© Matti Mattila, CPFA, CISA, CIA

Nature Of Compliance Objective

There is a difference in nature between a compliance objective and basic objectives.
The basic objectives of a process tell what to do, while rules tell how to do what is due to be done.
Basic objectives give purpose and justification for a process,
while rules do not; no process is run just because of compliance.
Compliance with any rule has two outcomes: the rule has either been complied with or not.
In the attainment of [basic] objectives there are usually several valid outcomes.
E.g. achievement of a turnover of less than one million (objective) is not the same as no turnover.

Protection Of Stakeholders’ Interests

All kinds of stakeholders of organizations have been granted rights by rules,
violations of which are to be punished and/or compensated.
In addition, indirect negative consequences can arise - such as loss of sales
because of bad reputation, or exposure to heavier [external] control than earlier.
A well-known example of the latter is the financial scandals concerning Enron, WorldCom, Qwest
and some other enterprises in the early 2000s, followed
by the Sarbanes-Oxley Act of 2002 (SOX) [6].
The scandals happened some ten years after the boom of corporate governance codes [7].
If these codes - and the rules then in force - had been complied with conscientiously and correctly,
no big financial scandals would have emerged.
The primary problem was in compliance, not in the rules themselves.
Legislators and stock exchanges have issued rules in favour of the stakeholders of business organizations.
These rules help owners in exercising their rights where ownership and power are separated.
Stakeholders have a right to receive timely financial statements [8]
made in accordance with laws and regulations.
Companies whose securities are traded on a stock exchange should report
even more information in compliance with governance guidelines, codes or rules [9]
set by the stock exchange.
It is not enough that the financial statements and other published information are accurate and flawless;
they must also give a true and fair view of the reported matters to key stakeholders:
especially to owners, but also to business partners, employees, and other such actors.
However, making financial statements should not cause an unreasonable administrative burden and costs [10].
Every society has a system and dedicated resources for putting rules into force,
controlling compliance with rules, and resolving legal disputes.
Independent auditors and supreme audit institutions [11]
have an important role in determining whether the financial reporting of entities is
in accordance with relevant laws and regulations and generally recognized accounting practices.
There are several authorities that follow and check compliance with other rules,
e.g. the office of free competition, the office of the data protection ombudsman, tax authorities, police, and customs.
Citizens in democratic countries are able to control the official acts of authorities.
E.g. in Finland citizens have a legal right to access any document of a public sector organization
unless indispensable grounds exist for limiting its [the document’s] public availability [12],
and to make claims and complaints.

Compliance Control

Nobody can protect their interests without relevant, reliable, sufficient, and timely information
regarding the matter of interest.
Shareholders and debtors need financial information about the organization they have money in,
contract parties need information about compliance with the contracts,
citizens need information about public funds, and so on.
The information rights of shareholders are often given priority in internal control literature.
E.g. the COSO framework [13]
has a separate internal control objective for the financial reporting process.
Organizations need appropriate accounting systems that are able to provide
accountable persons and other authorised persons with information about compliance with rules.
Information should be organized in accordance with good data management practices
so that it can readily be made use of.
There are systems in place that record information about events on a continuous basis
- e.g. bookkeeping, time recording, access control systems,
and fraud reporting systems.
Some systems record nothing but give an alert, e.g. burglar alarms.
Recorded information should be analysed in a timely manner,
and the results of analyses should be delivered without delay to a service
whose job is to take action when needed.
Common analyses of this kind of information include searching for anomalies,
trends, and other patterns and statistics that indicate suspicious events, e.g.
repeated failed attempts to log in to network and information systems [14].
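The last sentence describes the chain that a compliance control needs: a system that records events, an analysis that looks for suspicious patterns in those records, and an alert delivered to whoever must act. The following Python example, added here and not part of the original document or the author's own work, runs such an analysis over a few constructed access-log lines. It flags any user/source pair whose failed login attempts reach a threshold inside a sliding time window, resets the count after a successful login, and produces one alert record per pair for handover to the responding service. The log format, field names, threshold and window are assumptions chosen for the example; real systems log in many formats, and the parser would be adapted accordingly.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system):
# ISO timestamp, then key=value fields for user, source address and outcome.
SAMPLE_LOG = """\
2024-03-01T08:00:01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T08:00:09 user=alice src=10.0.0.5 result=FAIL
2024-03-01T08:00:15 user=alice src=10.0.0.5 result=FAIL
2024-03-01T08:00:22 user=alice src=10.0.0.5 result=FAIL
2024-03-01T08:00:30 user=alice src=10.0.0.5 result=FAIL
2024-03-01T08:01:00 user=bob src=10.0.0.7 result=FAIL
2024-03-01T08:20:00 user=bob src=10.0.0.7 result=OK
2024-03-01T09:00:00 user=carol src=10.0.0.9 result=FAIL
2024-03-01T09:30:00 user=carol src=10.0.0.9 result=FAIL
2024-03-01T10:00:00 user=carol src=10.0.0.9 result=FAIL
2024-03-01T10:30:00 user=carol src=10.0.0.9 result=FAIL
2024-03-01T11:00:00 user=carol src=10.0.0.9 result=FAIL
"""


def parse_line(line):
    """Turn one assumed-format log line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def detect_repeated_failures(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per (user, src) pair whose failed logins reach
    `threshold` within any `window`-long period. Lines are assumed to be
    in chronological order, as a continuously recording system would emit them."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()               # pairs already reported, to avoid duplicate alerts
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["user"], rec["src"])
        if rec["result"] == "OK":
            # A successful login ends the failure run for this pair.
            recent[key].clear()
            continue
        q = recent[key]
        q.append(rec["ts"])
        # Drop failures that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": rec["user"],
                "src": rec["src"],
                "count": len(q),
                "first": q[0],
                "last": rec["ts"],
            })
    return alerts


def format_alert(alert):
    """Render an alert as the one-line message handed to the responding service."""
    return (f"ALERT repeated login failures: user={alert['user']} src={alert['src']} "
            f"count={alert['count']} between {alert['first'].isoformat()} "
            f"and {alert['last'].isoformat()}")


if __name__ == "__main__":
    for a in detect_repeated_failures(SAMPLE_LOG):
        print(format_alert(a))
```

With the default settings only alice's five failures within half a minute trigger an alert; bob's single failure is cleared by the following success, and carol's failures are each half an hour apart and never accumulate inside a five-minute window. Widening the window to an hour and lowering the threshold to three also catches carol's slow pattern, which illustrates why the threshold and window are tuning decisions for the organization rather than fixed constants.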
The cornerstone of ensuring compliance with rules is, however,
the commitment of each member of an organization to the demands of a properly built [control] environment.
In the ECAR model the [control] environment is included in “Direction”, the counterpart of “Control”
(see Figure 3).
The board - or other such body or person - and management
have a key role in creating a positive control environment
and in ensuring that the demands of the control environment are taken seriously.
However, the control environment is a result and a mix of the behaviours of all employees of an organization.
The subject will be discussed more thoroughly later in this document.
[6] Congress of the United States: An Act To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.
[7] The boom started in 1992, when The Committee on The Financial Aspects of Corporate Governance (Cadbury Committee) issued "Report on The Financial Aspects of Corporate Governance".
[8] Financial statements [usually] include the balance sheet, income statement, and cash flow statement, and their explanations (notes).
[9] E.g. the corporate governance rules of the New York Stock Exchange. Companies are expected to comply with those guidelines or codes, or explain the reasons for not complying with them.
[10] OECD: OECD Principles of Corporate Governance, page 49.
[11] Supreme Audit Institutions (SAI) are independent government auditing agencies - e.g. (US), and National Audit Office (UK). Most SAIs belong to the International Organization of Supreme Audit Institutions.
[12] Laki viranomaisten toiminnan julkisuudesta 621/1999.
[13] The Committee of Sponsoring Organizations of the Treadway Commission (COSO): Internal Control - Integrated Framework, Executive summary framework, page 3.
[14] Matti Mattila: Tehtävänä [johtaminen, vastuulla] valvonta, pages 41-42.