Notes on Effective Internal Controls
Last week I had the chance to moderate a webinar on an issue eternally flummoxing to compliance officers: building effective systems of internal control. We had great speakers who gave great advice, so as usual I took lots of notes to pass along to the rest of you here.
Let’s first appreciate why internal controls can be so challenging for compliance officers. When companies first started paying close attention to internal control 20 years ago (to comply with the Sarbanes-Oxley Act), the issue was very much reliable financial reporting. So corporate internal audit teams went about the business of building effective internal control over financial reporting.
Except, internal controls for financial reporting don’t always fit a compliance officer’s needs. One good example of this is the concept of materiality. If you’re a $3 billion revenue company, $300,000 is not a material amount of money and financial auditors won’t necessarily give such amounts much attention.
If that $300,000 is going to fund bribery payments every year, however, that is a huge FCPA risk. So compliance officers need to work with internal audit and anti-fraud teams to retro-fit financial reporting controls (or develop entirely new controls) for the compliance-centric world that has emerged over the last 20 years. That is seldom easy.
To make matters even more complicated, all this is happening while business technology has raced forward in ways we could barely contemplate when internal control first became a thing 20 years ago. So compliance officers have a second sea-change in the business landscape they need to traverse in addition to the first.
OK, enough history. Let’s get back to the webinar.
Management Review Controls
We spent a fair bit of time talking about how to build effective management review controls, since those controls are becoming more and more common. That is, if technology is enforcing the control itself (“no discounts granted to distributors or resellers until they submit complete documentation for the request”) automatically, then what that control really does is present exceptions for you the human to review (“How did our guy in Uzbekistan end up approved for a discount with no documentation?”).
OK, such controls are a fine idea, but that drives up the importance of managers actually engaging with the work and doing the review. So how do compliance officers assure that attention to detail actually happens?
First is training: managers will need to know what they’re looking at and why it might be suspicious. Second is more training, this time on ethics and good conduct: managers will have to, ya know, give a crap that their employees are violating the control.
This is an important point. If we want managers in the First Line of Defense to “own the risk,” then compliance officers will need to figure out some way to make those managers take their ownership seriously. For example, is there incentive compensation aligned toward ethics, or toward making sales? Because if it’s the latter, then they might turn a blind eye to your guy in Uzbekistan offering discounts without proper documentation.
Meanwhile, auditors — who, let’s remember, have the PCAOB breathing fire down their necks these days — might give you a harder time about what is actually being reviewed. They will want more documentation to prove that the manager actually is reviewing that outlier event, rather than just staring at the screen for a while before hitting “OK.”
Challenging? Yes. Then again, we are not going to un-invent ERP systems and automated controls. This headache is not going away.
Designing Internal Controls
I also asked our panelists about who should be involved in the design of internal controls. To a person, they all agreed that compliance officers should at least consult the employees in the First Line of Defense who will need to follow the control; and the earlier you bring affected employees into that conversation, the better.
Panelist Nick Gallo (co-CEO of Ethico) even likened the situation to taxation without representation: an act sure to leave the affected population unhappy and determined to work against it. Likewise, if you’re an employee just doing your job and an internal control suddenly falls onto your head from on high — a measure that effectively taxes your ability to do your job — you’re going to resent it and look for work-arounds.
What everyone (compliance, internal audit, business unit leaders) really needs is agreement on how the business process should happen. You can do that with techniques such as process mapping or flowcharts of some kind, which will let you fuss over internal control design until you get everything just right. Compliance officers just need to be sure they have all the right people in the room when said fussing begins.
Just imagine you have a bunch of sales executives at your company grumbling about limits on what they can offer clients. You want them to know that their manager participated in deciding to design the control this way. That defuses the “Why are we doing this?” question: “You’re doing it that way because your boss, whom you know, said this makes the most sense. It’s not just a control dropped off by the control fairy.” Make that point clearly and strongly.
Also, always be sure to ask two crucial questions. First, who will be accountable for this control not being executed properly? Second, who will be accountable for the control being overridden? Be clear on both answers; identify the specific role (manager, vice president, compliance officer, or anyone else) who will be accountable if something goes wrong.
And a Word on Artificial Intelligence
Our webinar panelists had a fair bit to say about artificial intelligence, including the notion that AI could ultimately be a big help with effective internal control.
For example, AI will probably make it easier to adjust your internal controls based on evolving levels of risk. Financial firms would love that as a way to, say, better manage liquidity risk in times of market volatility; hospital systems might use AI to manage patient safety protocols more precisely during disease outbreaks sweeping a large geographic region. Anti-corruption compliance officers might be able to use it to keep pace with rapidly changing sanctions risk.
Then again, those uses of AI will bring their own challenges, since compliance and technology teams will need to develop new controls over the AI itself as it manages other internal controls for you. That shift from human judgment to model management (which we’ve discussed in this blog before) will not be easy.