Assessing Internal Controls Over Compliance Risks

Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.


The major focus of discussions around internal control for the last several years has been on internal control over financial reporting (ICFR), especially for SOX compliance purposes.

But ICFR is not the only compliance requirement organizations need to worry about, and not the only one their internal controls must be sufficient to address.

In this post, I am going to discuss how I advise organizations to assess whether their system of internal control is adequate as it relates to compliance risk (i.e., the risk that they will fail to comply with applicable laws and regulations). I will summarize the process and then review two pieces of key guidance that support the approach, one from the U.S. and one from the U.K. Finally, I will comment on how this is addressed in the latest draft guidance from COSO.


My Process

In my recent post, How to Assess the System of Internal Control, I spelled out my overall process:

“An effective system of internal control reduces, to an acceptable level, the risk of not achieving an objective relating to one, two, or all three categories.” (COSO Internal Controls Framework (ICF), updated 2012 draft, paragraph 86)

In order to achieve this, you need:

  1. Clearly defined objectives.

  2. A well-executed risk assessment that defines the risks to achievement of objectives.

  3. Definition (which is preferably formal) of the level of risk that management and the board are willing to accept.

  4. A combination of controls that provides reasonable assurance that the above-defined risks are within the above-defined acceptance levels.

  5. An efficient combination of controls.

Every reputable organization will have an objective to comply with applicable laws and regulations. They will be willing to accept only a minimal likelihood of failing to comply — and that is their acceptable level of risk. That takes care of items (1) and (3) above.

My process is to:

  1. Perform a risk assessment that defines the risks to compliance.
  2. Identify and assess the adequacy of the combination of controls that provides reasonable assurance that compliance risks are at an acceptable, minimal, level.

In other words, I follow the same process as I do for all other categories of objectives and risks. For each area of compliance, I identify what could happen that would lead to non-compliance, and then I identify the combination of controls that provides reasonable assurance that the likelihood of non-compliance is minimal. It is not possible to obtain perfect assurance, because we are always subject to human error and do not have unlimited resources with which to fund compliance programs. So, some minimal level of risk has to be accepted by the organization.


Official Guidance on Compliance

So, let’s look at two pieces of guidance (the italics are added by me for emphasis).

The first is the 2011 U.S. Federal Sentencing Guidelines (PDF). These official guidelines instruct courts in the US how to sentence individuals and organizations that are found guilty of violating federal law. Chapter Eight – Sentencing of Organizations is relevant to our discussion, as it details how an organization can mitigate punishment for violations:

The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility.

Section §8B2.1 explains what is considered “an effective compliance and ethics program”:

(a) To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (b)(1) of §8D1.4 (Recommended Conditions of Probation - Organizations), an organization shall —

(1) exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

The key for our discussion in this post is that the Guidelines require a risk-based approach:

(c) In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

The above is explained in the Application Notes that follow the text:

To meet the requirements of subsection (c), an organization shall:

(A) Assess periodically the risk that criminal conduct will occur, including assessing the following:

i. The nature and seriousness of such criminal conduct.

ii. The likelihood that certain criminal conduct may occur because of the nature of the organization’s business. If, because of the nature of an organization’s business, there is a substantial risk that certain types of criminal conduct may occur, the organization shall take reasonable steps to prevent and detect that type of criminal conduct. For example, an organization that, due to the nature of its business, employs sales personnel who have flexibility to set prices shall establish standards and procedures designed to prevent and detect price-fixing. An organization that, due to the nature of its business, employs sales personnel who have flexibility to represent the material characteristics of a product shall establish standards and procedures designed to prevent and detect fraud.

iii. The prior history of the organization. The prior history of an organization may indicate types of criminal conduct that it shall take actions to prevent and detect.

(B) Prioritize periodically, as appropriate, the actions taken pursuant to any requirement set forth in subsection (b), in order to focus on preventing and detecting the criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur.

(C) Modify, as appropriate, the actions taken pursuant to any requirement set forth in subsection (b) to reduce the risk of criminal conduct identified under subparagraph (A) of this note as most serious, and most likely, to occur.

So, the U.S. Federal Sentencing Guidelines support my approach, which is to identify risks to compliance and assess whether the system of internal control provides reasonable assurance that those risks are at acceptable levels.

Now, let’s turn to the Ministry of Justice’s Guidance to the U.K. Bribery Act of 2010 (PDF). The Introduction states:

As the principles make clear commercial organisations should adopt a risk-based approach to managing bribery risks. Procedures should be proportionate to the risks faced by an organisation. No policies or procedures are capable of detecting and preventing all bribery. A risk-based approach will, however, serve to focus the effort where it is needed and will have most impact. A risk-based approach recognizes that the bribery threat to organisations varies across jurisdictions, business sectors, business partners and transactions.

Details are found in Section 7, Failure of commercial organisations to prevent bribery:

A commercial organisation will be liable to prosecution if a person associated with it bribes another person intending to obtain or retain business or an advantage in the conduct of business for that organisation. As set out above, the commercial organisation will have a full defence if it can show that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing. In accordance with established case law, the standard of proof which the commercial organisation would need to discharge in order to prove the defence, in the event it was prosecuted, is the balance of probabilities.

Note that last phrase: “balance of probabilities.”

The UK guidance consists of six principles. The first, Principle 1, is “Proportionate Procedures” and states:

A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.

