Introducing...CCI Magazine: a digest for today's GRC professional. It's your HQ for GRC happenings, headlines and "heard on the street." Enjoy this complimentary copy!
MARCH 2024
A Digest for Today’s Governance, Risk & Compliance Professional
Does your compliance program channel Rube Goldberg? You may be doing too much — or not enough.
Noun or Verb? $ŧɭưƎưƁхШŘƺưǵǠƺƥЩϯхƉļǠşŧǠхǵƉļưхțƺǽхǵƉƎưƢ Cautionary Tale Áfх¢ƺǨǵхɫŘŧхŗƺǵŘƉŧǨхƎưǵŧǠưļƥхƎưȔŧǨǵƎƁļǵƎƺư
All that and more in this inaugural issue +
VOLUME 1, ISSUE 1
CCI MEDIA GROUP PUBLISHER Sarah Hadden CCI MEDIA GROUP EDITORIAL DIRECTOR Jennifer L. Gaskin GUEST EDITOR Matt Kelly tº¥TÁº¥ ϯх Shaf Sohail (Forensic Risk Alliance), Aaron Rubens (Kudoboard), Chris Audet (Gartner)
TхǨǽǝǝƺǠǵǨхǵƉŧхƎƮǝƺǠǵļưǵхȕƺǠƢхƺƀх ŘƺƮǝƥƎļưŘŧхǝǠƺƀŧǨǨƎƺưļƥǨхŗțхǝǠƺȔƎşƎưƁхļх ǝƥļǵƀƺǠƮхǵƺхǵƉƺǨŧхȕƉƺхǨǝŧļƢхļưşхȕǠƎǵŧх with courage and authority. We publish original articles, including guest posts, industry whitepapers, podcasts, ȔƎşŧƺǨ and ŧƺƺƢǨ . Columnists and contributing writers are subject matter experts and thought leaders ȕƉƺхǝǠƺȔƎşŧхƎưǨƎƁƉǵϮхƺǝƎưƎƺưхļưşхǵļŘǵƎŘļƥх guidance on topics relating to compliance, ǠƎǨƢϮхƎưǵŧǠưļƥхļǽşƎǵхļưşхƎưƀƺǠƮļǵƎƺưхǨŧŘǽǠƎǵțϭх Our readership also includes boards of şƎǠŧŘǵƺǠǨϮхO¥хļưşхǵƉŧхЗǨǽƎǵŧϭ Our online audience is global, and
readership includes seasoned professionals as well as those who are new to a career in compliance. TƀхțƺǽЩǠŧхȔƎǨƎǵƎưƁхTхƀƺǠхǵƉŧхɭǠǨǵхǵƎƮŧϮх subscribe to get top GRC news in your ƎưŗƺȚхƺưŘŧхļхȕŧŧƢϭ TƀхțƺǽЩǠŧхƎưǵŧǠŧǨǵŧşхƎưхȕǠƎǵƎưƁхƀƺǠхTхƺǠх sharing content, ƉŧǠŧЩǨхƉƺȕхǵƺхşƺхǵƉļǵϭх TƀхțƺǽЩǠŧхǨƉļǠƎưƁхG¥хƎưşǽǨǵǠțхưŧȕǨх ǠŧƁļǠşƎưƁхǝǠƺşǽŘǵǨϮхǨŧǠȔƎŘŧǨϮхƟƺŗхƺǝŧưƎưƁǨх ƺǠхŧȔŧưǵǨϮхƉŧǠŧхļǠŧхȕļțǨхǵƺх connect with TЩǨхļǽşƎŧưŘŧ . ǽƁƁŧǨǵƎƺưǨϮхǟǽŧǠƎŧǨхļưşхƀŧŧşŗļŘƢхƺƀхļưțх ƢƎưşϴх Drop us a line.
CCI Media Group is an independent news organization with a mission to educate and encourage informed interaction within the global GRC community. Founded in 2010, Corporate Compliance Insights.com is the ŘƺƮǝļưțЩǨхɮļƁǨƉƎǝхŧưǵŧǠǝǠƎǨŧϮх a global online news source ļưşхƢưƺȕƥŧşƁŧЗǨƉļǠƎưƁхƀƺǠǽƮϭх CCI Media Group is the parent company of CCI Press and publisher of CCI Magazine.
Introducing
2024
Visit LRN.com for more information and to download the report
@2024 LRN. All rights reserved. All brand, product, service names, and logos are trademarks and/or registered trademarks of their respective manufacturers and companies.
For more of LRN's insights, please visit LRN.com.
from the publisher W hy a magazine?
Because we thought it would be fun. That’s the absolute truth. It sounded like fun. We took our cue from CCI wellness editor Lisa Beth Lentini Walker, who advises teams to pick a word to serve as an intention or theme for the year. In late December, Jennifer L. Gaskin, CCI’s editorial director and lead designer, suggested “fun.”
Dodging burnout and staying passionate about work comes from learning, growing and exploring, so why not seek a new way to connect with our readers? It occurs to me that producing a magazine in addition to overseeing CCI’s daily operations might not have been what she had in mind. Nevertheless, Jennifer has been the driving force behind this project and her creativity and dedication have shaped the very essence of CCI Magazine. Her ability to curate content that resonates with our audience every week, while pushing the boundaries of what’s possible in digital publishing, is nothing short of remarkable. I am beyond lucky to work alongside someone of her caliber. ;ŁÕĴĴŖñĔÕĆĴÕñ²ÑêŁčʤcŁİţİĴļëŁÕĴļÕÑõļĔİʝ\²ļļSÕĆĆŘʞÕÑõļĔݲčÑ&c Ĕê²Ñõ˲ĆĔČĭĆõ²čËÕʣSčĔŖčêĔİñõĴĴč²İăŘÊŁļõčĴõëñļêŁĆāĔŁİč²ĆõĴČʞ\²ļļ writes with authority and wisdom, bringing a unique voice and perspective to our inaugural issue. Under his editorial guidance, this issue not only tackles critical themes but does so with a depth and clarity that challenge us to think differently. Collaborating with Matt has been an honor, and his contributions have set a high bar for the content we aspire to publish. Luis Moreno Martinez, our artist, has created something truly special here. His original artwork, incorporating a Rube Goldberg machine concept to visually represent the complexities of internal controls, wraps around Matt SÕĆĆŘʿĴ²İļõËĆÕĴõč²Ŗ²Řļñ²ļõĴÊĔļñõččĔŕ²ļõŕÕ²čÑÕčĆõëñļÕčõčëʣVŁõĴʿĴ²ÊõĆõļŘ to translate complex ideas into compelling visual narratives is exceptional. Showcasing original talent like his is a testament to our commitment to creativity and innovation in all forms. ĔļñÕÕčļõİÕļÕ²ČŖñĔĭĔŁİÕÑļñÕõİñÕ²İļĴõčļĔļñõĴĭİĔāÕËļʝļñ²čăŘĔŁʣEļʿĴ been a hell of a good time. Let’s do it again next month, shall we? Sarah Hadden Publisher, CCI Magazine & CCI Media Group Sara Publishe
Welcome
corporatecomplianceinsights.com | 3
CONTENTS
13
6-7 Seen & Heard Keep up with
9 What’s In a Name? ļưхțƺǽхşŧɭưŧх “control?” Are you sure? Matt Kelly, guest editor
Under Control COVER STORY ưхŧɪŧŘǵƎȔŧƥțхŗļƥļưŘŧşх compliance program means threading the needle between “hard” and “soft” controls. Matt Kelly, guest editor
compliance industry, ƮŧşƎļхļưşхƎưɮǽŧưŘŧǠх news
4 | March 2024
CCI Magazine
What else is in this issue? Keep up with compliance career news with rƺȔŧǠǨхҸх ƉļƢŧǠǨх (36-37) хļưşхŧȚǝƥƺǠŧхȔŧưşƺǠх news and more in the GRC News tƺǵŧŗƺƺƢхЉ͵ͺЗ͵ͻЊ . ǠŧşƎǵǨϯхͳϮхͳ͵ЗͳͷϯхhǽƎǨхrƺǠŧưƺхrļǠǵƎưŧȥх ƀƺǠхTхrļƁļȥƎưŧϰхͻϮхͳͳϯх.ƥƎƮŧưşŧх TưļƁŧƥƥļхȔƎļхÁưǨǝƥļǨƉϰхʹͲЗʹͳϯхdŧưưƎƀŧǠх hϭхGļǨƢƎưϮхTхrļƁļȥƎưŧϰхʹͷЗʹϯх GǠļƉļƮхƺǠưŧțхļưşхƥŧưļхØŧļǨŧțхȔƎļх ƉǽǵǵŧǠǨǵƺŘƢϰхʹͻϯхTƮļƁŧхƁŧưŧǠļǵŧşх ǽǨƎưƁхTϰх͵ͲЗ͵ͳϯхØƎļх ƉǽǵǵŧǠǨǵƺŘƢϰх͵͵ϯхTх rŧşƎļхɭƥŧхļǠǵ 20-24 Sarbanes-Oxley Is 20 Years Old. What Have We Learned? Q&A with Brian Tremblay of CFGI who has spent most of his career ǵƉƎưƢƎưƁхļŗƺǽǵхŧɪŧŘǵƎȔŧхƎưǵŧǠưļƥх controls
25-27 Post Mortem A series of internal ƎưȔŧǨǵƎƁļǵƎƺưǨхƀļƎƥǽǠŧǨх ruined hundreds of ƥƎȔŧǨхƎưхǵƉŧхÁfϭх Shaf Sohail of Forensic ¥ƎǨƢхƥƥƎļưŘŧхŧȚǝƥƺǠŧǨх what good faith means in internal probes.
