In this blog post I conclude my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, (herein ‘the Illustrative Guide’) as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Activities and Information and Communication.
One of the things the Illustrated Guide makes clear is the inter-related nature of internal controls. Simply because there may be a deficiency in one specific Principle or even if controls are not present around such a Principle, a company can consider its overall internal controls to effect the principles. For the compliance practitioner I think this is significant because you may have one Principle present and function in the context of another Principle. An example from the Illustrated Guide is the situation where Principle 8, Assessing Fraud Risk is not present yet if other Principles such as Principle 3 Establishing Structure, Authority and Responsibility and Principle 5, Enforcing Accountability adequately address the issue from a control perspective then a deficiency is handled. At the end of the day, unless a major deficiency is noted, it is up to senior management to assess the “severity of an internal control deficiency or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and the components are operating together, and ultimately in determining the effectiveness of the entity’s system of internal control.” So this would also be true from the compliance internal control perspective.
I. Control Activity
Under the objective of Control Activity there are three principles which you will need to assess. The three principles are:
Principle 10 states that “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” Your entity must demonstrate that it integrates its compliance function around its risk assessment. You must demonstrate more than simply an ‘out of the box’ compliance solution but that your company has considered specific factors to it, including its relevant business processes, an evaluation of a mix of control activity types and consideration of at what level such compliance controls are applied. Finally there must be evidence that your company has addressed segregation of duties from the compliance perspective.
Principle 11 states that “The organization selects and develops general control activities over technology to support the achievement of the objectives.” Here a company must determine the dependency between the use of technology in business process and technology general controls. Then there must be evidence that it has established relevant technology acquisition, development, and maintenance process control activities over this technology. There must be evidence of the establishment of relevant technology infrastructure control activities and relevant security management process control activities.
Principle 12 states that “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.” This Principle management to put sufficient compliance policies and procedures in place to support the company’s anti-corruption compliance mandates and requires training of employees on these compliance policies and procedures with testing to determine the adequacy of such compliance training. It also requires evidence that sufficient incentives have been put in place for employees to follow the compliance regime with timely discipline administered for those employees who failed to do so. Finally it requires evidence of period re-assessments of the policies and procedures.
II. Information and Communication
This objective has three Principles that require assessment. They are (numbers follow the COSO Framework):
Principle 13 states that “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.” This means that from the compliance perspective you must identify information requirements for your compliance program and then capture that data via internal and external sources. If you cannot do so you must explain why you cannot do so. You must process the information and use it in your compliance function going forward and document that use.
Principle 14 states that “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” Under this Principle you must be able to demonstrate that your company communicates compliance internal control information with not only senior management but also appropriate employees and your board of directors. It re-emphasizes the need for separate lines of communications and there is documented consideration to show the reason for selection of the relevant method of communication.
Principle 15 states that “The organization communicates with external parties regarding matters affecting the functioning of internal control.” This Principle relates to your communications to third parties so you will need to demonstrate internal controls around your compliance communications with parties external to your company. You will also be required to show compliance internal controls inbound to your organization from third parties.
III. Monitoring Activities
The Monitoring Activities objective consists of two principles that require assessment. They are (numbers follow the COSO Framework):
Principle 16 states that an “organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” This requires you to have employees knowledgeable in your business processes who can review it on an ongoing basis. You must show that there is a compliance internal controls which, in an objective manner evaluates rates of compliance changes, with an understanding of the baseline and projected business changes. All of this must be integrated with business processes with appropriate adjustments in scope and frequency.
Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” Under this Principle you must be able to demonstrate that from the compliance perspective your results were assessed, any deficiencies were communicated to the appropriate parties and finally there was corrective action which was appropriately monitored.
I regularly say that the three most important about FCPA compliance is Document Document Document. I believe the COSO 2013 Framework puts that point into practice, particularly with the auditing requirement. As Ron Kral noted in his article, “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered” you must “Verify the adequacy of your documentation and alignment of controls to the 17 principles with the external auditors at key junctions and decision points. Also, consider involving your internal audit function in answering this question. Not only do you want assurance that your documentation of control design is adequately aligned, but also that the controls are operating effectively.”
The auditing process should also work to determine not only if your compliance internal controls are are properly designed, operating effectively but also that the five components are operating together. Kral believes that “This is the essence of any sound internal control evaluation. It’s not merely a matter of satisfying documentation and compliance requirements, but rather a matter of protecting the interests of shareholders.” To which I agree. By going through the auditing exercise, you will have created a framework to operate, assess and update your compliance internal controls to meet the ever-evolving nature of FCPA and other anti-corruption compliance programs.
