npliance IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION Auditing for

Transcription

1 IN 2008, MICROSOFT CORP. WAS FINED 899 MILLION EUROS (US $1.15 BILLION) BY EUROPEAN UNION REGULATORS for failing to comply with a 2004 antitrust order. The previous year, DaimlerChrysler paid a US $30 million fine for failing to meet U.S. federal fuel-efficiency standards. And that same year, York International Corp. agreed to pay US $12 million in connection with violations of the U.S. Foreign Corrupt Practices Act of In fact, media reports about companies incurring significant fines for regulatory noncompliance have become increasingly common. Today's organizations face greater regulatory scrutiny than ever before due to the proliferation of laws and regulations in number and complexity as well as increased regulatory oversight and audit activity. Companies with global Auditing for npliance SUSAN BURCH, CIA, CISA SENIOR MANAGER, INTERNAL AUDIT RTI INTERNATIONAL By auditing the organization's corporate compliance program, internal auditors can heip reduce regulatory violations and keep their board informed. 53 O K t M B t R ;(in» I N T E R N A L A U D I T O R

2 54 operations take on additional regulatory challenges, given their need to consider varying regulatory environments and cultures with different generally acceptable business practices. Because of the heightened risks associated with noncompliance, executive management and boards are under increased scrutiny not only from regulators, but also from customers, clients, stockholders, and business partners to ensure internal controls are in place to address compliance with laws and regulations. In response, many organizations are taking an integrated approach to implementing a regulatory compliance framework, which involves developing and establishing a compliance methodology, policies, procedures, and a training program. Responsibility for implementing such a framework generally falls on the chief compliance officer. Such an approach leads to myriad benefits, including corporate oversight and guidance for compliance activities, improved efficiencies and effectiveness, increased employee awareness of regulatory compliance requirements and issues, and the minimization or mitigation of legal, reputational, or financial risks. As part of their overall risk assessment, internal auditors should assess compliance risk and incorporate compliance auditing into their audit plans. One approach to auditing regulatory compliance is to test adherence to various regulations during each audit as it is conducted. Although this approach effectively assesses adherence to specific regulations, it does not provide executive management or the board with an enterprisewide view of the organization's compliance infrastructure. A better approach is to conduct a comprehensive entity-level audit of the organization's corporate compliance program. If an organization does not have a formal corporate compliance program, internal auditing can be a catalyst for the development of one by auditing compliance activities, identifying gaps, and recommending ways to improve efficiencies and make compliance activities more effective. KEY PROGRAM COMPONENTS There are several internal control frameworks that can help organizations implement appropriate internal controls to ensure compliance with laws and regulations (see "Common Internal Control Frameworks" on page 55 for an overview INTERNAL AUDITOR DECEMBER 2008 of some of the more widely used frameworks). An organization's management should select a framework or combination of frameworks that is best suited to its business based on industry, size, complexity, culture, and global reach. For example, an organization may select The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control-Integrated Framework as a guide in establishing a compliance program. COSO's rriodel includes an objective to ensure compliance with laws and regulations. Beginning with the control environment, the organí2ation would define its integrity and ethical values in a code of conduct as well as define authorities, responsibilities, and organizational structure. The organization would also conduct a compliance and/or fraud risk assessment as part of an overall enterprisewide risk assessment. Control activities would be developed and implemented to help ensure compliance, and regular communication channels would be established to inform employees and management about the organization's state of compliance. Additionally, monitoring mechanisms, such as regular compliance reviews, would be implemented and results reported to management. Regardless of the framework used, several key duties should be performed as part of the compliance Assign overau responsibility for overseeing compliance with established standards, policies, and procedures to a specific high-level individual within the organization, such as a compliance officer. Q Establish compliance standards, policies, and procedures to be followed by employees and other company representatives such as subcontractors, consultants, and vendors who are capable of reducing the possibility of regulatory violations. B Effectively communicate compliance standards, policies, and procedures to all employees and other company representatives. B Establish compliance training programs to ensure employees and other company representatives are aware of their compliance responsibilities. a Ensure substantial discretionary authority is delegated to trustworthy individuals, not persons whom the organization knew (or should have known through the exercise of due diligence) are likely to engage in illegal activity. s Maintain monitoring and auditing systems that are based on a compliance risk assessment and are designed to detect intentional or unintentional regulatory compliance violations by employees and other company representatives. a Maintain and publicize a whistleblower hotline and account whereby individuals can report potential regulatory compliance violations by employees and other company representatives confidentially and without fear of reprisal. a Consistently enforce compliance standards, policies, and procedures through appropriate, case-specific disciplinary mechanisms, including discipline of individuals responsible for the failure to detect a violation. H Take all reasonable steps to respond appropriately to violations that have been detected and to prevent future similar occurrences, including making any necessary modifications to the compliance program. Implementation of these key components should reduce the instances of noncompliance with regulations as well as reduce the impact to the organization should an instance occur. In addition, many regulatory agencies consider an organization's overall approach to compliance when assessing monetary fmes and penalties and may assess a lower fine if the organization has a strong corporate compliance program. TESTING THE PROGRAM Internal auditors should use a variety of audit techniques to test whether an organization has implemented an effective corporate compliance program and kept it up-to-date. The audit should include a review of formal policy, procedure, and program documents as well as interviews with employees, management, and relevant external parties such as consultants and vendors. Auditors should also conduct substantive testing on the following elements of the corporate compliance program to assess the program's effectiveness. ORGANIZATIONAL STRUCTURE AND ALIGNMENT Internal auditing should ensure that

