Opinion on the cause of bad behavior in organizations can range between two extremes. The first is that there are people who are inherently bad and cannot be changed. The second is that people need good influences to guide them to do the right thing. Like most things in life, the truth is somewhere in between. Even the best compliance programs cannot always prevent rogue employees from breaking the rules

Still, while bad apples are a fact of life, it has become less credible as an excuse for harmful corporate behavior. Not only do regulators wonder why a compliance system failed, but why was it not detected sooner and/or allowed to continue as long as it did. Is it realistic to believe that a single employee could create a slush fund for the payment of bribes in an FCPA case, or that it was only a few engineers at Volkswagen who masterminded and implemented fraudulent emissions testing?

When questioned there have been bad actors who will confirm that no amount of compliance training would have stopped their behavior. Such individuals have admitted perceiving such training as a click-through annoyance that informs of process work-arounds that may be needed. While compliance training is essential, especially in highly regulated environments when the rules are unclear and confusing, it is clear that more is needed. 

Obviously internal controls are critical. Convicted fraudsters have also noted that greater controls and limits upon their discretionary and financial authority may have thwarted the illegal activity or at least have led to its earlier detection. Short of ensuring that your company only hires ethical employees (correct but useless advice), an effective compliance program can provide the broad oversight and the specific monitoring for a balanced set of controls that can more likely prevent major non-compliance.

What are internal controls?

Reviewing internal controls is what auditors do. But what exactly is an internal control? To the audit professional it seems to be a basic concept but the concept can be vague and ambiguous to the non-auditor.

How much agreement is there on the meaning of internal controls in your audit shop, company, and business partners? Experienced auditors recognize that if auditors, compliance, and other internal control professionals could not agree, then they could not readily explain controls to non-auditors. Stating that internal controls help the company and management meet its objectives is too broad and abstract. Simple examples can help; one often used is segregation of duties—the person who deposits the cash or pays the bills shouldn’t be the one reconciling the bank statement—a flaw that is still a common cause of company fraud.

Compliance “program” controls

Beyond the U.S. Sentencing Guidelines, there are standards and approaches available to the internal audit and compliance professional with regard to evaluating controls that specifically address the risk of violations of law and non-compliance. The following control frameworks and criteria are useful guides for evaluating the compliance program itself as a control:

Committee of Sponsoring Organizations (COSO) Integrated Control Framework

Sarbanes-Oxley Act (SOX) of 2002 and related SEC rules

Public Company Accounting Oversight Board (PCAOB) Auditing Standard No. 5 on Internal Control Over Financial Reporting

Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit

New York Stock Exchange (NYSE) and NASDAQ Corporate Governance Listing Standard Criteria

Each of these standards establishes criteria evaluating the compliance program and related controls from a particular perspective. The Federal Sentencing Guidelines were established to address what courts look for in determining whether organizations have exercised due diligence in the establishment of programs to prevent and detect violations of law (and have been adapted by prosecutors for deciding whether to charge an organization). The COSO Framework establishes criteria for internal control over financial reporting which form the basis of management and auditor obligations under SOX 404. And the NYSE and NASDAQ corporate governance listing requirements define certain control standards, such as audit committee independence, in greater detail.

It is reasonable to infer from these frameworks that compliance programs and controls are those that management establishes to prevent and detect violations of law. This would include company level controls for which prevention or detection of legal violations is a component objective (e.g., the audit committee, code of conduct, hotline, employee background checks, discipline, investigations, etc.), as well as more specific process level controls for which prevention or detection of non-compliance is a primary objective (e.g., technology in the claims submission process to detect erroneous codes and charges that can lead to violations of the False Claims Act).

The evaluation of a compliance program and compliance process controls is not a check the box exercise. Nor is it a purely qualitative narrative of observations impressions. It requires an approach and level of rigor that extends beyond a purely legal analysis. A systematic methodology with true metrics is needed.

Accountants and auditors are also familiar with guidance that is directed at reducing fraud risk. It is important to note that the control elements referenced in antifraud guidance bear a strong resemblance to the types of controls required under the federal sentencing criteria for an effective program to prevent and detect violations of law. Most large companies in the U.S. by now have designed their company-level controls based on the federal sentencing guidelines framework.

Effectiveness

In evaluating any particular element of internal control over compliance, it is important remember that the overarching requirement is effectiveness. The prevailing question when evaluating any control is whether it has been designed and implemented in a manner that achieves an optimum level of effectiveness. Essentially, no checklist or procedure can replace the sound professional judgment and skepticism required in forming an opinion on control effectiveness. Simply because a control element exists, one should not automatically conclude that it is effective. Conversely, just because a control element does not exist, one should not automatically conclude that the objective is not being met because other compensating controls may be relevant. Ultimately, the evaluator is responsible for reaching any conclusions on control effectiveness.

In evaluating the compliance program and related controls, particular types of control weakness may be identified. The PCAOB audit standard on internal control provides a useful context and defines these weaknesses as follows:

A control deficiency exists when the design or operation of a control does not allow management or employees, in the course of performing their assigned functions, to prevent or detect misstatements on a timely basis.

