No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe
No Result
View All Result
Corporate Compliance Insights
Home Featured

Effective Auditing and Monitoring: Evaluating Internal Controls at “CAMP”

A Guide to Avoiding Compliance “Bear Traps,” Part 5

by Jim Nortz
June 4, 2020
in Featured, Internal Audit
compliance monitoring and assistance program with silhouette of forest at bottom of image

Jim Nortz details the development and implementation of a highly successful Compliance Assistance and Monitoring Program (CAMP) used to evaluate internal controls – while enabling compliance to make friends along the way.

A Monster That Had to Be Tamed

Several months after we launched the sales and marketing codes and completed our initial live training sessions at Bausch & Lomb, our internal audit team supplemented their routine, countrywide anti-corruption audits with an examination of the existence and adequacy of internal controls mandated by the codes. In so doing, they employed their standard auditing protocols. They reviewed the country’s books and records, interviewed employees and evaluated the adequacy of internal controls. Pursuant to longstanding company policy, when the auditors found control weaknesses or possible violations of the law, they were instructed by the law department to withhold such findings from country managers and immediately report to senior management at company headquarters.

The first two audits conducted in China and Spain did not go well. In both cases, the internal audit team found that many mandatory sales and marketing code controls were either inadequate or nonexistent. They also discovered potential violations of industry ethics standards and the law. After calling headquarters and sounding the alarm, the CEO, CFO and General Counsel scheduled conference calls with the country managers to discuss the findings. Understandably, the country managers were furious about being blindsided and having to defend themselves and their operations to senior management without having had the opportunity to first discuss the issues directly with the audit team. They were also anxious about keeping their jobs, which heightened tensions in a way that was not productive. This resulted in many lengthy and emotionally charged telephone conferences between country management, the audit team and senior executives.

After devoting weeks to addressing the audit findings in Spain, our CEO asked the compliance department to intervene and “fix” these audits to avoid the havoc they caused. I was put in charge of making this happen.

Building Our CAMP

I commenced the work our CEO commissioned by drafting a detailed project charter, stating that our purpose was to:

  1. Supplement compliance audits by providing company management a broader, more comprehensive view of the current state of key compliance controls in company operations around the world;
  2. Assist country management in implementing effective compliance controls where such assistance is required; and
  3. Monitor key compliance control performance over the long term.

For several months, I led a multidisciplinary team comprised of compliance department professionals, internal audit staff and business executives to develop an audit protocol to achieve these objectives in a manner that was more productive and less contentious than past practices. The end product of this initiative was an audit protocol and a collection of supporting documents we dubbed the Compliance Assistance and Monitoring Program, or CAMP.

The CAMP audit protocol included detailed instructions regarding:

  • planning;
  • pre-fieldwork data gathering and conference calls;
  • fieldwork;
  • audit techniques;
  • sample sizes based on the frequency of control activities;
  • audit documents and templates that included:
    • a country self-assessment,
    • review procedures,
    • a scoping and testing plan template,
    • an audit report template and
    • an audit team debrief template; and
  • post-fieldwork activities

Going to CAMP

All CAMP audits began by assembling the audit team and developing a detailed plan defining, roles, responsibilities and a timeline. We then notified country management of the pending audit and sent them a self-assessment tool that listed mandatory control elements associated with each section of the sales and marketing code, asked country management to indicate whether the control element existed and offered an opportunity to provide comments if desired. We also requested documents associated with the controls. After receipt of these materials, we scheduled a series of conference calls with members of the country management team. Taking all this information into account, the audit team developed a game plan for the fieldwork.

During the first week of fieldwork, the internal audit team reviewed the country’s financial records with the assistance of local auditors from a public accounting firm. The auditors prepared a summary of their findings that they shared with my team and I when we arrived in country at the beginning of the second week. For the following two weeks, the internal audit team and the compliance team reviewed documents and interviewed members of country management. This work culminated in a draft audit report that we completed while in country before the end of the third week, detailing our findings and recommended corrective actions.

The CAMP audits we conducted in India and Italy were spectacularly successful. They revealed many opportunities for improvement and, at the same time, achieved a consensus between country management and the corporate office on a timeline for completing specified corrective actions. In both cases, instead of causing turmoil, the audits generated trust and a productive partnership between the audit department, compliance department and country management.

The Secret CAMP Sauce

The primary reason the CAMP approach was so successful is that we worked hard to treat our colleagues with respect. At the beginning of the audit process, we set the tone by explaining to country managers that we understood that the sales and marketing codes were new and that the company had not provided them the resources to develop and implement required controls. We postured ourselves not as policemen bent on finding and punishing wrongdoing, but instead, as colleagues intent on lending a helping hand.

When we found internal control deficiencies, we did not pull any punches. But instead of being critical, we worked with country management to think through how to implement corrective actions. In some cases, we temporarily halted the audit work, rolled up our sleeves and helped country management build needed controls while we were in their offices.

Consistent with our commitment to treat our colleagues respectfully, we also abandoned the “hide the ball” approach internal audit had been required to use in the past. Instead, we took pains to be completely transparent with the country manager and their teams regarding our findings at every stage of the process. This approach helped build trust and significantly reduced the anxiety for the auditors and country managers alike.

When we completed our draft audit report near the end of the third week, we scheduled a meeting with country management to review every word to ensure accuracy and to reach a consensus on the findings and planned corrective actions, completion deadlines and a monitoring schedule to track progress. We also added a new section to our audit reports to applaud country management for any best practices they had that should be replicated elsewhere.

