Boles worries that too many compliance officers (new compliance officers in particular) err on the side of hard controls in their organization. They find a risk and impose a control to block it, without first pausing to consider whether a softer, more employee-friendly approach might achieve the same result without the uncompromising message that hard controls send. “They don’t embed themselves in the culture; they embed themselves in the job — and that’s the confusion,” she says.

Now we’re getting somewhere. The compliance officer embedding into the culture, controls that work to foster employee trust — that sounds a lot like the “culture of compliance” ideal that the U.S. Department of Justice and other regulators say they want to see.
“When you say ‘more controls,’ you’re basically saying, ‘We trust you less,’” says Leslie Boles, who runs healthcare compliance consulting firm Revu Healthcare and previously ran audit and compliance for WCP Healthcare. “The biggest factor we miss when we talk about the implementation of controls is employee education. It’s equally important.”

Boles raises a subtle but important point. Soft controls are more about fostering trust between employee and employer. They encourage the employee to behave in certain ways, with the implied threat of disciplinary action; but they still treat employees as part of the solution as the company strives toward its ethics and compliance objectives. Hard controls treat employees as, at least potentially, part of the problem.
Hard vs. soft controls

Compliance programs have two main control options, hard and soft. Hard controls consist of tangible processes, often automated, to force employees to follow certain laws, regulations or internal procedures. Soft controls, on the other hand, are more often behavioral, encouraging but not mandating certain behaviors.

Hard controls: Role-based access control; Encryption; Transaction monitoring; Physical security; Segregation of duties; Purchase limits; Multifactor authentication; Email filtering; Application whitelisting; Database activity monitoring

Soft controls: Code of conduct/code of ethics; Compliance training & awareness; Tone at the top; Peer support networks; Mentorship programs; Well-being at work; Performance evaluations; Employee assistance programs; Unconscious bias training; Integrity hotlines
16 | March 2024
Internal controls
CCI Magazine