Corporate Compliance Insights

How to Integrate a Compliance & Ethics Program with a Control Framework

by Ron Kral
August 16, 2017
in Compliance, Ethics

Leveraging COSO’s Internal Control – Integrated Framework

Cultures may vary widely, but all organizations should be proactive about building and maintaining a culture of compliance. The COSO Integrated Framework provides extensive guidance on how to accomplish this. Ron Kral offers insights on integrating your company’s C&E program with a control framework.

While many organizations have a compliance and ethics program (Program) to prevent and detect criminal conduct, some struggle to weave it into their culture in a way that best protects them. A starting point is to thoroughly understand the minimum requirements defined in Chapter Eight, Part B of the U.S. Sentencing Guidelines (Guidelines), entitled "Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program," published by the U.S. Sentencing Commission. The Guidelines provide incentives to organizations that follow a structured foundation for self-policing their own conduct through an effective Program. Next is to integrate the Program requirements into a control framework, such as the Internal Control – Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Finally, the Program's expectations and controls need to be entrenched in the cultural fabric of the organization. This article offers an approach to addressing the Guidelines' minimum requirements in harmony with COSO's Internal Control – Integrated Framework (COSO Framework).

Minimum Requirements for an Effective Compliance and Ethics Program

Since 1991, the Guidelines have served as corporate America's blueprint for structuring effective programs to prevent and detect violations of law. Under the Guidelines, an organization that is convicted of a crime may be eligible for a reduced sentence if it had an "effective" Program in place at the time the crime was committed. The Guidelines define the minimum requirements for an effective Program, which include exercising due diligence to prevent and detect criminal conduct, as well as promoting an organizational culture that encourages ethical conduct. The Guidelines set forth the following seven minimum requirements for encouraging ethical conduct and demonstrating a commitment to legal compliance:

  1. The organization needs to establish standards and procedures (such as a code of conduct and appropriate policies and procedures) to prevent and detect criminal conduct.
  2. The governing authority (i.e., board of directors) must be knowledgeable about the content and operation of the Program and exercise reasonable oversight with respect to its implementation and effectiveness. In addition, high-level individual(s) must be assigned overall responsibility for the Program and specific individual(s) must be delegated day-to-day operational responsibilities. Those with day-to-day responsibilities must report periodically to the high-level individual(s) and, as appropriate, to the governing authority on the effectiveness of the Program. To carry out these responsibilities, individuals must be given adequate resources, appropriate authority and direct access to the governing authority.
  3. The organization must use reasonable efforts to avoid placing in a substantial authority position those whom the organization knew, or should have known through the exercise of due diligence, had engaged in illegal activities or other conduct inconsistent with an effective Program.
  4. The organization must take reasonable steps to communicate periodically and in a practical manner the Program’s standards and procedures throughout the organization, including training that is tailored to members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees and applicable agents of the organization.
  5. The organization must take reasonable steps to:
    1. Ensure that the Program is followed, including monitoring and auditing to detect criminal conduct.
    2. Periodically evaluate the Program’s effectiveness.
    3. Have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
  6. The organization must promote and enforce the Program consistently throughout the organization through appropriate:
    1. Incentives to perform in accordance with the Program
    2. Disciplinary measures for those engaging in criminal conduct or failing to take reasonable steps to prevent or detect criminal conduct
  7. After criminal conduct has been detected, the organization must take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s Program.

The Guidelines also call for the organization to periodically assess the risk of criminal conduct and take appropriate steps to design, implement or modify requirements of the Program to reduce the risk of criminal conduct identified through the risk process.

Wide Applicability

The Guidelines apply to all organizations – public or privately held, large or small. They apply to virtually every type of organization, including corporations, partnerships, associations, joint-stock companies, unions, trusts, pension funds, unincorporated organizations, governments and nonprofit organizations. The Guidelines do not distinguish between organizations by size, meaning organizations of all sizes and types are subject to the same Guidelines. However, scalability to organizational size is an important theme, as the Guidelines specify several times that "reasonable" efforts are expected. Specifically, the Guidelines state that "the formality and scope of actions that an organization shall take to meet the requirements of this guideline, including the necessary features of the organization's standards and procedures, depend on the size of the organization." Therefore, larger and more complex organizations are expected to have a more robust Program.

Integrating the Guidelines' Minimum Requirements with the COSO Framework

Once an organization has a clear understanding of the minimum requirements for an effective Program, it is wise to map those requirements to a control framework. In the U.S., the COSO Framework is by far the most widely used control framework. The COSO Framework defines five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 supporting principles. All "relevant" principles must be present and functioning in order to conclude that the associated component is present and functioning, which in turn supports a conclusion that the system of internal control is effective in achieving its objectives. The COSO Framework considers all 17 principles suitable for all entities, except in rare industry, operating or regulatory situations in which management has determined that a principle is not relevant to it. Refer to the COSO Framework's Executive Summary for an abstract of the framework, including the five components and the 17 principles.

While it should be evident that all five components and 17 principles are relevant to an effective Program, here are some logical connections using the core of the seven minimum requirements as a basis:

#1: The organization needs to establish standards and procedures to prevent and detect criminal conduct.

This one corresponds directly to COSO Framework Principle 1, which calls for demonstrating a commitment to integrity and ethical values by setting a tone at the top, establishing standards of conduct and evaluating adherence to them. Principle 1 is commonly considered the most important of the 17 principles, since it is the bedrock for promoting organizational values and ethical expectations.

