Farewell to Tom Terrific and Using a Risk Assessment to Design Internal Controls

Thomas Fox - Compliance Evangelist

There were many with the name before him and I am sure there were many with the name after him, but there was only one ‘Tom Terrific’. Today we honor that greatest of all New York Mets, Tom Seaver, who recently passed away at age 75. For a 12-year-old kid, it is remembering reading the Box Score each morning in September when the lowly Mets roared back to overtake those loveable losers, the Chicago Cubs, who had led the National League (NL) for the entire 1969 season. Seaver led the charge, where, according to Tom Verducci in a 2019 SI.com article, “Seaver went 10-0 with a 1.34 ERA in his last 11 starts. He was nearly perfect in six September turns: no home runs, no stolen bases allowed, no losses and no relievers.” Of course, the baseball gods ordained that the Mets would defeat the best team in baseball, the Baltimore Orioles, for the World Series title that fall.

His numbers were outstanding. According to his NYT obituary, he had 311 wins and 3,640 strikeouts in his 20 big-league seasons, which is sixth on the career list. He was the NL’s “Rookie of the Year in 1967 and was an All-Star nine times in 10 full seasons with the Mets. He had five seasons with more than 20 wins for the team, led the league in strikeouts five times and in earned run average three times. He won three Cy Young Awards as the league’s best pitcher.”

But all that was not what made him Tom Terrific. At age 24 he seemed like a seasoned pro. At age 40 he seemed like a kid in a candy shop. His work ethic was unparalleled, as was his preparation. Just as Lou Brock was a gentleman, so was Tom Terrific. And he had a sense of humor. My favorite story came from T.J. Quinn, writing in ESPN, who reported, “‘Did I ever tell you about the dinner I organize at Cooperstown every year?’ he said once. ‘It’s me, Sandy Koufax, Bob Gibson, Gaylord Perry and Warren Spahn. Sandy and Gibby are the only ones without 300 wins. You know what we call them?’ He paused. ‘Our fourth and fifth starters.’”

Tom Terrific indeed.

Today, I want to use the rigor in the preparation of Seaver to introduce the topic of how to use a risk assessment to provide a structured approach to establishing effective internal controls. After preparation of the risk assessment, the next step is to prioritize the list of risks and identify the locations in which they are common. This begins by mapping existing internal controls to risks and then assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the risk assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets, while a company which sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.

One of the biggest risks under the Foreign Corrupt Practices Act (FCPA) is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts, it presents a high compliance risk. The 2019 Securities and Exchange Commission (SEC) FCPA enforcement action against Quad/Graphics Inc. was just such a situation, where a newly emerging international sales operation, acquired through an acquisition, was executed through third-party agents.

The compliance function should understand the corporate or business unit controls over the international business in addition to the necessary controls over agents. Some of the questions you might consider are the following: Is there a US-based international sales manager who is responsible for growing the business? What is the incentive compensation plan? How good are the Segregation of Duties (SODs)? In other words, can the international sales manager unilaterally make high-risk decisions, or must a senior officer of the business unit or the corporate home office be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are these internal controls documented?

What about the opposite situation, where your company’s primary sales channel uses a US-based sales force which only travels to locations outside the US for temporary visits of generally short durations? This situation minimizes, retains and shifts some compliance risks. The minimized compliance risks come from the reduced reliance on third parties, so that a company, at least in theory, would have more control over its own work force than over those employed outside the company.

The retained risks are the risks associated with gifts, travel and entertainment; approval of credit terms to customers; product pricing; special arrangements with customers such as providing product samples; knowing who the ultimate customer is and where the goods are ultimately shipped; and use of freight forwarders and customs agents. Shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared. 

These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or compliance policy, and training on said policy’s requirements, is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that define exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs.

The bottom line is that a risk assessment is a foundation for multiple purposes. It can also be used to help to design, create and implement your internal controls.
