“Clearly the role of compliance officers is evolving,” says Jonathan Marks, a partner at BDO who has spent years thinking and writing about what internal controls should be able to do. “Designing business processes that incorporate compliance controls, so that you can identify violations — that requires a deep understanding of both the legal landscape and your organization’s operational framework.”

Oh. Is that all?

Striking the right balance of internal controls

Internal controls can be divided into types. In one camp are so-called “hard” controls (also known as technical controls), embedded directly into a company’s IT systems to prevent certain transactions from happening unless pre-defined conditions are met. For example, configuring your company’s accounting software to block payment to any third party that hasn’t submitted a complete set of due diligence documentation.

An obvious question arises here. Couldn’t — shouldn’t, even — companies rely on technical controls to enforce compliance standards? That is, you could combine extensive documentation requirements with technical controls in your company’s &| systems to choke off suspicious payments. Or you could block access to certain IP addresses to prevent cybersecurity attacks. Or you could decline to process transactions for customers that haven’t provided complete onboarding documentation.

The theme in all those scenarios (and others) is that compliance is boiled down to a binary state of affairs, which lets your IT system act as an automatic gatekeeper. In theory, that’s a neat idea; it’s scalable, auditable and cheaper than using humans.

On the other hand, too many technical controls make your business a miserable place to work. Employees spend more time chasing down documentation and approvals, rather than closing sales or developing products. When people sneer at the compliance function as the Department of No or a cost center — this is one of the reasons why.

“If you muck up the process, what ends up happening is that people override the internal controls,” Marks says. “There needs to be some balance there.”

That brings us to another group of internal controls: “soft” controls, such as a code of conduct, written policies, ethics training, internal reporting hotlines and the like. These controls are meant to encourage employees toward certain standards of behavior, although they can’t stop an employee from doing anything. Only hard controls do that.

The challenge, of course, is to figure out the right balance of hard and soft controls for your business and corporate culture.
corporatecomplianceinsights.com | 15