How to prioritize action plans and remediation activities to address assessed compliance risks: consolidation of risks, global/aggregated compliance risks, corporate and local initiatives, tips for monitoring action plans, updates and emerging compliance risks; examples of reports on action plans, roles for compliance risk management, synergies with internal audit and risk management, the use of assurance maps
How to make action plans workable: regulatory alerts, reporting of mitigation actions, how to promote the accountability for treating compliance risks, tracking and measuring the managing of compliance risks, tailoring compliance to deal with the most significant risks, control failures at design or compliance levels, tips for change management
How to document compliance and operational issues. Monitoring and testing techniques for compliance controls, sharing templates and a compliance control matrix. Analytical testing to identify risks (e.g. above-average fees for anti-corruption controls, transaction splitting for anti-fraud controls).
Discussion case for testing SOX entity level controls related to compliance, sampling techniques in compliance audits, setting the materiality, identifying and documenting findings, testing the awareness of the code of conduct and crisis protocol, testing conflict of interests, testing access rights and segregation of duties (for fraud and privacy risks), testing the delegation of authority including for banks, testing anti-bribery and fraud controls, auditing the whistleblowing channel, the role of general computer controls in compliance
Implementing, Documenting and Testing Compliance Controls Hernan Huwyler
1. Compliance Risks
IE LAW SCHOOL
Corporate Risk Control
Master in Global Corporate Compliance
(LL.M.)
September 6th, 2018
2. A huge thank you
Accurate and well-written procedures for final assignments
creative and workable quality procedures for your organizations
individual feedback given to better assess compliance risks
Engaged participation in online classes and forums
Positive and energizing feedback
Giving thanks requires actions:
– Help (anytime) in risk, controls and
compliance + references
– Career and industry advice
5. Baby steps in risk management
Risk assessment > Risk control > Execution
In the previous episodes
6. Risk heat map (figure): quadrants labelled low probability, low impact; low probability, high impact; and high probability, high impact, plotted on the axes Impact and Frequency
In the previous episodes
9. Does it work?
High profile fine for an anti-corruption violation
Violation of a compliance clause in a minor contract
High fine for a breach of food regulation (for a bank)
GDPR fine for a breach involving few names and addresses
Submitting an improper claim to the tax agency
Fine for failing to timely meet a labor law reporting
Inspection of safety requirements of unionized employees
Compensation to an employee for a confidentiality breach
10. An internal control…
that mitigates the likelihood and/or the impact of a risk is a practice, activity or device defined in policies and procedures, effected by the board of directors, management, and other personnel, reasonably assuring objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
11. Examples
HR analyst monthly controls the reception of the acknowledgements of the CoCo signed by the new hires > Fraud and anti-bribery
CISO installs a firewall to prevent data losses and disruptions > GDPR
Logical access analyst semi-annually reviews that no user can create and approve the same purchase order > Fraud
HSE manager performs a workplace checklist before starting a new job > Safety regulation
15. Consolidation of risks
Consolidate compliance risks in activities for a bottom-up approach
– consolidation means adding up the impact and the frequency, supported by software that integrates risk and business management
An aggregated risk assessment will reduce compliance and documentation costs
– decide how deep to assess and treat risks, and how many levels of categories to use
Ongoing monitoring reduces the cost of separately testing the performance of controls
16. Consolidation of risks
Categories and sub-categories (our illustrative example; AKA risk domains, taxonomy, typologies, areas, types or families)
Fraud
– Corruption
  – Conflicts of interest: purchasing schemes, sales schemes
  – Bribery: bid rigging, invoice kickbacks
– Asset misappropriation
  – Theft of cash on hand
  – Theft of cash receipts: cash larceny, skimming
  – Fraudulent disbursements: payroll schemes, billing schemes, expense reimbursement, check tampering
  – Inventory and other assets: misuse
– Financial statements fraud
  – Revenue and asset overstatements
  – Liability and expense understatement
17. Consolidation of risks
Corruption risk heat maps (figure) drawn at three levels of the taxonomy:
– Level 0: Corruption
– Level 1: Conflicts of interests, Bribery
– Level 2: Sales fraud schemes, Procurement fraud schemes, Bid rigging, Kickbacks
18. The 3 maps show the same information!
The consolidated risk exposure is the same
Avoid comparing apples and oranges with a common tolerance and methodology
(figure: the same taxonomy, Corruption > Conflicts of interests, Bribery > Sales fraud schemes, Procurement fraud schemes, Bid rigging, Kickbacks)
19. Consolidation of controls
Controls mapped onto the corruption taxonomy (figure: Corruption > Conflicts of interests, Bribery > Sales fraud schemes, Procurement fraud schemes, Bid rigging, Kickbacks):
Signing code of conduct acknowledgements
Ethical training
Having a whistleblower hotline
Reporting and approving conflicts of interests
Implementing corruption financial controls
Authorizing business relationships in a bidding policy
Reviewing vendor transactions for unusual concentrations of purchases
20. Consolidation of controls
Tangible practical implications in compliance
Entity-level controls
– refer to the control environment for the entire company
– indirectly mitigate many risks
– help to monitor compliance
– starting controls for compliance
Process-level controls
– refer to processes or activities for a business cycle
– directly mitigate a risk
– help to prevent or detect non-compliance events
– for advanced and detailed compliance programs
21. Consolidation of controls
Tangible practical implications in compliance
Entity-level controls
– owned by top managers
– managed by group action plans
– generic approach to ethics and global policies
– elements of the ethics and compliance program
Process-level controls
– usually owned by local specialists (SMEs)
– targeted approach both to group and local laws and procedures
– some assured by local compliance
22. Control and risk design (cycle diagram)
Compliance objectives: business strategies, compliance risk tolerance
Assess risks: in qualitative or quantitative terms; prioritize; consolidate
Treat risks: tolerate, transfer, treat and terminate; balance controls; target status; remediation plans; diagnose
Implementation phases: control owners; manage changes; train; manage stakeholders
Control risks: document controls in policies and procedures
Assess controls: current status; cost-benefit; business case; assess design
Monitor compliance: evaluate, test and oversee control effectiveness; combined assurance with internal audit
Scope: context, criteria, compliance program
Recording and reporting: key risks and control indicators; focus on processes; organize tasks to assess
23. The extent and level of detail of the compliance risk assessment are dependent on the risk situation, context, size and objectives of the organization
They can vary for specific subareas such as environment, financial and social
ISO 19600 4.6
24. Emerging compliance risks
Identification of new requirements
– Change in laws and regulations > alarms, reports, news
– Corporate governance and ethical scandals
– Settled cases
– New contracts being used
– Taxes and labor regulations
– Political changes (e.g. concession contracts)
– Changes in stakeholders' views on corporate citizenship
Emerging risks
– Rapidly growing unforeseen risks impacting several years
– Impact and frequency are not fully known
– High level of uncertainty > lack of historical data
Actions
– Close monitoring in a separated registry
– Business case study
– Analyze trends in the long-term horizon
– Identify potential changes in assumptions
– Raise awareness
New compliance risks: high level of uncertainty > lack of historical data
Emerging compliance risks (figure): privacy laws and reporting data breaches, 3P management, customer expectations, social engineering for fraud, disclosing non-financial data
25. Tips for monitoring compliance controls
Use high level controls (e.g. control that HR reviews that all new employees sign the reception of the code of conduct, rather than controlling individual signed acknowledgments by new hires)
Focus on high-level end-to-end controls
Focus on controls mitigating higher risks (and reduce documentation for non key controls!)
Use a workflow management software to facilitate the execution of compliance processes
Use synergies with internal audit, HSE and finance
Use testing templates
26. Synergies with internal audit
Internal audit is designed to evaluate the adequacy, efficiency and effectiveness of controls
Internal audit independently evaluates the compliance function, so both departments should be separated (but coordinated)
Common view on risks and controls
Coordination of coverage, planning, common interests in remediation plans
Compliance can improve the work programs of internal audit
27. Synergies with internal audit
Compliance | Internal Audit
2nd line of defense, independent (-) | 3rd line of defense, independent
Operational support | Assurance
Focus on the future: how to prevent a compliance breach | Focus on the past: how effective and efficient the controls are
Internal and external compliance | Compliance, operational, and financial and non-financial reporting
Integrity, compliance, legal and regulatory risks | 360 degrees risks
Facilitates the development of policies and procedures | Tests the controls in policies and procedures
Makes recommendations | Coordinates remediation plans
28. Synergies with risk management
Risk management is designed to identify, assess, manage and report risks
Coordination to communicate risks to the board
Common interests in strategic planning for compliance risk assessments, DPIAs and developing consistent methodologies
Compliance can provide insight about integrity and regulatory risks to risk management
29. Synergies with risk management
Compliance | Risk Management
2nd line of defense, independent (-) | 2nd line of defense, independent (-)
Operational support | Assurance
Focus on the future: how to prevent a compliance breach | Focus on the future: how objectives and strategies can deviate
Internal and external compliance | Develops tools and models for planning and assessing risks and opportunities
Integrity, compliance, legal and regulatory risks | Strategy, operational, financial and compliance risks
Facilitates the development of policies and procedures | Risk management policy, embedded risk management
Assesses compliance risks | Coordinates remediation plans
30. Assurance map
The board is responsible for ensuring that the internal control framework is effective to mitigate key risks
Tool to coordinate and to maximize how to provide assurance across the defense lines
– shows how the assurance activities (x-axis) apply to key risks in sequential business activities (y-axis)
– quick and clear view of processes and risks to the board
– ensures a consistent management, oversight and reporting of controls under a common methodology
– promotes the collaboration between departments while being cost effective
36. Remediation plan
List of steps to mitigate a risk after being identified or after its control was assessed as ineffective
Corrective and preventive actions
Managed by the risk and control owner
Monitored by compliance
Related control being retested after its remediation
37. Example of a remediation plan
Identified risk: Lack of a data breach procedure may create fines for late reporting, legal disputes and damage to reputation
Recommendation: Develop a detailed procedure meeting GDPR requirements and outlining the steps to manage and report a personal data breach
Planned actions:
1. Hire a consultancy firm to develop the procedure
2. Communicate the procedure with 3Ps such as data processors
3. Assemble a data breach team to test the procedure in an incident response plan
4. Train the infosec teams
Owner: Arno Bisch (CISO)
Planned completion dates: 1. 15/9/2018; 2. 15/12/2018; 3. 1/20/2019; 4. 4/30/2019
38. Tips for managing remediation plans
Describe issues and risks from the reader's perspective
Make the risk and control owner accountable
Have a detailed, well-thought-out list of actions
Prioritize by risk level
Get help from subject matter experts
Monitor the completion of actions by step
Get a software to automate alarms for completions
Get the signoff by the process owner and the next superior hierarchical level
39. Tips for managing remediation plans (role play)
Compliance: "You are not completing the DDs for the Caspian! You are breaching the policy!"
Owner: "I know it already. I have no resources. Caspian is not a high-risk region for me."
40. Tips for managing remediation plans (role play)
Compliance: "The DDs for Caspian stopped being performed a semester ago. What risks do you notice?"
Owner: "Most of the DDs in Caspian were not detecting any risk in the last 3 years. Should we exclude them from the policy?"
41. Get the governance right
If the company pays you to meet objectives, you own the risks – manage and report
If you own the risks, you own the controls – design and compliance
If you own the control, you need to show compliance
Accountability: design the control, monitor execution, train and resource, apply discipline, explain failures
Responsibility: execute controls
42. Hot topic
Should the compliance risks and controls be owned by the compliance officer?
Depends on the culture maturity of the organization
If the compliance officer owns a risk, they cannot monitor its compliance
Mature cultures > the legal function, the board secretary and the data protection officer can take many compliance risks
Less mature cultures > ethical risks are owned by the compliance officer
43. Hot topic
Ethical risks and controls
Anti-bribery, political activities, contributions
Insider trading
Anti-trust, anti-boycott and consumer rights
Anti-fraud, whistleblowing and conflicts of interest
Anti-money laundering, terrorism financing
3Ps and government contracting
Human rights
Other areas derived from the CoCo
44. Tracking risk control performance
KPIs related to compliance reviews findings and action plans
The level of compliance risks
Results of risk and compliance self assessments
Metrics on the advance of compliance initiatives
– training provided (% of employees), vendors with DD
Non-compliance with clients, ISO and regulator audits
Surveys on the organizational culture
45. Tailoring compliance
The ethics and compliance program addresses key risks
– no one size fits all solution
– explains why the assessment of compliance risks is critical for designing the program
The maturity of the compliance culture shapes the extension of the compliance initiatives
– immature cultures need more support in designing the compliance controls with procedures
– mature cultures need to assess the effectiveness of controls and keep discipline
– the culture maturity level can differ across departments
46. Tailoring compliance
The compliance officer facilitates the design of controls
– offers several control alternatives to the risk and control owners
– need of a good toolbox of controls and best practices by compliance risk
– explains why the skills in internal controls are relevant
– controls are the backbone of the policies and procedures
The compliance officer monitors the effectiveness of controls
– monitoring of performance and exceptions by employees and 3Ps
– explains why the skills in compliance audit procedures are relevant
47. Example Control self-assessment CSA
Are you aware of any cash or non-cash gift or payment to foreign public officials in the last 3 years?
____ ► If YES, obtain basic facts below and contact the Compliance Manager
Name of foreign public official | Foreign public official title | Description of transaction | Type of payment (e.g. cash, noncash gift, check, wire transfer) | Run through petty cash or expense report | Date of transaction (or expense report) | Amount | Account used to record transaction (GL acct # and description)
Total | -
48. Example Control self-assessment CSA
Do you know whether the company employed relatives of a foreign public official in the last 3 years?
____ ► If YES, obtain basic facts below and contact the Compliance Manager
Name of friend / relative of foreign public official | Job position | Foreign public official title | Date hired | Annual salary amount
Total | -
49. Example Control self-assessment CSA
Has the company paid any of the following types of expenses for or on behalf of a foreign public official or relatives of a foreign public official in the last year?
Answers
Travel – any amount: YES/NO
Lodging – any amount: YES/NO
Meals – more than USD 100 or equivalent: YES/NO
Per diem – any amount: YES/NO
Entertainment – more than USD 100 or equivalent: YES/NO
Medical – any amount: YES/NO
Tuition – any amount: YES/NO
Charitable contributions – more than USD 200 or equivalent: YES/NO
Political contributions – any amount: YES/NO
50. Example Control self-assessment CSA
Has the company paid or authorized facilitation fees?
____ ► If YES, review the appropriate accounts for supporting documentation, including approvals.
Name and title of party receiving the facilitating payment | Purpose of facilitating payment (detailed description) | Type of payment (e.g. cash, noncash gift, check, wire transfer) | Run through petty cash or expense report | Date | Approvals | Amount of facilitating payment | Account used to record transaction (GL acct # and description)
Total | -
51. Example Control self-assessment CSA
Are you aware of any contractors compensated at rates that are materially different from other contractors providing similar services?
____ ► If YES, please explain and provide contractor information.
Contractor name | Description of services | Contractor's commissions | Average commission
Total
52. Example Control self-assessment CSA
Do you know whether the company uses any contractors with whom the company does not have a written contract or purchase order?
____ ► If YES, please explain and provide contractor information.
Contractor name | Description of services | In use since | Average payments
Total
53. Example Control self-assessment CSA
Do contractors who obtain visas, permits, licenses, concessions and other public administrative acts submit invoices without supporting receipts from the government office?
____ ► If YES, please explain and provide contractor information.
Contractor name | Description of services | Type of missing receipts or documentation | Average payments
Total
54. Example Control self-assessment CSA
Has the company received solicitations from public officials for improper payments not previously reported?
____ ► If YES, please explain and provide information.
Name and title of party requesting the payment | Description of the solicitation | Date | Amount requested
Total
55. Example Control self-assessment CSA
Is the anti-corruption policy available, distributed and communicated to employees in the dominant local language(s)?
____ ► If NOT, please explain.
Are there any third parties (agents, distributors, customs brokers, sales representatives and others) that have not been approved in accordance with the group due diligence policy?
____ ► If YES, please explain.
56. How to test and document compliance controls
57. Documentation flow
Ethics and Compliance Program: approved by board, audit targets
Compliance Audit Plan: annual schedule of visits, coverage, resource planning
Work papers + documentation: test results by control
Compliance audit report: findings and action plans for remediation, approved by owner
Work program: audit procedure for each control (nature, timing, and extent of procedures)
Compliance audit procedures and toolkit: templates for work programs, reports, testing sheets, software
Risk and Control Matrices: repository of identified risks and controls by business cycles and sub-processes
58. If the compliance officer owns controls, they need to document the decisions taken and the controls performed to limit their personal liability
59. When does compliance audit?
Monitor compliance of policies and procedures
– continuous improvement of compliance controls
– reinforce the culture > duty of care, corporate defense
Audit to 3Ps
– right-to-audit clauses in supply contracts
– verify contract compliance and charges, e.g. audit invoices for distribution fees
– due diligence (before starting a contract)
Preparation for certifications
– ISO 37001 anti-bribery, ISAE 3000
60. When does compliance audit?
Reactive compliance audits
– response to an incident
– indication of control weaknesses
– fraud, emerging risks, regulatory issues
– many findings
Proactive compliance audits
– annual planning in the ethics and compliance program
– indication of key risks
– fewer findings, but better action plans
Tip: plan and budget for both cases
61. Audit documentation
Basis for the audit conclusions
– examples of control failures to agree on remediation plans
– need to document the lack of documentation as a non-compliance
– work-papers referenced to internal and external documents
Evidence of the work performed by compliance
Practical issues: avoid duplications and lack of confidentiality
– computer-generated reports
Covered by the document retention policy
63. How to document findings
Link supporting documentation to a step in the work program
– scanned copies, only pages with compliance interest, focus on control failures, use control codes to index pages, write notes
– confirm failures to document controls (e.g. incomplete request, no audit trail)
Oral explanations in meetings are documented by minutes (distributed to all the participants, record participants)
Photos support operational activities
– inventory counts, field activities and conditions
Control the time stamps (done/reviewed by/on)
Sign off the audit report with the action plans
64. How to document findings
In sample testing, include the population universe and selection criteria
– identification of sources of the universe of transactions (e.g. SAP report ABC)
– document the filters applied (e.g. approvals from Jan to Dec for more than 50,000 EUR for ABC entities, SQL queries)
– ensure the integrity of the universe (e.g. reconciliation to accounting balances, total check sums)
66. Control failures
Design issue
– The control is not implemented or wrongly designed
– e.g. lack of procedures, no adherence to a procedure, checking incorrect transactions, ineffective contract clauses
– Highest priority, requires to develop procedures or amend contracts, and then, to train staff on changes
Compliance issue
– The control is not fully performed for all control events
– e.g. control missed for some days, locations or people
– Requires to reinforce the controls addressing the root cause
69. Compliance testing procedures
Structured and unstructured interviews
– process walk-throughs, orientation, corroboration
Inspection of documentation and control evidence
– review of internal and external documents, contract review, tracing documents
Observation and physical examination
– on-site visits, inspections, inventory and fixed assets counts
Confirmations with 3Ps
– validations sent to customers, clients, attorneys, banks and 3Ps
Analytical procedures
– investigation of the fluctuation of data, red flags, unusual changes and relationships
70. Tips for compliance audits
Assess the knowledge (and certification in some jobs) of the person executing each control
Assess the timeliness in the control performance by controlling time stamps of each control event
In controlling approvals, assess the effective independence and the proper designation of the approver
Assess if the sources of information to decide about a control are reliable and cannot be changed
Reperform the controls done by the owner with parallel sources or tools
72. Control types
Key controls AKA primary controls, super controls
Mitigate high risks
integrity risks, segregation of duties
Lack of compensatory controls
Tested by compliance
Non-key controls
Mitigate mid to low risks
With compensatory controls (even partially)
Can be self-tested by the control owner (CSA)
73. Control types
Preventive controls
Reduce the frequency of the related risks
e.g. documenting controls in policies, training, segregation of
duties, delegation of duties, approvals, passwords
Preferred for compliance
Detective and corrective controls
Reduce the impact of the related risks
e.g. corporate defense, crisis protocol, data breach reporting,
incident management, disciplinary protocols, inventory counts,
reconciliation, confirmations, environmental disaster plan
74. Control types
Manual controls
– Performed by individuals requiring human judgment
– e.g. new hire signs the CoCo acknowledgement, HR director reviews and manually signs bonus letters, accounting analyst reconciles bank accounts in MS Excel
– Tested by documentation inspection (usually samples), higher error and fraud risks
Automatic controls
– Performed by an IT system usually in high volume
– e.g. SAP 3-way match, SAP parks a document for approval, sequence checks, duplication checks
– Tested by IT audit procedures (without sampling)
76. Control types
IT general controls
– Operation of the IT environment
– e.g. logical access analyst grants access to new users, IT operator approves the installation of new software and patches
– Tested by general IT policies, relevant for GDPR compliance
Application controls
– Configuration of IT applications
– e.g. CISO sets the two-factor authentication, data input validation
– Tested by reviewing IT parameters and configuration
77. Control types
Entity-level controls
– Related to the complete organization, effected by the board
– e.g. having a code of conduct, segregation of duties
– Highest risks (and interest for compliance)
Process controls
– Related to a business cycle (e.g. Procure to Pay, Recruit to Retire, Record to Report)
– e.g. inventory counts, standard procurement contracts
– Mid to low risks, usually with compensating controls (e.g. budget controls)
81. Risk and control matrix
Cycle and sub process: Corporate Governance – Code of Conduct
Control objective: All employees are fully aware of the code of conduct.
Risks: Fraud and non-compliance with law, regulation and business principles
Control activity: Is the code of conduct, commitments and responsibility and the related whistleblowing procedure communicated to new hires and employees?
Control types: Preventive – Manual – Per event
Population: New hires
Attributes: 1. New hires sign and date the code of conduct acknowledgment. 2. Acknowledgments are signed before the starting date
Common compliance issues: Excluding particular employment contracts (interns, part-time) or subcontractors. Signing the acknowledgment after the starting date
82. Universe
Total population = 6 cases in 8 months
Estimated annual population = 9 cases (6/8*12)
Statistical sample size = 2
Sampling method = last 2 items
List of employee additions 1-1-2018 to 8-31-2018
Employee Nr | Name | Starting date | Selected
320 | Muller, Samuel | 1-1-2018 | No
321 | Schmid, Sarah | 1-1-2018 | No
322 | Huber, Fabio | 2-1-2018 | No
324 | Keller, Julie | 4-1-2018 | No
325 | Meier, Alex | 4-1-2018 | Yes
326 | Müller, Jonas | 5-1-2018 | Yes
83. Compliance control testing sheet
Conclusion: 1 out of 2 sampled items failed at the control
Control is assessed as ineffective > remediation plan required
Corporate governance – Code of Conduct
Prepared by/on: Dario Mosser 9-7-2018
Employee Nr | Name | Starting date | Signature of ack. | Signed and dated? | Before starting date? | Conclusion
325 | Meier, Alex | 4-1-2018 | 4-1-2018 | Yes | Yes | Passed control
326 | Müller, Jonas | 5-1-2018 | 6-3-2018 | Yes | No | Failed control
84. Risk and control matrix
Cycle and sub process: Corporate Governance – Access Review
Control objective: Access rights to critical applications are limited to business needs.
Risks: Fraud and non-compliance with law, regulation and business principles
Control activity: The list of the users having access to ERP, CRM and other financial software is semi-annually examined and confirmed.
Control types: Preventive – Manual – Semi-annual
Population: List of financial software
Attributes: 1. The list of users by profile and the description of associated rights are reviewed by the application owner
Common compliance issues: Only a high level review. Accesses of dismissed employees. Accumulation of rights and privileges / critical conflicts. Accesses granted without proper approvals.
85. Compliance control testing sheet
Control is assessed as effective > remediation plan not required
Corporate governance – Access review
Prepared by/on: Dario Mosser 9-7-2018
Review on | Performed by | Coverage | Reviewed by application owners? | Conclusion
Jan 2018 | Steiner, Sarah, Logical access manager | SAP, CRM, ProjMgm, Oracle HR | Yes | Passed control
Jul 2018 | Steiner, Sarah, Logical access manager | SAP, CRM, ProjMgm, Oracle HR | Yes | Passed control
87. Examples of risk and control matrix
Cycle and sub process: Order to Cash – Bids and Contracts
Control objective: All customer contracts and amendments are reviewed and appropriately signed.
Risks: Contracts or amendments are not reviewed, resulting in litigation, disputes and claims.
Control activity: Contractual arrangements are reviewed and approved by the in-house legal counsel and management at the proper level per the group contract policy. Contract exceptions (e.g. non-standard terms and conditions) require management approval per group policy.
Control types: Preventive – Manual – Per event
Population: All customer contracts and contract amendments.
Attributes: 1. Contract or amendment is approved by management and legal.
Common compliance issues: Amendments are not fully approved, approvals at a lower level (splitting)
88. Examples of risk and control matrix
Cycle and sub process: Order to Cash – Bids and Contracts
Control objective: Tenders and bids are reviewed and approved before being signed by the customer.
Risks: Tenders and bids are not reviewed, resulting in risks and losses to the company.
Control activity: Tenders and bids are reviewed and approved by authorized management and in-house legal counsel at the proper level per the bidding policy.
Control types: Preventive – Manual – Per event
Population: All tenders and all material bids.
Attributes: 1. Tenders and bids are approved by management (and the legal head if required) in accordance with policy.
Common compliance issues: Amendments are not fully approved, approvals at a lower level (splitting)
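The common compliance issue in both bids-and-contracts matrices above, approvals kept at a lower level by splitting, is the kind of pattern the analytical procedures on the earlier slides are meant to surface. Below is an added Python example (not from the slides) that scans an approval log for counterparties whose individually sub-threshold approvals add up beyond the threshold inside a rolling window. The 50,000 EUR threshold, the 30-day window and the approval records are constructed assumptions for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Added example, not from the slides: an analytical procedure over the
# approval log of a bids-and-contracts cycle to surface possible splitting.


@dataclass(frozen=True)
class Approval:
    doc_id: str
    counterparty: str
    approver: str
    amount: float        # EUR
    approved_on: date


def find_splitting(approvals, threshold: float, window_days: int) -> list:
    """Flag counterparties whose individually sub-threshold approvals add up to
    at least the threshold within a rolling window of window_days.

    Items at or above the threshold are out of scope: they already went to the
    higher approval level, so the question is only whether the sub-threshold
    ones were kept small to stay with the lower approver.
    """
    by_party = defaultdict(list)
    for a in approvals:
        if a.amount < threshold:
            by_party[a.counterparty].append(a)

    findings = []
    for party, items in by_party.items():
        items.sort(key=lambda a: a.approved_on)
        start = 0
        while start < len(items):
            window_end = items[start].approved_on + timedelta(days=window_days)
            group = [a for a in items[start:] if a.approved_on <= window_end]
            total = sum(a.amount for a in group)
            if len(group) > 1 and total >= threshold:
                findings.append({
                    "counterparty": party,
                    "doc_ids": [a.doc_id for a in group],
                    "approvers": sorted({a.approver for a in group}),
                    "total": total,
                    "from": group[0].approved_on,
                    "to": group[-1].approved_on,
                })
                start += len(group)   # do not report the same items twice
            else:
                start += 1
    return findings


# Constructed approval log (hypothetical counterparties, approvers and amounts).
# Threshold and window are assumptions; the slides only mention a 50,000 EUR
# filter as an example of documenting the universe of a sample test.
THRESHOLD_EUR = 50_000
WINDOW_DAYS = 30

APPROVALS = [
    Approval("C-1001", "Alpha GmbH", "Regional manager", 30_000, date(2018, 3, 2)),
    Approval("C-1002", "Alpha GmbH", "Regional manager", 25_000, date(2018, 3, 9)),
    Approval("C-1003", "Beta SA", "Regional manager", 20_000, date(2018, 3, 4)),
    Approval("C-1004", "Beta SA", "Regional manager", 45_000, date(2018, 6, 20)),
    Approval("C-1005", "Gamma Ltd", "Group CFO", 120_000, date(2018, 3, 5)),
]


def run_report() -> list:
    """Run the procedure on the constructed log with the assumed parameters."""
    return find_splitting(APPROVALS, THRESHOLD_EUR, WINDOW_DAYS)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f['counterparty']}: {f['doc_ids']} total {f['total']:,.0f} EUR "
              f"between {f['from']} and {f['to']} "
              f"(approved by {', '.join(f['approvers'])})")
```

Flagged groups are leads for the work program, not conclusions: the next step is to inspect the contracts and approvals behind each group and document the filter, window and universe used, as the documentation slides require.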
89. Examples of risk and control matrix
Cycle and sub process: Order to Cash – Master file
Control objective: All customers and related information is accurate, legitimate and appropriately authorized.
Risks: Changes to master data are not supported and unauthorized. Access to master data is not restricted. Privacy and GDPR breach. Fraud by creating ghost customers or duplicating credit limits.
Control activity: Customer credit files are properly maintained and master file changes are reviewed and approved as per the customer creation procedure.
Control types: Preventive – Manual – Per event
Population: ERP report of changes to customer master data (log).
Attributes: 1. Approved customer master maintenance form with supporting documentation in accordance with the customer creation procedure. 2. Credit limit setup in ERP, according with supporting information, agrees to the approved credit limit contained in the customer's credit file.
Common compliance issues: Duplicated customers with additional credit limits. Unapproved changes.
90. Examples of risk and control matrix
Cycle and sub process: Order to Cash – A/R management
Control objective: Bad debt reserve is established to record receivables at their net realizable value, and is accurately recorded in the correct accounting period.
Risks: Accounting fraud. Uncollectible accounts are not properly recognized and reserved.
Control activity: Adjustment of the reserve for doubtful accounts is recorded and properly approved in accordance with the A/R policy.
Control types: Preventive – Manual – Monthly
Population: Monthly review of A/R and its adjustment of bad debt reserves
Attributes: 1. Reserve requirement calculation is done in accordance with the policy. 2. Expense adjustments are recorded in the proper period and approved. 3. Approval of amounts not reserved according to A/R policy
Common compliance issues: Inconsistency with the aging reports and customer classification when calculating the reserves. Optimistic calculation without legal support. Lack of monitoring.
91. Examples of risk and control matrix
Cycle and sub process: Order to Cash – Period end closing
Control objective: All goods shipped and services provided are accurately recorded in the proper period.
Risks: Lack of compliance with revenue recognition principles. Accounting fraud. Revenue that has not been earned is recorded and revenue that has been earned is not recorded.
Control activity: Revenue accrual is properly authorized, supported, and completely recorded.
Control types: Preventive – Manual – Quarterly
Population: Quarter revenue accruals
Attributes: 1. Entity has an adequate local procedure for accruing revenue per group policy. 2. Accrual is approved by the proper level of management. 3. Related journal entry matches the accrual analysis and is recorded in the proper period on the General Ledger. 4. If inventory transactions and cost of sales should be related to the accrual, amounts are properly adjusted
Common compliance issues: Inconsistency with the aging reports and customer classification when calculating the reserves. Optimistic calculation without legal support. Lack of monitoring.
92. Conclusions
How did these classes inspire you?
What control practices and ideas do you want to know more about?
What compliance controls are you struggling with?
How can you design and implement new compliance controls in your organization?
Where did you raise your eyebrows?
93. Resources
Brum, Sidney, Financial Elements of Contracts Drafting, Monitoring and Compliance Audits, 2013, LexisNexis, ISBN 0769868436
CEB, Sample Entity Level Controls / Tracking Checklist
Graham, Lynford, Internal Control Audit and Compliance, 2015, Wiley, ISBN 9781118996218
Lamm, Jacob, Under Control: Unifying and Simplifying Governance Across the Enterprise, 2009, Apress, ISBN 1430215925
94. Resources
Spedding, Linda, Business Risk Management Handbook, 2007, CIMA Publishing, ISBN 9780080553665
Tarantino, Anthony, Governance, Risk and Compliance Handbook, 2008, Wiley, ISBN 047009589X
ISO 31000:2018, Principles and guidelines for risk management
ISO 19600:2014, Compliance management systems
95. What is next?
Videoconference Sep 21st
How to determine, test and monitor the right controls for a compliance program