to be hard at work these days on a revised and updated version of his popular eBook, scheduled for re-release later this year. Kaplan's Compliance and Ethics Risk Assessment (CCI, 2104) was also updated in 2019. Another "Ideas and Answers" contributor is Adam Balfour (Bridgestone Americas), known for, among other things, his #SundayMorningComplianceTips on LinkedIn and Ethics & Compliance for Humans (CCI Press, 2023). Balfour's becoming a frequent speaker on the lecture circuit and is scheduled to address an audience at Caterpillar Inc. later this month.

Fellow CCI Press author Mary Shirley (Masimo) has hardly set her microphone down since the release of Living Your Best Compliance Life (CCI Press, 2023). Her schedule includes multiple speaking engagements and two adjunct professor gigs (George Mason University and Fordham School of Law). Shirley's off to Amsterdam in March to address audiences at SCCE's European Compliance and Ethics Institute and in April, she'll be in D.C. to lead a book-centric workshop at the Compliance Week National 2024 conference. The cherry blossoms will be in bloom then, coordinating rather nicely with her book cover. Coincidence? Surely not.

And speaking of events (and speaking at events), you've heard by now that CCI publisher Sarah Hadden is partnering with Nick James of UK-based GRC World Forums to launch a series of in-person GRC events in the United States this year. The collaboration got underway last fall in London, and already the team has launched three U.S. events for 2024 — complete with a sparkly roster of speakers and sponsors. GRCWF's James is widely known as the producer of #RISK London, the largest GRC conference in the UK. Also offering thought leadership and collaboration to this effort are Michael Rasmussen (GRC Report and GRC 20/20) and the folks from OCEG. The series kicks off with GRC Connect in Chicago on April 16-17, then it's off to Atlanta on May 22-23. The series ends with #RISK New York, which is Dec. 2-3 at the fabulous Metropolitan Pavilion. Popular speakers already tapped for one or more events in the series are Matt Kelly, Fernanda Beraldi and Gwen Hassan.

Are you sensing a surge in more intimate, right-sized gatherings this year? We're hearing more about hyper-local compliance meet-ups. Cocktails, usually — speakers and agendas, sometimes. Maybe coming soon to a city near you? Gitanjali Sakhuja and Amy Mertz Brown recently hosted another social in D.C. (Miller & Chevalier Chartered offered their digs for the party). Sakhuja refers to the recurring socials as a "community bringing together practitioners and students around this profession who love it as much as we do" and a place to "meet others who might uncover shared interests, invite opportunities for conversation and get intentional in making connections."

A similar spirit of connection is the hallmark of recurring get-togethers of the Southern California Compliance and Ethics Roundtable (SOCCER). "Sometimes the events are about learning, sometimes it's just fun," says organizer Jay Rosen. Are you hosting something in your neck of the woods? Add it to CCI's calendar here.

PHOTO COURTESY GITANJALI SAKHUJA: Seen here enjoying the D.C.-area compliance social are Lisa Fine, Rebeka Spires, Ann Sultan, Amy Mertz Brown, Grace Wu De Plaza, Gregory Bates, Mary Markowicz and others.

We do a lot of things for love. Publishing CCI isn't one of them. Advertising keeps the lights on and pays our small-but-mighty team of journalists, researchers, developers and designers. We're neither owned nor controlled by a corporation or vendor, and we don't generate leads for ourselves because we're not a consultancy or service provider. This keeps our coverage neutral and independent. And free! Subscriptions and paywalls aren't part of our business model. Sneaky, deceptive "native" advertising isn't, either. When we have an advertising relationship with a content contributor, we disclose it. If we invite you to click on a link that would provide us with a commission, we disclose it. If we suggest you download a report and we're planning to share your email address with a third party, we disclose it — and we secure your permission. Our data privacy and data governance standards are impeccable, because we work in compliance, yeah? Read our privacy policy to learn more.

Have a tip to share? Got the inside scoop on the next big trend in the compliance world? Share the details of your compliance industry news or events by emailing editor@corporatecomplianceinsights.com.

CCI Magazine staff reports


Guest editor's note: Welcome; let's get working

Matt Kelly, Guest Editor; Editor & CEO, Radical Compliance

When Corporate Compliance Insights asked me to be guest editor of its first-ever digital magazine, my first reaction was, of course, to feel honored. Then I was pleased, because this honor gives me the opportunity to put some of the tough questions about corporate compliance front and center. For example, why do so many compliance programs struggle?

Don't get me wrong. Compliance officers work hard to build the best compliance programs they can. At the same time, we keep seeing one example after another of compliance program failures. Something breaks down between the program on paper, with the wonderfully crafted policies and the resoundingly rich tone at the top; and the program in practice, with red flags ignored or controls overridden or violations undetected. Too often, that thing breaking down is a company's internal controls.

So that's what I wanted to examine in this inaugural edition of the magazine. Our cover story unpacks the various types of internal controls a compliance program might use and how a compliance officer can figure out the right combination for maximum effectiveness, while a Q&A with a seasoned internal auditor offers some SOX insights and a top 10 list helps identify common internal controls pitfalls and how to avoid them (my personal fave is No. 6). In between, the magazine will also have other news, analysis, graphics and multimedia goodies to help corporate compliance officers understand what's going on in our field and how they can build a better compliance program.

We hope you enjoy this issue — the team plans to bring you more throughout the year. Now let's get to work. — Matt Kelly


OPINION | Internal controls

Control: Noun or Verb? Getting philosophical on internal controls

Matt Kelly, Guest Editor

One of my most mortifying moments as a compliance commentator happened one day in July 2018. I was speaking at an ethics and compliance event in Houston, and another speaker stumped everyone — me included — with a deceptively simple question: What is a control?

After all, compliance officers talk about controls constantly. Effective controls are the lifeblood of what makes a compliance program work. Most of us can rattle off examples of controls, or recognize a control when we see one. Then my fellow speaker had to get all philosophical on us: What is a control? Nobody dared answer. We all were suddenly uncertain that we could define a control correctly.

The speaker who posed this question, Jonathan Marks, is a prolific thinker on all things forensics, audit and internal control. Marks has a shtick of asking audit and compliance audiences to define a control — and, to his dismay, most people can't.

Before I give you Marks' definition, let me offer what raced through my head when he put the question to me: An internal control is something a company uses that's intended to reduce the chance of an unwanted risk outcome. I deliberately kept my definition broad, because a control can take many forms: a software routine that blocks a payment to unapproved parties; a policy (with certification required) against bribing foreign government officials; a speech from the CEO assuring employees that it's better to miss your monthly sales quota than fix a contract. Those examples are all different in form and substance — but controls they all are. In sequence, they are a transaction control (block the payment), a process control (train employees) and an entity control (senior executive issues guidance on corporate priorities). They all work together toward the objective of reducing corruption risk.

Still, my definition is based on examples more than anything else. I know a control when I see it — but is that the same as understanding the abstract concept of a control and how one fits into a compliance program?

Enter the Marks definition

Over the years, Marks has formalized his own definition of a control. It is as follows. "A process of interlocking activities that use properly designed policies and procedures which are preventive, corrective, directive, corroborative, along with training and continuous monitoring, to assure the achievement of an organization's objectives in operational effectiveness and efficiency, generating reliable (complete and accurate) books and records in compliance with laws, regulations and policies, which ultimately reduces risk of fraud, waste and abuse."

That definition is a mouthful, but it hits on all the right points, including the most important one right in the top line. An internal control is a process of interlocking activities that use properly designed policies and procedures. The rest is all correct but is more about helping you to understand what a control does. His opening lines explain what an internal control is: It's a process. It does something.

That might be why people hesitate to define a control. Our brains hear "define a control" and instinctively we envision a noun — a thing unto itself. In everyday language, we say sentences like, "This control isn't working" or "We need stronger internal controls in our accounting process," as if we could deliver an extra shipment of internal controls to the door of some weak business process like relief workers air-dropping supplies onto a suffering population.

That's not what really happens, however. What really happens is that we adjust the weak business process to (ideally) make it stronger. If the process is particularly bad — one might even call it materially weak — we make multiple adjustments at once. That's what Marks captures in his opening line: An internal control is a process rather than a thing, and the raw materials the process uses are policies and procedures. The mission of the audit or compliance executive is to see that those raw materials are properly designed so that they work together effectively and the internal control then fulfills its mission.

Other control definitions

Marks' definition of internal control didn't emerge from a vacuum. The COSO framework for internal control and federal securities law have their own definitions, too; and those definitions long preceded Marks. For example, Section 13(b)(2)(B) of the Exchange Act defines four elements of internal control, a system of internal accounting controls sufficient to provide reasonable assurances that:

• Transactions are executed with management's general or specific authorization.
• Transactions are recorded as necessary (i) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements and (ii) to maintain accountability for assets.
• Access to assets is permitted only in accordance with management's general or specific authorization.
• The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

Those four elements are good as far as they go, but they pertain only to financial reporting and accounting fraud. Do they work for books-and-records expectations around the Foreign Corrupt Practices Act? Yes, although you have to beware of materiality thresholds: What's material for corporate financial statements (a few percentage points of a line item's total value) will generally be much larger than a bribe that could lead to FCPA enforcement. The greater problem with the SEC's definition is that it applies to financial concerns only. It won't be much help to define internal control for, say, cybersecurity, harassment or reputation risk — although effective internal control is crucial for all three.

COSO, meanwhile, has this definition from its internal control framework: A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Marks' definition clearly descends from COSO's concept. COSO's definition is more versatile than the statutory definition in the Exchange Act. Still …

Useful elements

What I like about Marks' definition is that it frames internal control as interlocking activities — that is, multiple steps the company takes, all reinforcing each other to reduce a risk to some acceptable level. That's something compliance officers can easily grasp. Especially if you are, say, rolling out a new policy stressing ethical values, while implementing new documentation requirements for approval of overseas intermediaries and training employees on the importance of using the whistleblower hotline. All of those things are supposed to work together toward a single goal: reducing your company's FCPA risk.

Marks also stresses the importance of properly designed policies and procedures. That point matters, especially to compliance officers who come from a legal background and might not be as versed in control design as someone from an audit background.

We use shorthand phrases in ethics and compliance all the time, "internal control" perhaps more than any other. It's good to know what that phrase actually means before we go putting it to use in organizations all over the place.


ADVERTISEMENT

2024 Top 10 Risk and Compliance Trends Expert Predictions & Guidance

Get the eBook

ctrl+
How a market spoofing scandal underscores the gap between clever compliance plans and real-world practice

Matt Kelly, Guest Editor

Internal controls make the modern corporation succeed in meeting its compliance obligations. But lean too far into hard, technical controls and you risk alienating your people. Rely too heavily on soft controls and your compliance function may end up toothless. Oh, and you need to make sure your controls, both hard and soft, can integrate into your corporate culture.

Sometimes profound lessons about corporate compliance emerge from obscure places. Such was the case in November, when a securities firm was sanctioned for dabbling in a trading practice most compliance officers have probably never heard of.

The firm in question was Bank of America Securities, fined $24 million by FINRA, the principal regulator for broker-dealer firms. The improper conduct was "spoofing," where a trader places bogus orders he has no plans to fulfill, to deceive other market participants into trading at a time, price or amount that they otherwise wouldn't. In this case, two Bank of America traders were spoofing the market for U.S. Treasury securities for years.

Bank of America did have written policies and procedures against spoofing; it just didn't implement proper surveillance or supervisory reviews for spoofing for years. When it finally did, those surveillance and review measures didn't match how employees could actually trade on Bank of America platforms.

So what's the profound lesson here? It's not about spoofing per se but rather about how Bank of America had weak internal controls to enforce its policies and procedures. Time and again, in one industry after another, that's the issue for compliance officers. Your company has policies and procedures that look great (Bank of America's did), but the controls to put those policies and procedures into force don't work as intended. Maybe the controls were designed poorly. Maybe you have too many of one type of control and not enough of another. Maybe the nature of your transactions or technology raced ahead of what your controls can do. Regardless of the exact reason, internal controls are where compliance officers need to focus their attack. Internal controls are what makes the modern corporation succeed at its compliance obligations.


"Clearly the role of compliance officers is evolving," says Jonathan Marks, a partner at BDO who has spent years thinking and writing about what internal controls should be able to do. "Designing business processes that incorporate compliance controls, so that you can identify violations — that requires a deep understanding of both the legal landscape and your organization's operational framework."

Oh. Is that all?

Striking the right balance of internal controls

Internal controls can be divided into types. In one camp are so-called "hard" controls (also known as technical controls), embedded directly into a company's IT systems to prevent certain transactions from happening unless pre-defined conditions are met. For example, configuring your company's accounting software to block payment to any third party that hasn't submitted a complete set of due diligence documentation.

An obvious question arises here. Couldn't — shouldn't, even — companies rely on technical controls to enforce compliance standards? That is, you could combine extensive documentation requirements with technical controls in your company's ERP systems to choke off suspicious payments. Or you could block access to certain IP addresses to prevent cybersecurity attacks. Or you could decline to process transactions for customers that haven't provided complete onboarding documentation. The theme in all those scenarios (and others) is that compliance is boiled down to a binary state of affairs, which lets your IT system act as an automatic gatekeeper. In theory, that's a neat idea; it's scalable, auditable and cheaper than using humans.

On the other hand, too many technical controls makes your business a miserable place to work. Employees spend more time chasing down documentation and approvals, rather than closing sales or developing products. When people sneer at the compliance function as the Department of No or a cost center — this is one of the reasons why. "If you muck up the process, what ends up happening is that people override the internal controls," Marks says. "There needs to be some balance there."

That brings us to another group of internal controls: "soft" controls, such as a code of conduct, written policies, ethics training, internal reporting hotlines and the like. These controls are meant to encourage employees toward certain standards of behavior, although they can't stop an employee from doing anything. Only hard controls do that. The challenge, of course, is to figure out the right balance of hard and soft controls for your business and corporate culture.


"When you say 'more controls,' you're basically saying, 'We trust you less,'" says Leslie Boles, who runs healthcare compliance consulting firm Revu Healthcare and previously ran audit and compliance for WCP Healthcare. "The biggest factor we miss when we talk about the implementation of controls is employee education. It's equally important."

Boles raises a subtle but important point. Soft controls are more about fostering trust between employee and employer. They encourage the employee to behave in certain ways, with the implied threat of disciplinary action; but they still treat employees as part of the solution as the company strives toward its ethics and compliance objectives. Hard controls treat employees as, at least potentially, part of the problem.

Boles worries that too many compliance officers ("new compliance officers in particular") err on the side of hard controls in their organization. They find a risk and impose a control to block it, without first pausing to consider whether a softer, more employee-friendly approach might achieve the same result without the uncompromising message that hard controls send. "They don't embed themselves in the culture; they embed themselves in the job — and that's the confusion," she says.

Now we're getting somewhere. The compliance officer embedding into the culture, controls that work to foster employee trust — that sounds a lot like the "culture of compliance" ideal that the U.S. Department of Justice and other regulators say they want to see.

Hard vs. soft controls

Compliance programs have two main control options, hard and soft. Hard controls consist of tangible processes, often automated, to force employees to follow certain laws, regulations or internal procedures. Soft controls, on the other hand, are more often behavioral, encouraging but not mandating certain behaviors.

Hard controls
• Role-based access control
• Encryption
• Transaction monitoring
• Physical security
• Segregation of duties
• Purchase limits
• Multifactor authentication
• Email filtering
• Application whitelisting
• Database activity monitoring

Soft controls
• Code of conduct/code of ethics
• Compliance training & awareness
• Tone at the top
• Peer support networks
• Mentorship programs
• Well-being at work
• Performance evaluations
• Employee assistance programs
• Unconscious bias training
• Integrity hotlines
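As an added illustration (not code from the article or from any company it names), the block below wires four of the hard controls in the sidebar into the kind of payment gate the story describes: a due-diligence completeness check, role-based access control, segregation of duties and a purchase limit. The vendor master, role table, approval limit and sample payment requests are constructed assumptions. Every failed control is recorded as a reason, so the decision log explains a block instead of refusing silently and can be read by a reviewer later.

```python
"""Preventive ("hard") payment controls in front of a payment run.
Constructed example: the vendor master, role table, limit and requests below
are invented sample data, not any company's real records."""
from dataclasses import dataclass, field
from typing import List

# Due-diligence gate: documents every third party must have on file before payment.
REQUIRED_DUE_DILIGENCE = {"questionnaire", "ownership_disclosure", "sanctions_screen"}
VENDOR_MASTER = {  # constructed
    "V-100": {"name": "Acme Logistics",
              "documents": {"questionnaire", "ownership_disclosure", "sanctions_screen"}},
    "V-200": {"name": "Harbor Agents Ltd", "documents": {"questionnaire"}},  # onboarding incomplete
}

# Role-based access control: only people holding "approver" may release a payment.
ROLES = {"alice": {"requester"}, "bob": {"approver"}, "carol": {"requester", "approver"}}

# Purchase limit (assumed): above this amount a second, distinct approver is required.
SINGLE_APPROVAL_LIMIT = 25_000.00


@dataclass
class PaymentRequest:
    request_id: str
    vendor_id: str
    amount: float
    requester: str
    approvers: List[str] = field(default_factory=list)


@dataclass
class Decision:
    request_id: str
    allowed: bool
    reasons: List[str]


def evaluate_payment(req: PaymentRequest) -> Decision:
    """Apply each hard control. All controls run (no early return) so the
    decision record shows every failed control, not just the first one."""
    reasons: List[str] = []

    # Control 1: due-diligence gate (the accounting-software example in the article).
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        reasons.append("unknown vendor")
    else:
        missing = REQUIRED_DUE_DILIGENCE - vendor["documents"]
        if missing:
            reasons.append("due diligence incomplete: " + ", ".join(sorted(missing)))

    # Control 2: role-based access control - each approver must hold the approver role.
    for person in req.approvers:
        if "approver" not in ROLES.get(person, set()):
            reasons.append(f"{person} lacks approver role")

    # Control 3: segregation of duties - the requester may not approve their own request.
    if req.requester in req.approvers:
        reasons.append(f"segregation of duties: {req.requester} requested and approved")

    # Control 4: purchase limit - large payments need two distinct approvers.
    distinct = set(req.approvers)
    if not distinct:
        reasons.append("no approval recorded")
    elif req.amount > SINGLE_APPROVAL_LIMIT and len(distinct) < 2:
        reasons.append(f"amount {req.amount:.2f} exceeds single-approval limit "
                       f"{SINGLE_APPROVAL_LIMIT:.2f} without a second approver")

    return Decision(req.request_id, allowed=not reasons, reasons=reasons)


def run_payment_batch(requests: List[PaymentRequest]) -> List[Decision]:
    """Gate a batch and return the decision log a management review would read."""
    return [evaluate_payment(r) for r in requests]


SAMPLE_BATCH = [  # constructed
    PaymentRequest("P-1", "V-100", 9_800.00, "alice", ["bob"]),
    PaymentRequest("P-2", "V-200", 4_000.00, "alice", ["bob"]),        # vendor not fully onboarded
    PaymentRequest("P-3", "V-100", 40_000.00, "carol", ["carol"]),     # self-approval, over limit
    PaymentRequest("P-4", "V-100", 40_000.00, "alice", ["bob", "carol"]),
]

if __name__ == "__main__":
    for d in run_payment_batch(SAMPLE_BATCH):
        print(d.request_id, "ALLOW" if d.allowed else "BLOCK", "; ".join(d.reasons))
```

Running the sample batch allows P-1 and P-4 and blocks P-2 (incomplete due diligence) and P-3 (self-approval and over the limit). The reasons list is the point: a gate that only says "no" is the Department of No the article warns about, whereas a gate that names the missing document or the missing second approver tells the employee what to fix.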


“When you say ‘more controls,’ you’re basically saying, ‘We trust you less.’ The biggest factor we miss when we talk about the implementation of controls is employee education. It’s equally important.” — Leslie Boles, Revu Healthcare partner

So really, building an effective system of internal controls is about analyzing business processes and corporate culture and then deciding where to place which controls (hard or soft) for maximum effect. It's a matter of studying business operations to identify where, and how, controls make the most sense. "If you don't understand the barriers, obstacles and hurdles to achieve the objective of the control, then the control is not designed appropriately," Marks says. OK, so how can compliance officers do that?

Working with internal audit

This is where an internal audit function can be invaluable, since assessing business processes for risk and recommending improvements is what they do. As we keep moving into a highly regulated world, where internal controls will need to be embedded into business processes, collaboration between compliance and internal audit will become a more crucial ingredient for success.

That can be easier said than done at large organizations, says Eric Young of Guidepost Solutions, who spent many years as chief compliance officer at BNP Paribas, JPMorgan and other financial firms. "There needs to be coordinated risk assessments, plus testing, priorities, scope and scheduling," he says. For example, internal audit teams might only review compliance programs once every few years, or they may have a different set of priorities about which controls to review. And if you want to use internal audit more as an in-house consultant, helping to analyze business processes, some audit teams might get fussy about whether that undermines their independence.

Boles says much the same. Internal audit teams typically have an audit plan and want to follow it, she says, but that plan might not connect to the company's compliance risks or the chief compliance officer's sense of what's important. Auditors struggle with diverse processes, she warns. Too often, "we don't understand the process. It's broken down by different areas, by different managers' personalities, on different days. So the company might have a policy that doesn't take into account all these breakdowns in the operational process." It's yet another example of how compliance programs can look great on paper and still not work in reality.

A final word on the humans

There is one way in which hard controls, soft controls and corporate culture all come together. As we keep moving to a digitally transformed world full of automated workflows, where hard controls are baked directly into business processes — that's going to throw off data about the controls' performance. Some manager somewhere in your organization will need to review that data about the control's performance and decide whether everything is following the compliance program's plan; or raise alerts when something isn't. A successful management review control, however, rests on two assumptions: (1) the manager knows what anomalies he or she is supposed to look for; and (2) that the manager actually cares about strong compliance program performance.

Well, isn't that a matter of training and incentivizing the manager to care about ethics and compliance? Isn't it a matter of forging strong bonds with the manager, so that they want the whole organization to succeed — and succeed the right way — as much as the manager wants to succeed personally? So maybe, as much as we need to focus on the challenges of effective internal control, those effective internal controls still need a strong corporate culture to succeed. Funny how that point keeps cropping up.

Matt Kelly is editor and CEO of Radical Compliance and formerly was editor of Compliance Week.

BEHIND THE HEADLINES: Bank of America's $24M fine

In November, FINRA announced it had fined a unit of Bank of America $24 million, alleging that two former traders spent years taking advantage of ineffective internal controls systems. The two traders, one a junior trader and the other a supervisor at Bank of America Securities, conducted more than 700 spoof trades between 2014 and 2021, FINRA said.

Spoofing is a type of fraudulent trading involving the use of orders that the trader doesn't intend to actually execute, creating a false appearance of activity on one side of the market to induce trades other participants would not otherwise execute. BofA Securities was accused of cascading compliance failures, including first not having any system for detecting spoofing and then designing a system that was easily gamed by the two former traders, one of whom received criminal penalties for his actions. FINRA said:

"From at least October 2014 through September 2022, BofA Securities failed to establish and maintain a supervisory system reasonably designed to detect spoofing in U.S. Treasury markets. BofA Securities did not have a supervisory system to detect spoofing in Treasuries until November 2015; until mid-2019, that system was deficient in that it was designed to detect spoofing by trading algorithms, not manual spoofing by its traders, like the 717 instances addressed in the settlement. In addition, until at least December 2020, BofA Securities' surveillance did not capture orders its traders entered into certain systems provided by external venues. Lastly, BofA Securities did not supervise for potential cross-product spoofing in Treasuries through September 2022."

BofA Securities settled with FINRA, though it did not admit nor deny the charges, and in a statement to Reuters the bank said it was improving surveillance and training. The junior trader, Tyler Forbes, was accused of placing 194 spoof trades before being fired in 2019, Reuters reported, and he later pleaded guilty to manipulating Treasury prices and was sentenced to two years of supervised release. The former supervisor, Sidney Lebental, was accused of placing 523 spoof trades. He left Bank of America in 2021 and faces a FINRA disciplinary proceeding.


Ten Ways Your Internal Controls Go Wrong

Building an effective system of internal control — for financial reporting, privacy, anti-corruption, supply chain management or anything else — is no easy task. Below are 10 bad habits that compliance officers should avoid, either while designing internal controls or using them to execute your compliance program on an ongoing basis.

1. Your policies are written in a generic way. When a regulation says your company must adopt written policies and procedures, don’t simply copy the language of the rule, paste it into your employee manual, and declare it a policy. Policies should be written to reflect how employees at your organization actually work.

2. You fail to consider the diversity of processes across your enterprise. An approval process that works in your North America division might not work in your much smaller Latin America division; a due diligence procedure that’s straightforward in EMEA might be impractical in Asia-Pacific. Think about how different parts of the enterprise operate, and craft controls that reflect those realities.

3. You don’t sufficiently train employees on controls. Every new technical control you introduce should be accompanied by training of some kind (a formal course, a short video from the CCO or some other material) that explains why the control is necessary and how employees should interact with it.

4. Your management review controls are inefficient. Management review controls should have a manager review exceptions to policy or the overall performance of automated controls. If the manager must review every transaction, they will quickly be overwhelmed and be more likely to rubber-stamp every request.

5. The managers reviewing controls aren’t sufficiently skilled or trained to spot fraud. Managers (especially first-time managers or managers new to your company) might not know how to identify the seemingly endless number of fraud or corruption schemes employees might concoct. Be sure they have the training they need or that anti-fraud teams double-check their work.

6. You fail to update controls when the enterprise or workforce changes. As companies expand or contract, old internal controls (policies, approval processes, management reviews) might no longer fit the business. For example, you might have a two-person approval process and then go through layoffs, consolidating those two roles into one person. The short-term solution is to introduce a compensating control, but don’t let that become a crutch; review the design of your controls to find and correct weak spots.

7. Your segregation of duties is flawed. This means that you haven’t organized your company’s workflows properly, so some roles might have overlapping duties that allow people to commit fraud or corruption. Try seeking help from internal audit, your external auditor or some other analyst who could identify those conflicting duties and help you separate them to reduce risk.

8. Too many controls are in the wrong place. Internal controls first arose in the finance and accounting functions, but modern organizations need internal controls across IT and operations as well. For example, you might have numerous approval controls for payments — but not enough IT controls to stop someone from altering software to circumvent the control. Or you might have plenty of process-level controls (such as due diligence policies) but too few entity-level controls (audits to confirm that a subsidiary isn’t simply overriding those policies).

9. You don’t audit your controls sufficiently. Internal controls should be tested often to be sure that they are designed properly and work as intended. Testing should happen at least annually, and after any major technology or workforce change.

10. Leadership doesn’t stress the importance of controls remediation. Audit findings left unaddressed send the signal that management doesn’t care about rigorous internal controls — so your weak internal controls continue to fester, and lower-level employees are more tempted to take advantage of that poor control environment. The top doesn’t just need to set a good tone; it needs to take action, too.

Top 10 list by Matt Kelly

20 YEARS of SOX Compliance

Ethics & compliance lessons from two decades of Sarbanes-Oxley

Matt Kelly, Guest Editor

Some corporate compliance professionals might be too young to remember it, but many moons ago — actually, more like 2004 — the word “compliance” first and foremost meant financial compliance, with the newly enacted Sarbanes-Oxley Act. Internal controls were all about tracking revenue and expenses, who accessed which accounts at what time and how managers could really know that corporate assets were used as management intended. Since then, the scope of corporate compliance has expanded enormously to include anti-corruption, cybersecurity, data privacy, third-party risk management and more. At the heart of all those issues, however, the goal is still the same: to build a set of internal controls that can assure employees follow the rules and use corporate assets as intended.

So what lessons can today’s ethics and compliance professionals learn from 20 years of Sarbanes-Oxley compliance? To explore that question, I talked with Brian Tremblay, who is a managing director at CFGI, a consulting firm that works on audit and compliance issues (among many other things). Tremblay previously held jobs as a corporate internal audit executive, compliance practice leader at a cybersecurity firm and Big 4 audit associate. Most importantly, he has plenty to say about effective internal controls.

Matt Kelly: Ethics and compliance officers often think in terms of “hard controls,” such as ERP systems blocking payments to third parties that haven’t been properly onboarded, and “soft controls,” such as tone at the top, policies, codes of conduct and so forth. Do you, coming from the audit side, see internal controls in the same way?

Brian Tremblay: I agree with the concept of hard controls and soft controls, although I might say that “hard” controls are “technical” controls, where technology enforces them, and “soft” controls are tone at the top and whistleblower hotlines and all those things that most companies have. The other thing that came to mind, however — the thing that sits between hard controls and soft controls — are review controls.

MK: What do you mean by that?

BT: That’s where somebody, some individual, has the responsibility to look at the performance of a hard control — a report or something like that, for example — to make sure that the outcomes are what the company is expecting. So you have a hard control producing a result, or a person performing a control, and you also have somebody else reviewing and making sure that those controls work appropriately. That can be someone responsible for tone at the top,

Matt Kelly + Brian Tremblay
