As my firm reflected on directors’ expectations that have emerged while working with boards, four areas of emphasis that internal auditors should address rise above the rest. We refer to these as the four Cs: culture, competitiveness, compliance, and cybersecurity. These four areas offer suggestions to directors regarding what they should expect from a risk-focused audit plan.
Here’s a closer look.
A breakdown in risk management, internal control, or compliance is almost always due to a dysfunctional culture. The risks spawned by cultural dysfunction often require a lengthy incubation period before noticeable symptoms appear—and lead to consequences that could result in a reputation-damaging event. Examples include an environment that isolates senior leaders from business realities, allows cost and schedule concerns to override legitimate public safety priorities, empowers falsification of emission reports, or drives unacceptable risk-taking through inappropriate performance incentives. Once cultural dysfunction takes root in the business environment, it may take a long time for the consequences to emerge—and emerge they will if the dysfunction is left unaddressed.
Given that an organization’s culture is the mix of shared values, attitudes, and patterns of behavior that comprise its particular character, how does a board get its arms around it? An opportunity we see is for directors to look to the chief audit executive as the independent “eyes and ears” of the organization’s culture. Specifically, internal audit can be asked to perform the following functions:
understand the overall working environment;
identify the unwritten norms and rules governing employee interactions and workplace practices;
highlight possible barriers to an effective internal environment and communication flow;
report unacceptable behaviors, decisions and attitudes toward taking and managing risk; and
make recommendations to address identified problems.
Internal audit can also post warning signs to directors that further investigation into cultural concerns is warranted, and can assist in assessing whether the tone in the middle and at the bottom matches the leaders’ perception of the tone at the top. This contrast can be quite revealing. It can serve as a powerful reality check for a management team that really wants to listen.
Competitiveness is a priority of every business and poses a significant opportunity for the internal audit function. If, for instance, the company’s practices are inferior relative to best-of-class performers due to underperforming business processes, the internal audit function can improve operating efficiency. In essence, the board should expect internal audit to look beyond traditional compliance areas and financial reporting to help the organization to continuously improve its operations.
Most organizations use some form of a balanced scorecard when monitoring whether they are successfully establishing and sustaining competitive advantage in the marketplace. Key performance indicators address critical areas such as quality, time, cost, and innovation performance. They often include indicators of customer and employee satisfaction. Internal audit can assist with assessing the reliability of these metrics for decision-making. In addition, internal audit can benchmark selected metrics against competitors and best-in-class performers to identify performance gaps that must be corrected in a timely manner.
Traditionally, the internal audit plan ensures that the organization’s compliance with laws, regulations, and internal policies is under control. As the third line of defense in the compliance chain of command, internal audit should ascertain whether:
Front-line operators and functional leaders whose activities have significant compliance implications own the responsibility for identifying and managing compliance risk. These front-line operators are responsible for having effective controls in place to reduce the risk of noncompliance to an acceptable level.
The scope of the independent compliance function, or the second line of defense, is commensurate with the significance of the company’s compliance issues and results in reliable and timely insights to management and primary risk owners.
Internal audit should determine whether a cost-effective monitoring process is in place to address the top compliance risks and to assess the overall implementation of the compliance program in light of changes in applicable laws and regulations.
In a recent survey, cybersecurity was cited as the third most critical uncertainty companies are facing as they look forward into 2017. What can internal audit do to alleviate this concern?
Assess whether the company’s processes give adequate attention to high-value information and information systems. Rather than relying on costly, system-wide protection measures that leave the most important assets without focused attention, internal audit can assess whether the information technology organization and business leaders agree on what constitutes the company’s crown jewels.
Assist the board and senior management with understanding the threat landscape. The organization’s cybersecurity risks should be assessed based on the company’s crown jewels, the nature of its industry and operations, and its visibility as a potential target. For example: Who are the likely adversaries, and how might they attack? Where are our biggest vulnerabilities? How effective are our current internal controls? Do we conduct penetration testing? If so, what are the results?
Review the organization’s response readiness to a cyber incident. Effective incident response processes are critical to a company’s preparedness to reduce an attack’s impact and proliferation.
By focusing more broadly on the implications of audit findings and thinking beyond the expressed or implied boundaries set by the audit plan, internal audit is better positioned to deliver stronger, more practical and harder-hitting recommendations aligned with what directors are seeking.