The Commentary section explains:

The procedures put in place to implement an organisation’s bribery prevention policies should be designed to mitigate identified risks as well as to prevent deliberate unethical conduct on the part of associated persons.

There are some who don’t like the risk-based approach to ensuring compliance. I do, because resources are limited and perfect assurance is not possible.



Turning to the updated COSO ICF, you will not find much detail on how to assess the adequacy of the system of internal control as it relates to compliance risks.

  • Paragraph ¶88 states that: “When internal control is determined to be effective, senior management and the board of directors have reasonable assurance, that the organization … [c]omplies with applicable laws and regulations.”

  • Paragraph ¶103 includes the sentence: “Regulators, standard-setting bodies, and other relevant third parties may establish criteria for evaluating the severity and corresponding classification and reporting of deficiencies relating to external reporting objectives, operations, and compliance objectives.” It continues with “The Framework does not prescribe such criteria, but recognizes and accommodates the authority and responsibility of those other parties that interact with the entity to issue such laws, rules, regulations, and standards for conducting assessments and classifications.”

As we have seen from a review of two key pieces of official guidance, the regulators generally do not spell out in complete detail all the internal controls needed to satisfy them. That’s not surprising, since every organization has different business practices, processes, and controls. Instead, a risk-based approach is recommended.

When I comment on the updated COSO ICF draft, I will recommend that this topic be revisited.

What do you think?

Do you agree with my approach? Can you point to where the regulators have defined what constitutes adequate internal control for compliance?

Posted on Oct 23, 2012 by Norman Marks


  1.  Norman,

    A great blog post as always!!!

    You are right here: "But, ICFR is not the only compliance requirement organizations need to worry about – ensure that their internal controls are sufficient to address."

    Financial reporting is one thing, it is probably easier to achieve than operational compliance in many respects.

    The problem for regulators and institutions attempting to reach regulation alike, is that what is compliant for one company may not be for another. This is especially the case when you swing in diversity between the two companies.

    It seems simple on the surface however different companies trying to reach the same regulatory standard are going to have different processes, products, limits and volumes.

    A solution to this issue is Principles Based Regulation and the FSA have written a paper on this regulatory approach that can be found here -

    Just food for thought.

  1. Norman:

    My browser isn't reading your post very well.  There are a lot of strange marks showing but I think I have the gist of your primary theme.

    I agree completely with your theme that compliance objectives should be no different than financial reporting, safety, product quality, customer service or other key areas necessary to long term success.  The key is to identify significant, plausible risks, identify risk treatments and assess acceptability of residual risk status.  In the case of compliance it frequently means assessing the organization's tolerance to illegality and the potential consequences.  Unfortunately legal systems, particularly in the U.S., can make doing this in a transparent way a huge risk, hence compliance is often an area where companies have big problems.

    We have developed a framework to score compliance risk management systems that is available at:


    OCEG offers a great assessment framework that is particularly well suited to evaluating compliance frameworks.

    COSO, as you point out, has never been particularly helpful evaluating compliance risk treatments systems.

  1. Hi, have a pleasant day to you. Most of all I want to say that your blog is very interesting and some of the topics are relevant to mine. Thanks for the information. I hope that you have more information so that I can learn a lot. Anyway, thanks again...
  1. The concepts are similar to any type of internal controls analysis.  Start with the objectives, identify risks to achieving the objectives, identify the controls to help achieve the objective, perform testing, document observations, and then recommend improvements. For compliance testing, it is very important to consult the legal department and perform analysis as to how they are identifying key laws and regulations that apply to the organization.  Non-compliance with certain laws and regulations carries greater risk than others.  This should be part of our risk assessment. Internal auditors can focus their efforts on these laws and regulations first.

  1. Norman:

    When evaluating compliance related business objectives it is particularly important that the full range of "risk treatments" be considered, not just those that have historically been called "controls".  Compliance risks can be "shared", "transferred" and "financed" to varying degrees.  

    This was a key focus of the presentation I made at the 2012 IIA GRC Conference.  A link to that presentation is below:

    Unfortunately the traditional IA development path has not included sufficient training on risk treatments.  The new CRMA certification is an excellent initiative from the IIA to address the skill/experience deficiency that a very large percentage of internal auditors, including CAEs currently have.  It's great to see the IIA is aggressively promoting the value of the new certification.


  1. Norman: Another great article highlighting the dangers of focusing only on SOX and Internal Controls as opposed to risk management.

    Since 1998, there has been an Australian Standard AS 3806 - Compliance Programs which provides principles for the development, implementation and maintenance of effective compliance programs. The standard was commissioned by the government competition regulator and developed with their support and that of the Tax Office, Securities Commission and the Australasian Compliance Institute (ACI), Law Society, and the Institute of Internal Auditors - Australia.

    There is no definition of  what constitutes adequate internal controls for compliance by (Australian) regulators due to the nature of principles based regulation however given their involvement in the development of the standard the position of the courts has been to take it into consideration.

    AS 3806 supports a risk based approach to managing compliance risks, therefore I recommend it to all. The ACI has also developed a Compliance Performance Review Protocol for reviewing and assessing the adequacy, effectiveness and efficiency of compliance programs which IIA members may find useful.

    The Australian Government and ACI are also currently supporting the development of an International Standard based on AS 3806.