3 A U D I T I N G FOR C O M P L I A N C E Common Internal Control Frameworks Internal Control Framework The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control- Integrated Framework Canadian Institute of Chartered Accountants' (CiCA's) Criteria of Control Framewotk (CoCo) The Basel Committee on Banking Supervision's Framewori< for Internal Control Systems Control Objectives for information and Related Technology (COBIT) international Organization for Standardization (iso) Standards for internal Control in the U.S. Federal Government Summary COSO's Internal Control - Integrated Framework was introduced in 1992 as guidance on how to establish better controls so companies can achieve their objectives with minimal surprises. COSO categorizes entity-level objectives into operations, financial reporting, and compliance. The framewori< includes more than 20 basic principles representing the fundamental concepts associated with its five components: control environment, risi< assessment, control activities, information and communication, and monitoring. Some of the principles include key elements for compliance, such as integrity and ethical values, authorities and responsibilities, policies and procedures, and reporting deficiencies. CoCo was introduced in 1992 with the objective of improving organizational performance and decision-making with better controls, risk management, and corporate governance. In 1995, Guidance on Control was produced and described the CoCo framework and defining controls. The framework includes 20 criteria for effective control in four areas of an organization: purpose (direction), commitment (identity and values), capability (competence), and monitoring and learning (evolution). The Basel Committee on Banking Supervision, which includes supervisory authorities from Belgium, Canada, France, Germany, Italy, Japan, Luxembourg, the Netherlands, Sweden, Switzerland, the United Kingdom, and the United States, introduced the Framework for Internal Control Systems in Regulatory compliance is an integral part of the framework. The five elements of internal control are: management oversight and control culture, risk recognition and assessment, control activities and segregation of duties, information and communication, and monitoring activities and correcting deficiencies. The effective functioning of these five elements is key to an organization achieving its performance, information, and compliance objectives. COBIT is an internationally accepted controls-based framework for IT governance that was first released by ISACA in COBIT has 34 high-level processes that cover 210 control objectives categorized in four domains: planning and organization, acquisition and implementation, delivery and support, and monitoring and evaluation. The framework guides an organization on how to use IT resources (i.e., applications, information, infrastructure, and people) to manage IT domains, processes, and activities to respond to business requirements, which include compliance, effectiveness, efficiency, confidentiality, integrity, availability, and reliability. Well-governed IT practices can assist businesses in complying with laws, regulations, and contractual arrangements. ISO has developed more than 16,000 international standards for stakeholders such as industry and trade associations, science and academia, consumers and consumer associations, governments and regulators, and societal and other interest groups. The ISO 9000 series focuses on quality management systems, including ensuring controls are in place to comply with applicable regulatory requirements. The ISO series focuses on environmental management systems, including complying with applicable environmental regulatory requirements. ISO 9001 (introduced in 2000) and ISO (introduced in 1996) have been implemented by organizations in more than 160 countries. The ISO series focuses on information security management systems. The series helps organizations establish information security standards that meet business needs while ensuring compliance with regulatory and contractual requirements. The U.S. Government Accountability Office issued the Standards for Internal Control in the Federal Government in The standards provide guidance on assessing risks and internal controls in programmatic, financial, and compliance operations. They are similar to COSO's 1992 framework. DECEMBER 2008 INTERNAL AUDITOR

