Combining internal audits with anti-corruption compliance monitoring




Detecting illegal payments concealed in accounting records is a top priority both for internal audit and anti-bribery compliance. Corruption risk is a significant and growing concern for global companies. Many countries are passing and enforcing extra-territorial anti-corruption legislation, and tips to the authorities are increasing because of financial incentives. Improper payments are difficult to identify. They could be disguised as agent and third party commissions, fees and expenses. Other schemes may be more complicated such as inflated invoices, deceptive commission arrangements, and the use of a complex web of intermediaries, shell companies and bank accounts.


Specific anti-bribery controls, performed by the 3 Lines of Defense, should be proportionate to the risks created by each type of transaction. Compliance and internal audit should agree on the same risk factors and their assessment, so that their testing and monitoring scopes can be combined.


The bribery and illegal payment risks are usually linked to:
  • where the service is provided, the payment is requested, and the supplier is domiciled (e.g. countries with high perceived corruption or tax havens, new market sectors, offshore jurisdictions)
  • who is involved (e.g. public officials, small companies, new vendors, due diligence with comments/red flags, subcontractors, associations and JVs, requirements of associated persons)
  • what service is provided (e.g. consultancy, licenses, customs and shipping services, public procurement, complex or new projects, incentives and pressures to complete a project)
  • how the service is contracted and paid (e.g. the payment method, pre-determined flat fee, success fees, commission clauses, reimbursed expenses, deal type)



Risk mapping for corruption should balance "the where", "the who", "the what" and "the how". Many companies link their bribery risks only to high-corruption countries and overlook the broader environment of a transaction.



Both compliance and internal audit aim to develop effective financial and commercial controls to mitigate bribery risks, as well as money laundering and occupational fraud in general. Since the control objectives and the bribery risk map are shared, both areas can coordinate their actions to reach the same comfort level while remaining accountable for their specific responsibilities. Internal audit benefits from sharing its work programs with compliance, so that it can focus on key controls and avoid duplicated effort. Likewise, compliance benefits from receiving the audit reports and monitoring the remediation plans, so that it can refocus its program on areas of heightened scrutiny.



Compliance and Internal Audit may combine their reviews to detect illicit payments by separating the process into 3 stages: design, control efficiency and monitoring. The following chapters suggest ideas for a collaborative approach.


Testing the control design by Internal Audit

- Review of segregation of duties in approving new vendors, contracts, service receptions and payments, assuring the appropriate seniority of approvers and their effective counterbalance.

- Review of anti-corruption obligations in contracts with business partners and of the appropriate indemnity and warranty clauses.

- Ensure that the accounting staff is trained to book entries to the proper purchasing and payment categories and to add meaningful, clear descriptions. No auxiliary spreadsheet should support a global journal entry without disclosing itemized information about the service and the supplier.

- Ensure that the financial controllers are trained on the anti-bribery, travel and expense rules, on cash and bank controls, and on how to identify red flags.


Substantive testing for control efficiency by Compliance (reassured by Internal Audit)

- Test the effectiveness of the pre-contract due diligence, the verification of services and the fairness of the amount paid by selecting payments linked to all levels of risk (including any suspiciously unnecessary contracting, through non-statistical sampling). Focusing the payment testing only on high-risk transactions or on statistical sampling may fail to cover all risks.

- Audit of third parties (on-site compliance audits): background checks on executives, owners and assigned employees (party screening); assure the training of vendor employees on extortion and bribery provisions and controls; confirm the circumstances under which the third party was engaged and instructed; and check that the service was engaged only after the due diligence was finished.

- Review the existence of enquiries from the approvers to validate the legitimacy of the service. Approvals should be based on a statement of received services summarizing the works and deliveries provided. The review needs to cover the disclosed conflicts of interest.


Monitoring by Compliance (quarterly watch-lists to trigger specific reviews by Internal Audit)

- Automatic queries to list gifts, meals, entertainment, travel expenses, sponsorships, and political and charitable contributions, linking them to the approval by senior executives and to the applicable limits.

- Automatic queries to list payments to third parties, including vendors, suppliers, resellers, distributors, agents and consultants (lawyers and accountants).

- Payments to offshore bank accounts, or to accounts in locations or currencies different from the supplier's.

- Automatic queries to list upfront payments, advances and customer rebates.

- Commissions paid outside the usual trend, by type of service or versus the monthly average.

- Substantial price increases or decreases.

- Automatic queries to highlight changes in lease expenses, in particular for equipment.
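The watch-list queries above, turned into code as an added example that is not part of the original post: it runs each query over a constructed payment ledger and returns the record ids to hand to Internal Audit. The tax-haven list, senior-approval limit, trend factor and record fields are assumptions for the demo.

```python
"""Quarterly watch-list queries over payment records (added example).

Assumes a flat list of payment records with the fields used below, an
illustrative tax-haven list, a senior-approval limit and a trend multiplier;
the ledger is constructed for the demo, not real data.
"""
from collections import defaultdict
from statistics import mean

TAX_HAVENS = {"KY", "PA", "VG"}          # illustrative only, not a legal list
GIFT_CATEGORIES = {"gift", "meal", "entertainment", "travel", "sponsorship",
                   "political", "charitable"}
THIRD_PARTY_TYPES = {"agent", "consultant", "lawyer", "accountant",
                     "reseller", "distributor"}
SENIOR_APPROVAL_LIMIT = 500.0            # above this, a senior executive must approve
COMMISSION_TREND_FACTOR = 2.0            # commission > 2x the monthly baseline is out of trend


def rec(id_, month, category, amount, vendor_type, vendor_cc, bank_cc, senior, advance):
    """Build one payment record (assumed field layout)."""
    return dict(id=id_, month=month, category=category, amount=amount,
                vendor_type=vendor_type, vendor_country=vendor_cc,
                bank_country=bank_cc, approved_by_senior=senior, advance=advance)


LEDGER = [  # constructed sample quarter
    rec(1, "2024-01", "gift", 120.0, "vendor", "ES", "ES", False, False),
    rec(2, "2024-01", "sponsorship", 9000.0, "association", "ES", "ES", False, False),
    rec(3, "2024-01", "commission", 1000.0, "agent", "MX", "MX", True, False),
    rec(4, "2024-02", "commission", 1100.0, "agent", "MX", "MX", True, False),
    rec(5, "2024-03", "commission", 7500.0, "agent", "MX", "PA", True, False),
    rec(6, "2024-03", "consultancy", 3000.0, "consultant", "DE", "DE", True, True),
]


def gifts_without_senior_approval(ledger):
    """Gifts, meals, entertainment, travel, sponsorships and contributions
    above the limit that were not approved by a senior executive."""
    return sorted(r["id"] for r in ledger
                  if r["category"] in GIFT_CATEGORIES
                  and r["amount"] > SENIOR_APPROVAL_LIMIT
                  and not r["approved_by_senior"])


def third_party_payments(ledger):
    """Payments to agents, consultants, lawyers, accountants and other intermediaries."""
    return sorted(r["id"] for r in ledger if r["vendor_type"] in THIRD_PARTY_TYPES)


def offshore_or_mismatched_accounts(ledger):
    """Bank account in a tax haven, or in a country other than the supplier's domicile."""
    return sorted(r["id"] for r in ledger
                  if r["bank_country"] in TAX_HAVENS
                  or r["bank_country"] != r["vendor_country"])


def advance_payments(ledger):
    """Upfront payments and advances."""
    return sorted(r["id"] for r in ledger if r["advance"])


def out_of_trend_commissions(ledger):
    """Commissions exceeding COMMISSION_TREND_FACTOR times the average of the
    other months' commission totals (leave-one-out, so a spike does not
    inflate its own baseline)."""
    monthly = defaultdict(float)
    for r in ledger:
        if r["category"] == "commission":
            monthly[r["month"]] += r["amount"]
    flagged = []
    for r in ledger:
        if r["category"] != "commission":
            continue
        others = [v for m, v in monthly.items() if m != r["month"]]
        if others and r["amount"] > COMMISSION_TREND_FACTOR * mean(others):
            flagged.append(r["id"])
    return sorted(flagged)


def watch_list(ledger):
    """All queries in one dict, the quarterly hand-over to Internal Audit."""
    return {
        "gifts_without_senior_approval": gifts_without_senior_approval(ledger),
        "third_party_payments": third_party_payments(ledger),
        "offshore_or_mismatched_accounts": offshore_or_mismatched_accounts(ledger),
        "advance_payments": advance_payments(ledger),
        "out_of_trend_commissions": out_of_trend_commissions(ledger),
    }


if __name__ == "__main__":
    for query, ids in watch_list(LEDGER).items():
        print(f"{query}: {ids}")
```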


Get the latest in corporate governance, risk, and compliance on Twitter

6 Tips for Compliance Risk Mapping

How to create a world-class compliance risk assessment



The Spanish Criminal Code sets specific requirements for the implementation of corporate compliance programs in order to regulate the criminal liability of legal entities. The Spanish framework is similar to the U.S. Federal Sentencing Guidelines for Organizations in that adequate oversight efforts to prevent a compliance breach, when proven, reduce penalties. Having a criminal compliance risk map is one of the compliance program requirements mentioned by the Spanish Criminal Code.


Building a program to reach high business values requires the chief compliance officer to be focused on addressing criminal, compliance and ethical risks. This approach is supported by a risk map to assess business actions which may result in criminal offences, or more generally, in a regulatory, legal, contractual or ethical breach. This map will guide prevention actions, such as training or developing policies and internal controls, or contingency actions such as incident management or dealing with investigations.


There are many different approaches to produce a compliance risk map. I would like to highlight key best practices for a world-class assessment:

1- Set the risk mapping scope with a comprehensive list of criminal offences (locally, article 31 bis), regulations, contracts, voluntary commitments, and fraud schemes. This risk universe allows classifying risk factors to facilitate mitigation and communication actions. The compliance risk landscape should address industry-specific, counterparty and general regulations. Multinational companies should group the compliance risk domains by general topics to link them to the different local jurisdictional requirements. This list of compliance requirements should be validated by subject matter specialists from the compliance and legal departments.

2- Follow a global ERM policy to assure that this map can be easily integrated into GRC management. While ERM practices or internal audit risk assessments are not specifically performed to identify legal and regulatory compliance risks, they can be combined, calibrated or linked to a legal compliance map. This project should be built on the current ERM activities. Also, assessing the financial impact ensures that the compliance risk map will not be limited to a qualitative category. Using international standards, such as ISO 31000, 37001 and 19600, gives the methodological framework better support.

3- Plan from the top to the bottom. Expanding the risk map may be time consuming. The compliance officer may perform an initial risk assessment to coordinate efforts.

This is a simplified example for planning the risk mapping in a multinational company:



You can expand this example with more data from compliance exception reports, detailed whistleblowing statistics, external and tax audit findings, transactional records, client complaints, surveys and social media data.

4- Cover the business actions produced by administrators, directors, managers, executives, employees, consultants and suppliers. Involve employees at many company levels, jurisdictions and functions to limit risk biases while capturing both top and bottom risks. Set a clear ownership of the compliance risks to facilitate managing the action plans and reporting (my related article). Performing the assessments close to the operations increases the chances of identifying the most relevant risks. The chief compliance officer should understand the full spectrum of compliance requirements and issues. External legal advisors can be of great help.

5- Involve key people in the risk assessments. Risk owners will disclose their risks and their vulnerabilities if they trust the people in charge of the risk assessment. Involving locally well-recognized directors in the risk mapping is a must. Introducing the initiative with training also creates a positive working environment.

6- Compliance risks should be followed up frequently, according to their exposure, by reviewing the results of action plans, producing key risk indicators, and escalating them to the different risk committees or executive boards. Ethics and compliance risks arise every day from regulatory pressures, new strategic objectives, organizational changes, and cybercrime. Merely having a compliance risk map is false compliance (locally called make-up compliance in Spain). The dynamic follow-up of risk actions is what builds the compliance culture.


What lessons have you learned producing a compliance risk map? Please expand this article with your comments.


Business intelligence in governance, risk and compliance



The importance of risk and compliance for improving corporate governance has increased dramatically over recent years. Organizations are addressing the governance challenges primarily as a consequence of regulatory requirements, business transformation, emerging risks and large corporate governance scandals. Many organizations are struggling to focus their risk and compliance programs on meeting stakeholders' expectations.


A large number of GRC services and solutions are currently available from large and niche consulting firms to support an integrated control model. A GRC platform is offered as a transparent system of collaboration to orchestrate control activities across the business. While organizations can fairly deal with the "G", the "R" and the "C" as independent departments, integrating them has proven difficult, leading to control gaps, redundancies, inefficiencies and conflicts. A plethora of GRC modelling proposals exists both in the commercial arena and in the research community (Racz et al., 2010). Business intelligence has the ability to easily model control objectives and to address holistic risks.


The integration of controls, protocols, key indicators and reports into a GRC platform facilitates the automated detection of risks and the audit of compliance procedures. A major issue with this approach is the inflexibility of maintaining the control repository for a complex and dynamic environment within a single solution. The diversity of emerging risks requires a grounded approach to support a "compliance by design" model. Business intelligence allows the GRC departments to model the control framework so as to produce breach alarms, monitor performance and simplify assurance.

The capability to capture and to change control requirements through a common GRC modeling framework facilitates the management of the controls and of the enterprise applications. Business process management, as a common framework for business intelligence, allows enforcing corporate compliance and meeting control objectives. It helps to link what needs to be done (the normative compliance approach) with how the control activities should be performed by the business process owners (the descriptive internal audit approach). It is essential, then, that business, compliance and control objectives are jointly designed to converge in common rules (Shazia et al., 2007). Regulations, compliance and internal control directives are complex and vague. These mandates of permissions and prohibitions, often written in legalese or technical jargon, are translated by subject experts into rules for a single control repository. These rules can trigger violation alarms and control remediation protocols that surface at runtime.


Example: U.S. anti-boycott laws scenario




This scenario shows a set of simple rules to integrate control actions with compliance risks in a company under SAP and business intelligence.

A GRC platform based on business intelligence allows organizations to easily maintain and adjust their compliance requirements to highlight control violations and report key compliance indicators.


Corporate compliance and stock volatility in top 35 Spanish companies

Compliance is a major ethical consideration that shapes the business strategy, improving financial performance and limiting the risk of failure to a tolerable level. Compliance risks are today a mainstream issue in Spain after increased exposure to new criminal liabilities and to globalization. Spanish companies from all sectors revised their codes of conduct and whistleblowing policies to adapt them to the new business landscape, but the relationship with sustainability risks was not explored.


In order to study the correlation between risk management and compliance, I generated 700 data sets to weigh them according to their relative market capitalization for the 35 public companies that make up Spain's benchmark IBEX 35 index. The compliance maturity was taken from analyzing the code of ethics and other publicly available ethics and corporate governance documents for these factors:

  • corruption, business conduct & gifts,
  • antitrust and market abuse,
  • workers' protection, discrimination and harassment,
  • environmental and urban planning protection,
  • copyright and intellectual property protection,
  • IT data protection,
  • tax compliance,
  • money laundering,
  • occupational fraud, and
  • whistleblowing policy, available channels and management (30% of total score).
When the code of ethics and related governance policies set standard controls to mitigate the high-level compliance risks, a complete score was assigned to the factor. Other cases were assessed individually according to the mitigating controls in place.
The risk level was defined as the historical 250-day return measuring the stock volatility, or beta. This indicator captures the risk arising from exposure to general market movements, as opposed to idiosyncratic factors.

The market capitalization was taken from the last statistics update published by the Madrid Stock Exchange. The sector classification also followed the Madrid Stock Exchange criteria.

The data analysis revealed a weak negative linear correlation (r = -0.18) between compliance maturity and stock volatility risk. The compliance/risk correlation, which does not imply causation, is stronger in the retailing and telecommunications sectors.




On balance, companies with strong and transparent ethics and compliance policies have better risk management in creating stakeholder value.

There are 2 types of outliers in the analysis:
  • Santander Bank, Repsol, OHL and Acciona have a mature compliance model according to the information in this study, but the stock value was highly volatile in the last 250 trading days, and
  • AENA, Endesa, Gas Natural, Dia and Iberdrola have low market value volatility, but opportunities to strengthen their compliance programs.



You can find the supporting data from these links:

MS Access Datasets 
Summary of dataset
Supporting Code of Ethics and Documents

I will do further research to expand the conclusions of this study by:
- using the OECD Guidelines for Multinational Enterprises to set the compliance factors to assess
- expanding the study to other public non-IBEX 35 companies
- monitoring the evolution over time
- including the effective reporting of compliance and risk information

Do you have any suggestions for improving the study methodology or scope? 


The 100 most critical and common segregation of duties conflicts in SAP

 
The most visited post in my blog covers the 20 most critical conflicts that you may find in SAP auditing, SOX testing and user security controls. After several years of fine-tuning the user conflict matrix, and with SAP HANA now released, I expand that post by listing the 100 most critical and frequent segregation of duties incompatibilities. This list helps to simplify the user reviews by internal auditors, functional roles and access security professionals while explaining the risk, which may result in operational fraud.


This is the list, which you are welcome to request as an MS Excel file:

VA01 Create Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
F.80 Mass reversal of documents and F-60 Maintain Table: Posting Periods are incompatible since the user may open accounting periods previously closed and make postings after month end.
VA01 Create Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
F.80 Mass reversal of documents and OB52 C FI Maintain Table T001B are incompatible since the user may open accounting periods previously closed and make postings after month end.
VL02N Change outbound delivery and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
XK01 Create Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VL01N Create outbound delivery with order ref and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
VA01 Create sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK01 Create Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD02 Change customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
MIGO Goods Movement and MM01 Create Material are incompatible since the user could create or change a fictitious receipt and create/change a material document to hide the deception.
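A user review that applies the conflict matrix above, as an added example that is not part of the original post: it resolves each user's transaction codes through their roles and reports both cross-role conflicts (the combination creates the conflict) and conflicts carried inside a single role. The role and user extracts are constructed, the matrix holds a subset of the listed pairs, and the check stays at the transaction-code level; real SAP reviews also examine the authorization objects behind each code.

```python
"""Segregation-of-duties check for SAP transaction codes (added example).

Assumes a conflict matrix built from a subset of the pairs listed above,
constructed role-to-tcode and user-to-role extracts, and that a first screening
at the transaction-code level is enough. Real SAP reviews also examine the
authorization objects behind each code, which this block omits.
"""
from itertools import combinations

# Risk wording taken from the list above, shortened.
DISPOSAL = "assets may be disposed at less than the true value"
FAKE_CUSTOMER = "assets may be sold to non-existent or fraudulent customers"
ORDER_PAYMENT = "sales order and incoming payment may be processed fraudulently"
CUSTOMER_PAYMENT = "customer may be created and payments posted against it"
PERIODS = "closed accounting periods may be reopened and posted to"
DELIVERY_INVOICE = "delivery and invoice may both be created or changed"
GOODS = "sales orders and deliveries may hide misappropriation of goods"
RECEIPT = "fictitious receipt may be hidden behind a material document"


def _matrix(pairs):
    """Order-independent lookup: frozenset({a, b}) -> risk description."""
    return {frozenset(p): risk for p, risk in pairs}


CONFLICTS = _matrix([
    (("VA01", "XD01"), DISPOSAL), (("VA01", "XD02"), DISPOSAL),
    (("VA01", "VD01"), DISPOSAL), (("VA01", "VD02"), DISPOSAL),
    (("VA01", "FD01"), DISPOSAL), (("VA01", "FD02"), DISPOSAL),
    (("VA02", "XD01"), DISPOSAL), (("VA02", "XD02"), DISPOSAL),
    (("VF01", "XD01"), DISPOSAL),
    (("XK01", "XD01"), FAKE_CUSTOMER), (("XK01", "XD02"), FAKE_CUSTOMER),
    (("VA01", "F-30"), ORDER_PAYMENT), (("VA01", "F-32"), ORDER_PAYMENT),
    (("XD01", "F-30"), CUSTOMER_PAYMENT), (("XD02", "F-30"), CUSTOMER_PAYMENT),
    (("F.80", "OB52"), PERIODS),
    (("VL02N", "F-22"), DELIVERY_INVOICE), (("VL01N", "F-22"), DELIVERY_INVOICE),
    (("VA01", "VL02N"), GOODS), (("MIGO", "MM01"), RECEIPT),
])

# Constructed extracts (not real role designs): role -> tcodes, user -> roles.
ROLE_TCODES = {
    "SD_ORDER_ENTRY": ["VA01", "VA02", "VA03"],
    "SD_CUSTOMER_MASTER": ["XD01", "XD02", "XD03"],
    "FI_AR_CLERK": ["F-22", "F-28", "F-30", "F-32"],
    "FI_PERIOD_CLOSE": ["OB52", "F.80"],
}
USER_ROLES = {
    "alice": ["SD_ORDER_ENTRY", "SD_CUSTOMER_MASTER"],  # conflict across two roles
    "bob": ["FI_AR_CLERK"],                             # clean
    "carol": ["SD_ORDER_ENTRY", "FI_AR_CLERK"],         # order entry + cash application
    "dave": ["FI_PERIOD_CLOSE"],                        # conflict inside one role
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of the tcodes granted through all of a user's roles, upper-cased."""
    return {t.upper() for role in user_roles.get(user, [])
            for t in role_tcodes.get(role, [])}


def conflicts_in(tcodes):
    """Conflicting pairs (sorted) found in one set of tcodes."""
    return [(a, b, CONFLICTS[frozenset((a, b))])
            for a, b in combinations(sorted(tcodes), 2)
            if frozenset((a, b)) in CONFLICTS]


def review_users(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """User -> conflicts; users without any conflict are omitted."""
    report = {}
    for user in user_roles:
        hits = conflicts_in(effective_tcodes(user, user_roles, role_tcodes))
        if hits:
            report[user] = hits
    return report


def review_roles(role_tcodes=ROLE_TCODES):
    """Roles that carry a conflict on their own, before any user assignment."""
    return {r: conflicts_in(set(t)) for r, t in role_tcodes.items()
            if conflicts_in(set(t))}


if __name__ == "__main__":
    for user, hits in review_users().items():
        for a, b, risk in hits:
            print(f"{user}: {a} + {b} -> {risk}")
```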



What factors define a good risk and compliance culture?



The promotion of a sustainable risk and compliance culture across the enterprise is a responsibility of the board and the executive-level leaders, particularly, the chief compliance and risk officers. Their tone at the top filters down the elements of a “good culture” through the layers of management and risk takers. Where culture is favorable, behaviors are more desirable in terms of policy compliance, risk prevention, whistleblowing and accountability.

Regulators and authorities have cited a "poor culture" in enforcement cases to extend liabilities to the governance areas. For instance, in Spain the State Prosecutor recently indicated that compliance programs should build the true compliance culture of a company rather than be an instrument to avoid criminal liability. An inadequate culture, driven by performance complacency, tolerance of improper behaviors or the justification of compliance breaches, diverts resources from strategic objectives.

We need to understand the internal and external factors of the risk and compliance culture in order to change them for the better. Perceptions of governance structures such as remuneration incentives and performance measurement are critical to adjusting risk behaviors. The compliance program should specify these desired expectations to align practices in all parts of the company with the business ethical values and the shared risk tolerance.

Research evidence suggests that culture is strongest in business units that:
  • have smaller (up to 5) and less diverse memberships (Colquitt et al. 2002),
  • have higher staff well-being, engagement and tenure (Huhtala et al. 2015, Beus et al. 2010),
  • have high social interaction and leaders who provide clear guidance (González-Romá et al. 2002),
  • have a denser communication network (Zohar & Tenne-Gazit 2008),
  • are focused on customer needs (Bedarkar et al. 2015),
  • are more interdependent and have higher group identification (Roberson 2006), and
  • are more cohesive, with leaders who are transformational, share a clear strategic vision for the work and behave consistently (Luria 2008).

ISO 31000 on risk management states that the organization's culture should be assessed as part of the internal context in order to adjust and improve the risk policy. The strong-culture factors suggested by research can be promoted by:
  • setting a risk tolerance policy to consistently manage holistic risks across the compliance, operational, financial and strategic functions,
  • focusing cost-saving and performance programs on investigating accidents and losses, including those covered by insurance and fraud,
  • setting HR policies to avoid mutual accountability and to promote open-door communication, issue escalation and whistleblowing reporting,
  • adjusting the remuneration scheme to the risks taken and to the results of internal control reviews,
  • developing a comprehensive training program to build skills that support behaviors such as detecting fraud red flags, team management and objective setting, workplace incident response, and regulatory compliance,
  • building risk and compliance reporting channels for governance oversight, to aggregate risk management information and indicators and to decide on risk reduction plans, the development of the compliance program and the effectiveness of internal control,
  • articulating a value-based compliance system with policies and procedures that enhance personal accountability, and
  • involving suppliers, investors, clients and regulators in creating and developing action plans to support a transparent culture and to anticipate risks.
