24 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
Third line roles (internal audit): responsibilities to include,

• Maintains primary accountability to the governing body and independence from the responsibilities of management

• Communicates independent and objective assurance and advice to management and the governing body on the adequacy and effectiveness of governance and risk management (including internal control) to support the achievement of organizational objectives and to promote and facilitate continuous improvement

• Reports impairments to independence and objectivity to the governing body and implements safeguards as required

Above these three lines is the organization’s governing body. The Three Lines Model describes the governing body’s role as follows:

• Delegates responsibility and provides resources to management to achieve the objectives of the organization while ensuring legal, regulatory, and ethical expectations are met.

Put more simply, the board is responsible for oversight of the compliance and ethics functions. The most senior level of management, where the CCO sits, is responsible for establishing structures and processes aimed at ensuring compliance. The next level of management is responsible for providing expertise, support and monitoring to achieve compliance and ethics expectations.

Figure 5.1 shows how this model can be used to design an auditing and monitoring plan for a high-risk area (conflict of interest in an academic medical center).
Figure 5.1 Auditing and monitoring plan for a high-risk area

Risk Area (as identified during risk assessment): Conflict of Interest (COI)

1st Line – Management (structures and policies):
• Establish COI policies and procedures
• Educate personnel about COI policies
• Report non-compliance to COI Manager
• Report unauthorized vendors representatives and displays
• Advise personnel to contact Compliance with questions
• Review annual COI disclosures

2nd Line – Management (monitoring and support):
• Annual COI disclosure
• Purchasing and Accounts Payable
• Pharmacy vendor registrations
• Open Payments database
• Research conflict database cross-check

3rd Line – Internal Audit (independent auditing):
• Audit 10% of outside travel payments against travel reimbursements
• Level 2 review of COI disclosures
• Audit 10% of “nothing to disclose”
• “For cause” investigations
In addition to the auditing and monitoring of high risks, a review of the C&E program as a whole is necessary to provide the needed assurance for the board and executive management, and it is also part of Principle 17 and the effort to continually improve the C&E program. This review involves periodic assessment of the effectiveness of the C&E program as a whole. There are a number of approaches that could be taken. The review could be performed by members of the compliance and ethics function in a self-review, by the organization’s internal audit function, or by external service providers. At a minimum, the review should look to see that the C&E program incorporates all of the elements of an effective compliance program described in Appendix 1 (or other applicable standard) and that they are operating effectively.

An additional resource that could be used is the Evaluation of Corporate Compliance Programs guidance provided by DOJ² to federal prosecutors for their use in assessing C&E program effectiveness. This guidance asks the following three fundamental questions regarding the organization’s C&E program:

1. Is the organization’s C&E program well designed?

2. Is the program being applied earnestly and in good faith; in other words, is the program adequately resourced and empowered to function effectively?

3. Does the C&E program work in practice?

Determining the answers to these three questions requires further inquiry into each element of an effective program, as well as evaluating the C&E program as a whole.
² U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (updated June 2020), http://bit.ly/2Z2Dp8R.

coso.org