29-35 Leadership & Career First Aaron Rubens of Kudoboard explores the warning signs of a toxic culture. Then, from the CCI ļǠŘƉƎȔŧǨϮхGļǠǵưŧǠЩǨх Chris Audet tells incoming CCOs what they need to do in ǵƉŧƎǠхɭǠǨǵхͳͲͲхşļțǨϭ
In this issue
corporatecomplianceinsights.com | 5
Compliance industry, media ļưşхƎưɮǽŧưŘŧǠхưŧȕǨхŘƺƮǝƎƥŧşх ŗțхǵƉŧхǨǵļɪхƺƀхTхrļƁļȥƎưŧ ƥļǵŧǠхǵƉƎǨхƮƺưǵƉϭх Fellow CCI Press author Mary Shirley хЉrļǨƎƮƺЊхƉļǨх ƉļǠşƥțхǨŧǵхƉŧǠхƮƎŘǠƺǝƉƺưŧх şƺȕưхǨƎưŘŧхǵƉŧхǠŧƥŧļǨŧхƺƀх hƎȔƎưƁхßƺǽǠхŧǨǵхƺƮǝƥƎļưŘŧх hƎƀŧхЉTх¢ǠŧǨǨϮхʹͲʹ͵Њ . Her ǨŘƉŧşǽƥŧхƎưŘƥǽşŧǨхƮǽƥǵƎǝƥŧх ǨǝŧļƢƎưƁхŧưƁļƁŧƮŧưǵǨхļưşх ǵȕƺхļşƟǽưŘǵхǝǠƺƀŧǨǨƺǠхƁƎƁǨх (George Mason University ļưşхFƺǠşƉļƮх ŘƉƺƺƥхƺƀхhļȕЊϭх ƉƎǠƥŧțЩǨхƺɪхǵƺхƮǨǵŧǠşļƮхƎưх March to address audiences at SCCE’s European Compliance and Ethics Institute and in April, she’ll be in D.C. to lead a book-centric workshop at the ƺƮǝƥƎļưŘŧхÙŧŧƢхtļǵƎƺưļƥх 2024 conference . The cherry ŗƥƺǨǨƺƮǨхȕƎƥƥхŗŧхƎưхŗƥƺƺƮх then, coordinating rather nicely with her book cover. Coincidence? Surely not. ưşхǨǝŧļƢƎưƁхƺƀхŧȔŧưǵǨх (and speaking at events), you’ve heard by now that CCI publisher Sarah Hadden is partnering with tƎŘƢхdļƮŧǨ хƺƀх UK-based GRC World Forums ǵƺхƥļǽưŘƉхļхǨŧǠƎŧǨхƺƀхƎưЗǝŧǠǨƺưх GRC events in the United States this year. The collaboration got ǽưşŧǠȕļțхƥļǨǵхƀļƥƥхƎưхhƺưşƺưϮх ļưşхļƥǠŧļşțхǵƉŧхǵŧļƮхƉļǨх launched three U.S. events ƀƺǠхʹͲʹͶхКхŘƺƮǝƥŧǵŧхȕƎǵƉхļх ǨǝļǠƢƥțхǠƺǨǵŧǠхƺƀхǨǝŧļƢŧǠǨхļưşх ǨǝƺưǨƺǠǨϭхG¥ÙFЩǨхdļƮŧǨхƎǨх widely known as the producer ƺƀх #RISK London , the largest G¥хŘƺưƀŧǠŧưŘŧхƎưхǵƉŧхÁfϭхƥǨƺх ƺɪŧǠƎưƁхǵƉƺǽƁƉǵхƥŧļşŧǠǨƉƎǝх
By now you know that The FCPA Blog has ceased operations. Founded in 2007 By Richard Cassin and later steered by his son, Harry Cassin , the highly respected ŗƥƺƁхȕļǨхǵƉŧхɭǠǨǵхƺưƥƎưŧх resource devoted to the FCPA. TǵхƺɪŧǠŧşхļхǝƥļǵƀƺǠƮхǵƺх writers passionate about anti- corruption, and it created a ǵƎƁƉǵЗƢưƎǵхŘƺƮƮǽưƎǵțхƎưхǵƉŧх process. The blog launched writers, guided law students and helped give a generation ƺƀхŘƺƮǝƥƎļưŘŧхƺɫŘŧǠǨхǵƺƺƥǨхКх ļưşхŘƺǽǠļƁŧхКхǵƺхŗļǵǵƥŧхƀǠļǽşх and corruption . You’ll encounter a dead link ƎƀхțƺǽхǵǠțхǵƺхǠŧļŘƉхǵƉŧхŗƥƺƁх ǵƺşļțϮхŗǽǵхƎƀхțƺǽхȔƎǨƎǵŧşхƎưхƎǵǨх ɭưļƥхȕŧŧƢǨϮхțƺǽхŧưŘƺǽưǵŧǠŧşх poignant epilogues by contributing editors Andy Spalding , Jessica Tillipman , Elizabeth Spahn, Tom Fox , Julie DiMauro , Russell A. Stamets and Richard Bistrong. Last week was perhaps your last chance to copy and save ļưțхƀļȔƺǠƎǵŧхļǠǵƎŘƥŧǨϮхļǨхǵƉŧх Cassins haven’t indicated any plans to preserve a publicly searchable archive and ǠŧǝƺǠǵŧşƥțхşŧŘƥƎưŧşхƺɪŧǠǨхǵƺх ǨŧƥƥхǵƉŧхşƺƮļƎưхƺǠхļǠŘƉƎȔŧǨϮх ƎưŘƥǽşƎưƁхƺưŧхƺɪŧǠхƀǠƺƮхļưх ļŘļşŧƮƎŘхƎưǨǵƎǵǽǵƎƺưϮхǨƺǽǠŘŧǨх say. The blog’s closing is a ǨļşхƀļǠŧȕŧƥƥхǵƺхȕƉļǵхȕļǨх ŘƺưǨƎşŧǠŧşхŗțхƮļưțхǵƺхŗŧх ǵƉŧхɭǠǨǵхļưşхɭưŧǨǵхŧȚļƮǝƥŧх
ƺƀхƎưşŧǝŧưşŧưǵхƟƺǽǠưļƥƎǨƮхƎưх ŘƺƮǝƥƎļưŘŧϭх ǵƉŧǠхǨƉƎƀǵǨхƎưхǵƉŧхʹхƮŧşƎļх landscape include SCCE CEO GŧǠǠțхéļŘƢ ’s recent ļưưƺǽưŘŧƮŧưǵ that SCCE ȕƎƥƥхşǠƺǝхǵƉŧхǝǠƎưǵхȔŧǠǨƎƺưхƺƀх ƎǵǨхƮŧƮŗŧǠǨЗƺưƥțхƮļƁļȥƎưŧǨϭх ƺƮǝƥƎļưŘŧхҸх.ǵƉƎŘǨх Professional (CEP ) and HCCA’s Compliance Today хƮļƁļȥƎưŧǨх have converted to digital-only publications. In other GRC blog and content news, Joe Murphy’s “Ideas and ưǨȕŧǠǨЧŘƺƥǽƮưхƉļǨхŗŧŘƺƮŧх ļхǝƺǝǽƥļǠхɭȚǵǽǠŧхƀƺǠхƉƎǨх ƀƺƥƥƺȕŧǠǨхƺưхhƎưƢŧşƎưϭ Murphy posts tips and advice weekly, and his editorial board includes Kaplan & Walker’s ¥ŧŗŧŘŘļхÙļƥƢŧǠ and dŧɪх Kaplan , who happens to be hard at work these days on a ǠŧȔƎǨŧşхļưşхǽǝşļǵŧşхȔŧǠǨƎƺưхƺƀх his popular eBook, scheduled ƀƺǠхǠŧЗǠŧƥŧļǨŧхƥļǵŧǠхǵƉƎǨхțŧļǠϭх Kaplan’s ƺƮǝƥƎļưŘŧхļưşх .ǵƉƎŘǨх¥ƎǨƢхǨǨŧǨǨƮŧưǵ (CCI, 2104) was also updated in 2019. Another “Ideas and Answers” contributor is Adam Balfour ЉǠƎşƁŧǨǵƺưŧхƮŧǠƎŘļǨЊϮхƢưƺȕưх ƀƺǠϮхļƮƺưƁхƺǵƉŧǠхǵƉƎưƁǨϮхƉƎǨх #SundayMorning ƺƮǝƥƎļưŘŧºƎǝǨхƺưхhƎưƢŧşTưх and .ǵƉƎŘǨхҸхƺƮǝƥƎļưŘŧхƀƺǠх OǽƮļưǨ (CCI Press, 2023). ļƥƀƺǽǠЩǨхŗŧŘƺƮƎưƁхļхƀǠŧǟǽŧưǵх speaker on the lecture circuit and is scheduled to address an audience at Caterpillar Inc.
