COSO Framework: Fraud, Corruption and Compliance (Part I of II)
Global companies need to actively work to prevent fraud and corruption. Fraud and corruption go hand-in-hand. To commit bribery, bad actors have to gain access to money for unauthorized (illegal) purposes. A failure to prevent fraud and corruption can have significant legal, financial and reputational consequences.
Luckily, companies are devoting additional resources to assess fraud and bribery risks with specific focus on internal financial and compliance controls. In evaluating their internal controls, companies are paying greater attention to procedures for procurement, third-party risk management, internal and external communication of company codes of conduct, and related training programs.
Chief compliance officers face ever-increasing challenges in managing these programs, collecting data related to these functions and analyzing such data to make continuous improvements to the company’s anti-corruption compliance program. Ultimately, top management and the board of directors bear responsibility for the operation and effectiveness of the compliance program.
At the heart of an effective ethics and compliance program is an efficient governance framework that surfaces important information about potential violations of internal controls and of compliance policies and procedures. The compliance function cannot operate in a silo, with its policies and procedures excluded from the company’s overall governance framework, because that framework depends on coordination and information sharing across corporate functions such as finance, procurement, legal and human resources.
In today’s global economy, risks are not restricted to individual countries or even regional divisions. Instead, global risks transcend functional and geographic boundaries. As a result, companies have to employ effective internal controls and design key performance indicators for such controls.
The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework provides companies with a model for evaluating and managing their full set of risks. It gives companies a foundation for extending their financial reporting controls to cover compliance reporting, and it rests on five cornerstones of strong corporate governance:
Transparency: Management standards and practices align with stated corporate values, allowing employees to feel safe in admitting mistakes or identifying weaknesses.
Adaptability: The organization is able to respond to legal or regulatory changes, or to address a control failure, in a timely manner.
Evidence: The organization can readily provide documents, records, objects and other items relating to the existence or non-existence of alleged or disputed facts.
Resources: Based upon a continuing risk assessment process, adequate money, materials, staff and other assets are allocated to enable the organization to meet its compliance objectives.
Accountability: It is clear who has responsibility for compliance activities, who answers for their completion, who is consulted when opinions are needed and who is to be informed about progress.
As I have often stated, compliance needs a seat at the business table and must be able to exercise line of sight across the business functions. A COSO framework is critical to integrate the compliance function into the overall business controls. This means greater coordination between the company’s CFO and CCO. It is no longer practical for CFOs to wall off compliance from the company’s internal controls – an effective governance framework mandates elimination of this artificial barrier between financial and compliance controls.
The elimination of this barrier between financial and compliance functions extends from headquarters to regional and local functions – financial and compliance staff have to coordinate and cooperate at every level for the system to work. All too often, I have observed companies with separate Sarbanes-Oxley staff responsible for financial reporting, global risk management staff, financial controllers and finance staff, and compliance staff, none of whom talk to each other, share information or operate with any joint purpose or coordination. Such an organizational framework is irrational and contrary to effective corporate governance principles.