What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law such as Sarbanes-Oxley (SOX). Cristina Revelo said she would start out with some basic questions, such as “How often would something be manually approved? How often are controls skipped, what are the level of approvals that you have and what is your documentation? What are the reasons, and are you documenting how often a certain department is requiring those overrides?” While it could indicate that a company lacks a culture of compliance or that everything is an emergency, it might mean something else. It might mean that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous controls monitoring.

However, many compliance professionals, and particularly lawyers, think once a control is in place, it’s set in stone, and it’s there forever. This derives from the unfortunate fact that once again many compliance professionals and most lawyers do not understand internal controls. Yet, internal controls, much like the rest of a compliance program can and should be continually monitored and continually improved based on the information about such things as the number of overrides. Such a review can be evidence of a management problem or a culture of non-compliance at the organization. However, it could be that perhaps the controls need to be adjusted.

How do you assess and then update your internal controls? Companies should also think about updating and reviewing their controls at least annually. In this manner, they can identify any violations of their internal controls. It also allows a deep dive into any specific areas of control failures. Another approach would be more robust controls through greater monitoring of your controls. For example, you could review your controls quarterly to allow you to spot any trends that are moving in the wrong direction. You can even start out by having your compliance function perform a self-review of its controls and test exemplar transactions. This is not a full-blown audit but simply desktop testing to make sure controls are being properly followed. Once again, simply because there is a control override or excessive use of a compensating control does not mean something is illegal. It may mean that the control is not working as it was designed.

Revelo said it could be an instance of “too short an approval time period and employees need a little bit longer because depending on their industry or how business works. This also helps to both identify frustrations from employees where there is a control, but every time it needs to be executed, it is impossible for me to do, or it’s impossible for me to comply with it a hundred percent.” These quarterly reviews can then be collated into an annual report for review and assessment and the report can form the basis of an annual report to the Compliance Committee of the Board of Directors or even the full Board.

The key is to have a process for monitoring the controls and taking input, literally from each line of defense. If a control is overridden too often, you need to change it. If a control is ineffective, you can use that information to craft a new internal control. Internal controls are not static, but dynamic and, with proper oversight, you can set up internal controls and literally improve them with appropriate documentation. (Hint-Document, Document, and Document.)

Revelo emphasized that it is not simply identifying the issues but remedying them as well “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there you can conduct a root cause in that analysis as to why there was failure in a control or violation of a compliance procedure. Revelo concluded, “you need to really do that in an in-depth manner and then remediate.”