6 | March 2024
Seen & Heard
CCI Magazine
ļưşхŘƺƥƥļŗƺǠļǵƎƺưхǵƺхǵƉƎǨхŧɪƺǠǵх are Michael Rasmussen (GRC Report and GRC 20/20) and the ƀƺƥƢǨхƀǠƺƮх OCEG . ºƉŧхǨŧǠƎŧǨхƢƎŘƢǨхƺɪхȕƎǵƉх GRC Connect in Chicago on April 16-17 ϮхǵƉŧưхƎǵЩǨхƺɪхǵƺхǵƥļưǵļх on May 22-23. The series ends with #RISK New York, which ƎǨх$ŧŘϭхʹЗ͵хļǵхǵƉŧхƀļŗǽƥƺǽǨх Metropolitan Pavilion. Popular ǨǝŧļƢŧǠǨхļƥǠŧļşțхǵļǝǝŧşхƀƺǠх ƺưŧхƺǠхƮƺǠŧхŧȔŧưǵǨхƎưхǵƉŧх series are Matt Kelly , Fernanda Beraldi and Gwen Hassan . Are you sensing a surge in ƮƺǠŧхƎưǵƎƮļǵŧϮхǠƎƁƉǵЗǨƎȥŧşх gatherings this year? We’re ƉŧļǠƎưƁхƮƺǠŧхļŗƺǽǵхƉțǝŧǠЗ ƥƺŘļƥхŘƺƮǝƥƎļưŘŧхƮŧŧǵЗǽǝǨϭх ƺŘƢǵļƎƥǨϮхǽǨǽļƥƥțхКхǨǝŧļƢŧǠǨх ļưşхļƁŧưşļǨϮхǨƺƮŧǵƎƮŧǨϭх rļțŗŧхŘƺƮƎưƁхǨƺƺưхǵƺхļхŘƎǵțх near you? GƎǵļưƟļƥƎх ļƢƉǽƟļ and Amy Mertz Brown recently hosted another social in D.C. (Miller & Chevalier Chartered ƺɪŧǠŧşхǵƉŧƎǠхşƎƁǨхƀƺǠхǵƉŧх party). ļƢƉǽƟļхǠŧƀŧǠǨхǵƺхǵƉŧхǠŧŘǽǠǠƎưƁх ǨƺŘƎļƥǨхļǨхļхЦŘƺƮƮǽưƎǵțх
PHOTO COURTESY GITANJALI SAKHUJA Seen here enjoying the D.C.-area compliance social are Lisa Fine, Rebeka Spires, Ann Sultan, Amy Mertz Brown, Grace Wu De Plaza, Gregory Bates, Mary Markowicz and others.
ƁŧǵЗǵƺƁŧǵƉŧǠǨхƺƀхǵƉŧх ƺǽǵƉŧǠưх ļƥƎƀƺǠưƎļхƺƮǝƥƎļưŘŧхļưşх Ethics Roundtable (SOCCER). Ц ƺƮŧǵƎƮŧǨхǵƉŧхŧȔŧưǵǨхļǠŧх ļŗƺǽǵхƥŧļǠưƎưƁϮхǨƺƮŧǵƎƮŧǨх ƎǵЩǨхƟǽǨǵхƀǽưϮЧхǨļțǨхƺǠƁļưƎȥŧǠх Jay Rosen . Are you hosting ǨƺƮŧǵƉƎưƁхƎưхțƺǽǠхưŧŘƢхƺƀх the woods? Add it to CCI’s calendar here.
bringing together practitioners and students around this ǝǠƺƀŧǨǨƎƺưхȕƉƺхƥƺȔŧхƎǵхļǨхƮǽŘƉх ļǨхȕŧхşƺЧхļưşхļхǝƥļŘŧхǵƺхЦƮŧŧǵх ƺǵƉŧǠǨхȕƉƺхƮƎƁƉǵхǽưŘƺȔŧǠх shared interests, invite ƺǝǝƺǠǵǽưƎǵƎŧǨхƀƺǠхŘƺưȔŧǠǨļǵƎƺưх ļưşхƁŧǵхƎưǵŧưǵƎƺưļƥхƎưхƮļƢƎưƁх connections.” хǨƎƮƎƥļǠхǨǝƎǠƎǵхƺƀхŘƺưưŧŘǵƎƺư ƎǨхǵƉŧхƉļƥƥƮļǠƢхƺƀхǠŧŘǽǠǠƎưƁх
ÙŧхşƺхļхƥƺǵхƺƀхǵƉƎưƁǨхƀƺǠхƥƺȔŧϭ ¢ǽŗƥƎǨƉƎưƁхTхƎǨưЩǵхƺưŧхƺƀхǵƉŧƮϭхşȔŧǠǵƎǨƎưƁхƢŧŧǝǨхǵƉŧх ƥƎƁƉǵǨхƺưхļưşхǝļțǨхƺǽǠхǨƮļƥƥЗŗǽǵЗƮƎƁƉǵțЗǵŧļƮхƺƀхƟƺǽǠưļƥЗ ƎǨǵǨϮхǠŧǨŧļǠŘƉŧǠǨϮхşŧȔŧƥƺǝŧǠǨхļưşхşŧǨƎƁưŧǠǨϭхÙŧЩǠŧхưŧƎǵƉŧǠх ƺȕưŧşхưƺǠхŘƺưǵǠƺƥƥŧşхŗțхļхŘƺǠǝƺǠļǵƎƺưхƺǠхȔŧưşƺǠϮхļưşх ȕŧхşƺưЩǵхƁŧưŧǠļǵŧхƥŧļşǨхƀƺǠхƺǽǠǨŧƥȔŧǨхŗŧŘļǽǨŧхȕŧЩǠŧхưƺǵх ļхŘƺưǨǽƥǵļưŘțхƺǠхǨŧǠȔƎŘŧхǝǠƺȔƎşŧǠϭхºƉƎǨхƢŧŧǝǨхƺǽǠхŘƺȔŧǠЗ age neutral and independent. And free! Subscriptions ļưşхǝļțȕļƥƥǨхļǠŧưЩǵхǝļǠǵхƺƀхƺǽǠхŗǽǨƎưŧǨǨхƮƺşŧƥϭх ưŧļƢțϮх şŧŘŧǝǵƎȔŧхЦưļǵƎȔŧЧхļşȔŧǠǵƎǨƎưƁхƎǨưЩǵϮхŧƎǵƉŧǠϭхÙƉŧưхȕŧхƉļȔŧх
ļưхļşȔŧǠǵƎǨƎưƁхǠŧƥļǵƎƺưǨƉƎǝхȕƎǵƉхļхŘƺưǵŧưǵхŘƺưǵǠƎŗǽǵƺǠϮхȕŧх şƎǨŘƥƺǨŧхƎǵϭхTƀхȕŧхƎưȔƎǵŧхțƺǽхǵƺхŘƥƎŘƢхƺưхļхƥƎưƢхǵƉļǵхȕƺǽƥşх ǝǠƺȔƎşŧхǽǨхȕƎǵƉхļхŘƺƮƮƎǨǨƎƺưϮхȕŧхşƎǨŘƥƺǨŧхƎǵϭхTƀхȕŧхǨǽƁЗ ƁŧǨǵхțƺǽхşƺȕưƥƺļşхļхǠŧǝƺǠǵхļưşхȕŧЩǠŧхǝƥļưưƎưƁхǵƺхǨƉļǠŧх țƺǽǠхŧƮļƎƥхļşşǠŧǨǨхȕƎǵƉхļхǵƉƎǠşЗǝļǠǵțϮхȕŧхşƎǨŘƥƺǨŧхƎǵхКх ļưşхȕŧхǨŧŘǽǠŧхțƺǽǠхǝŧǠƮƎǨǨƎƺưϭхǽǠхşļǵļхǝǠƎȔļŘțхļưşхşļǵļх ƁƺȔŧǠưļưŘŧхǨǵļưşļǠşǨхļǠŧхƎƮǝŧŘŘļŗƥŧϮхŗŧŘļǽǨŧхȕŧхȕƺǠƢх in compliance , yeah? Read our ǝǠƎȔļŘțхǝƺƥƎŘț to learn more.
Have a tip to share? Got the inside scoop on the next big trend in the compliance world? Share the details of your compliance industry news or events by emailing editor@corporatecomplianceinsights.com.