One of the board’s key responsibilities is the oversight of a company’s conduct, including the strength of its culture and the effectiveness of its ethics & compliance (E&C) program. In recent years, that responsibility has become even weightier. Recent corporate scandals, such as Volkswagen, Unaoil, and Mitsubishi Motors, have created public skepticism about business ethics, and policy makers have responded with a new emphasis on accountability for both companies and responsible individuals, including directors who are either negligent in preventing fraud or willingly participate in it. Enforcement agencies now scrutinize a company’s E&C efforts before making prosecutorial decisions by inquiring about board oversight of the company’s approach to E&C.
Organizations around the world invest tremendous resources to establish internal E&C programs and prevent corporate wrongdoing. Although E&C was historically a U.S. focus, a number of international standards have heightened the importance of E&C programs globally: the UK Bribery Act; the new International Organization for Standardization (ISO) 19600 Compliance Management System Guidelines; and the OECD Anti-Bribery Convention.
Directors observe these developments and scratch their heads. What does an effective E&C program look like? How can we succeed with E&C without stifling our business? What is the board’s role in E&C oversight? Has any organization gotten it right?
There is good news for directors. There are exemplary organizations—representing a wide variety of sizes, sectors, and industries—that have raised the bar even higher than mere compliance with the law. These organizations have transformed their workplaces through their E&C efforts to yield stronger, more positive results. And even better, there is now a framework to help directors guide their own organizations in establishing such an E&C program.
The Framework: Principles and Practices of High-Quality E&C Programs
In May 2015, the Ethics & Compliance Initiative (ECI) convened a group of 24 thought leaders with E&C program experience, including corporate directors, former deputy attorneys general, former members of the United States Congress, business executives, senior E&C practitioners, and academics. The panel produced a new report with leading principles and practices for effective E&C program implementation: Principles and Practices of High-Quality Ethics & Compliance Programs. The report includes five key principles practiced by organizations not satisfied with “minimum” E&C efforts; these organizations are referred to in the report as high-quality programs (HQPs). The principles, which should be tailored to each company’s individual circumstances, are adapted below from the original report:
Principle 1: Ethics and compliance is central to business strategy.
E&C is both a function on the organizational chart and an essential element within every operation.
A high standard of integrity and compliance is articulated as a business objective, and every strategic decision is evaluated for alignment with the organization’s values and standards.
An HQP ensures compliance with law and regulation, and is resourced to help leaders across the organization understand their critical role in setting and meeting the standard for integrity.
The E&C program is expected to provide an independent voice, and regularly updates the board on E&C objectives, risks, and progress.
HQP staff maintains excellence by dedicating themselves to continuous improvement in E&C through innovation, engagement with stakeholders (inside and outside the organization), and consistent consideration of employee feedback.
Principle 2: Ethics and compliance risks are identified, owned, managed, and mitigated.
While organizational values are the heart of any E&C program, risk assessments provide the foundation upon which HQPs are built.
E&C staff collaborates across the organization to support a risk assessment process that identifies, prioritizes, and mitigates risk consistently.
Compliance performance, strength or weakness of organizational culture, employee willingness or fear to report, and other key E&C areas are evaluated and reported to the board as potential risks to the organization.
Leaders at all levels assume ownership for the ongoing identification and mitigation of risks that are relevant to their areas, both inside and outside the organization.
The board is regularly briefed on emerging E&C risks and how the E&C program is monitoring and mitigating risks where necessary.
Principle 3: Leaders at all levels across the organization build and sustain a culture of integrity.
Culture is the largest influencer of business conduct, and leaders are recognized as the primary drivers of that culture.
Leaders throughout the organization are committed to, and responsible for, making ethical conduct and decision making central to the organization and its operations.
The board assumes responsibility for evaluating the performance of senior management in providing ethical leadership and setting a proper tone at the top.
HQPs equip managers and supervisors with the support needed to make those values relevant to their day-to-day operations.
Recognizing that employees at all levels make ethics-related choices every day, HQPs provide resources, guidance, and training that emphasizes to all employees the importance of acting in accordance with shared values, seeking help, and speaking up.
Principle 4: The organization encourages, protects, and values the reporting of concerns and suspected wrongdoing.
HQPs focus on establishing an environment where issues can be raised long before situations are elevated to the level of misconduct.
HQPs prepare leaders and supervisors to respond appropriately if/when employees do come forward with concerns about wrongdoing.
Managers understand the impact of their actions, and HQPs hold them accountable if they contribute to a culture that discourages the reporting of concerns.
There are focused efforts to prevent and deter retaliation.
HQPs treat all those who report violations fairly and consistently, and effectively support employees who report suspected violations.
The board is regularly briefed on high-level trends in employee reporting, and management is expected to be transparent with the board when substantive “bad news” transpires.
