Page 74 - COSO Guidance Book
34 | Enterprise Risk Management | Compliance Risk Management: Applying the COSO ERM Framework
of methods and techniques, with a goal of obtaining assurance on the quality of the system's performance over time and contributing to its continuous improvement (see figure A.1).

Figure A.1 Auditing, monitoring and reporting
[Figure: Auditing Activities (independent); Monitoring (nonindependent); Other Performance Feedback]

Accordingly, auditing is performed by individuals independent of the function being reviewed. Auditing may be performed by an internal audit department, other third parties, or by individuals within the compliance function if structured so as to maintain their independence. Monitoring is often performed by a quality assurance function or managers, supervisors, and other employees within the function being reviewed.

A monitoring and auditing plan is an important driver of compliance program effectiveness, and it should be designed and updated based on periodic risk assessments. Monitoring and auditing activities should be aimed at both (1) detecting noncompliance (or signs of noncompliance) and (2) identifying breakdowns in internal controls over compliance, such as areas in which a preventive or detective control is not functioning as designed. A wide variety of techniques may be used in monitoring and auditing. Examples include observation and site visits, surveys, questionnaires and checklists, interviews, reviewing transactions and documentation, data analytics, and reviewing digital evidence. The audit function may also provide assurance to the board regarding the overall effectiveness of a C&E program.

Another important mechanism of an effective C&E program involves maintaining a trusted system for seeking guidance and reporting suspected wrongdoing by employees (and others). Employees should have multiple avenues for seeking guidance regarding compliance and ethics issues and for reporting what they perceive as potential violations of laws, regulations, or the organization's policies and procedures.

Although employees may be encouraged to report matters to their supervisors, organizations must recognize that there may be situations in which that is not desirable or practical. Accordingly, making employees aware of other options for reporting is important. Other options may involve telephone- or email-based systems (internal or operated by independent third parties) or direct reporting to others within the organization, such as human resources, compliance, internal audit, an investigations unit, certain members of senior management, or even the board or audit/compliance committee.

Characteristics of an effective reporting system include user options that allow for the following:

1. Anonymous reporting — The reporter's identity is not known (where allowed by law), often achieved through a hotline or similar mechanism
2. Confidential reporting — The reporter's identity is known only to a select few, and those few are expected to take reasonable steps to maintain that confidentiality while pursuing the matter
3. Open reporting — The reporter is willing or desires to have their identity disclosed without limitations

These and any other methods of reporting should be developed with consideration for federal, state, and local laws in the countries and regions in which the reporting system operates.

For any reporting to be effective, it must be trusted. Trust is driven by many factors, but the most important two are (1) a belief that the organization will take allegations and concerns seriously and perform a proper assessment in response and (2) that reporters can expect to be free from retaliation after they have reported their observations and concerns in good faith.

Finally, DOJ encourages publicizing reporting systems to third parties, in addition to employees. Vendors, suppliers, and other third parties are often in a unique position to observe signs of possible violations that might not immediately be observable by employees.

All matters reported should be reviewed and assessed in a timely manner. The assessment of a report should consider whether further investigation is necessary based on the information provided by the reporter, the nature and seriousness of the possible violation, and any other information known that is relevant to the report.

Even in the most trusted of systems, some employees may not feel comfortable reporting wrongdoing until they are leaving an organization. As a result, exit interviews of departing employees should provide one final opportunity for the employee to report suspected wrongdoing and to provide feedback in other areas related to the C&E program.

Investigations may result from information obtained via the reporting system, but may also stem from an organization's
coso.org