TхrļƁļȥƎưŧхǨǵļɪхǠŧǝƺǠǵǨ
corporatecomplianceinsights.com | 7
guest editor’s note Welcome; ƥŧǵЩǨхƁŧǵхȕƺǠƢƎưƁ Matt Kelly Guest Editor, Editor & CEO, Radical Compliance W
hen Corporate Compliance Insights asked me to be guest editor of õļĴţİĴļʴÕŕÕİÑõëõļ²ĆČ²ë²şõčÕʞČŘţİĴļİÕ²ËļõĔčŖ²ĴʞĔêËĔŁİĴÕʞļĔ feel honored. Then I was pleased, because this honor gives me the opportunity to put some of the tough questions about corporate compliance front and center. For example, why do so many compliance programs struggle? "ĔčʿļëÕļČÕŖİĔčëʣĔČĭĆõ²čËÕĔêţËÕİĴŖĔİăñ²İÑļĔÊŁõĆÑļñÕÊÕĴļ compliance programs they can. At the same time, we keep seeing one example after another of compliance program failures. Something breaks down between the program on paper , with the wonderfully crafted policies and the resoundingly rich tone at the top; and the program in practice ʞŖõļñİÕÑŤ²ëĴ ignored or controls overridden or violations undetected. Too often, that thing breaking down is a company’s internal controls. So that’s what I wanted to examine in this inaugural edition of the magazine. Our cover story unpacks the various types of internal controls a compliance ĭİĔëݲČČõëñļŁĴÕ²čÑñĔŖ²ËĔČĭĆõ²čËÕĔêţËÕİ˲čţëŁİÕĔŁļļñÕİõëñļ combination for maximum effectiveness, while a Q&A with a seasoned internal auditor offers some SOX insights and a top 10 list helps identify common internal controls pitfalls and how to avoid them (my personal fave is No. 6). In between, the magazine will also have other news, analysis, graphics and ČŁĆļõČÕÑõ²ëĔĔÑõÕĴļĔñÕĆĭËĔİĭĔݲļÕËĔČĭĆõ²čËÕĔêţËÕİĴŁčÑÕİĴļ²čÑŖñ²ļʿĴ ëĔõčëĔčõčĔŁİţÕĆѲčÑñĔŖļñÕŘ˲čÊŁõĆѲÊÕļļÕİËĔČĭĆõ²čËÕĭİĔëݲČʣ We hope you enjoy this issue — the team plans to bring you more throughout the year. Now let’s get to work. — Matt Kelly
8 | March 2024
Guest editor’s welcome
CCI Magazine
OPINION
One of my most mortifying moments as a compliance commentator happened one day in July 2018. I was speaking at an ethics and compliance event in Houston, and another speaker stumped everyone — me included — with a deceptively simple question: What is a control? A êļÕݲĆĆʞËĔČĭĆõ²čËÕĔêţËÕİĴļ²Ćă²ÊĔŁļËĔčļİĔĆĴ ËĔčĴļ²čļĆŘʣ&êêÕËļõŕÕËĔčļİĔĆĴ²İÕļñÕĆõêÕÊĆĔĔÑ of what makes a compliance program work. Most of us can rattle off examples of controls, or recognize a control when we see one. Then my fellow speaker had to get all philosophical on ŁĴʝ¥ñ²ļ is a control? Nobody dared answer. We all were suddenly uncertain ļñ²ļŖÕËĔŁĆÑÑÕţčÕ²ËĔčļİĔĆËĔİİÕËļĆŘʣ The speaker who posed this question, Jonathan Marks , õĴ²ĭİĔĆõţËļñõčăÕİĔč²ĆĆļñõčëĴêĔİÕčĴõËĴʞ²ŁÑõļ²čÑ internal control. Marks has a shtick of asking audit and ËĔČĭĆõ²čËÕ²ŁÑõÕčËÕĴļĔÑÕţčÕ²ËĔčļİĔĆʲ²čÑļĔñõĴ
ĔčļİĔĆʝ Noun or
Verb? Getting philosophical on internal controls
Matt Kelly Guest Editor
Opinion | Internal controls
corporatecomplianceinsights.com | 9
An internal control is a process of interlocking activities that use properly designed policies and procedures .
control. It is as follows. “A process of interlocking
dismay, most people can’t. Before I give you Marks’
of internal controls to the door of some weak business process like İÕĆõÕêŖĔİăÕİĴ²õİʴÑİĔĭĭõčëĴŁĭĭĆõÕĴ onto a suffering population. That’s not what really happens, however. What really happens is that we adjust the weak business process to (ideally) make it stronger. If the process is particularly bad — one might even call it materially weak — we make multiple adjustments at once. That’s what Marks captures in his ĔĭÕčõčëĆõčÕʝčõčļÕİč²ĆËĔčļİĔĆõĴ² process rather than a thing, and the raw materials the process uses are policies and procedures. The mission of the audit or compliance executive is to see that those raw materials are properly designed so that they work together effectively and the internal ËĔčļİĔĆļñÕčêŁĆţĆĆĴõļĴČõĴĴõĔčʣ ǵƉŧǠхŘƺưǵǠƺƥхşŧɭưƎǵƎƺưǨ \²İăĴʿÑÕţčõļõĔčĔêõčļÕİč²Ć control didn’t emerge from a vacuum. The COSO framework for internal control and federal securities law have their own ÑÕţčõļõĔčĴʞļĔĔʨ²čÑļñĔĴÕ ÑÕţčõļõĔčĴĆĔčëĭİÕËÕ ded Marks. For example, Section 13(b)(2)(B) of the Exchange Act ÑÕţčÕĴêĔİ ÕĆÕČÕčļĴĔêõčļÕİč²ĆËĔčļİĔĆʝ • System of internal accounting
ÑÕţčõļõĔčʞĆÕļČÕ offer what raced through my head when he put the įŁÕĴļõĔčļĔČÕʝčõčļÕİč²ĆËĔčļİĔĆ is something a company uses that’s intended to reduce the chance of an unwanted risk outcome. EÑÕĆõÊÕݲļÕĆŘăÕĭļČŘÑÕţčõļõĔč broad, because a control can take Č²čŘêĔİČĴʝ²ĴĔêļŖ²İÕİĔŁļõčÕļñ²ļ blocks a payment to unapproved ĭ²İļõÕĴʨ²ĭĔĆõËŘʰŖõļñËÕİļõţ˲ļõĔč required) against bribing foreign ëĔŕÕİčČÕčļĔêţËõ²ĆĴʨ²ĴĭÕÕËñêİĔČ ļñÕ&c²ĴĴŁİõčë employees that it’s better to miss your monthly Ĵ²ĆÕĴįŁĔļ²ļñ²čţŗ²ËĔčļݲËļʣ Those examples are all different in form and substance — but controls they all are. In sequence, they are a transaction control (block the payment), a process control (train employees) and an entity control (senior executive issues guidance on corporate priorities). They all work together toward the objective of reducing corruption risk. ļõĆĆʞČŘÑÕţčõļõĔčõĴʲĴÕÑĔč examples more than anything else. I know a control when I see it — but is that the same as understanding the abstract concept of a control and how ĔčÕţļĴõčļĔ²ËĔČĭĆõ²čËÕĭİĔëݲČʤ Enter the Marks şŧɭưƎǵƎƺư Over the years, Marks has êĔİČ²ĆõşÕÑñõĴĔŖčÑÕţčõļõĔčĔê²
activities that use properly designed policies and procedures which are preventive, corrective, directive, corroborative, along with training and continuous monitoring, to assure the achievement of an organization’s objectives in operational effectiveness and ÕêţËõÕčËŘʞëÕčÕݲļõčëİÕĆõ²ÊĆÕ (complete and accurate) books and records in compliance with laws, regulations and policies, which ultimately reduces risk of fraud, waste and abuse.” ñ²ļÑÕţčõļõĔčõĴ²ČĔŁļñêŁĆʞ but it hits on all the right points, including the most important one right in the top line. An internal control is a process of interlocking activities that use properly designed policies and procedures . The rest is all correct but is more about helping you to understand what a control does. His opening lines explain what an õčļÕİč²ĆËĔčļİĔĆõĴʝEļʿĴ²ĭİĔËÕĴĴʣEļ does something. That might be why people hesitate to ÑÕţčÕ²ËĔčļİĔĆʣcŁİ ÊݲõčĴñÕ²İʼÑÕţčÕ²ËĔčļİĔĆʽ²čÑ instinctively we envision a noun — a thing unto itself. In everyday language, we say sentences like, “This control isn’t working” or “We need stronger internal controls in our accounting process,” as if we could deliver an extra shipment
ËĔčļİĔĆĴĴŁêţËõÕčļļĔĭİĔŕõÑÕ reasonable assura čËÕĴļñ²ļʝ
• Transactions are executed
with management’s general or
10 | March 2024
Opinion
CCI Magazine
operations • ÕĆõ²ÊõĆõļŘĔêţč²čËõ²ĆİÕĭĔİļõčë • Compliance with applicable laws and regulations \²İăĴʿÑÕţčõļõĔčËĆÕ²İĆŘÑÕĴËÕčÑĴ from COSO’s concept. COSO’s ÑÕţčõļõĔčõĴČĔİÕŕÕİĴ²ļõĆÕļñ²čļñÕ Ĵļ²ļŁļĔİŘÑÕţčõļõĔčõčļñÕ&ŗËñ²čëÕ Act. Still … Useful elements ¥ñ²ļEĆõăÕ²ÊĔŁļ\²İăĴʿÑÕţčõļõĔč is that it frames internal control as interlocking activities — that is, multiple steps the company takes, all reinforcing each other to reduce a risk to some acceptable level. That’s something compliance ĔêţËÕİĴ˲čÕ²ĴõĆŘëݲĴĭʣ&ĴĭÕËõ²ĆĆŘ if you are, say, rolling out a new policy stressing ethical values, while implementing new documentation requirements for approval of overseas intermediaries and training employees on the importance of using the whistleblower hotline. All of those things are supposed to work together ļĔŖ²İѲĴõčëĆÕëĔ²ĆʝİÕÑŁËõčëŘĔŁİ company’s FCPA risk. Marks also stresses the importance of properly designed policies and procedures. That point matters, ÕĴĭÕËõ²ĆĆŘļĔËĔČĭĆõ²čËÕĔêţËÕİĴŖñĔ come from a legal background and might not be as versed in control design as someone from an audit background. We use shorthand phrases in ethics and compliance all the time, “internal control” perhaps more than any other. It’s good to know what that phrase actually means before we go putting it to use in organizations all over the place.