4 responsibility for oversight and stewardship of the corporate compliance program is assigned to a chief compliance officer or other appropriate high-level individual who reports to executive leadership. To administer an effective corporate compliance program, the chief compliance officer must have adequate internal staffing and external resources, a depth and breadth of regulatory compliance knowledge and experience, executive management support, and clear and direct access to senior leadership. The chief compliance officer should consider establishing a corporate compliance committee that includes representation from: Internal auditing. Finance. Human resources. Regulatory compliance. Quality assurance. IT. Environmental health and safety. Legal and ethics. Contracts and procurement. Risk management. Corporate security. Operations. The committee, under the direction of the corporate compliance officer, would oversee and administer the corporate compliance program and framework, including developing a charter for the corporate compliance committee, defining goals and objectives of the corporate compliance function, and determining the functional operating structure. The structure should be flexible enough to keep abreast of and address changes in regulations as well as support the organization from a regulatory compliance perspective when entering new markets or countries that represent new regulatory environments. Internal auditing should review the corporate compliance charter to ensure that it adequately defmes the role and responsibilities of the corporate compliance officer and corporate compliance committee. Internal auditing should also review corporate compliance committee meeting agendas and minutes to ensure meetings are held regularly and the goals and objectives of the compliance committee are being met. COMPLIANCE RISK ASSESSMENTS Internal auditing should ensure that the corporate compliance committee performs compliance risk assessments at least annually to identify the organization's level of exposure to compliance requirements specific to its business or industry. The committee should consider working closely with internal auditing and risk management to conduct the risk assessment to ensure a cohesive enterprisewide risk assessment process that minimizes disruptions to the operating business units. The assessment should then be used to identify which laws and regulations are relevant and have the greatest impact on the organization, and the compliance committee should ensure training courses to ensure employees are aware of their responsibilities for compliance with laws and regulations. Some corporate compliance committees also develop and implement separate compliance awareness campaigns. Internal auditing should review compliance training records to ensure employees have completed the required training. Auditors also should consider conducting interviews with a sample of employees who have completed the required compliance training to evaluate the effectiveness of the established training program. Internal auditors should review standards, policies, procedures, and tools used to aid regulatory compliance and ensure tiiey are appropriate to the organization's size and complexity. that there is a system of policies and procedures in place to address compliance with these laws and regulations. STANDARDS, POLICIES, AND PROCEDURES The corporate compliance officer and corporate compliance committee should work together to establish and implement standards, policies, and procedures to ensure compliance with applicable laws and regulations. The organization should have an overarching compliance policy along with procedures on how to comply with specific regulations. Many organizations implement automated solutions, such as a database, to help keep track of and disseminate information on laws and regulations. Internal auditors should review standards, policies, procedures, and tools used to aid regulatory compliance and ensure they are appropriate to the organization's size and complexity. Auditors also should ensure there is a process in place to keep the compliance standards, policies, and procedures updated and ensure any changes in regulations are disseminated to affected areas timely. COMPLIANCE TRAINING The company should provide mandatory compliance CODE OF CONDUCT Internal auditing should ensure the organization has developed and distributed an appropriate code of conduct that aligns with the organization's core values. The code should be reviewed periodically and updated as necessary. Employees should sign an agreement to abide by the code of conduct annually, and mechanisms should be in place to monitor whether all employees have completed the annual acknowledgement. Some organizations have implemented increasingly stricter consequences for not completing the acknowledgment. For example, an organization may elect to send reminder s to"^ delinquent employees and their managers, but if the employees still do not comply, consequences could escalate to disabling their accounts, preventing them from communicating as necessary to do their job until they complete the annual code of conduct acknowledgement. Some organizations also require subcontractors, consultants, and even vendors to adhere to a code of conduct. Internal auditing should perform substantive testing to determine whether management has implemented processes to ensure employees, as well as subcontractors, consultants, and vendors INTERNAL AUDITOR DECEMBER 2008