#2: The governing authority must be knowledgeable about the content and operation of the Program and exercise reasonable oversight with respect to its implementation and effectiveness.

This second minimum requirement is closely aligned with COSO Framework Principle 2, under which the board of directors demonstrates independence from management and exercises oversight of the development and performance of controls, including those established under Principle 1 above. This is a big one, perhaps second in importance only to Principle 1. Without independent board oversight of executive management, who is left to hold the CEO and other executives accountable? A recurring theme in most major U.S. frauds since 2000 (e.g., Enron, WorldCom, HealthSouth, Tyco, Adelphia Communications) is the lack of effective independent board oversight of management. The largest category of fraud in dollar terms is financial statement fraud, so it is critical that effective oversight of top executives exists to help prevent and detect it.

#3: The organization must use reasonable efforts to avoid placing in a substantial authority position those whom the organization knew, or should have known through the exercise of due diligence, had engaged in illegal activities or other conduct inconsistent with an effective Program.

Continuing with the matching to the COSO Framework, minimum requirement #3 is addressed by Principle 3, which is the establishment of structures, reporting lines and appropriate authorities and responsibilities. The key is ample due diligence through onboarding efforts and ongoing professional skepticism to help ensure that only ethical persons lead the organization.

#4: The organization shall take reasonable steps to communicate periodically and in a practical manner the Program’s standards and procedures throughout the organization, including training that is tailored to members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees and applicable agents of the organization.

COSO Framework Principles 4 and 14 address minimum requirement #4. Principle 4 centers on competency enabled through training activities for all employees, agents and directors. Principle 14 addresses internal communications of objectives and responsibilities necessary for the proper functioning of controls, which are established through policies and procedures such as a code of conduct or conflict of interest policy.

#5: The organization shall take reasonable steps to ensure that the Program is followed, including monitoring and auditing to detect criminal conduct.

Good governance practices and controls on paper mean little if people and systems are not doing what they are supposed to do. Hence the importance of COSO Framework Principle 16, which calls for ongoing and separate evaluations to ascertain whether controls are properly designed and operating effectively. Monitoring activities assess whether the controls outlined in the five COSO components and 17 principles are operating as intended. An independent internal audit function often does much of the heavy lifting on this front.

Another aspect of this minimum Guideline requirement is to have and publicize a system whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation. This is often accomplished through an ethics/fraud hotline, which relates to multiple COSO Framework Principles, including Principles 1, 14 and 15 when extended to external parties such as customers and vendors.

#6: The organization must promote and enforce the Program consistently throughout the organization through appropriate incentives and disciplinary measures.

Incentives and disciplinary measures are a common topic of the COSO Framework, most notably in Principle 5 in holding individuals accountable and Principle 8 in considering the potential for fraud in assessing risks. People tend to perform as incentivized, and the lack of appropriate disciplinary measures will send a powerful cultural message that people will likely get away with fraudulent behaviors.

#7: After criminal conduct has been detected, the organization must take reasonable steps to respond appropriately.

This one is similar to minimum requirement #6 in that it involves disciplinary action, in this case after the misconduct is detected. In addition to COSO Framework Principles 5 and 8, Principle 1 comes into play in addressing ethical deviations in a timely manner. Principle 9 also applies, through assessing the impact of the criminal conduct in terms of control changes that should be considered to better prevent future frauds and perhaps to identify them more quickly.

Evaluation of Programs

The Fraud Section of the U.S. Department of Justice's Criminal Division (Fraud Section) published a list of sample topics and questions entitled Evaluation of Corporate Compliance Programs in February 2017. It provides thought-provoking questions, including on risk assessment and risk-based training. The publication also includes questions on a wide variety of Program topics, including third-party management and M&A (merger and acquisition) integration. It is a must-read for insight into the questions the Fraud Section may ask in determining organizational culpability in the event your organization is a defendant in federal court. Considering these questions in conjunction with your Program and the COSO Framework is a worthwhile exercise.

Conclusions

While cultures will vary, healthy organizations must be proactive in developing and adhering to a Program that meets the Guidelines' seven minimum requirements. Applying the COSO Framework to a Program is not difficult, yet it is very useful in ensuring that the Program's effort ripples through the culture. Specifically, the components and underlying principles of control environment, risk assessment, control activities, information and communication, and monitoring activities are all critical to the ultimate success of a Program. Integrating Program requirements with the COSO Framework provides a strong basis for aligning objectives, risks and controls to best promote ethical behavior.

Don’t think of the COSO Framework solely as a regulatory tool to evaluate the effectiveness of internal control over financial reporting. Instead, think of it as a valuable framework for also addressing other reporting, compliance and operating objectives, including to prevent and detect fraud.

This is an article from the Governance Issues™ Newsletter, Volume 2017, Number 2, published on August 4, 2017.


Tags: Code of Conduct, Corporate Culture, COSO, Risk Management Frameworks

Ron Kral is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. Ron is a highly rated speaker, trainer and advisor. He is a member of 4 of the 5 COSO sponsoring organizations; the AICPA, FEI, IIA, and IMA. Contact Ron at Rkral@KralUssery.com or www.linkedin.com/in/ronkral.    