A deficiency in design exists when (a) a control necessary to meet the control objective is missing or (b) an existing control is not properly designed so that, even if the control operates as designed, the control objective is not always met.

A deficiency in operation exists when a properly-designed control does not operate as designed, or when the person performing the control does not possess the necessary authority or qualifications to perform the control effectively.

Compliance process controls

In the Three Lines of Defense Model, each line of business owns the risks inherent in its operations and is accountable for maintaining effective internal controls to safeguard the company. Risk and control functions (the second line), including compliance, support the ongoing monitoring of the design and operation of controls in the first line of defense. Compliance provides advice and facilitates risk-management activities in the Second Line including monitoring specific risks such as noncompliance with applicable laws and regulations.

Internal audit in the third line then evaluates elements of the internal control framework, which includes: the control environment (such the compliance program) and the effectiveness of oversight over compliance with laws, regulations, policies, and procedures.

However, internal auditors should maintain professional judgment and not go overboard on recommending process controls. Commentators have observed that SOX led to an onslaught of internal controls over financial reporting as the centerpiece of audit, compliance, governance, and risk management programs, but many controls have proved to be mostly ineffective. Brian Barnier with ValueBridge Advisors has pointed out that these controls, “are difficult to implement, maintain, and use and often don’t work.” They can even be harmful, Barnier adds, since they can offer a false sense of security.

Management override of internal controls

Delegation of duties policies and authorization rules can prevent fraud and other violations by requiring higher levels of management approval for larger expenditures. A basic example is the ability of an employee to create a vendor in the payable system—an accounts payable individual should not have the authority to create a new vendor without approval from a manger at least one level higher in the organization as a control against fraud.

But even when internal controls may appear to be well-designed and effective, those that are otherwise effective can in the end be overridden by management. When the opportunity to override internal controls is combined with powerful incentives to meet financial objectives, senior management may engage in fraudulent and unethical behavior. Many major corporate frauds have been perpetrated by intentional override by senior management of what might otherwise appear to be effective controls.

A useful resource for the internal auditor and compliance professional is the publication Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention, from the American Institute of Certified Public Accountants (AICPA). The guide is intended to facilitate the audit committee’s consideration of the risk of management override of internal controls.

Notably, the publication includes as fraud deterrents, an appropriate tone at the top, implementation of a code of conduct/ethics, training programs, expanded auditing and reporting on the effectiveness of internal controls, and enhanced penalties. Sounds familiar? Much of the guide is an abridged version of the Federal Sentencing Guidelines and the criteria of an effective compliance program.

The AICPA outlines several actions an audit committee can take actions to address the risk of management override of controls that is also useful in assessing a compliance program:

Maintaining Skepticism – The auditor should consider control assertions made by management, and the potential reality behind those assertions—e.g., The CEO enforces reinforces ethics and culture in key speeches, but employees in the trenches are told to “do whatever it takes” to meet unrealistic targets, etc.

Strengthening Understanding of the Business – A solid knowledge of the industry and business forms the foundation for effective oversight. For the auditor, a deep understanding of business processes and relevant controls aids in analyzing in whether it works or not.

Brainstorming to Identify Fraud Risks – This is akin to the regular compliance risk assessment expected of an effective compliance program. One way to consider high impact risks is through scenario planning, which can augment statistical models and help companies prepare for specific events.

Using the Code of Conduct to Assess Culture – The company can use the code of conduct as a benchmark for assessing whether the culture or “tone at the top” and management’s actions are those required to maintain the highest levels of integrity under pressure and opportunity for misconduct. The code also facilitates the reporting of inappropriate conduct by delineating the types of conduct the organization deems unacceptable.

Cultivating a Vigorous Whistleblower Program – The audit committee can assist in creating strong antifraud controls by encouraging the development of a culture in which employees view whistleblowing as a valuable contribution to a workplace of integrity.

Communications with the Compensation Committee – it is important for the audit committee (and management) to understand the performance incentives and possible unintended consequences that could lead to fraudulent conduct and violations of law.   

When considering the compliance program as a broad control and evaluating program elements, keep in mind the value of technical expertise. While internal auditors have expertise in the methodology of program evaluation (a valuable skill), subject matter expertise is just as important. It does occur that auditors miss a significant problem because the evaluation approach was structurally blind to the problem because members of the review team did not truly understand the details of “how it works.” And often technical folks are nudged outside their core expertise such as in audit and professional services team striving for high utilization of its staff. Have a fraud specialist on the team when auditing financial controls, and definitely have a compliance specialist when evaluating a compliance program.

The evaluation of a compliance program and compliance process controls is not a check the box exercise. Nor is it a purely qualitative narrative of observations impressions. It requires an approach and level of rigor that extends beyond a purely legal analysis. A systematic methodology with true metrics is needed.

Although a robust review of the compliance program and processes will not guarantee that an organization will prevent, deter, or detect all violations of law, it should result in more effective oversight of management and operations. Perhaps most importantly, it can help prevent the question following a major compliance failure as to, “Where was the compliance program?”