compliance professionals learn from 20 years of Sarbanes-Oxley compliance? To explore that question, I talked with Brian Tremblay, who is a managing director at CFGI, a consulting firm that works on audit and compliance issues (among many other things). Tremblay previously held jobs as a corporate internal audit executive, compliance practice leader at a cybersecurity firm and Big 4 audit associate. Most importantly, he has plenty to say about effective internal controls.

Matt Kelly: Ethics and compliance officers often think in terms of “hard controls,” such as ERP systems blocking payments to third parties that haven’t been properly onboarded, and “soft controls,” such as tone at the top, policies, codes of conduct and so forth. Do you, coming from the audit side, see internal controls in the same way?

Brian Tremblay: I agree with the concept of hard controls and soft controls, although I might say that “hard” controls are “technical” controls, where technology enforces them, and “soft” controls are tone at the top and whistleblower hotlines and all those things that most companies have. The other thing that came to mind, however — the thing that sits between hard controls and soft controls — are review controls.

MK: What do you mean by that?

BT: That’s where somebody, some individual, has the responsibility to look at the performance of a hard control — a report or something like that, for example — to make sure that the outcomes are what the company is expecting. So you have a hard control producing a result, or a person performing a control, and you also have somebody else reviewing and making sure that those controls work appropriately. That can be someone responsible for tone at the top,
Matt Kelly + Brian Tremblay
corporatecomplianceinsights.com | 21