Principle 5: The organization takes action and holds itself accountable when wrongdoing occurs.
Investigations are timely, neutral, thorough, competent, and consistent.
When a violation is confirmed, the organization responds with appropriate consequences, regardless of the violator’s position within the company.
The organization maximizes learning from every substantiated case of wrongdoing.
HQPs recognize that technology has increased reputational risk.
HQPs have well-developed systems for escalating issues, with regular testing of crisis management and response.
When appropriate, HQPs disclose issues to appropriate regulatory and government authorities and work cooperatively to respond to their concerns.
The board is well informed when substantive issues arise that require organizational accountability to stakeholders.
As corporate directors know better than anyone, there is no one approach to effective ethics and compliance. Each company’s circumstances are unique; therefore, their E&C programs must vary accordingly. But there are some universals among organizations that “get it right,” particularly when it comes to implementing a proper E&C tone at the highest levels of the organization. The board has an essential role in setting the expectation that the organization will not be satisfied with upholding only the minimum standard. Understanding the principles and practices that characterize leading E&C practice will help board members engage with management to ensure that the highest standard of integrity is seamlessly aligned with the performance of the organization overall.
Patricia Harned is CEO of the Ethics & Compliance Initiative (ECI) and frequently speaks and writes about workplace ethics, corporate governance, and global integrity. Ronnie Kann is executive vice president of research and program development at ECI, having served chief ethics and compliance officers, general counsel, and chief human resource officers throughout his career. Harned and Kann both contributed as authors to the ECI report Principles and Practices of High-Quality Ethics & Compliance Programs. The Ethics & Compliance Initiative (ECI) empowers its members across the globe to operate their businesses at the highest levels of integrity. ECI provides leading ethics and compliance research and best practices, networking opportunities, and certification to its membership, which represents more than 450 organizations across all industries. ECI comprises three nonprofit organizations: the Ethics Research Center, the Ethics & Compliance Association, and the Ethics & Compliance Certification Institute. www.ethics.org
At Protiviti, we often receive questions regarding the proper positioning of compliance in an organization. The debate often centers on to whom compliance reports. Unfortunately, this line of inquiry does not focus on the fundamental issue of roles and responsibilities. One reason there is disparity among organizations in positioning compliance is that there are different views regarding the responsibilities expected of the function. Positioning the compliance function for effectiveness is a matter of first defining the roles executive management and the board want that function to play. An understanding of these roles consequently provides a powerful context for evaluating how to position the compliance function within the organization.
Generally, a company’s compliance function is responsible for overseeing or coordinating compliance efforts, ensuring that the company and its employees understand and are complying with applicable laws, regulations, and internal policies. Some functions may deal with all compliance matters. Depending on the organization’s industry, other functions may focus on specific compliance domains, such as environmental, health and safety, contracting, product quality, employment and labor, and anti-corruption. Ethical and responsible business behavior may also fall within the scope of a compliance function’s responsibilities.
Regulatory settlements addressing egregious noncompliance issues sometimes stipulate a different line of reporting for a company’s compliance officer. For example, it is not unusual for settlement deals to stipulate that the chief compliance officer (CCO) not be subordinate to the CFO or chief legal officer and that he or she should report directly to the CEO and the board. A compliance function may be led by someone designated as the compliance officer or an equivalent title. If responsible for overall compliance, that person may be the CCO, which we use here to refer to the function’s leader. But the question remains: What is the CCO expected to do?
We see two distinct CCO roles in practice, as well as variants of each. An understanding of the two roles provides context for framing the positioning conversation.
The “Champion” CCO advances the framework for identifying the applicable compliance requirements (as defined by laws, regulations, contracts, and internal policies), aligning policies and processes with those requirements, assessing risk of noncompliance and closing gaps to ensure ongoing compliance. The frontline operating units and process owners are responsible for applying the compliance framework. They retain primary ownership of the risks created by their respective units and processes. The Champion CCO:
Enables and supports the application of the compliance framework by providing tools, guidance, and other resource materials.
Educates primary risk owners on the proper use of the framework, provides them with appropriate insights, and offers consultation upon request.
Coordinates and integrates cross-unit and cross-functional applications of the framework to ensure that effective practices to address enterprise compliance matters and common risks are shared.
Facilitates risk assessments and the formalization of risk mitigation plans and supports executive management in communicating relevant compliance messages.
Prepares reports on the state of compliance, typically on an annual basis, and either presents that information to the board or assists a senior executive who presents that information to the board.
