The compliance and audit community has pored over PCAOB inspection data on audit firms for five years now. What does the data really tell us? This week Compliance Week begins a special series looking at the insights the inspection process can give—starting with how much value the disclosure of “deficiency rates” brings at all. “Does it mean the profession has gotten worse or the PCAOB has gotten better?” asks Joe Carcello of the University of Tennessee. Inside, a look at the rise and fall of audit failure rates.
The crash of Germanwings Flight 9525 demonstrates one of the most difficult choices in risk management that businesses, policymakers, and society ever have to make: how to deal with people like Andreas Lubitz, the troubled co-pilot who deliberately crashed the plane—how we identify, and then what we do about, individuals who could cause enormous damage to others. Compliance Week editor Matt Kelly has more inside.
Few companies so far have addressed the audit requirement in the SEC’s Conflict Minerals Rule, although that will likely change as the June deadline for second-year filings approaches. The good news: the audit doesn’t actually assess whether you did a good job or not, says Michael Rohwer of the Conflict-Free Sourcing Initiative. “It is really only auditing whether your program comports to the framework.” More inside.
The National Labor Relations Board has issued an extensive piece of guidance on what makes a company policy lawful or not, covering everything from employees making disparaging comments (often can’t be forbidden) to talking with the media or regulators (forget about forbidding it) and much more. “The memo is intended to put the NLRB’s position all in one place,” says Steve Lyman of the law firm Hall Render. Details inside.
A final rule from OSHA has smoothed the path for employees to file whistleblower retaliation claims under the Sarbanes-Oxley and Dodd-Frank acts and put companies in a more difficult spot to defend themselves. “The final rule reinforces that these types of anti-retaliation provisions are here to stay,” says Daniel Turinsky of the law firm DLA Piper. More inside about the current state of “whistleblower risk” and how to respond to it.
As the regulatory focus on data security expands, companies that offer customer loyalty programs should review them for red flags. How the data is stored, protected, and segmented is ripe for scrutiny, experts warn. Poorly designed loyalty programs could run afoul of antitrust laws, torpedo a merger, violate HIPAA, or lead to class-action lawsuits, to name just a few risks. More inside.
One criticism of the Three Lines of Defense model is that it dwells too much on risk mitigation, and too little on risk opportunity. If you connect the Three Lines model to the COSO framework for internal control, however, a more elegant appreciation of risk management emerges. Inside, columnist Jose Tabuena describes how the role of objective-setting in the new COSO framework can be applied to complement the Three Lines of Defense, to address both risk avoidance and value creation.