Day 23 - Assessing Compliance Internal Controls
Episode Synopsis
What happens when controls are continually overridden? Does that necessarily mean that companies are engaging in activities that violate the FCPA or some other law such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start out with some basic questions such as “How often would something be manually approved? How often are controls skipped, what are the levels of approvals that you have and what is your documentation? What are the reasons, and are you documenting how often a certain department is requiring those overrides?” While frequent overrides could indicate that a company lacks a culture of compliance or that everything is treated as an emergency, they might mean something else. They might mean that your internal controls need to be evaluated and then recalibrated. In the FCPA Resource Guide and the Update to the Evaluation of Corporate Compliance Programs, the Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous controls monitoring.
However, many compliance professionals, and particularly lawyers, think that once a control is in place, it is set in stone and there forever. This derives from the unfortunate fact that, once again, many compliance professionals and most lawyers do not understand internal controls. Yet internal controls, much like the rest of a compliance program, can and should be continually monitored and continually improved based upon information about such things as the number of overrides. Such a review can surface evidence of a management problem or a culture of non-compliance at the organization. However, it could also be that the controls need to be adjusted.
Three Key Takeaways
1. An internal control override is not necessarily a bad thing if proper procedure is followed.
2. Internal controls are not set in stone.
3. The key is to have a process for monitoring the controls, taking input, literally from each line of defense.