ĴĭÕËõţ˲ŁļñĔİõş²ļõĔčʣ • Transactions are recorded as necessary (i) to permit preparation Ĕêţč²čËõ²ĆĴļ²ļÕČÕčļĴõč conformity with generally accepted accounting principles or any other criteria applicable to such statements and (ii) to maintain accountability for assets. Access to assets is permitted only in accordance with management’s ëÕčÕݲĆĔİĴĭÕËõţ˲ŁļñĔİõş²ļõĔčʣ The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences. Those four elements are good as far as they go, but they pertain only ļĔţč²čËõ²ĆİÕĭĔİļõčë²čѲËËĔŁčļõčë êݲŁÑʣ"ĔļñÕŘŖĔİăêĔİÊĔĔăĴʴ²čÑʴ records expectations around the Foreign Corrupt Practices Act? Yes, although you have to beware of Č²ļÕİõ²ĆõļŘļñİÕĴñĔĆÑĴʝ¥ñ²ļʿĴČ²ļÕİõ²Ć êĔİËĔİĭĔݲļÕţč²čËõ²ĆĴļ²ļÕČÕčļĴʰ² few percentage points of a line item’s total value) will generally be much larger than a bribe that could lead to FCPA enforcement. The greater problem with the &ʿĴÑÕţčõļõĔčõĴļñ²ļõļ²ĭĭĆõÕĴļĔ ţč²čËõ²ĆËĔčËÕİčĴ only . It won’t be ČŁËññÕĆĭļĔÑÕţčÕõčļÕİč²ĆËĔčļİĔĆ for, say, cybersecurity, harassment or reputation risk — although effective internal control is crucial for all three. COSO, meanwhile, has this ÑÕţčõļõĔčêİĔČõļĴõčļÕİč²ĆËĔčļİĔĆ êݲČÕŖĔİă ʝ A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the êĔĆĆĔŖõčë˲ļÕëĔİõÕĴʝ • &êêÕËļõŕÕčÕĴĴ²čÑÕêţËõÕčËŘĔê
Control: Noun or Verb?
corporatecomplianceinsights.com | 11
ADVERTISEMENT
2024 Top 10 Risk and Compliance Trends Expert Predictions & Guidance
Get the eBook
ctrl+ OƺȕхļхƮļǠƢŧǵхǨǝƺƺɭưƁхǨŘļưşļƥх underscores the gap between ŘƥŧȔŧǠхŘƺƮǝƥƎļưŘŧхǝƥļưǨх ļưşхǠŧļƥЗȕƺǠƥşхǝǠļŘǵƎŘŧ
Matt Kelly Guest Editor
Internal controls make the modern corporation succeed in meeting its compliance obligations. But lean too far into hard, technical controls and you risk alienating your people. Rely too heavily on soft controls and your compliance function may end up toothless. Oh, and you need to make sure your controls, both hard and soft, can integrate into your corporate culture.
S ometimes profound lessons about corporate compliance emerge from obscure places. Such was the case in ]ĔŕÕČÊÕİʞŖñÕč²ĴÕËŁİõļõÕĴţİČ was sanctioned for dabbling in a trading practice most compliance ĔêţËÕİĴñ²ŕÕĭİĔʲÊĆŘčÕŕÕİñÕ²İÑ of. ñÕţİČõčįŁÕĴļõĔčŖ²Ĵ²čăĔê ČÕİõ˲ÕËŁİõļõÕĴʞţčÕÑˇɿʁČõĆĆõĔč by FINRA, the principal regulator for ÊİĔăÕİʴÑÕ²ĆÕİţİČĴʣñÕõČĭİĔĭÕİ ËĔčÑŁËļŖ²ĴʼĴĭĔĔţčëʞʽŖñÕİÕ² trader places bogus orders he has čĔĭĆ²čĴļĔêŁĆţĆĆʞļĔÑÕËÕõŕÕĔļñÕİ market participants into trading at a time, price or amount that they otherwise wouldn’t. In this case, two Bank of America traders ŖÕİÕĴĭĔĔţčëļñÕČ²İăÕļêĔİʣʣ Treasury securities for years. Bank of America did have written policies and procedures against ĴĭĔĔţčëʨõļāŁĴļÑõÑčʿļõČĭĆÕČÕčļ proper surveillance or supervisory İÕŕõÕŖĴêĔİĴĭĔĔţčëêĔİŘÕ²İĴʣ¥ñÕč õļţč²ĆĆŘÑõÑʞļñĔĴÕĴŁİŕÕõĆĆ²čËÕ²čÑ review measures didn’t match how
employees could actually trade on Bank of America platforms. So what’s the profound lesson ñÕİÕʤEļʿĴčĔļ²ÊĔŁļĴĭĔĔţčëĭÕİ se but rather about how Bank of America had weak internal controls to enforce its policies and procedures. Time and again, in one industry after another, that’s the issue for ËĔČĭĆõ²čËÕĔêţËÕİĴʣ§ĔŁİËĔČĭ²čŘ has policies and procedures that look great (Bank of America’s did), but the controls to put those policies and procedures into force don’t work as intended. Maybe the controls were designed poorly. Maybe you have too many of one type of control and not enough of another. Maybe the nature of your transactions or technology raced ahead of what your controls can do. Regardless of the exact reason, internal controls are where ËĔČĭĆõ²čËÕĔêţËÕİĴčÕÕÑļĔêĔËŁĴ their attack. Internal controls are what makes the modern corporation succeed at its compliance obligations.
14 | March 2024
Cover story
CCI Magazine
business a miserable place to ŖĔİăʣ&ČĭĆĔŘÕÕĴĴĭÕčÑČĔİÕļõČÕ chasing down documentation and approvals, rather than closing sales or developing products. When people sneer at the compliance function as the Department of No or a cost center — this is one of the reasons why. “If you muck up the process, what ends up happening is that people override the internal controls,” Marks says. “There needs ëİĔŁĭĔêõčļÕİč²ĆËĔčļİĔĆĴʝʼĴĔêļʽ controls, such as a code of conduct, written policies, ethics training, internal reporting hotlines and the like. These controls are meant to encourage employees toward certain standards of behavior, although they can’t stop an employee from doing anything. Only hard controls do that. The challenge, of course, is to ţëŁİÕĔŁļļñÕİõëñļÊ²Ć²čËÕĔêñ²İÑ and soft controls for your business and corporate culture. to be some balance there.” That brings us to another
hasn’t submitted a complete set of due diligence documentation. An obvious question arises here. Couldn’t — shouldn’t, even — companies rely on technical controls to enforce compliance standards? That is, you could combine extensive documentation requirements with technical ËĔčļİĔĆĴõčŘĔŁİËĔČĭ²čŘʿĴ&| systems to choke off suspicious payments. Or you could block access to certain IP addresses to prevent cybersecurity attacks. Or you could decline to process transactions for customers that haven’t provided complete onboarding documentation. The theme in all those scenarios (and others) is that compliance is boiled down to a binary state of affairs, which lets your IT system act as an automatic gatekeeper. In theory, that’s a neat idea; it’s scalable, auditable and cheaper than using humans. On the other hand, too many technical controls makes your
“Clearly the role of compliance ĔêţËÕİĴõĴÕŕĔĆŕõčëʞʽĴ²ŘĴQĔč²ļñ²č Marks, a partner at BDO who has spent years thinking and writing about what internal controls should be able to do. “Designing business processes that incorporate compliance controls, so that you can identify violations — that requires a deep understanding of both the legal landscape and your organization’s operational framework.” Oh. Is that all? Striking the right balance of internal controls Internal controls can be divided õčļĔļŘĭÕĴʣEčĔčÕ˲Čĭ²İÕĴĔʴ called “hard” controls (also known as technical controls), embedded directly into a company’s IT systems to prevent certain transactions êİĔČñ²ĭĭÕčõčëŁčĆÕĴĴĭİÕʴÑÕţčÕÑ conditions are met. For example, ËĔčţëŁİõčëŘĔŁİËĔČĭ²čŘʿĴ accounting software to block payment to any third party that
ctrl +
corporatecomplianceinsights.com | 15
Boles worries that too many ËĔČĭĆõ²čËÕĔêţËÕİĴʰʼčÕŖ ËĔČĭĆõ²čËÕĔêţËÕİĴõčĭ²İļõËŁĆ²İʽʱ err on the side of hard controls õčļñÕõİĔİë²čõş²ļõĔčʣñÕŘţčÑ a risk and impose a control to ÊĆĔËăõļʞŖõļñĔŁļţİĴļĭ²ŁĴõčëļĔ consider whether a softer, more ÕČĭĆĔŘÕÕʴêİõÕčÑĆŘ²ĭĭİĔ²ËñČõëñļ achieve the same result without the uncompromising message that hard controls send. “They don’t embed themselves in the culture; they embed themselves in the job — and that’s the confusion,” she says. Now we’re getting somewhere. ñÕËĔČĭĆõ²čËÕĔêţËÕİÕČÊÕÑÑõčë into the culture, controls that work to foster employee trust — that sounds a lot like the “culture of compliance” ideal that the U.S. Department of Justice and other regulators say they want to see.
