Thursday, 8 March 2018

15th SSC Conference in Krakow - future of Risk and Controls in SSC

The future of Risk and Compliance operations as shared function (case study)



Risk and Compliance is a great “product” to be shared as a function, act as-a-service and bring value in terms of standardization to the wider business.

On 22 March I will be speaking at the 15th SSC Conference in Krakow about my experience in the Coty SSC of centralizing the Risk and Controls function.





I will concentrate on the hot topics and lessons learnt, and try to answer the questions as follows:


–       What to transfer to SSC and what to keep local?
–       How to transfer in “lift & shift” and “shift & lift” models?
–       What can you get from shared Risk and Compliance function?
–       What can hold it back, and why sometimes is not going as expected?

See the preview of this session here:





Tuesday, 27 February 2018

Internal Control and SOX Compliance - procedure elements for your SSC





There is no such thing as a perfect control system. Certain factors may negatively impact its effectiveness, such as staff size limitations, system configuration, human error, misunderstandings, fatigue, or stress.

An internal control system is meant to reduce these risks through ongoing review and validation of control design and effectiveness.

The main elements of this procedure, what each involves, and who is responsible for it are set out below:

Financial Risk Map, Risk Evaluation
Description: Annual high-level assessment of financial reporting risks, mapped and calculated at the Company level.
Responsibility: Vice-President and General Auditor presents to the Audit and Finance Committee.

Self-Assessment of Control Design and Effectiveness
Description: Ongoing preparation and update of Process Documentation; ongoing supervision and validation of the quality of control activities; updates following changes, e.g. organisational changes or system set-up.
Responsibility: Process Owners, supported by Internal Control & Compliance, especially where processes are newly brought into scope or where there are significant changes to processes.

Internal Control Review
Description: Periodic walkthrough of the Process Documentation to confirm that controls are present and properly designed. Any missing controls and weaknesses are identified and remediation actions agreed.
Responsibility: Internal Control & Compliance.

Attestation
Description: Finance Directors attest to the existence and effectiveness of internal controls over their in-scope processes as a component of the year-end close process. This attestation is based on attestations from Process and Sub-Process Owners, which in turn rest on their Process Test of Design and Documentation, Control Test of Design and knowledge of how the process functioned throughout the year.
Responsibility: Local CFOs attest based on Process Owners' input; Internal Control & Compliance facilitates the attestation process.

Control Test of Effectiveness
Description: Testing of the operating effectiveness of controls, conducted on a sample basis. Key Controls are tested annually; Non-Key Controls on a three-year rotation.
Responsibility: Internal Audit; Internal Control & Compliance coordinates and facilitates the audit process.

Deficiencies Report
Description: Weaknesses identified in controls are assigned to the respective Process Owner as actions with a target date for implementation. All Significant Deficiencies and Material Weaknesses are reported to the Audit and Finance Committee.
Responsibility: Process Owners and Internal Audit; Internal Control & Compliance is informed of the report.

Corrective Actions
Description: Remediation actions are carried out so that each action is closed by its due date.
Responsibility: Process Owner; Internal Control & Compliance monitors the action; Internal Audit evaluates action closure.

External Audit
Description: The External Auditor performs independent tests of internal controls. The Internal Control report is signed off by the CEO and CFO and published to the market as part of the annual Exchange Act report.
Responsibility: CEO and CFO; External Auditor.



Tuesday, 20 February 2018

Internal Control documentation - guide for your SSC




Internal Control documentation is owned by the Process Owner, who ensures its content is aligned with both SSC and Local Markets teams. 


Process Owner is ultimately responsible for ongoing preparation and update of relevant process documentation, which includes:

· Process Maps and Narratives

· Risk and Control Matrix

· Controls Activities Procedures

Internal Control & Compliance in the SSC is the custodian of the process narratives and the Risk and Control Matrix, which means that no changes to the documentation are allowed before review by Internal Control.

Process maps and narratives provide a high level overview of the process as well as a detailed description of its risks, associated controls and required evidences, while risks and controls are summarised in a Risk and Control Matrix with controls classified as Financial Reporting (SOX) and Operational Controls, as well as Key Controls and Non-Key Controls.

The process or control documentation needs to be concise, yet explicit enough to allow an employee to perform the control accurately. The optimal level of control activity documentation should include:


Sub Process - Sub-process for the Tower / Stream, which determines the Control Owner

Risks - Risk which is mitigated by the control

Control Objective - Objective that is achieved by the control

Control Reference no. - Reference ID to identify the control in process documents. The naming convention is a combination of Control Category, Tower and a sequential number, e.g. OAP01, OAP02

Control Activity - Detailed procedure on who, how, what and when will perform in the proper sequence to execute the control activity. Description should clearly define all parties involved and interconnection, or dependences between them.

Control Documentation - Type and form of documents which are used to evidence the control performance.

Upstream Dependency - Activities that are performed by the Local Markets and have a bearing on the activities being performed in the SSC, eg. reports, checks, information exchange.

Control Category (Financial/Operational/Compliance/SOD) - Financial (control is associated with risk over financial statements), Operational (control is associated with risk with respect to business operations), Compliance (controls associated with key regulations e.g. FCPA) and SOD (control ensures segregation of duty)

Control Performance (Automated/Manual) - Automated (control is performed in the system without any manual intervention, e.g. 3-way match for invoice processing) and Manual (control is performed manually, e.g. approval of a manual journal entry)

Control Method (Preventive/Detective) - Preventive (control is performed before the process activity is completed) and Detective (control is performed after the process activity is completed)

Control Frequency - Control frequency is based on the number of times a control is performed in a calendar year, i.e. yearly, half-yearly, quarterly, monthly, daily, as & when (on occurrence)

Criticality (Key/Non Key) - Identify the control as Key / Non-key:
Key-Control - It is required to provide reasonable assurance that material errors will be prevented or timely detected
Non-Key Control - It is also referred as sub-process, secondary, activity or operative control.

SOX - Internal Control & Compliance determines whether the control is SOX or non-SOX

Control Owner - Ownership of the control needs to be clearly identified. This must be the position, NOT the name of an individual

Applicable Countries - Countries to which the control applies

Country Nuance - Nuance for the exception country

SOD - Specify segregation of duty to be maintained in control activity

Reference Documents - Documents / templates used in control performance

Metrics - SLA/KPI agreed to be reported applicable to the control activity

Systems / Tools - Systems and tools used for control performance 

Tuesday, 6 February 2018

SSC Internal Control Framework - set the principles


You have decided to set up a shared function, Internal Control & SOX Compliance, under your SSC. This is absolutely worth doing, as risk and compliance has a future as a centralized function.

This is still a very niche topic, and many managers of SSCs prefer to keep Risk and Compliance in HQ. I totally agree with the approach that – due to its strategic importance – Risk & Compliance needs a stable and direct link to the “top” of the organization.

Nothing stops us from making it customer-oriented, efficient, integrated, collaborative, technology-driven, though. Risk and Compliance is a great “product” to be shared as a function, act as-a-service and bring value in terms of standardization to the wider business.

The below is a draft of Internal Control Framework that may be used as a set of principles.

1. INTRODUCTION

Internal Control is a process for assuring achievement of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.

  • A company publicly traded on the NYSE is subject to the Sarbanes-Oxley Act (SOX). 
  • Under Section 404 of the Sarbanes-Oxley Act (“SOX”), management is required to produce an "internal control report" as part of each annual Exchange Act report. The report must affirm that an adequate internal control structure and procedures for financial reporting are maintained.
  • The Company should maintain an appropriate Internal Control (“IC”) system, in line with the COSO framework.

2.  SCOPE

Internal Controls are an integral part of the Company’s financial and business policies and procedures. Internal controls consist of all the measures taken by the organisation for the purpose of:

  • protecting its resources against waste, fraud, and inefficiency,
  • ensuring accuracy and reliability in accounting and operational data;
  • securing compliance with the policies of the organisation and relevant laws.
The SSC IC framework is the document that sets the roles and responsibilities for accurate internal control implementation across the services provided by the SSC.

3. ROLES AND RESPONSIBILITIES

Everyone within the organization has some role in internal controls. The roles vary depending upon the level of responsibility and the nature of involvement of the individual. The chart of responsibilities in Internal Controls is set out below:
Audit and Finance Committee
The Committee oversees the integrity of the Company’s financial reporting process and systems of internal controls, including the integrity of the Company’s financial statements; as well as compliance with the laws and regulations.
Chief Financial Officer
Chief Financial Officer establishes minimum control requirements and principles that have to be adopted across the organization.
Chief Financial Officer delegates responsibility for internal controls and SOX compliance to the finance directors. 
Finance Directors are expected to delegate responsibility for individual processes to named Process Owners, i.e. senior managers usually within their own organisation or in the SSC organisation. 
Process Owners
Process Owners are responsible for delivering controls compliance, making whatever resources are required available and utilising the support provided by the Internal Control & Compliance effectively.
For complex processes that cut across organisation structures a Process Owner may appoint Sub-Process Owners who are responsible to the process owner but may work in different departments/teams.  SSC may be a sub-process owner.
Process and Sub-process Owners are designated individuals who ensure that processes and controls are duly documented and kept up to date.
Finance Directors are ultimately accountable for internal controls within their financial processes. They attest to the existence and effectiveness of the controls on a quarterly basis.
SSC Internal Control & Compliance
Internal Control & Compliance is fully authorized and has unrestricted access to organization records and information when performing internal review. All employees are requested to assist the internal control activity.

Internal Control & Compliance is responsible for ensuring the successful implementation and review of the internal controls framework, in particular to:
  • Implement, direct and oversee the Internal Controls Framework and compliance programs in the SSC.
  • Conduct ongoing reviews of organization controls, standard operating procedures (SOPs), and compliance with policies and regulations.
  • Review and appraise the soundness, effectiveness, efficiency and proper application of accounting and financial controls, compliance procedures and controls, and the timeliness of documentation generation.
  • Take care of the quality of the controls documentation and its timely review by the respective Process Owners; act as custodian of the process narratives, meaning no changes can be made to control procedures without Internal Control review.
  • Provide recommendations for control improvements and proactively seek synergy and automation opportunities.
  • Report progress and status of internal controls readiness to senior management, incl. Global Process Owners and Finance Directors, and to Local Markets.
  • Coordinate activities with Internal Audit and compliance personnel, and liaise with External Auditors; support SSC teams in preparation for audit, and monitor the addressing of audit findings and control deficiencies.
  • Recommend and conduct mandatory employee training, and provide ongoing compliance support and advisory for employees in the SSC.
  • Support process owners in the Process Test of Design and in the update / archiving of Process Documentation (Process Maps and Narrative, and Risk and Control Matrix). 
Internal Audit
Internal Audit is an independent function. Internal Control & Compliance is not a part of Internal Audit.
Internal Audit's role is to test control design and effectiveness. On an annual basis they assess and report to the Audit and Finance Committee on control effectiveness. Where a control deficiency is identified, Internal Audit classifies it as a Deficiency, Significant Deficiency or Material Weakness[1] and maintains records of control deficiencies and their associated action plans.
Internal Audit reports Significant and Material deficiencies to the Audit and Finance Committee.


[1] A Deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. 
A Significant Deficiency is a deficiency, or a combination of deficiencies, that is less severe than a material weakness yet important enough to merit attention by those responsible for oversight of the company's financial reporting; on its own it does not lead to an adverse opinion on internal control over financial reporting.
A Material Weakness exists when there is a reasonable possibility that a material misstatement of the company's annual or interim financial statements will not be prevented or detected on a timely basis.

Thursday, 18 January 2018

Internal Controls elements




Internal control system operates at different levels of effectiveness. Determining whether a particular internal control system is effective is a judgment resulting from an assessment of whether the five components - Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring - are present and functioning. Effective controls provide reasonable assurance regarding the accomplishment of established objectives.

Control Environment
The control environment sets the tone of the organization and influences the control consciousness of its people. Leaders of each division, area or activity establish a local control environment. This is the foundation for all other components of internal control, providing discipline and structure.
Risk Assessment
Identifying and analyzing risk is an ongoing process and a critical component of an effective internal control system. Attention must be focused on risks at all levels and the necessary actions must be taken to manage them. Risks can stem from internal and external factors. After risks have been identified they must be evaluated.
Control Activities
Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address defined risks. Control activities occur throughout the organization, at all levels, and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Information & Communication
Relevant information must be identified, captured and communicated in a form and time frame that enables people to carry out their responsibilities. All personnel must receive a clear message on their control responsibilities. The direct supervisor is obliged to train personnel on the individual control activities related to their work.
Monitoring
An internal control system is monitored in three ways. Ongoing monitoring occurs in the ordinary course of operations. Separate evaluation is performed by Internal Control & Compliance on selected processes or activities.
On an annual basis an independent audit is performed by Internal Audit. Internal control deficiencies should be reported upstream, with serious matters reported immediately to top management and governing boards.

Monday, 8 January 2018

How secure are you?

You are only as secure as you are careful.

Stay vigilant, watchful and attentive! Use your common sense and instincts.

If anything seems weird…, stop action, refuse to continue your work, raise your hand!




Watch out! Don't get hooked by an e-mail scam. Watch how easy it is to lose your password, your data, and ... your security.





Don’t get hooked by an e-mail scam


Phishing email messages, websites, and phone calls are designed to steal money, data or information.

Whenever a suspicious e-mail or phone call arrives, follow these 4 steps to make sure it is not phishing:

SPOOFING: carefully check the sender’s address. On a mobile device, tap the display name to reveal the actual address.

URGENCY: be wary of any call to action, especially one with a deadline. Always check where a link really leads before clicking it, instead of clicking quickly.

VERIFY: if you are not sure the sender is genuine, contact the person through a separate channel: forward the message to an address you already know, or call a phone number you already have on file. Do not simply reply to the e-mail.

ROBUST PROCESSES: first and foremost, follow your processes. If the sender asks for any deviation, it must go through all the valid steps and approvals. Never agree to do anything without being sure.




Trust your instinct. If it doesn’t feel right, question it.



';--have you been pwned?


Carefully check the sender’s address – on mobile devices click on the display name to show the address.

Always hover over a link to display the real URL. What appears to be the URL is only the visible link text, so it can be deceiving.

The content of the email will try to entice you to click on the link. It will call to action. You will feel a sense of urgency.


Do not forget to follow the security steps! Check your e-mail here: https://haveibeenpwned.com/
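The checks above (the 4 steps: spoofing, urgency, verify, and the "hover over the link" advice repeated here) can also be done by a script before a message ever reaches a human. The following is an added example, not code from the original post: it parses a constructed phishing e-mail, shows the real sender address hiding behind the display name, compares each link's visible text with where its href actually points, and flags urgency language. The list of trusted domains and the sample addresses (the `.example` names and the documentation IP 198.51.100.23) are assumptions for the demonstration.

```python
"""Triage a suspicious e-mail the way the checklist says: real sender address
behind the display name, visible link text vs real href target, urgency words.
Added example for this post; the sample message below is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that typically signal a call to action with a deadline (assumed list).
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours",
                 "account will be suspended", "act now")

# Constructed sample: display name claims to be the bank, address is elsewhere;
# the first link's text shows the bank's domain but the href points to an IP.
SAMPLE_EMAIL = """\
From: "Acme Bank Security" <alerts@acme-bank-secure.example.net>
To: jane.doe@example.com
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you act now.</p>
<p>Log in at <a href="http://198.51.100.23/login">https://www.acmebank.example.com/login</a></p>
<p>Questions? <a href="https://www.acmebank.example.com/help">help centre</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url):
    """Hostname of a URL; a scheme is assumed when the text omits one."""
    return urlparse(url if "://" in url else "http://" + url).hostname


def analyse(raw, trusted_domains):
    """Return a list of findings for one raw RFC 5322 message.
    trusted_domains: the domains the sender claims to represent (caller-supplied)."""
    msg = message_from_string(raw)
    findings = []

    # SPOOFING: the mail client shows the display name; the address is what counts.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if sender_domain and not any(sender_domain == d or sender_domain.endswith("." + d)
                                 for d in trusted_domains):
        findings.append(f"spoofing: display name '{display_name}' "
                        f"but address domain is '{sender_domain}'")

    # URGENCY: a call to action with a deadline is the hook.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency: " + ", ".join(hits))

    # The "hover over the link" check, done by the machine: visible URL vs real target.
    collector = LinkCollector()
    collector.feed(body)
    for visible, href in collector.links:
        shown = host_of(visible) if re.match(r"^(https?://|www\.)", visible) else None
        real = host_of(href)
        if shown and real and shown != real:
            findings.append(f"link mismatch: shows '{shown}' but goes to '{real}'")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL, ["acmebank.example.com"]):
        print(finding)
```

The second link ("help centre") is not reported, because its visible text is not a URL and a human would hover over it anyway; only links whose text pretends to be the destination are flagged. A message that passes all three checks still deserves the VERIFY step if it asks for money or credentials.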



Invoice fraud – check twice, or pay the price


Invoice fraud occurs when a fraudster tricks an organisation into changing the bank account payee details for a payment.

Fraudsters pretend to be a regular supplier of the organisation.

As funds are often transferred quickly, this makes the recovery of the money difficult.

Look out for requests to:

  • Change payee account details for a regular payment already set up with a supplier, particularly if the request is for an immediate payment.
Take time to consider:
  • If a request to alter bank details or transfer money was expected or if it was received out of the blue from an existing supplier.
  • Is there a PO for the supply, can anyone confirm that goods / services were actually ordered and delivered?
Always verify requests to change bank details or set up new payment instructions by contacting the supplier directly. Use the established contact details on file, not those in the request, before implementing any change.

Making fake statements is as easy as 1-2-3. You can even find many instructions on YouTube!


Inside job


Money and information are very often stolen by people within the organisation. There are many reasons why this happens. In many instances it is simply greed, but not only that.

To be safer always have eyes and ears open for the behaviours or activities of concern, and suspicious behaviour patterns that might indicate a potential insider risk:

  • Hostile attitudes and extremist views towards the company
  • Becoming withdrawn or appear vulnerable
  • Reluctance to take vacation
  • Unauthorised handling of sensitive material
  • Being miserable, too nervous, etc.