China as part of one long trip to China.) But this all happened because a manager just pushed all that paperwork through — and that’s what you can’t control. You can’t control somebody just pushing the button on an expense report and pushing it through. When I finally found it, it took me less than 10 minutes to spot the fraud, but this employee had been exploiting weak review controls for about 18 months.

MK: Let’s bring all this back to perhaps compliance officers’ top concern, violations of the Foreign Corrupt Practices Act. How would you, an auditor, look at an FCPA violation? What goes wrong with internal controls to let that violation happen?

[Interviewee]: Within Sarbanes-Oxley, there are guaranteed to be controls over access to the vendor master file, access to purchase orders, access to change the vendor master file or purchase orders and so forth. All these controls should be in place for any mature — and even an immature — [ERP, enterprise resource planning] software system. So I’d ask compliance professionals, what is the difference between an FCPA violation and a fraudulent payment made to a vendor? What’s different in the control set for those two risks?

MK: Nothing, right?

[Interviewee]: Nothing. In both cases, we’re talking about access to certain data, changes to certain data and procedures that may have been perfectly followed but ultimately that resulted in a payment to a third party or a government official that never should have been made.

MK: So how are compliance officers supposed to think about that? Should they be thinking, “Yikes, we have an FCPA violation, we need better policies and a stronger tone at the top,” or thinking, “Yikes, we need to redesign our access controls to the vendor master file?”

[Interviewee]: We need to step back and understand that the control set for a compliance violation is probably not that different — is probably identical, really — to the control set for SOX compliance, but nobody’s looking at transactions that would qualify as compliance violations through the lens of controls that should already be in place.

MK: OK, you lost me. Can you give a more tangible example?

[Interviewee]: Sure. It’s a lot like SOX compliance and cybersecurity. They would seem to be very different fields, but cybersecurity threats are trying to get improper access and make unauthorized changes to your systems. Well, IT controls for SOX are supposed to assure that only authorized users make authorized changes, which are then reviewed independently by someone else. It’s really all the same. FCPA, Sarbanes-Oxley, data privacy, cybersecurity — for all of them, you need to take a step back and say, “Do we have the robust access controls in place to manage these risks? And if we do, how do we review those technical access controls — and there’s our management review issue again — so that we can detect suspicious activities?”

MK: I’d still like an even more tangible example.

[Interviewee]: Say that a vendor name changes, and its location changes from the United States to somewhere in Asia. Clearly, you should have a control for when a whole third party changes jurisdiction. Well, SOX people have a control for vendor changes, but they’re not thinking about it from a jurisdiction perspective; SOX systems will just say, “Whatever, that’s not financially relevant. We only care about bank accounts or email addresses.” But changing a vendor’s whole country — that should throw up some other type of compliance flag even if it’s not financially relevant. All the while, however, somebody had to make that jurisdiction change, and somebody probably had to approve it. But the accounts payable team isn’t thinking about that from an FCPA perspective.

MK: How has thinking about internal control changed over the past 20 years, when we started with SOX compliance and financial controls, and now it’s so much more?

[Interviewee]: When SOX compliance first became a thing 20 years ago, technology was so different. You might have had a mainframe or central server with financial information, plus lots of non-technical information that was analyzed and reviewed. Now we have everything in the cloud, either your IT infrastructure or your own. Controls are changing to keep pace with that new technology — but they’re not changing fast enough. The technology has evolved in a way that controls haven’t. We have an enormous amount of controls that sit in finance and accounting.

MK: How should controls evolve?
Q&A: 20 years of SOX compliance
corporatecomplianceinsights.com | 23