“When you say ‘more controls,’ you’re basically saying, ‘We trust you less,’” says Leslie Boles, who runs healthcare compliance ËĔčĴŁĆļõčëţİČÕŕŁAÕ²Ćļñ˲İÕ and previously ran audit and compliance for WCP Healthcare. “The biggest factor we miss when we talk about the implementation of controls is employee education. It’s equally important.” Boles raises a subtle but important point. Soft controls are more about fostering trust between employee and employer. They encourage the employee to behave in certain ways, with the implied threat of disciplinary action; but they still treat employees as part of the solution as the company strives toward its ethics and compliance objectives. Hard controls treat employees as, at least potentially, part of the problem.
Hard vs. soft controls ƺƮǝƥƎļưŘŧхǝǠƺƁǠļƮǨхƉļȔŧхǵȕƺхƮļƎưхŘƺưǵǠƺƥхƺǝǵƎƺưǨϮхƉļǠşхļưşхǨƺƀǵϭх Hard controls consist of tangible processes, often automated, to force employees to follow certain laws, regulations or internal procedures. Soft ŘƺưǵǠƺƥǨϮхƺưхǵƉŧхƺǵƉŧǠхƉļưşϮхļǠŧхƮƺǠŧхƺƀǵŧưхŗŧƉļȔƎƺǠļƥϮхŧưŘƺǽǠļƁƎưƁхŗǽǵх ưƺǵхƮļưşļǵƎưƁхŘŧǠǵļƎưхŗŧƉļȔƎƺǠǨϭ Hard controls ¥ƺƥŧЗŗļǨŧşхļŘŘŧǨǨхŘƺưǵǠƺƥ Encryption Transaction monitoring Physical security Segregation of duties Purchase limits Multifactor authentication Email filtering Application whitelisting $ļǵļŗļǨŧхļŘǵƎȔƎǵțхƮƺưƎǵƺǠƎưƁ Soft controls Code of conduct/code of ethics Compliance training & awareness Tone at the top ¢ŧŧǠхǨǽǝǝƺǠǵхưŧǵȕƺǠƢǨ Mentorship programs ÙŧƥƥЗŗŧƎưƁхļǵхȕƺǠƢ ¢ŧǠƀƺǠƮļưŘŧхŧȔļƥǽļǵƎƺưǨ Employee assistance programs Unconscious bias training Integrity hotlines
16 | March 2024
Internal controls
CCI Magazine
“When you say ‘more controls,’ you’re basically saying, ‘We trust you less.’ The biggest factor we miss when we talk about the implementation of controls is employee education. It’s equally important.” Кх Leslie Boles х¥ŧȔǽхOŧļƥǵƉŘļǠŧхǝļǠǵưŧǠ
on different days. So the company might have a policy that doesn’t take into account all these breakdowns in the operational process.” It’s yet another example of how compliance programs can look great on paper and still not work in reality. хɭưļƥхȕƺǠşхƺưхǵƉŧх humans There is one way in which hard controls, soft controls and corporate culture all come together. As we keep moving to a digitally transformed world full of ²ŁļĔČ²ļÕÑŖĔİăŤĔŖĴʞŖñÕİÕñ²İÑ controls are baked directly into business processes — that’s going to throw off data about the controls performance. Some manager somewhere in your organization will need to review that data about the control’s performance and decide whether everything is following the compliance program’s plan; or raise alerts when something isn’t. A successful management review control, however, rests on ļŖĔ²ĴĴŁČĭļõĔčĴʝʰɾʱļñÕČ²č²ëÕİ knows what anomalies he or she is ĴŁĭĭĔĴÕÑļĔĆĔĔăêĔİʨ²čÑʰɿʱļñ²ļ
&İõ˧ĔŁčëĔê;ŁõÑÕĭĔĴļĔĆŁļõĔčĴʞ who spent many years as chief ËĔČĭĆõ²čËÕĔêţËÕݲļ]||²İõʲĴʞ Q|\Ĕİë²čʞ²čÑĔļñÕİţč²čËõ²Ć ţİČĴʣ “There needs to be coordinated risk assessments, plus testing, priorities, scope and scheduling,” he says. For example, internal audit teams might only review compliance programs once every few years, or they may have a different set of priorities about which controls to review. And if you want to use internal audit more as ²čõčʴñĔŁĴ e consultant, helping to analyze business processes, some audit teams might get fussy about whether that undermines their independence. Boles says much the same. Internal audit teams typically have an audit plan and want to follow it, she says, but that plan might not connect to the company’s compliance risks or the chief ËĔČĭĆõ²čËÕĔêţËÕİʿĴĴÕčĴÕĔêŖñ²ļʿĴ important. Auditors struggle with diverse processes, she warns. Too often, “we don’t understand the process. It’s broken down by different areas, by different managers’ personalities,
So really, building an effective system of internal controls is about analyzing business processes and corporate culture and then deciding where to place which controls (hard or soft) for maximum effect. It’s a matter of studying business operations to identify where, and how, controls make the most sense. “If you don’t understand the barriers, obstacles and hurdles to achieve the objective of the control, then the control is not designed appropriately,” Marks says. cSʞĴĔñĔŖ˲čËĔČĭĆõ²čËÕ ĔêţËÕİĴÑĔļñ²ļʤ Working with internal audit This is where an internal audit function can be invaluable, since assessing business processes for risk and recommending improvements is what they do. As we keep moving into a highly regulated world, where internal controls will need to be embedded into business processes, collaboration between compliance and internal audit will become a more crucial ingredient for success. That can be easier said than done at large organizations, says
Cover story
corporatecomplianceinsights.com | 17
BEHIND THE HEADLINES Bank of America’s $24M fine
the manager actually cares about strong compliance program performance. Well, isn’t that a matter of training and incentivizing the manager to care about ethics and compliance? Isn’t it a matter of forging strong bonds with the manager, so that they want the whole organization to succeed — and succeed the right way — as much as the manager wants to succeed personally? So maybe, as much as we need to focus on the challenges of effective internal control, those effective internal controls still need a strong corporate culture to succeed. Funny how that point keeps cropping up. Matt Kelly is editor and CEO of Radical Compliance and formerly ȕļǨхŧşƎǵƺǠхƺƀхƺƮǝƥƎļưŘŧхÙŧŧƢϭ
şƎşхưƺǵхƉļȔŧхļхǨǽǝŧǠȔƎǨƺǠțхǨțǨǵŧƮх ǵƺхşŧǵŧŘǵхǨǝƺƺɭưƁхƎưхºǠŧļǨǽǠƎŧǨх ǽưǵƎƥхtƺȔŧƮŗŧǠхʹͲͳͷϰхǽưǵƎƥхƮƎşЗ ʹͲͳͻϮхǵƉļǵхǨțǨǵŧƮхȕļǨхşŧɭŘƎŧưǵх in that it was designed to detect ǨǝƺƺɭưƁхŗțхǵǠļşƎưƁхļƥƁƺǠƎǵƉƮǨϮхưƺǵх ƮļưǽļƥхǨǝƺƺɭưƁхŗțхƎǵǨхǵǠļşŧǠǨϮхƥƎƢŧх the 717 instances addressed in the settlement. In addition, until at least $ŧŘŧƮŗŧǠхʹͲʹͲϮхƺƀх ŧŘǽǠƎǵƎŧǨЩх ǨǽǠȔŧƎƥƥļưŘŧхşƎşхưƺǵхŘļǝǵǽǠŧхƺǠşŧǠǨхƎǵǨх traders entered into certain systems ǝǠƺȔƎşŧşхŗțхŧȚǵŧǠưļƥхȔŧưǽŧǨϭхhļǨǵƥțϮх ƺƀх ŧŘǽǠƎǵƎŧǨхşƎşхưƺǵхǨǽǝŧǠȔƎǨŧхƀƺǠх ǝƺǵŧưǵƎļƥхŘǠƺǨǨЗǝǠƺşǽŘǵхǨǝƺƺɭưƁхƎưх Treasuries through September 2022.” BofA Securities settled with FINRA, though it did not admit nor deny the charges, and in a statement ǵƺх¥ŧǽǵŧǠǨхǵƉŧхŗļưƢхǨļƎşхƎǵхȕļǨх ƎƮǝǠƺȔƎưƁхǨǽǠȔŧƎƥƥļưŘŧхļưşхǵǠļƎưƎưƁϭ The junior trader, Tyler Forbes, was accused of placing 194 spoof trades before being fired in 2019, Reuters reported, and he later pleaded guilty to manipulating Treasury prices and was sentenced to two țŧļǠǨхƺƀхǨǽǝŧǠȔƎǨŧşхǠŧƥŧļǨŧϭхºƉŧх ƀƺǠƮŧǠхǨǽǝŧǠȔƎǨƺǠϮх ƎşưŧțхhŧŗŧưǵļƥϮх ȕļǨхļŘŘǽǨŧşхƺƀхǝƥļŘƎưƁхͷʹ͵хǨǝƺƺƀх ǵǠļşŧǨϭхOŧхƥŧƀǵхļưƢхƺƀхƮŧǠƎŘļхƎưх 2021 and faces a FINRA disciplinary proceeding.
