Welcome to CCI Magazine_March
changes, and its location changes from the United States to somewhere in Asia. Clearly, you should have a control for when a whole third party changes jurisdiction. Well, SOX people have a control for vendor changes, but they’re not thinking about it from a jurisdiction perspective; SOX systems will just Ĵ²Řʞ�ʼ¥ñ²ļÕŕÕİʞ�ļñ²ļʿĴ�čĔļ�ţč²čËõ²ĆĆŘ� relevant. We only care about bank accounts or email addresses.” But changing a vendor’s whole country — that should throw up some other ļŘĭÕ�Ĕê�ËĔČĭĆõ²čËÕ�Ť²ë�ÕŕÕč�õê�õļʿĴ� čĔļ�ţč²čËõ²ĆĆŘ�İÕĆÕŕ²čļʣ� All the while, however, somebody had to make that jurisdiction change, and somebody probably had to approve it. But the accounts payable team isn’t thinking about that from an FCPA perspective. MK: How has thinking about internal control changed over the past 20 years, when we started Ŗõļñ�c¦�ËĔČĭĆõ²čËÕ�²čÑ�ţč²čËõ²Ć� controls, and now it’s so much more? �ʝ� When SOX compliance ţİĴļ�ÊÕ˲ČÕ�²�ļñõčë�ɿɽ�ŘÕ²İĴ� ago, technology was so different. You might have had a mainframe Ĕİ�ËÕčļݲĆ�ĴÕİŕÕİ�Ŗõļñ�ţč²čËõ²Ć� õčêĔİČ²ļõĔčʞ�ĭĆŁĴ�ĆĔļĴ�Ĕê�čĔčʴ technical information that was analyzed and reviewed. Now we have everything in the cloud, either your IT infrastructure or your own. Controls are changing to keep pace with that new technology — but they’re not changing fast enough. The technology has evolved in a way that controls haven’t. We have an enormous amount of controls that Ĵõļ�õč�ţč²čËÕ�²čÑ�²ËËĔŁčļõčëʣ MK: How should controls evolve?
China as part of one long trip to China.) But this all happened because a manager just pushed all that paperwork through — and that’s what you can’t control. You can’t control somebody just pushing the button on an expense report and pushing it through. When I ţč²ĆĆŘ�êĔŁčÑ�õļʞ�õļ�ļĔĔă�ČÕ�ĆÕĴĴ�ļñ²č� 10 minutes to spot the fraud, but this employee had been exploiting weak review controls for about 18 months. MK: Let’s bring all this back to ĭÕİñ²ĭĴ�ËĔČĭĆõ²čËÕ�ĔêţËÕİĴʮ�ļĔĭ� concern, violations of the Foreign Corrupt Practices Act. How would you, an auditor, look at an FCPA violation? What goes wrong with internal controls to let that violation happen? �ʝ� ¥õļñõč�²İʲčÕĴʴcŗĆÕŘʞ�ļñÕİÕ� are guaranteed to be controls over ²ËËÕĴĴ�ļĔ�ļñÕ�ŕÕčÑĔİ�Č²ĴļÕİ�ţĆÕʞ� access to purchase orders, access ļĔ�Ëñ²čëÕ�ļñÕ�ŕÕčÑĔİ�Č²ĴļÕİ�ţĆÕ� or purchase orders and so forth. All these controls should be in place for any mature — and even ²č�õČČ²ļŁİÕ�ʲ�&|�ʮÕčļÕİĭİõĴÕ� resource planning] software system. So I’d ask compliance professionals, what is the difference between an FCPA violation and a fraudulent payment made to a vendor? What’s different in the control set for those two risks? MK: Nothing, right? �ʝ� Nothing. In both cases, we’re talking about access to certain data, changes to certain data and procedures that may have been perfectly followed but ultimately that resulted in a payment to a third ĭ²İļŘ�Ĕİ�²�ëĔŕÕİčČÕčļ�ĔêţËõ²Ć�ļñ²ļ� never should have been made.
MK: So how are compliance ĔêţËÕİĴ�ĴŁĭĭĔĴÕÑ�ļĔ�ļñõčă�²ÊĔŁļ� that? Should they be thinking, “Yikes, we have an FCPA violation, we need better policies and a stronger tone at the top,” or thinking, “Yikes, we need to redesign our access controls to the vendor Č²ĴļÕİ�ţĆÕʬʔ� �ʝ� We need to step back and understand that the controls set for a compliance violation is probably not that different — is probably identical, really — to the control set for SOX compliance, but nobody’s looking at transactions that would qualify as compliance violations through the lens of controls that should already be in place. MK: OK, you lost me. Can you give a more tangible example? �ʝ� Sure. It’s a lot like SOX compliance and cybersecurity. They would seem to be very different ţÕĆÑĴʞ�ÊŁļ�ËŘÊÕİĴÕËŁİõļŘ�ļñİÕ²ļĴ�²İÕ� trying to get improper access and make unauthorized changes to your systems. Well, IT controls for SOX are supposed to assure that only authorized users make authorized changes, which are then reviewed independently by someone else. It’s really all the same. FCPA, ²İʲčÕĴʴcŗĆÕŘʞ�Ѳļ²�ĭİõŕ²ËŘʞ� cybersecurity — for all of them, you need to take a step back and say, “Do we have the robust access controls in place to manage these risks? And if we do, how do we review those technical access controls — and there’s our management review issue again — so that we can detect suspicious activities?” MK: I’d still like an even more tangible example. �ʝ� Say that a vendor name
Q&A: 20 years of SOX compliance
corporatecomplianceinsights.com | 23
Made with FlippingBook Ebook Creator