specific authorization.
• Transactions are recorded as necessary (i) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements and (ii) to maintain accountability for assets.
• Access to assets is permitted only in accordance with management’s general or specific authorization.
• The recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

Those four elements are good as far as they go, but they pertain only to financial reporting and accounting fraud. Do they work for books-and-records expectations around the Foreign Corrupt Practices Act? Yes, although you have to beware of materiality thresholds: What’s material for corporate financial statements (a few percentage points of a line item’s total value) will generally be much larger than a bribe that could lead to FCPA enforcement.

The greater problem with the SEC’s definition is that it applies to financial concerns only. It won’t be much help to define internal control for, say, cybersecurity, harassment or reputation risk — although effective internal control is crucial for all three.

COSO, meanwhile, has this definition from its internal control framework:

A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations

Marks’ definition clearly descends from COSO’s concept. COSO’s definition is more versatile than the statutory definition in the Exchange Act. Still …

Useful elements

What I like about Marks’ definition is that it frames internal control as interlocking activities — that is, multiple steps the company takes, all reinforcing each other to reduce a risk to some acceptable level. That’s something compliance officers can easily grasp. Especially if you are, say, rolling out a new policy stressing ethical values, while implementing new documentation requirements for approval of overseas intermediaries and training employees on the importance of using the whistleblower hotline. All of those things are supposed to work together toward a single goal: reducing your company’s FCPA risk.

Marks also stresses the importance of properly designed policies and procedures. That point matters, especially to compliance officers who come from a legal background and might not be as versed in control design as someone from an audit background.

We use shorthand phrases in ethics and compliance all the time, “internal control” perhaps more than any other. It’s good to know what that phrase actually means before we go putting it to use in organizations all over the place.
Control: Noun or Verb?
corporatecomplianceinsights.com | 11