“When you say ‘more controls,’ you’re basically saying, ‘We trust you less.’ The biggest factor we miss when we talk about the implementation of controls is employee education. It’s equally important.” Кх Leslie Boles х¥ŧȔǽхOŧļƥǵƉŘļǠŧхǝļǠǵưŧǠ
on different days. So the company might have a policy that doesn’t take into account all these breakdowns in the operational process.” It’s yet another example of how compliance programs can look great on paper and still not work in reality. хɭưļƥхȕƺǠşхƺưхǵƉŧх humans There is one way in which hard controls, soft controls and corporate culture all come together. As we keep moving to a digitally transformed world full of ²ŁļĔČ²ļÕÑŖĔİăŤĔŖĴʞŖñÕİÕñ²İÑ controls are baked directly into business processes — that’s going to throw off data about the controls performance. Some manager somewhere in your organization will need to review that data about the control’s performance and decide whether everything is following the compliance program’s plan; or raise alerts when something isn’t. A successful management review control, however, rests on ļŖĔ²ĴĴŁČĭļõĔčĴʝʰɾʱļñÕČ²č²ëÕİ knows what anomalies he or she is ĴŁĭĭĔĴÕÑļĔĆĔĔăêĔİʨ²čÑʰɿʱļñ²ļ
&İõ˧ĔŁčëĔê;ŁõÑÕĭĔĴļĔĆŁļõĔčĴʞ who spent many years as chief ËĔČĭĆõ²čËÕĔêţËÕݲļ]||²İõʲĴʞ Q|\Ĕİë²čʞ²čÑĔļñÕİţč²čËõ²Ć ţİČĴʣ “There needs to be coordinated risk assessments, plus testing, priorities, scope and scheduling,” he says. For example, internal audit teams might only review compliance programs once every few years, or they may have a different set of priorities about which controls to review. And if you want to use internal audit more as ²čõčʴñĔŁĴ e consultant, helping to analyze business processes, some audit teams might get fussy about whether that undermines their independence. Boles says much the same. Internal audit teams typically have an audit plan and want to follow it, she says, but that plan might not connect to the company’s compliance risks or the chief ËĔČĭĆõ²čËÕĔêţËÕİʿĴĴÕčĴÕĔêŖñ²ļʿĴ important. Auditors struggle with diverse processes, she warns. Too often, “we don’t understand the process. It’s broken down by different areas, by different managers’ personalities,
So really, building an effective system of internal controls is about analyzing business processes and corporate culture and then deciding where to place which controls (hard or soft) for maximum effect. It’s a matter of studying business operations to identify where, and how, controls make the most sense. “If you don’t understand the barriers, obstacles and hurdles to achieve the objective of the control, then the control is not designed appropriately,” Marks says. cSʞĴĔñĔŖ˲čËĔČĭĆõ²čËÕ ĔêţËÕİĴÑĔļñ²ļʤ Working with internal audit This is where an internal audit function can be invaluable, since assessing business processes for risk and recommending improvements is what they do. As we keep moving into a highly regulated world, where internal controls will need to be embedded into business processes, collaboration between compliance and internal audit will become a more crucial ingredient for success. That can be easier said than done at large organizations, says
Cover story
corporatecomplianceinsights.com | 17
Made with FlippingBook Ebook Creator