5 A U D I T I N G FOR C O M P L I A N C E if required are signing the code of conduct annually. WHISTLEBLOWER HOTLINE T h e code of conduct should also include provisions for reporting potential violations of the code to an anonymous hotline or account. Employees must feel free to report potential violations vvrithout fear of retribution. Many public and private companies, as weü. as government organizations, publish their hotline phone number and address so that vendors or citizens can report potential violations. Internal auditors should perform tests to ensure that calls and s are recorded in a database or log. They also should ensure that reports are kept confidential, directed to appropriate individuals to handle the investigation, and investigated and addressed timely. Reports made to the hotline or account should be grouped into categories such as confiicts of interest, employee relations, policies and procedures, and compliance with laws and regulations so they can be analyzed, tracked, and trended. INVESTIGATION POLICIES AND PROCEDURES The corporate compliance officer should ensure documented policies and procedures for ethics and fraud investigations are in place and can be carried out by qualified resources, either internal or external. In many companies, investigations are conducted by internal auditing. However, more complex investigations, such as those dealing with U.S. federal authorities or international authorities like Interpol, may require engaging corporate legal counsel and, in some cases, outside legal counsel. In these instances, representatives from corporate legal, corporate compliance, and internal auditing must work closely with outside resources to ensure a coordinated investigation. If an investigation results in the need for disciplinary action, an independent centralized group, such as legal or human resources, should review the recommended action to ensure consistency, fairness, and equity. Internal auditors should assess whether the organization has documented policies and procedures for conducting ethics and fraud investigations. Additionally, auditors should review workpapers and supporting documentation for a sample of ethics or fraud investigations to ensure cases were documented appropriately, necessary corrective actions were taken, and disciplinary actions were approved correctly. MONITORING MECHANISMS Internal auditing should ensure the corporate compliance committee has established methods to monitor or audit adherence to compliance policies and procedures. The organization should have a process to report the results of the compliance audits or reviews to the appropriate levels of management. The corporate compliance committee must have a process in place to develop corrective actions in response to identified compliance risks and internal control gaps and to monitor progress in completing the corrective actions. Internal auditing should review the corporate compliance committee's policies and procedures for conducting compliance audits to ensure appropriate audit coverage, sampling methodologies, and reporting requirements. Auditors also should review the results of compliance audits or reviews along with supporting workpapers to ensure significant items were reported correctly. Finally, internal auditing should review the corrective action plans to be sure management is addressing compliance risks timely. CONTRACTS AND PURCHASE ORDERS The procurement or purchasing department should incorporate appropriate clauses addressing regulatory compliance into contracts and purchase orders to ensure vendors, business partners, and agents comply with applicable laws and regulations. Contracts and purchase orders should have a "right to audit" clause to preserve the company's right to conduct compliance audits of the subcontractor, consultant, or vendor. Auditors should review contract and purchase order templates to ensure the appropriate "right to audit" clauses are in place. In addition, auditors should determine whether the corporate procurement or purchasing department conducts periodic reviews of vendor activities, and they should examine the procedures and results of such reviews. BACKGROUND CHECKS The organization should require thorough pre-employment background checks that, at a minimum, include criminal record searches, verification of education and certifications, and confirmation of any special requirements necessary for the position. Additional background checks for certain positions or departments such as verification of a valid driver's license, good credit, or medical history may be necessary depending on the position. Background check capabilities can vary depending on the citizenship and location of the individual. International organizations must develop flexible, robust procedures for conducting background checks. In some countries, background checks can take an extensive amount of time, and companies need to develop plans to accommodate these requirements. In addition to reviewing policies and procedures on background checks, auditors should perform substantive testing to ensure the background checks are being conducted according to prescribed policies and procedures. DESIGNATION OF RESPONSIBILITIES Adequate segregation of duties and well-defined delegations of authority are two key components of a strong corporate compliance framework. Internal auditing can play a significant role in helping management evaluate whether adequate segregation of duties exists and whether delegations of authorities have been defined and communicated clearly. In addition to reviewing policies and procedures, internal auditing should interview key staff and independently evaluate whether incompatible duties are segregated appropriately. Moreover, auditors should perform substantive testing to determine the effectiveness of the delegations of authority. A VALUABLE CONTRIBUTION Audit departments can add value to organizational governance processes by auditing the company's corporate compliance framework and program. If an organization has a robust framework and program, it has the foundation to ensure internal controls are in place to comply with laws and regulations. Auditing that framework not only promotes more efficient, collaborative compliance-related processes, but it also ultimately minimizes the instances of noncompliance, enables early identification of systemic issues, and gives executive management, the audit committee, and the board an enterprisewide view of the state of corporate compliance. To comment on this article, the author at susan.burch@theiia.org. DECEMBER 2008 INTERNAL AUDITOR 59

6