such as a senior executive; but in many cases it’s not.

MK: Let’s pull on that thread, because so often we see companies with a compliance program that looks great on paper, but employees disregard all the paper-based, soft controls. So what’s a better way to attack the problem: more attention to review controls, more technical controls, or something else?

BT: The paper program and soft controls are important because they share management’s view of the organization to the employee base; they reflect how the leadership team wants to run the business. On the other hand, I’m not sure what more we can ask of a technical control. For example, you could have a technical control to restrict changes to vendor bank accounts, so someone who doesn’t have permission to change vendor bank accounts but keeps trying to do so; or someone who makes one specific change for a valid reason — wouldn’t we like to know that has happened? Because maybe the accounting department employee is making a change at the request of a sales employee “for the sake of the business.” Maybe it’s fraud, maybe it’s not, but wouldn’t you want to know this exists so you can investigate? So if I were thinking like a compliance professional, my goals would be first, to make sure you have a strong base of technical controls, because that’s the starting point. You want a set of strong automated controls, so you’re reviewing exceptions rather than reviewing everything manually. But second, put a lot more scrutiny on the people who review the output of those automated controls.

MK: You just emphasized “a lot.” Clearly you believe this is important.

BT: It’s probably one of the single biggest areas where I’ve seen lack of attention to detail and even outright laziness — just checking the box and pushing something through. Failure of a review control is still failure of a control that might reasonably have detected a fraud, FCPA violation or some other compliance violation.

MK: Wouldn’t documentation requirements solve a lot of this? Meaning, the employee must submit enough documentation that the reviewer can’t ignore it, because the misconduct would stick out like a sore thumb?

BT: You’re making one huge presumption: that the manager doing the review has the discipline and competence to review all that documentation and flag the potential issue. Think of travel and entertainment fraud, for example. You can have an employee who might book an international trip, ask for and receive reimbursement and then never take the trip; they cancel the ticket and pocket the airline’s travel credit. Then that same employee books another long international trip, airfare plus hotel — and a smaller trip within that long trip …

MK: This isn’t a hypothetical, is it?

BT: No. This is an actual audit I performed years ago, where the employee committed at least one fraud with that first cancelled trip and questionable travel practices on the second trip. (Where the employee was flying around inside
“If I were thinking like a compliance professional, my goals would be first, to make sure you have a strong base of technical controls, because that’s the starting point. You want a set of strong automated controls, so you’re reviewing exceptions rather than reviewing everything manually. But second, put a lot more scrutiny on the people who review the output of those automated controls.”

Brian Tremblay, managing director, CFGI
CCI Magazine | Internal controls | March 2024