IIA South Eastern Regional Conference Day 2.1 – Effective Compliance Programs

The second day of the conference was excellent. Everyone I spoke with regarding the speakers, topics, and materials thought day 2 was the best and blew away the first day. I had the privilege to attend several sessions that focused on Corporate Governance, Audit Committee Oversight duties, Fraud Risk Assessments, and Effective Audit techniques. I was unable to attend the full day on Wednesday, Day 3, but was able to enjoy Ed Robinson’s presentation and a thorough breakdown on the Foreign Corrupt Practices Act (FCPA). I will post my notes from the conference in sections given the need to digest all that I heard prior to posting:

“Structuring an Effective / Comprehensive Compliance Program” was presented as a panel discussion that included several notables on the panel: Ryder, OCEG, Turner, and Southern Company.

  • It was noted that SOX provided several benefits. First, it brought attention and resources to the existing compliance program and the motivation to mature it. Second, SOX exposed how weak many of the technology controls surrounding the financial reporting systems were.
  • A study from the OCEG was presented with several trends and statistics (available; check out this post for the OCEG study and many more):
    • The status quo in organizations is the existence of silos (Finance, HR, IT) in the management of compliance and control requirements
    • Technology solutions are trending toward bridging these silo gaps and creating a central management approach
    • 2/3 of companies were found to be adversely affected by redundant/duplicate controls. The effects included:
      • The pain of reconciling disparate data
      • Difficulty finding the truth
    • 1/2 of all identified failures caused harm and damage to the organization (deficiencies), but these effects were short lived and the memories were quickly forgotten in the organization
    • Only 14% of respondents had integrated their compliance programs
    • The overarching theme that resonated from the study was the need for consistency and accountability
  • Compliance departments must not become the Department of NO. (A role that IT Security once held, and in some cases still holds)
  • The existence of a Chief Risk or Compliance Officer is attributed to the FSG (Federal Sentencing Guidelines)
  • General overview of the FSG (mainly pulled from Chapter 8, which covers organizations):
    • Possess good policies and procedures
    • Assign a responsible party (Compliance Officer)
    • Existence and presence of a program
    • Communicate / publish / train on the program
    • Enforce the standards
    • React to and address problems
    • “Effective”, as defined by the FSG, is a program that has the ability to detect and prevent criminal activity
    • Note: the government does not care how much was spent on a safeguard, only that it is effective; business perspectives must still be considered
    • The FSG is not a compliance standard for an organization, but it should be incorporated to ensure that the organization is protected and that due care is taken for its personnel
  • Challenge of Ethics
    • Organizations can choose to accept fines for non-compliance if only direct costs are considered
    • Ethics are decided based upon social duties, doing the right thing, and based on the maturity of the business
  • When dealing with auditors, create a relationship and seek to understand the intent of the effort
  • Understanding the reasons information is sought allows the organization to provide the correct information.
  • OCEG's Red Book, in its current published form, has recommendations on establishing a compliance program
  • The risk faced by an organization can come from a number of areas and must be the central responsibility of a core group, i.e. the Compliance group. These risks may be categorized as environmental, compliance, people, ethics, regulations, and business
  • A simple method of gaining acceptance by business parties: first, identify the risks (see the categories above); second, vet these against a formal corporate compliance steering committee (vet and weigh the risks); third, give the business another pass; and finally, compare these digested risks and ratings against any multinational rankings.
  • Benchmarking is very important to ensure a business is not overspending or falling behind in technology innovations. Benchmarks can be gathered through OCEG and public surveys.
  • Several studies were recommended, including:
  • A common refrain from the panel was that compliance programs should promote the delivery of advance information on compliance to satisfy the concerns of management, the Board, and the Audit Committee
  • Some takeaway tips from the session:
    • Develop an Agreed-Upon Procedures process for GRC
    • Define hard metrics for a framework – consider OCEG Red Book
    • Become certified – whether by ANSI, OCEG, or others
    • A tip by the OCEG spokeswoman was that everyone should join the OCEG study survey process, because all participants get a free customized report that provides benchmarks based on each survey.

Benchmark, Benchmark, Benchmark:

  • Statistics that are timely and complete are not easy to locate and absorb into an organization for comparison; however, a great tip provided by the panel was to look for bad reports!
  • Bad compliance or failed audit reports that are made public in proxy filings and by government agencies contain huge amounts of information on what was done wrong (Fannie Mae's 348-page report is worthy of any good flight across the pond; Boeing; CA).
  • Take advantage of free webinars to learn about latest interpretations of laws and requirements

The greatest theme that resonated throughout this session, the one-on-one interviews and discussions I had, and other sessions can be summed up in the following points:

  • Seek to understand an organization’s culture – even transformational leaders must understand where the river flows before effecting change.
  • Identify areas of value from the compliance program beyond avoiding fines, and contribute to the mission of the business
  • Risk Assessments (of all risk categories) are a necessary starting point before any audit and monitoring is possible.
  • Communicate in a language that can be understood – and gain a presence with the Directors and executive management.

A huge overview, and I hope some value to anyone seeking to hone their compliance programs. There is a tremendous amount of thought leadership in this area, and I encourage anyone to contact me to discuss these points.

Best regards,

James DeLuccia IV


One response to “IIA South Eastern Regional Conference Day 2.1 – Effective Compliance Programs”

  1. very interesting, but I don’t agree with you