Taking CAMP from Retail to Wholesale

As may be apparent from the description of the CAMP process, it is resource intensive. As a consequence, we only had the capacity to perform four CAMP audits per year, yet we had direct sales operations in over 40 countries around the globe. To remedy this problem, we partnered with the head of finance and accounting in our Asia-Pacific region to develop and implement an in-depth training program for all finance and accounting professionals in the region to help them understand the controls mandated by the sales and marketing codes. We also conducted a “red flag” awareness training session to help them recognize the signs of corrupt business practices by company personnel and third-party intermediaries.

Following this training session, we provided each country finance executive a detailed self-assessment that they completed and returned to the corporate compliance and audit departments. These data were consolidated into a single spreadsheet that gave us a comprehensive, regionwide view of the status of critical internal controls. We were then able to use these data to focus our resources on assisting countries with weak controls and to prioritize audit targets for the following year.

Thus far in this series, we have focused attention on the various elements of a comprehensive compliance program to avoid the “bear traps.” As may be self-evident, these program elements are essential to enable compliance. However, they are insufficient by themselves to ensure compliance. To do this, you must build and sustain a strong ethical culture. This will be the focus of the sixth and final part of this series.


Tags: Internal ControlsMonitoring
Previous Post

Assessing Conflict of Interest Compliance Programs

Next Post

Thomson Reuters Survey: Corporate Tax Departments Must Automate to Achieve Necessary Efficiencies

Jim Nortz

Jim Nortz

Jim NortzJim Nortz is Founder & President of Axiom Compliance & Ethics Solutions LLC, a firm dedicated to driving ethical excellence by helping organizations implement effective compliance and ethics programs. Jim is a nationally recognized expert and thought leader in the field of business ethics and compliance with over a decade of experience serving multinational petrochemical, staffing, business process outsourcing, pharmaceutical and medical device corporations. Jim spent the first 17 years of his career as a criminal and civil litigator and Senior Corporate Counsel before becoming Crompton Corporation’s first Vice President, Business Ethics and Compliance in 2003. Since then, Jim has served as a compliance officer at Crompton and for five other multinational corporations, the most recent of which was as Chief Compliance Officer at Carestream Health. Jim has extensive experience in implementing world-class compliance and ethics programs sufficiently robust to withstand U.S. Department of Justice scrutiny. Jim is a frequent guest lecturer at the University of Rochester’s Simon School of Business, RIT’s Saunders School of Business, St. John Fisher College, Nazareth College and other law schools, universities and organizations around the country. Jim writes the monthly business ethics columns for the Association of Corporate Counsel Docket magazine and the Rochester Business Journal. Jim is a National Association of Corporate Directors Fellow, a member of the International Association of Independent Corporate Monitors and serves on the Board of Directors of the Rochester Chapter of Conscious Capitalism as the Board’s Secretary and Chair of the Governance and Nomination Committee. Previously, Jim served on the Board of Directors for the Ethics and Compliance Officers Association and the Board of the Rochester Area Business Ethics Foundation.

Related Posts

joining forces

Why ESG Programs Should Make Internal Audit an Ally

by Kapish Vanvaria
November 30, 2022

Recent research shows internal audit functions are rarely involved in setting strategy for ESG or even in reviewing how goals...

DOJ increasing monitorships

DOJ Signals Expanded Use of Independent Monitors for Corporate Criminal Enforcement

by Womble Bond Dickinson
June 8, 2022

The DOJ indicates that it will increase the use of monitors in corporate criminal enforcement; what does that mean for...

Compliance and International Arbitration: Once Separate, Now Becoming Inextricably Linked

Compliance and International Arbitration: Once Separate, Now Becoming Inextricably Linked

by Kevin Abikoff, Laura Perkins, Jan Dunin-Wasowicz and Laura Vittet-Adamson
May 11, 2022

National and international arbitration venues and lower courts are now seeing corruption-related pleas, disclosures and settlement agreements introduced as evidence...

Best Guardrail Against Compliance Failures? Better Embedded Controls — Not More Training.

Best Guardrail Against Compliance Failures? Better Embedded Controls — Not More Training.

by Chris Audet
March 30, 2022

Gartner senior research director Chris Audet discusses compliance training’s shortcomings here, suggesting a well-designed framework of embedded controls can better...

Next Post
businesswoman at laptop using calculator

Thomson Reuters Survey: Corporate Tax Departments Must Automate to Achieve Necessary Efficiencies

Compliance Job Interview Q&A

Jump to a Topic

AML Anti-Bribery Anti-Corruption Artificial Intelligence (AI) Automation Banking Board of Directors Board Risk Oversight Business Continuity Planning California Consumer Privacy Act (CCPA) Code of Conduct Communications Management Corporate Culture COVID-19 Cryptocurrency Culture of Ethics Cybercrime Cyber Risk Data Analytics Data Breach Data Governance DOJ Download Due Diligence Enterprise Risk Management (ERM) ESG FCPA Enforcement Actions Financial Crime Financial Crimes Enforcement Network (FinCEN) GDPR HIPAA Know Your Customer (KYC) Machine Learning Monitoring RegTech Reputation Risk Risk Assessment SEC Social Media Risk Supply Chain Technology Third Party Risk Management Tone at the Top Training Whistleblowing
No Result
View All Result

Privacy Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2022 Corporate Compliance Insights

No Result
View All Result
  • Home
  • About
    • About CCI
    • Writing for CCI
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Career Connection
  • Events
    • Calendar
    • Submit an Event
  • Library
    • Whitepapers & Reports
    • eBooks
    • CCI Press & Compliance Bookshelf
  • Podcasts
  • Videos
  • Subscribe

© 2022 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT