Tips and an example on assurance mapping



Risk is an omnipresent driving force in all business activities. Managing it requires information about the probability of different outcomes to support decision-making. Assurance services improve the quality of this information across business activities (AICPA, 1996). Assurance, provided by internal and external auditors and many other parties, is the objective examination of evidence in order to form an independent assessment of business activities. It adds credibility to information, from statutory financial reporting to the non-financial information in environmental and social reports. Assurance is the confidence that what needs to be controlled is actually being controlled in practice.


Since the board is responsible for ensuring that there are robust internal control arrangements across the whole organization, assurance is also a key compliance issue. Moreover, most codes of good corporate governance require the board to attest to the effectiveness of the internal control and risk management systems.


There are tools to coordinate assurance services and maximize their value. Assurance maps visually link the assurance given by all providers to the risks that affect the organizational objectives. They show how the assurance activities (x-axis) apply to the key risks in sequential business activities (y-axis). The assurance activities are usually arranged according to the three lines of defense or the five lines of assurance model. The maps give the board a quick and clear view of processes and risks, so that management, oversight and reporting follow a common methodology and language. Assurance maps promote collaboration between departments while being cost effective.

Keys to making decisions on assurance


The primary objective of assurance mapping is to detect gaps and duplications in the assurance efforts of different departments. The maps quickly reveal the level of assurance oversight so that low-value and redundant auditing efforts can be reduced.

In order to join efforts in a strong GRC function, the risk methodology, particularly the taxonomy and the rating scales, should be standardized to express a common and holistic view. This allows coordination and interaction between business owners and assurance providers.

To identify processes with missing or unnecessary assurance efforts, the risk exposure can be linked to each process to assess whether the assurance costs are justified ("reasonable assurance" within the risk tolerance). When too much assurance is concentrated on one process, the causes of this effort should be understood before controls and responsibilities are reassigned across departments.

When assurance programs are combined and activities coordinated, the responsibilities defined in the policies or the audit charter should be updated. The assurance map is a tool to update and coordinate departmental responsibilities, not a policy in itself.

Besides combining assurance efforts on duplicated tasks, or reassigning controls to cover gaps, communication on issues and remediation action plans should flow across all the departments. Relieving a department of its assurance role over a process does not mean that it should stop receiving information about the reliability and quality of the related information and its controls.

An assurance map in practice
As an example, the following map details the process steps and their risks for a simplified financial month-end closing in a company running SAP. This process-based map consolidates controls and risks from the assurance providers to assess how much coverage is achieved and how much is needed. It combines the three lines of defense model with a standard SAP closing process compatible with SOX or COSO requirements.


 
The assurance level rating represents the quality and the level of evidence by each department.

H High Assurance: assurance is detailed and performed on a regular cycle; the audit evidence reduces the risk to a low level (e.g. a low risk of material accounting misstatement); controls are in place and adequately mitigate the risks; policies are in place and communicated; IT/BI tools automate controls and report red-flagged transactions; and performance metrics are closely monitored.

M Medium Assurance: assurance is not performed on a regular cycle; some risks have no controls in place; policies are not fully in place or communicated; manual controls have not been automated.

L Low Assurance: little or no assurance; significant concerns over the adequacy of the controls in place relative to the risks; few policies in place.

Get the latest in corporate governance, risk, and compliance on Twitter

Combining internal audits with anti-corruption compliance monitoring


 
Hernan Huwyler


Detecting illegal payments concealed in accounting records is a top priority for both internal audit and anti-bribery compliance. Corruption risk is a significant and growing concern for global companies. Many countries are passing and enforcing extra-territorial anti-corruption legislation, and whistleblower tips to the authorities are increasing because of financial incentives. Improper payments are difficult to identify. They can be disguised as agent and third-party commissions, fees and expenses. Other schemes are more elaborate, such as inflated invoices, deceptive commission arrangements, and a complex web of intermediaries, shell companies and bank accounts.


Specific anti-bribery controls, performed across the three lines of defense, should be proportionate to the risks created by each type of transaction. Compliance and internal audit should agree on the same risk factors and their assessment so that their testing and monitoring scopes can be combined.


The bribery and illegal payment risks are usually linked to:
  • where the service is provided, the payment is requested, and the supplier is domiciled (e.g. countries with high perceived corruption or tax havens, new market sectors, offshore jurisdictions)
  • who is involved (e.g. public officials, small companies, new vendors, due diligence with comments or red flags, subcontractors, associations and JVs, requirements imposed by associated persons)
  • what service is provided (e.g. consultancy, licenses, customs and shipping services, public procurement, complex or new projects, incentives and pressure to complete a project)
  • how the service is contracted and paid (e.g. the payment method, pre-determined flat fee, success fees, commission clauses, reimbursed expenses, deal type)



Risk mapping for corruption should balance "the where", "the who", "the what" and "the how". Many companies link their bribery risks only to high-corruption countries and miss the wider circumstances of a transaction.



Both compliance and internal audit aim to develop effective financial and commercial controls that mitigate bribery risks, as well as money laundering and occupational fraud in general. Since the control objectives and the bribery risk map are shared, both functions can coordinate their actions to reach the same comfort level while remaining accountable for their specific responsibilities. Internal audit benefits from sharing its work programs with compliance, so that it can focus on key controls and avoid any duplication of effort. Compliance, in turn, benefits from receiving the audit reports and monitoring the remediation plans, so that it can redirect its program to areas of heightened scrutiny.



Compliance and Internal Audit may combine their reviews to detect illicit payments by separating the work into three stages: control design, operating effectiveness and monitoring. The following sections suggest ideas for a collaborative approach.


Testing the control design by Internal Audit

-          Review of segregation of duties in approving new vendors, contracts, service receptions and payments, ensuring that approvers have the appropriate seniority and genuinely counterbalance each other.

-          Review of anti-corruption obligations in contracts with business partners, and of the appropriate indemnity and warranty clauses.

-          Ensure that the accounting staff is trained to post to the proper purchasing and payment categories and to add meaningful, clear descriptions to entries. No auxiliary spreadsheet should support an aggregated journal entry without disclosing itemized information about the service and the supplier.

-          Ensure that the financial controllers are trained on the anti-bribery, travel and expense rules, on cash and bank controls, and on how to identify red flags.


Substantive testing of operating effectiveness by Compliance (reassured by Internal Audit)

-          Test the effectiveness of the pre-contract due diligence, the verification of the services and the fairness of the amount paid by selecting payments across all risk levels, including suspiciously unnecessary contracting picked by judgmental (non-statistical) sampling. Restricting payment testing to high-risk transactions, or to statistical sampling alone, may leave some risks uncovered.

-          Audits of third parties (on-site compliance audits): background checks on executives, owners and assigned employees (party screening); confirmation that vendor employees are trained on the extortion and bribery provisions and controls; confirmation of the circumstances under which the third party was engaged and instructed; and a check that the service was contracted only after the due diligence was completed.

-          Review the existence of enquiries by the approvers to validate the legitimacy of the service. Approvals should be based on a statement of received services summarizing the works and deliveries provided. The review needs to cover the disclosed conflicts of interest.


Monitoring by Compliance (quarterly watch-lists to trigger specific reviews by Internal Audit)

-          Automatic queries listing gifts, meals, entertainment, travel expenses, sponsorships, and political and charitable contributions, matched against the applicable limits and the sign-off by senior executives.

-          Automatic queries to list payments to third parties, including vendors, suppliers, resellers, distributors, agents and consultants (lawyers and accountants).

-          Payments to offshore bank accounts, or to a location or in a currency different from the vendor's domicile.

-          Automatic queries to list upfront payments, advances and customer rebates.

-          Commissions paid that are out of trend by type of service or versus the monthly average.

-          Substantial price increases or decreases.

-          Automatic queries to highlight changes in lease expenses, in particular for equipment.
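The watch-list queries above are usually written as SQL or BI reports over the ERP tables. The following is an added example, not code from the original post, that implements three of them over an in-memory extract so the logic can be read end to end: payments to offshore or mismatched bank accounts and currencies, commissions that are out of trend versus the average of the other commissions in the period, and hospitality spend above a limit without senior approval. The record layout, the thresholds, the placeholder jurisdiction code "ZZ", the local-currency table and the sample payments are all constructed assumptions that a compliance team would replace with its own ERP extract and risk map.

```python
"""Quarterly compliance watch-list queries over a constructed payment extract.

Added example, not code from the original post. The record layout, thresholds,
placeholder jurisdiction codes and local-currency table are assumptions.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Payment:
    doc_id: str
    vendor: str
    vendor_country: str   # domicile from the vendor master
    bank_country: str     # country of the beneficiary bank account
    currency: str
    category: str         # "commission", "consultancy", "gift", ...
    amount: float
    month: str            # posting period, "YYYY-MM"
    approver_level: int   # 1 = line manager ... 4 = senior executive


# Constructed sample extract; these are not real transactions or vendors.
PAYMENTS = [
    Payment("5100001", "Acme Consulting", "ES", "ES", "EUR", "consultancy", 12000.0, "2023-01", 2),
    Payment("5100002", "Delta Agents", "DE", "ZZ", "USD", "commission", 4000.0, "2023-01", 2),
    Payment("5100003", "Delta Agents", "DE", "DE", "EUR", "commission", 3500.0, "2023-02", 2),
    Payment("5100004", "Delta Agents", "DE", "DE", "EUR", "commission", 3800.0, "2023-03", 2),
    Payment("5100005", "Delta Agents", "DE", "DE", "EUR", "commission", 22000.0, "2023-03", 3),
    Payment("5100006", "Gamma Events", "ES", "ES", "EUR", "gift", 900.0, "2023-02", 1),
    Payment("5100007", "Gamma Events", "ES", "ES", "EUR", "gift", 150.0, "2023-02", 1),
    Payment("5100008", "Omega Ltd", "GB", "GB", "USD", "consultancy", 8000.0, "2023-01", 2),
]

# Assumed risk-map inputs. "ZZ" is a placeholder code, not a real country.
HIGH_RISK_JURISDICTIONS = {"ZZ"}
LOCAL_CURRENCY = {"ES": "EUR", "DE": "EUR", "GB": "GBP", "ZZ": "ZZD"}
HOSPITALITY = {"gift", "meal", "entertainment", "travel", "sponsorship", "contribution"}


def offshore_or_mismatched(payments):
    """Payments to offshore bank accounts, or in a different location or currency."""
    hits = {}
    for p in payments:
        reasons = []
        if p.bank_country != p.vendor_country:
            reasons.append(f"bank in {p.bank_country}, vendor domiciled in {p.vendor_country}")
        if p.bank_country in HIGH_RISK_JURISDICTIONS:
            reasons.append(f"bank in high-risk jurisdiction {p.bank_country}")
        if p.currency != LOCAL_CURRENCY.get(p.bank_country):
            reasons.append(f"settled in {p.currency}, not the local currency of {p.bank_country}")
        if reasons:
            hits[p.doc_id] = reasons
    return hits


def out_of_tendency_commissions(payments, factor=3.0):
    """Commissions far above the average of the other commissions in the period."""
    commissions = [p for p in payments if p.category == "commission"]
    hits = {}
    for p in commissions:
        others = [q.amount for q in commissions if q.doc_id != p.doc_id]
        if len(others) < 2:
            continue  # not enough history to define a tendency
        baseline = mean(others)
        if baseline > 0 and p.amount > factor * baseline:
            hits[p.doc_id] = [f"commission {p.amount:.0f} vs average {baseline:.0f} of other commissions"]
    return hits


def hospitality_without_senior_approval(payments, limit=500.0, senior_level=4):
    """Gifts, meals, travel and contributions above the limit not signed off by a senior executive."""
    hits = {}
    for p in payments:
        if p.category in HOSPITALITY and p.amount > limit and p.approver_level < senior_level:
            hits[p.doc_id] = [f"{p.category} of {p.amount:.0f} above limit {limit:.0f}, approved at level {p.approver_level}"]
    return hits


def quarterly_watch_list(payments):
    """Merge the queries into one document-to-reasons map handed to Internal Audit."""
    watch = {}
    for query in (offshore_or_mismatched, out_of_tendency_commissions, hospitality_without_senior_approval):
        for doc_id, reasons in query(payments).items():
            watch.setdefault(doc_id, []).extend(reasons)
    return watch


if __name__ == "__main__":
    for doc_id, reasons in sorted(quarterly_watch_list(PAYMENTS).items()):
        print(doc_id, "; ".join(reasons))
```

Each query returns the document numbers with the reason they were flagged, so Internal Audit can pull the vouchers directly. The commission baseline deliberately excludes the payment under test, otherwise one very large commission inflates its own average and hides itself.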



6 Tips for Compliance Risk Mapping

How to create a world-class compliance risk assessment



The Spanish Criminal Code sets specific requirements for corporate compliance programs in its regulation of the criminal liability of legal entities. The Spanish framework is similar to the U.S. Federal Sentencing Guidelines for Organizations in that proven, adequate oversight efforts to prevent a compliance breach reduce the penalties. Having a criminal compliance risk map is one of the compliance program requirements mentioned by the Spanish Criminal Code.


Building a program that delivers real business value requires the chief compliance officer to focus on criminal, compliance and ethical risks. This approach is supported by a risk map that assesses the business actions which may result in criminal offences or, more generally, in a regulatory, legal, contractual or ethical breach. The map guides prevention actions, such as training or developing policies and internal controls, and contingency actions, such as incident management or dealing with investigations.


There are many different approaches to produce a compliance risk map. I would like to highlight key best practices for a world-class assessment:

1- Set the scope of the risk mapping with a comprehensive list of criminal offences (in Spain, those covered by article 31 bis of the Criminal Code), regulations, contracts, voluntary commitments and fraud schemes. This risk universe allows the risk factors to be classified, which facilitates mitigation and communication. The compliance risk landscape should address industry-specific, counterparty and general regulations. Multinational companies should group the compliance risk domains by general topic in order to link them to the requirements of each local jurisdiction. This list of compliance requirements should be validated by subject matter specialists from the compliance and legal departments.

2- Follow a global ERM policy so that the map can be easily integrated into GRC management. While ERM practices and internal audit risk assessments are not specifically designed to identify legal and regulatory compliance risks, they can be combined, calibrated or linked with a legal compliance map. The project should build on the current ERM activities. Also, assessing the financial impact ensures that the compliance risk map is not confined to qualitative categories. Using international standards, such as ISO 31000, ISO 37001 and ISO 19600 (the latter since replaced by ISO 37301), gives the methodological framework firmer support.

3- Plan top-down. Expanding the risk map is time consuming, so the compliance officer may perform an initial high-level risk assessment to organize the effort.

This is a simplified example for planning the risk mapping in a multinational company:



You can expand this example with more data from compliance exception reports, detailed whistleblowing statistics, external and tax audit findings, transactional records, client complaints, surveys and social media data.

4- Cover the business actions of administrators, directors, managers, executives, employees, consultants and suppliers. Involve employees from many company levels, jurisdictions and functions to limit risk biases while capturing both top-down and bottom-up risks. Set clear ownership of each compliance risk to facilitate the management of action plans and reporting. Performing the assessments close to the operations increases the chances of identifying the most relevant risks. The chief compliance officer should understand the full spectrum of compliance requirements and issues; external legal advisors can be of real help here.

5- Involve key people in the risk assessments. Risk owners will only disclose their risks and vulnerabilities if they trust the people in charge of the risk assessment. Involving locally well-recognized directors in the risk mapping is a must. Introducing the initiative with training also creates a positive working environment.

6- Compliance risks should be followed up frequently, in proportion to their exposure, by reviewing the results of action plans, producing key risk indicators, and escalating them to the relevant risk committees or executive boards. Ethics and compliance risks arise every day from regulatory pressure, new strategic objectives, organizational changes and cybercrime. Merely having a compliance risk map is false compliance (known in Spain as "make-up compliance"). The dynamic follow-up of risk actions is what builds the compliance culture.


What lessons have you learned producing a compliance risk map? Please expand this article with your comments.


Business intelligence in governance, risk and compliance



The importance of risk and compliance as a means of improving corporate governance has grown dramatically in recent years. Organizations are addressing governance challenges primarily as a consequence of regulatory requirements, business transformation, emerging risks and large corporate governance scandals. Many organizations are struggling to focus their risk and compliance programs so that they meet stakeholders' expectations.


A large number of GRC services and solutions are available from large and niche consulting firms to support an integrated control model. A GRC platform is offered as a transparent system of collaboration that orchestrates control activities across the business. While organizations can deal reasonably well with the "G", the "R" and the "C" as independent departments, integrating them has proven difficult, leading to control gaps, redundancies, inefficiencies and conflicts. A plethora of GRC modelling proposals exists both in the commercial arena and in the research community (Racz et al., 2010). Business intelligence makes it possible to model control objectives easily and to address risks holistically.


Integrating controls, protocols, key indicators and reports into a GRC platform facilitates the automated detection of risks and the audit of compliance procedures. A major issue with this approach is the inflexibility of maintaining the control repository for a complex and dynamic environment within a single solution. The diversity of emerging risks requires a well-grounded approach to support a "compliance by design" model. Business intelligence allows the GRC departments to model the control framework so as to raise breach alarms, monitor performance and simplify assurance.

The capability to capture and change control requirements through a common GRC modelling framework facilitates the management of both the controls and the enterprise applications. Business process management, as a common framework for business intelligence, allows corporate compliance to be enforced and control objectives to be met. It links what needs to be done (the normative compliance approach) with how the control activities should be performed by the business process owners (the descriptive internal audit approach). It is essential, then, that business, compliance and control objectives are jointly designed so that they converge in common rules (Sadiq et al., 2007). Regulations, compliance mandates and internal control directives are complex and vague. These permissions and prohibitions, often written in legalese or technical jargon, are translated by subject matter experts into rules held in a single control repository. The rules can trigger violation alarms and control remediation protocols at runtime.


Example: U.S. anti-boycott laws scenario




This scenario shows a set of simple rules that integrate control actions with compliance risks in a company running SAP with a business intelligence layer.

A GRC platform based on business intelligence allows organizations to easily maintain and adjust their compliance requirements to highlight control violations and report key compliance indicators.


Corporate compliance and stock volatility in top 35 Spanish companies

Compliance is a major ethical consideration that shapes business strategy, improving financial performance and limiting the risk of failure to a tolerable level. Compliance risks have become a mainstream issue in Spain after increased exposure to new criminal liabilities and to globalization. Spanish companies from all sectors revised their codes of conduct and whistleblowing policies to adapt them to the new business landscape, but the relationship with sustainability risks has not been explored.


In order to study the correlation between risk management and compliance, I generated 700 data sets, weighted according to their relative market capitalization, for the 35 public companies that make up Spain's benchmark IBEX 35 index. The compliance maturity was derived from an analysis of the code of ethics and other publicly available ethics and corporate governance documents, against these factors:

  • corruption, business conduct & gifts,
  • antitrust and market abuse,
  • workers´ protection, discrimination and harassment,
  • environmental and urban planning protection,
  • copyright and intellectual property protection,
  • IT data protection,
  • tax compliance,
  • money laundering,
  • occupational fraud, and
  • whistleblowing policy, available channels and management (30% of total score).
When the code of ethics and the related governance policies set standard controls to mitigate the high-level compliance risks, a complete score was assigned to that factor. Other cases were assessed individually according to the mitigating controls in place.
The risk level was defined as the historical 250-day return volatility of the stock, or beta. This indicator captures the risk arising from exposure to general market movements, as opposed to idiosyncratic factors.

The market capitalization was taken from the latest statistics update published by the Madrid Stock Exchange. The sector classification also followed the Madrid Stock Exchange criteria.

The data analysis revealed a weak negative linear correlation (r = -0.18) between compliance maturity and stock volatility risk. The compliance/risk correlation, which does not imply causation, is stronger in the retailing and telecommunications sectors.
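The two computational steps named above, a maturity score in which the whistleblowing factor carries 30% of the total and a correlation weighted by relative market capitalization, can be reproduced in a few lines. The following is an added example, not the study's own code or data: the page does not detail how the 700 weighted observations were built, so this shows one standard way, a capitalization-weighted Pearson correlation. The equal split of the remaining 70% across the other nine factors, the factor labels and the five fictitious issuers in the sample are assumptions.

```python
"""Capitalization-weighted correlation between compliance maturity and volatility.

Added example, not the study's own code or data. The split of the 70% across
the nine non-whistleblowing factors and the sample issuers are assumptions.
"""
from math import sqrt

# The nine non-whistleblowing factors listed in the study (labels assumed).
FACTORS = ("corruption", "antitrust", "workers", "environment", "ip",
           "data_protection", "tax", "aml", "fraud")
WHISTLEBLOWING_WEIGHT = 0.30   # stated in the study


def maturity_score(factor_scores, whistleblowing):
    """Compliance maturity 0..100 from per-factor scores in 0..1.

    A factor scores 1.0 when the code of ethics sets standard controls for it,
    and less when only partial mitigating controls are documented.
    """
    missing = set(FACTORS) - set(factor_scores)
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    others = sum(factor_scores[f] for f in FACTORS) / len(FACTORS)
    return 100.0 * ((1.0 - WHISTLEBLOWING_WEIGHT) * others
                    + WHISTLEBLOWING_WEIGHT * whistleblowing)


def weighted_corr(x, y, w):
    """Pearson correlation of x and y with non-negative observation weights w.

    The weights act as relative weights, so scaling them all by a constant
    (market cap in millions versus billions) does not change the result.
    """
    if not (len(x) == len(y) == len(w)) or len(x) < 2:
        raise ValueError("need at least two observations of equal length")
    total = float(sum(w))
    mx = sum(wi * xi for wi, xi in zip(w, x)) / total
    my = sum(wi * yi for wi, yi in zip(w, y)) / total
    cov = sum(wi * (xi - mx) * (yi - my) for wi, xi, yi in zip(w, x, y)) / total
    vx = sum(wi * (xi - mx) ** 2 for wi, xi in zip(w, x)) / total
    vy = sum(wi * (yi - my) ** 2 for wi, yi in zip(w, y)) / total
    if vx == 0.0 or vy == 0.0:
        raise ValueError("a series is constant; correlation is undefined")
    return cov / sqrt(vx * vy)


# Constructed sample of five fictitious issuers:
# (market cap in EUR bn, 250-day return volatility, factor scores, whistleblowing score)
SAMPLE = [
    (60.0, 0.22, {f: 1.0 for f in FACTORS}, 1.0),
    (25.0, 0.31, {f: 0.5 for f in FACTORS}, 0.0),
    (12.0, 0.27, {f: 0.8 for f in FACTORS}, 0.5),
    (8.0, 0.35, {f: 0.3 for f in FACTORS}, 0.5),
    (4.0, 0.19, {f: 0.6 for f in FACTORS}, 1.0),
]


def study_correlation(sample=SAMPLE):
    """Return (maturity scores, volatilities, cap-weighted r) for a sample."""
    caps = [row[0] for row in sample]
    vols = [row[1] for row in sample]
    scores = [maturity_score(row[2], row[3]) for row in sample]
    return scores, vols, weighted_corr(scores, vols, caps)


if __name__ == "__main__":
    scores, vols, r = study_correlation()
    print(f"cap-weighted r = {r:.2f}")   # negative for this constructed sample
```

Weighting by market capitalization means the largest issuers dominate the estimate, which is why a handful of large, volatile companies with mature programs (the first group of outliers below) can pull the correlation towards zero even when most of the index behaves as expected.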




On balance, companies with strong and transparent ethics and compliance policies have better risk management in creating stakeholder value.

There are two types of outliers in the analysis:
  • Santander Bank, Repsol, OHL and Acciona have a mature compliance model according to the information in this study, but the stock value was highly volatile in the last 250 trading days, and
  • AENA, Endesa, Gas Natural, Dia and Iberdrola have low market value volatility, but opportunities to strengthen their compliance programs.



You can find the supporting data from these links:

MS Access Datasets 
Summary of dataset
Supporting Code of Ethics and Documents

I will do further research to expand the conclusion of this study, by:
- using the OECD Guidelines for Multinational Enterprises to set the compliance factors to assess
- expanding the study to other public, non-IBEX 35 companies
- monitoring the evolution over time
- including the effective reporting of compliance and risk information

Do you have any suggestions for improving the study methodology or scope? 


The 100 most critical and common segregation of duties conflicts in SAP

The most visited post in my blog covers the 20 most critical conflicts that you may find in SAP auditing, SOX testing and user security controls. After several years of fine-tuning the user conflict matrix, and with SAP HANA now released, I have expanded that post into a list of the 100 most critical and frequent segregation of duties incompatibilities. The list simplifies user reviews by internal auditors, functional roles and access security professionals, while explaining the risk of operational fraud behind each conflict.


This is the list, which you are welcome to download as an MS Excel file:

VA01 Create Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
F.80 Mass reversal of documents and F-60 Maintain Table: Posting Periods are incompatible since the user may open accounting periods previously closed and make postings after month end.
VA01 Create Sales Order and VD01 Create Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and VD02 Change Customer (SD) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD02 Change Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA01 Create Sales Order and FD01 Create Customer (FI) are incompatible since assets may be disposed at less than the true value.
VA02 Change Sales Order and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and F-30 Post with clearing are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
F.80 Mass reversal of documents and OB52 C FI Maintain Table T001B are incompatible since the user may open accounting periods previously closed and make postings after month end.
VL02N Change outbound delivery and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
XK01 Create Vendor (Centrally) and XD01 Create Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD01 Create customer (centrally) and F-30 Post with clearing are incompatible since the user may create a customer and then post payments against the customer.
VA02 Change Sales Order and XD02 Change Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VA01 Create sales order and VL02N Change outbound delivery are incompatible since the user may create/change sales orders and deliveries to hide the misappropriation of goods.
VF01 Create Billing Document and XD01 Create Customer (Centrally) are incompatible since assets may be disposed at less than the true value.
VL01N Create outbound delivery with order ref and F-22 Enter customer invoice are incompatible since the user may create/change a delivery and create/change an invoice.
VA01 Create sales order and F-32 Clear customer are incompatible since the user may create/change a sales order and process incoming payments inaccurately/fraudulently, potentially resulting in losses to the company.
XK01 Create Vendor (Centrally) and XD02 Change Customer (Centrally) are incompatible since assets may be sold to non-existent or fraudulent customers.
XD02 Change customer (centrally) and F-30 Post with clearing are incompatible since the user may change a customer (for example its bank details) and then post payments against the customer.
MIGO Goods Movement and MM01 Create Material are incompatible since the user could create a fictitious material and post goods receipts against it, hiding the deception behind the resulting material documents.
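A list like this is only useful once it is run against what users can actually execute. The following is an added example, not code from the original post, that loads exactly the transaction pairs listed above into a conflict matrix and checks both individual roles and the effective transaction set of each user. The roles and user assignments are constructed stand-ins for an export of role transaction assignments (SAP table AGR_TCODES) and user role assignments (table AGR_USERS); checking at the user level matters because many conflicts only appear when two individually clean roles are combined.

```python
"""Segregation-of-duties check for SAP user assignments.

Added example, not from the original post. SOD_CONFLICTS holds exactly the
transaction pairs listed in the post; the roles and users are constructed.
"""
DISPOSAL = "assets may be disposed at less than the true value"
PERIODS = "the user may reopen closed accounting periods and post after month end"
CASH = "the user may create/change a sales order and process incoming payments fraudulently"
INVOICE = "the user may create/change a delivery and create/change an invoice"
FAKE_CUSTOMER = "assets may be sold to non-existent or fraudulent customers"
CUSTOMER_CASH = "the user may create/change a customer and then post payments against it"
GOODS = "the user may create/change sales orders and deliveries to hide misappropriated goods"
MATERIAL = "the user may create a fictitious material and post goods receipts against it"

_RULES = [
    ([("VA01", "XD01"), ("VA01", "XD02"), ("VA01", "VD01"), ("VA01", "VD02"),
      ("VA01", "FD01"), ("VA01", "FD02"), ("VA02", "XD01"), ("VA02", "XD02"),
      ("VF01", "XD01")], DISPOSAL),
    ([("F.80", "F-60"), ("F.80", "OB52")], PERIODS),
    ([("VA01", "F-30"), ("VA01", "F-32")], CASH),
    ([("VL02N", "F-22"), ("VL01N", "F-22")], INVOICE),
    ([("XK01", "XD01"), ("XK01", "XD02")], FAKE_CUSTOMER),
    ([("XD01", "F-30"), ("XD02", "F-30")], CUSTOMER_CASH),
    ([("VA01", "VL02N")], GOODS),
    ([("MIGO", "MM01")], MATERIAL),
]
# The order inside a pair does not matter, so the matrix is keyed on frozensets.
SOD_CONFLICTS = {frozenset(pair): risk for pairs, risk in _RULES for pair in pairs}

# Constructed role and user assignments (not real SAP roles or users).
ROLE_TCODES = {
    "Z_SD_ORDER_ENTRY": {"VA01", "VA02", "VA03"},
    "Z_SD_CUSTOMER_MASTER": {"XD01", "XD02", "XD03"},
    "Z_FI_PERIOD_END": {"F.80", "OB52", "FB50"},   # conflict inside a single role
    "Z_MM_RECEIVING": {"MIGO", "MB51"},
}
USER_ROLES = {
    "jdoe": ["Z_SD_ORDER_ENTRY"],
    "asmith": ["Z_SD_ORDER_ENTRY", "Z_SD_CUSTOMER_MASTER"],  # conflicts only across roles
    "controller1": ["Z_FI_PERIOD_END"],
    "whs1": ["Z_MM_RECEIVING"],
}


def conflicts_in(tcodes):
    """Sorted (tcode_a, tcode_b, risk) triples for the conflicting pairs held in a transaction set."""
    held = set(tcodes)
    return sorted((*sorted(pair), risk) for pair, risk in SOD_CONFLICTS.items() if pair <= held)


def effective_tcodes(user, user_roles, role_tcodes):
    """Union of the transactions granted through all of the user's roles."""
    return set().union(*(role_tcodes.get(r, set()) for r in user_roles.get(user, [])))


def review_roles(role_tcodes):
    """Roles that conflict on their own, before any user-level combination."""
    findings = {}
    for role, tcodes in role_tcodes.items():
        found = conflicts_in(tcodes)
        if found:
            findings[role] = found
    return findings


def review_users(user_roles, role_tcodes):
    """Users holding at least one SoD conflict through their combined roles."""
    findings = {}
    for user in user_roles:
        found = conflicts_in(effective_tcodes(user, user_roles, role_tcodes))
        if found:
            findings[user] = found
    return findings


if __name__ == "__main__":
    for role, found in review_roles(ROLE_TCODES).items():
        print(f"ROLE {role}: " + "; ".join(f"{a}+{b} ({risk})" for a, b, risk in found))
    for user, found in review_users(USER_ROLES, ROLE_TCODES).items():
        print(f"USER {user}: " + "; ".join(f"{a}+{b} ({risk})" for a, b, risk in found))
```

In the constructed data, asmith holds no conflicting role on its own yet ends up with four conflicts through the combination of order entry and customer master maintenance, which is exactly the case a role-only review misses. In a real review the transaction sets should come from the effective authorizations (including authorization object values, not just the S_TCODE entries), since a role can list a transaction that the object-level checks then block.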