Reports compliance activities with periodic summaries to appropriate executives and the board, including an assessment of risks and the potential impact of noncompliance against the estimated costs to achieve compliance, along with recommended compliance funding priorities and initiation of appropriate corrective actions.
The “Line of Defense” CCO undertakes the activities of the Champion CCO and is authorized to do a combination of the following in addition to the above duties:
Evaluate the state of compliance, quality of compliance risk assessments, design and implementation of risk mitigation plans, and operating effectiveness of those plans, all in coordination with internal audit and other evaluators.
Establish standards and implement procedures to ensure the organization’s compliance programs are cost-effective in preventing, deterring, and detecting noncompliance with applicable laws and regulations, contracts and internal policies, and making necessary corrections through improving existing policies and compliance infrastructure.
Approve policies and compliance risk mitigation plans.
Coordinate internal compliance reviews of lines of business and functions, and coordinate monitoring activities to ascertain whether compliance programs are working.
Escalate issues to executive management, including the CEO and, through appropriate channels, the board.
Veto activities affecting compliance with the organization’s mission-critical policies.
Arbitrate disagreements between operating and functional units affecting compliance.
The Line of Defense CCO may not be authorized to do all of the above, but the position clearly extends beyond that of an advocate because this role has the teeth of escalatory and/or veto authority.
These descriptions are not exhaustive, but they clearly differentiate the two roles. We can use them as a context for articulating several principles relating to the positioning of compliance within organizations.
The Line of Defense CCO must have sufficient stature with business-line leaders and across the organization to serve in the role effectively. Stature comes from the authority, compensation, and direct reporting lines that command respect. The authorities of the Line of Defense CCO should convey to the organization, as a whole, that this executive is a player. To illustrate, this positioning is accentuated if the Line of Defense CCO:
Reports to someone who has strong influence in the organization, such as the CEO or executive committee (perhaps with administrative reporting to another C-level executive) or the chief risk officer in ways that establish the CCO’s independence from core business activities;
Is vested with the authority to escalate issues to a senior executive who has access to and influence with the board and, in appropriate circumstances as determined by the board, has direct access to a standing board committee;
Engages in mandatory and regularly scheduled executive sessions with the board or a standing board committee;
Has influence on compensation practices incenting the desired compliance behaviors; and
Is sufficiently resourced with a support staff commensurate with his or her responsibilities.
A Line of Defense CCO also:
Needs an escalation process that is formalized, meaning written procedures and agreements requiring escalation of any significant issues raised by the compliance function that are being challenged by business-line executives; and
Should be a centralized role, meaning that all personnel with compliance responsibilities report through the CCO’s line rather than through their respective lines of business.
In addition to the above positioning, some believe that the authority to hire and fire the Line of Defense CCO should be vested in the board. We are not convinced this is necessary, although there may be circumstances where a board may conclude that it is.
In heavily regulated industries, the Line of Defense CCO model is likely the preferred option. In other industries, and in situations where management expects the CCO to focus primarily on understanding and coordinating an organization’s fragmented compliance efforts and reporting on the state of compliance, the Champion model might be more appropriate.
If the CCO or equivalent executive plays the role of the Champion, that person may report to a C-level executive (e.g., chief administrative officer, chief operating officer, chief legal officer, general counsel) or to a direct report of a C-level executive, and operate with adequate support staff commensurate with his or her designated responsibilities. While independence may be desirable, the Champion CCO doesn’t necessarily need to be independent. In fact, depending on the nature of the designated responsibilities, the Champion CCO may not even be a full-time job. In practice, the Champion CCO typically reports to the board of directors or a standing committee of the board only by invitation. A prime issue with the Champion CCO is clarifying how the compliance function interfaces with the lines of business.
When applying the above principles, the key question becomes: What do the board and the CEO expect from compliance? Effective compliance management starts at the top. If a viable line of defense is intended, the Champion CCO will not be able to deliver.
Questions for Boards
The following are some suggested questions that boards may consider, based on the risks inherent in the entity’s operations:
If the organization has a compliance function, is the board satisfied with the scope of the function’s roles and responsibilities, and satisfied that it is getting the insights it needs from the function?
If there isn’t a compliance function, is the board satisfied a cost-effective plan is in place to monitor the top compliance risks and oversee implementation of the organization’s compliance program?
If the organization has implemented the Champion CCO model, is the board confident that compliance programs are updated periodically in light of changes in the company’s needs and in applicable laws, regulations and contractual requirements?
Jim DeLoach is managing director with Protiviti, a global consulting firm.