TưхtƺȔŧƮŗŧǠϮхFTt¥хļưưƺǽưŘŧşхƎǵх ƉļşхƀƎưŧşхļхǽưƎǵхƺƀхļưƢхƺƀхƮŧǠƎŘļх $24 million, alleging that two ƀƺǠƮŧǠхǵǠļşŧǠǨхǨǝŧưǵхțŧļǠǨхǵļƢƎưƁх ļşȔļưǵļƁŧхƺƀхƎưŧƀƀŧŘǵƎȔŧхƎưǵŧǠưļƥх controls systems. The two traders, one a junior trader and the other ļхǨǽǝŧǠȔƎǨƺǠхļǵхļưƢхƺƀхƮŧǠƎŘļх Securities, conducted more than 700 spoof trades between 2014 and 2021, FINRA said. ǝƺƺɭưƁхƎǨхļхǵțǝŧхƺƀхƀǠļǽşǽƥŧưǵх ǵǠļşƎưƁхƎưȔƺƥȔƎưƁхǵƉŧхǽǨŧхƺƀхƺǠşŧǠǨхǵƉļǵх ǵƉŧхǵǠļşŧǠхşƺŧǨưЩǵхƎưǵŧưşхǵƺхļŘǵǽļƥƥțх execute, creating a false appearance ƺƀхļŘǵƎȔƎǵțхƺưхƺưŧхǨƎşŧхƺƀхǵƉŧхƮļǠƢŧǵх to induce trades other participants would not otherwise execute. BofA Securities was accused of cascading compliance failures, ƎưŘƥǽşƎưƁхƀƎǠǨǵхưƺǵхƉļȔƎưƁхļưțхǨțǨǵŧƮх for detecting spoofing and then designing a system that was easily gamed by the two former traders, ƺưŧхƺƀхȕƉƺƮхǠŧŘŧƎȔŧşхŘǠƎƮƎưļƥх ǝŧưļƥǵƎŧǨхƀƺǠхƉƎǨхļŘǵƎƺưǨϭхFTt¥хǨļƎşϯ “From at least October 2014 through September 2022, BofA Securities failed to establish and maintain ļхǨǽǝŧǠȔƎǨƺǠțхǨțǨǵŧƮхǠŧļǨƺưļŗƥțх şŧǨƎƁưŧşхǵƺхşŧǵŧŘǵхǨǝƺƺɭưƁхƎưхÁϭ ϭх ºǠŧļǨǽǠțхƮļǠƢŧǵǨϭхƺƀх ŧŘǽǠƎǵƎŧǨх
Independent internal investigation services When you need a third-party investigator for internal investigation, leverage our seasoned expertise to help you manage the path forward. We have global experience conducting investigations on six continents.
CONFIDENTIAL DISCRETE
THOROUGH
™
LUMEN-WE.COM
Visit
to learn more.
18 | March 2024
Internal controls | ctrl+
CCI Magazine
Ten Ways Your Internal Controls Go Wrong ǽƎƥşƎưƁхļưхŧƀƀŧŘǵƎȔŧхǨțǨǵŧƮхƺƀхƎưǵŧǠưļƥхŘƺưǵǠƺƥхКхƀƺǠхƀƎưļưŘƎļƥхǠŧǝƺǠǵƎưƁϮхǝǠƎȔļŘțϮхļưǵƎЗ ŘƺǠǠǽǝǵƎƺưϮхǨǽǝǝƥțхŘƉļƎưхƮļưļƁŧƮŧưǵхƺǠхļưțǵƉƎưƁхŧƥǨŧхКххƎǨхưƺхŧļǨțхǵļǨƢϭхŧƥƺȕхļǠŧхͳͲхŗļşх ƉļŗƎǵǨхǵƉļǵхŘƺƮǝƥƎļưŘŧхƺƀƀƎŘŧǠǨхǨƉƺǽƥşхļȔƺƎşϮхŧƎǵƉŧǠхȕƉƎƥŧхşŧǨƎƁưƎưƁхƎưǵŧǠưļƥхŘƺưǵǠƺƥǨхƺǠхǽǨƎưƁх them to execute your compliance program on an ongoing basis.
Your policies are written in a generic way. When a regulation says your company must adopt
ºƉŧхƮļưļƁŧǠǨхǠŧȔƎŧȕƎưƁх controls aren’t ǨǽƀƀƎŘƎŧưǵƥțхǨƢƎƥƥŧşхƺǠх trained to spot fraud.
Too many controls are in the wrong place. Internal controls first arose in the finance and accounting functions, but modern organizations need internal controls across IT and operations as well. For example, you might ƉļȔŧхưǽƮŧǠƺǽǨхļǝǝǠƺȔļƥхŘƺưǵǠƺƥǨх ƀƺǠхǝļțƮŧưǵǨхКхŗǽǵхưƺǵхŧưƺǽƁƉх IT controls to stop someone from ļƥǵŧǠƎưƁхǨƺƀǵȕļǠŧхǵƺхŘƎǠŘǽƮȔŧưǵх ǵƉŧхŘƺưǵǠƺƥϭхǠхțƺǽхƮƎƁƉǵхƉļȔŧх ǝƥŧưǵțхƺƀхǝǠƺŘŧǨǨЗƥŧȔŧƥхŘƺưǵǠƺƥǨх ЉǨǽŘƉхļǨхşǽŧхşƎƥƎƁŧưŘŧхǝƺƥƎŘƎŧǨЊх ŗǽǵхǵƺƺхƀŧȕхŧưǵƎǵțЗƥŧȔŧƥхŘƺưǵǠƺƥǨх ЉļǽşƎǵǨхǵƺхŘƺưƀƎǠƮхǵƉļǵхļх ǨǽŗǨƎşƎļǠțхƎǨưЩǵхǨƎƮǝƥțхƺȔŧǠǠƎşƎưƁх those policies). 8
1
5
written policies and procedures, şƺưЩǵхǨƎƮǝƥțхŘƺǝțхǵƉŧхƥļưƁǽļƁŧх of the rule, paste it into your employee manual, and declare it a policy. Policies should be written to reflect how employees ļǵхțƺǽǠхƺǠƁļưƎȥļǵƎƺưхļŘǵǽļƥƥțхȕƺǠƢϭ
rļưļƁŧǠǨхЉŧǨǝŧŘƎļƥƥțхƀƎǠǨǵЗǵƎƮŧх managers or managers new to țƺǽǠхŘƺƮǝļưțЊхƮƎƁƉǵхưƺǵхƢưƺȕх how to identify the seemingly endless number of fraud or corruption schemes employees ƮƎƁƉǵхŘƺưŘƺŘǵϭхŧхǨǽǠŧхǵƉŧțхƉļȔŧх the training they need or that ļưǵƎЗƀǠļǽşхǵŧļƮǨхşƺǽŗƥŧЗŘƉŧŘƢх ǵƉŧƎǠхȕƺǠƢϭ
You fail to consider the şƎȔŧǠǨƎǵțхƺƀхǝǠƺŘŧǨǨŧǨх across your enterprise. ưхļǝǝǠƺȔļƥхǝǠƺŘŧǨǨх
2
You fail update controls when the enterprise or ȕƺǠƢƀƺǠŘŧхŘƉļưƁŧǨϭх As companies expand or
6
ǵƉļǵхȕƺǠƢǨхƎưхțƺǽǠхtƺǠǵƉхƮŧǠƎŘļх şƎȔƎǨƎƺưхƮƎƁƉǵхưƺǵхȕƺǠƢхƎưхțƺǽǠх much smaller Latin America şƎȔƎǨƎƺưϰхļхşǽŧхşƎƥƎƁŧưŘŧхǝǠƺŘŧşǽǠŧх ǵƉļǵЩǨхǨǵǠļƎƁƉǵƀƺǠȕļǠşхƎưх.r.х ƮƎƁƉǵхŗŧхƎƮǝǠļŘǵƎŘļƥхƎưхǨƎļЗ¢ļŘƎɭŘϭх ºƉƎưƢхļŗƺǽǵхƉƺȕхşƎɪŧǠŧưǵхǝļǠǵǨхƺƀх the enterprise operate, and craft ŘƺưǵǠƺƥǨхǵƉļǵхǠŧɮŧŘǵхǵƉƺǨŧхǠŧļƥƎǵƎŧǨϭ You don’t sufficiently introduce should be accompanied ŗțхǵǠļƎưƎưƁхƺƀхǨƺƮŧхƢƎưşхЉļхƀƺǠƮļƥх ŘƺǽǠǨŧϮхļхǨƉƺǠǵхȔƎşŧƺхƀǠƺƮхǵƉŧх CCO or some other material) that explains why the control is necessary and how employees should interact with it. train employees on controls. .ȔŧǠțхưŧȕх technical control you 3
contract, old internal controls ЉǝƺƥƎŘƎŧǨϮхļǝǝǠƺȔļƥхǝǠƺŘŧǨǨŧǨϮх ƮļưļƁŧƮŧưǵхǠŧȔƎŧȕǨЊхƮƎƁƉǵх no longer fit the business. For ŧȚļƮǝƥŧϮхțƺǽхƮƎƁƉǵхƉļȔŧхļхǵȕƺЗ ǝŧǠǨƺưхļǝǝǠƺȔļƥхǝǠƺŘŧǨǨхļưşхǵƉŧưх go through layoffs, consolidating those two roles into one person. ºƉŧхǨƉƺǠǵЗǵŧǠƮхǨƺƥǽǵƎƺưхƎǨх to introduce a compensating ŘƺưǵǠƺƥϮхŗǽǵхşƺưЩǵхƥŧǵхǵƉļǵхŗŧŘƺƮŧх ļхŘǠǽǵŘƉϰхǠŧȔƎŧȕхǵƉŧхşŧǨƎƁưхƺƀх your controls to find and correct ȕŧļƢхǨǝƺǵǨϭ
You don’t audit your controls sufficiently. Internal controls should be tested often to be sure
