The major focus of discussions around internal control for the last several years has been on internal control over financial reporting (ICFR), especially for SOX compliance purposes.
But, ICFR is not the only compliance requirement organizations need to worry about — and ensure that their internal controls are sufficient to address.
In this post, I am going to discuss how I advise organizations to assess whether their system of internal control is adequate as it relates to compliance risk (i.e., the risk that they will fail to comply with applicable laws and regulations). I will summarize the process and then review two pieces of key guidance that supports the approach, one from the U.S. and one from the U.K. Finally, I will comment on how this is addressed in the latest draft guidance from COSO.
In my recent post,
How to Assess the System of Internal Control, I spelled out my overall process:
"An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories". (COSO Internal Controls Framework (ICF) updated 2012 draft, paragraph ¶86)
In order to achieve this, you need:
- Clearly defined objectives.
- A well-executed risk assessment that defines the risks to achievement of objectives.
- Definition (which is preferably formal) of the level of risk that management and the board are willing to accept.
- A combination of controls that provides reasonable assurance that the above-defined risks are within the above-defined acceptance levels.
- An efficient combination of controls.
Every reputable organization will have an objective to comply with applicable laws and regulations. They will be willing to accept only a minimal likelihood of failing to comply — and that is their acceptable level of risk. That takes care of items (1) and (3) above.
My process is to:
- Perform a risk assessment that defines the risks to compliance.
- Identify and assess the adequacy of the combination of controls that provides reasonable assurance that compliance risks are at an acceptable, minimal, level.
In other words, I follow the same process as I do for all other categories of objectives and risks. For each area of compliance, I identify what could happen that would lead to non-compliance, and then I identify the combination of controls that provides
reasonable assurance that the likelihood of non-compliance is minimal. It is not possible to obtain
perfect assurance, because we are always subject to human error and do not have unlimited funds with which to fund compliance programs. So, some minimal level of risk has to be accepted by the organization.
Official Guidance on Compliance
So, let's look at two pieces of guidance (the italics are added by me for emphasis).
The first is the
2011 U.S. Federal Sentencing Guidelines (PDF). These official guidelines instruct courts in the US how to sentence individuals and organizations that are found guilty of violating federal law. Chapter Eight – Sentencing of Organizations is relevant to our discussion, as it details how an organization can mitigate punishment for violations:
The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an
effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.
Section §8B2.1, explains what is considered "an effective compliance and ethics program":
(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall —
(1) exercise due diligence to prevent and detect criminal conduct; and
(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.
Such compliance and ethics program shall be
reasonably designed, implemented, and enforced so that the program is
generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.
The key for our discussion in this post is that the Guidelines require a
(c) In implementing subsection (b), the organization shall periodically assess the
risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.
The above is explained in the
Application Notes that follow the text:
To meet the requirements of subsection (c), an organization shall:
(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:
i. The nature and seriousness of such criminal conduct.
The likelihood that certain criminal conduct may occur because of the nature of the organization's business. If, because of the nature of an organization's business, there is a substantial risk that certain types of criminal conduct may occur, the organization shall take
reasonable steps to prevent and detect that type of criminal conduct. For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.
iii. The prior history of the organization. The prior history of an organization may indicate types of criminal conduct that it shall take actions to prevent and detect.
(B) Prioritize periodically, as appropriate, the actions taken pursuant to any requirement set forth in subsection (b), in order to focus on preventing and detecting the criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur.
(C) Modify, as appropriate, the actions taken pursuant to any requirement set forth in subsection (b)
to reduce the risk of criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur.
So, the U.S. Federal Sentencing Guidelines support my approach, which is to identify risks to compliance and assess whether the system of internal control provides reasonable assurance that those risks are at acceptable levels.
Now, let's turn to the
Ministry of Justice's Guidance to the U.K. Bribery Act of 2010 (PDF). The Introduction states:
As the principles make clear commercial organisations should adopt a
risk-based approach to managing bribery risks.
Procedures should be proportionate to the risks faced by an organisation. No policies or procedures are capable of detecting and preventing all bribery. A
risk-based approach will, however, serve to focus the effort where it is needed and will have most impact. A risk-based approach recognizes that the bribery threat to organisations varies across jurisdictions, business sectors, business partners and transactions.
Details are found in Section 7: Failure of commercial organizations to prevent bribery
A commercial organisation will be liable to prosecution if a person associated with it bribes another person intending to obtain or retain business or an advantage in the conduct of business for that organisation. As set out above, the commercial organisation will have a full defence if it can show that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing. In accordance with established case law, the standard of proof which the commercial organisation would need to discharge in order to prove the defence, in the event it was prosecuted, is the
balance of probabilities.
Note that last phrase: "balance of probabilities."
The UK guidance consists of six principles. The first, Principle 1, is "Proportionate Procedures" and states:
A commercial organisation's procedures to prevent bribery by persons associated with it
are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation's activities. They are also clear, practical, accessible, effectively implemented and enforced.
The Commentary section explains:
The procedures put in place to implement an organisation's bribery prevention policies should be
designed to mitigate identified risks as well as to prevent deliberate unethical conduct on the part of associated persons.
There are some who don't like the risk-based approach to ensuring compliance. I do, because resources are limited and perfect assurance is not possible.
Turning to the updated COSO ICF, you will not find much detail on how to assess the adequacy of the system of internal control as it relates to compliance risks.
- Paragraph ¶88 states that: "When internal control is determined to be effective, senior management and the board of directors have reasonable assurance, that the organization…..[c]omplies with applicable laws and regulations."
- Paragraph ¶103 includes the sentence: "Regulators, standard-setting bodies, and other relevant third parties may establish criteria for evaluating the severity and corresponding classification and reporting of deficiencies relating to external reporting objectives, operations, and compliance objectives." It continues with "The Framework does not prescribe such criteria, but recognizes and accommodates the authority and responsibility of those other parties that interact with the entity to issue such laws, rules, regulations, and standards for conducting assessments and classifications."
As we have seen from a review of two key pieces of official guidance, the regulators generally do not spell out in complete detail all the internal controls needed to satisfy them. That's not surprising, since every organization has different business practices, processes, and controls. Instead, a risk-based approach is recommended.
When I comment on the updated COSO ICF draft, I will recommend that this topic be revisited.
What do you think?
Do you agree with my approach? Can you point to where the regulators have defined what consitituted adequate internal control for compliance?