IT’S ONE THING TO DRAFT POLICIES intended to keep your company on the straight and narrow. It’s quite another to ensure that everyone from the corporate suite to the mailroom puts them into action. Somehow you have to know what is actually going on inside your enterprise.
For some executives the terms “control activities” and “monitoring” are cumbersome and misunderstood, especially when the focus is on theory. Moreover, implementing technology to automate these aspects of a compliance program seems confusing and costly. In practice, however, these concepts are quite simple, and the application of technology can drastically cut near- and long-term costs while driving superior program performance.
Control activities ensure that necessary actions are taken to address risks within a company. They occur throughout the organization, at all levels and in all functions, including activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. In essence, controls help you prevent the things you don’t want to happen, and detect problems early so that you can take the appropriate action.
EFFECTIVE CONTROLS
There are two types of controls: preventive and detective. To illustrate the difference, take the example of a $1.5 billion global chemical company:
Our chief compliance officer is focused on Foreign Corrupt Practices Act risks, especially the risk of bribing foreign officials, and on the extensive record-keeping and accounting requirements that facilitate compliance. Given the countries into which our chemical company is expanding, there is a high likelihood this risk will materialize, and the consequences are dire. Knowing that the materiality threshold for an FCPA violation is ostensibly zero, the CCO employs a suite of preventive and detective controls.
Once controls are implemented, monitoring them is critical. Monitoring ensures that the controls continue to operate effectively and that the risks they are designed to mitigate have not significantly changed. It also helps meet external reporting requirements.
Ideally, companies should monitor their programs continuously so that they learn of any weakness in the system as soon as possible. However, because of cost and complexity, most organizations rely instead on periodic evaluations of the program, such as annual (in the case of Sarbanes-Oxley) or bi-annual audits.
But relying solely on periodic evaluations is a risky proposition. Without ongoing monitoring, management is slow to find out when something goes wrong; fines and penalties compound as undetected offenses continue; and the impression grows that compliance and control are not continuous concerns of the organization.
Automation can be the solution.
FAST, CHEAP AND AUTOMATIC
There are many advantages to automating control activities. Perhaps the most significant is speed.
Because there is little, if any, lag between the occurrence of an event and its automated detection, management is notified immediately. For some legal risks, such as violation of antitrust provisions, weeks, days and even hours can mean the difference between receiving credit for self-reporting and being treated as just another party to the collusion.
Another attribute is enforcement. Unlike words on paper or a website, preventive controls embedded within business systems cannot be ignored and are not subject to interpretation. If, for example, access controls are configured properly, it becomes very difficult for unauthorized users to reach applications at all. Although there are always ways to circumvent security schemes, embedded controls are typically more effective than a handwritten policy taped to the monitor (which, in all seriousness, was a control put in place at a company I will not mention by name).
Well-designed automated controls have the added benefit of being both a control activity and a monitoring activity. Because the control records each action it allows or blocks, it has “built-in testing”: it produces its own evidence of operation, which serves as documentation and saves significant time and expense for both internal and external auditors.
SCOTT L. MITCHELL IS THE CHAIRMAN AND CEO OF OCEG. WWW.OCEG.ORG