Welcome to CCI Magazine_March
business a miserable place to ŖĔİăʣ�&ČĭĆĔŘÕÕĴ�ĴĭÕčÑ�ČĔİÕ�ļõČÕ� chasing down documentation and approvals, rather than closing sales or developing products. When people sneer at the compliance function as the Department of No or a cost center — this is one of the reasons why. “If you muck up the process, what ends up happening is that people override the internal controls,” Marks says. “There needs ëİĔŁĭ�Ĕê�õčļÕİč²Ć�ËĔčļİĔĆĴʝ�ʼĴĔêļʽ� controls, such as a code of conduct, written policies, ethics training, internal reporting hotlines and the like. These controls are meant to encourage employees toward certain standards of behavior, although they can’t stop an employee from doing anything. Only hard controls do that. The challenge, of course, is to ţëŁİÕ�ĔŁļ�ļñÕ�İõëñļ�Ê²Ć²čËÕ�Ĕê�ñ²İÑ� and soft controls for your business and corporate culture. to be some balance there.” That brings us to another
hasn’t submitted a complete set of due diligence documentation. An obvious question arises here. Couldn’t — shouldn’t, even — companies rely on technical controls to enforce compliance standards? That is, you could combine extensive documentation requirements with technical ËĔčļİĔĆĴ�õč�ŘĔŁİ�ËĔČĭ²čŘʿĴ�&|� systems to choke off suspicious payments. Or you could block access to certain IP addresses to prevent cybersecurity attacks. Or you could decline to process transactions for customers that haven’t provided complete onboarding documentation. The theme in all those scenarios (and others) is that compliance is boiled down to a binary state of affairs, which lets your IT system act as an automatic gatekeeper. In theory, that’s a neat idea; it’s scalable, auditable and cheaper than using humans. On the other hand, too many technical controls makes your
“Clearly the role of compliance ĔêţËÕİĴ�õĴ�ÕŕĔĆŕõčëʞʽ�Ĵ²ŘĴ�QĔč²ļñ²č� Marks, a partner at BDO who has spent years thinking and writing about what internal controls should be able to do. “Designing business processes that incorporate compliance controls, so that you can identify violations — that requires a deep understanding of both the legal landscape and your organization’s operational framework.” Oh. Is that all? Striking the right balance of internal controls Internal controls can be divided õčļĔ�ļŘĭÕĴʣ�Eč�ĔčÕ�˲Čĭ�²İÕ�ĴĔʴ called “hard” controls (also known as technical controls), embedded directly into a company’s IT systems to prevent certain transactions êİĔČ�ñ²ĭĭÕčõčë�ŁčĆÕĴĴ�ĭİÕʴÑÕţčÕÑ� conditions are met. For example, ËĔčţëŁİõčë�ŘĔŁİ�ËĔČĭ²čŘʿĴ� accounting software to block payment to any third party that
ctrl +
corporatecomplianceinsights.com | 15
Made with FlippingBook Ebook Creator