9
that they are designed properly ļưşхȕƺǠƢхļǨхƎưǵŧưşŧşϭхºŧǨǵƎưƁх should happen at least annually, and after any major technology or ȕƺǠƢƀƺǠŘŧхŘƉļưƁŧϭх Leadership doesn’t unaddressed send the signal ǵƉļǵхƮļưļƁŧƮŧưǵхşƺŧǨưЩǵхŘļǠŧх about rigorous internal controls КхǨƺхțƺǽǠхȕŧļƢхƎưǵŧǠưļƥхŘƺưǵǠƺƥǨх ŘƺưǵƎưǽŧхǵƺхƀŧǨǵŧǠϮхļưşхƥƺȕŧǠЗƥŧȔŧƥх employees are more tempted ǵƺхǵļƢŧхļşȔļưǵļƁŧхƺƀхǵƉļǵхǝƺƺǠх ŘƺưǵǠƺƥхŧưȔƎǠƺưƮŧưǵϭхºƉŧхǵƺǝх şƺŧǨưЩǵхƟǽǨǵхưŧŧşхǵƺхǨŧǵхļхƁƺƺşх ǵƺưŧϰхƎǵхưŧŧşǨхǵƺхǵļƢŧхļŘǵƎƺưϮхǵƺƺϭ stress the importance of controls remediation. Audit findings left 10
Your segregation of duties is flawed. This ƮŧļưǨхǵƉļǵхțƺǽхƉļȔŧưЩǵх ƺǠƁļưƎȥŧşхțƺǽǠхŘƺƮǝļưțЩǨх
7
ßƺǽǠхƮļưļƁŧƮŧưǵхǠŧȔƎŧȕх controls are inefficient. rļưļƁŧƮŧưǵхǠŧȔƎŧȕх ŘƺưǵǠƺƥǨхǨƉƺǽƥşхƉļȔŧхļх
ȕƺǠƢƀƥƺȕǨхǝǠƺǝŧǠƥțϮхǨƺхǨƺƮŧх ǠƺƥŧǨхƮƎƁƉǵхƉļȔŧхƺȔŧǠƥļǝǝƎưƁх duties that allow people to commit fraud or corruption. Try ǨŧŧƢƎưƁхƉŧƥǝхƀǠƺƮхƎưǵŧǠưļƥхļǽşƎǵϮх your external auditor or some other analyst who could identify those conflicting duties and help țƺǽхǨŧǝļǠļǵŧхǵƉŧƮхǵƺхǠŧşǽŘŧхǠƎǨƢϭ
4
ƮļưļƁŧǠхǠŧȔƎŧȕхŧȚŘŧǝǵƎƺưǨхǵƺх ǝƺƥƎŘțхƺǠхǵƉŧхƺȔŧǠļƥƥхǝŧǠƀƺǠƮļưŘŧх of automated controls. If the ƮļưļƁŧǠхƮǽǨǵхǠŧȔƎŧȕхŧȔŧǠțх ǵǠļưǨļŘǵƎƺưϮхǵƉŧțхȕƎƥƥхǟǽƎŘƢƥțхŗŧх ƺȔŧǠȕƉŧƥƮŧşхļưşхŗŧхƮƺǠŧхƥƎƢŧƥțх ǵƺхǠǽŗŗŧǠЗǨǵļƮǝхŧȔŧǠțхǠŧǟǽŧǨǵϭх
Top 10 list by Matt Kelly
corporatecomplianceinsights.com | 19
20 YEARS of SOX Compliance
S ome corporate compliance professionals might be too young to remember it, but many moons ago — actually, more like ɿɽɽʁʲļñÕŖĔİÑʼËĔČĭĆõ²čËÕʽţİĴļ²čÑ êĔİÕČĔĴļČÕ²čļţč²čËõ²ĆËĔČĭĆõ²čËÕʞŖõļñļñÕ čÕŖĆŘÕč²ËļÕѲİʲčÕĴʴcŗĆÕŘËļʣEčļÕİč²Ć controls were all about tracking revenue and expenses, who accessed which accounts at what time and how managers could really know that corporate assets were used as management intended. Since then, the scope of corporate compliance ñ²ĴÕŗĭ²čÑÕÑÕčĔİČĔŁĴĆŘļĔõčËĆŁÑÕ²čļõʴ ËĔİİŁĭļõĔčʞËŘÊÕİĴÕËŁİõļŘʞѲļ²ĭİõŕ²ËŘʞļñõİÑʴ party risk management and more. At the heart of all those issues, however, the goal is still the Ĵ²ČÕʝļĔÊŁõĆѲĴÕļĔêõčļÕİč²ĆËĔčļİĔĆĴļñ²ļ can assure employees follow the rules and use corporate assets as intended. So what lessons can today’s ethics and
Ethics & compliance lessons from two decades ƺƀх ļǠŗļưŧǨЗȚƥŧț
Matt Kelly Guest Editor
20 | March 2024
Q&A: 20 years of SOX compliance
CCI Magazine
and soft controls — are review controls. MK: What do you mean by that? ʝ That’s where somebody, some individual, has the responsibility to look at the performance of a hard control — a report or something like that, for example — to make sure that the outcomes are what the company is expecting. So you have a hard control producing a result, or a person performing a control, and you also have somebody else reviewing and making sure that those controls work appropriately. That can be someone responsible for tone at the top,
compliance professionals learn êİĔČɿɽŘÕ²İĴĔê²İʲčÕĴʴ Oxley compliance? To explore that question, I talked with Brian Tremblay, who is a managing director at CFGI, a ËĔčĴŁĆļõčëţİČļñ²ļŖĔİăĴĔč audit and compliance issues (among many other things). Tremblay previously held jobs as a corporate internal audit executive, compliance practice ĆÕ²ÑÕݲļ²ËŘÊÕİĴÕËŁİõļŘţİČ ²čÑõëʁ²ŁÑõļ²ĴĴĔËõ²ļÕʣ\ĔĴļ importantly, he has plenty to say about effective internal controls. Matt Kelly: Ethics and ËĔČĭĆõ²čËÕĔêţËÕİĴĔêļÕčļñõčăõč terms of “hard controls,” such as ERP systems blocking payments
to third parties that haven’t been properly onboarded, and “soft controls,” such as tone at the top, policies, codes of conduct and so forth. Do you, coming from the audit side, see internal controls in the same way? İõ²čİÕČÊĆ²Řʝ I agree with the concept of hard controls and soft controls, although I might say that “hard” controls are “technical” controls, where technology enforces them, and “soft” controls are tone at the top and whistleblower hotlines and all those things that most companies have. The other thing that came to mind, however — the thing that sits between hard controls
Matt Kelly + Brian Tremblay
corporatecomplianceinsights.com | 21
Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12 Page 13 Page 14 Page 15 Page 16 Page 17 Page 18 Page 19 Page 20 Page 21 Page 22 Page 23 Page 24 Page 25 Page 26 Page 27 Page 28 Page 29 Page 30 Page 31 Page 32 Page 33 Page 34 Page 35 Page 36 Page 37 Page 38 Page 39 Page 40www.corporatecomplianceinsights.com
Made with FlippingBook Ebook Creator