
Creating Ethics and Compliance Programs That Work with Sarbanes-Oxley

By Bert F. Lacativo
August 01, 2003

Part Two of a Two-Part Article

Last month, we discussed how brightly the spotlight is shining on ethics and compliance programs. We explained that Sarbanes-Oxley has a provision that provides Federal protection for employees of SEC registrants who report wrongdoing to the government and/or law enforcement. The Act has created a situation in which anyone who reports wrongdoing to the government and/or law enforcement is protected from employer retaliation under Federal Statute. And we urged that companies assess the effectiveness of their ethics and compliance efforts.

Having reviewed program design, board of directors and senior management, and employees in last month's article, we continue that theme, concentrating on vendors and customers, the assessment, and ongoing monitoring systems.

Vendors/Customers

Here are the key questions to assess:

  • Does the company perform due diligence procedures on new suppliers and large customers to gain an acceptable comfort level regarding the company's integrity?
  • Has the company developed guidelines for dealing with vendors and suppliers? Has the company set out specific guidance regarding the acceptance of gifts and gratuities from vendors and suppliers? Have the company's ethical expectations been communicated to those vendors and suppliers?
  • Does the program include a convenient mechanism for vendors and customers to report wrongdoing? Does it allow for anonymous reporting? Has the existence of the mechanism been widely publicized? Is use of that mechanism monitored to determine frequency of use and quality of complaints received? Have vendors and customers been polled to determine their awareness of the reporting mechanism?

Effecting the Assessment

Now that the questions have been asked, how is the assessment done? This author believes that an effective assessment should be conducted by an independent, objective and uninterested third party. The following is a list of general procedures likely to be performed when assessing a company's ethics and compliance program:

Identify and obtain a complete understanding of the business and compliance risks associated with the business, the ways noncompliance may occur and the conditions that give rise to them. Activities would include:

  • Assessment of the control environment to identify high-risk areas.
  • Identification of applicable statutes and regulations affecting the company and its industry.
  • Assessment of the current understanding and adherence to compliance related policies and procedures.

Assess the company's existing systems, practices and procedures to determine whether they have been designed to achieve and maintain reasonable assurance of compliance with applicable statutes and regulations affecting the company. This review should focus not only on the written policies and procedures, but also on the actual practices and processes in place. Activities would include:

  • Analysis of the company's organizational structure and mechanism for reporting violations of law and/or the company's policies and procedures.
  • Assessment of the company's communication of the ethics and compliance program within and outside the organization, as appropriate.
  • Assessment of the company's criteria and methods for providing ethics and compliance related training and the methods utilized to assess the effectiveness of the training.

Perform a detailed assessment of the company's financial, management and other practices related to each of the compliance risk areas under review. Activities would include:

  • Interviews with key employees regarding ethics and compliance related risks.
  • The design and performance of tests to determine adherence to the company's ethics and compliance program policies and procedures.
  • Documentation of internal controls and procedures that act as mitigators to the compliance risks identified.
  • Assessment of the strength and effectiveness of the compliance related practices.
  • Development of proposed recommendations for compliance program enhancement.

Implementation of proposed enhancements to the ethics and compliance program, resulting from the findings in number three, would be addressed jointly by the third party conducting the review, company management and legal counsel. Activities would include:

  • Identification of refinements to the compliance program based upon the findings above.
  • Development of a corrective action plan to implement the refinements.
  • Identification of necessary changes to procedure, policies, training and company systems to implement the corrective action plan items.
  • Implementation of the policy changes identified above.
  • Development and/or updating of training and communication materials to reflect the ethics and compliance program enhancements.
  • Conduct of training.

The final aspect of the ethics and compliance program assessment is development of an ongoing monitoring process. Activities would include:

  • The design of periodic tests to ensure adherence to the company's ethics and compliance policies, procedures and processes.
  • Testing and validation, along with an overall assessment of the operation, of the compliance program and the related policies, procedures and processes.
  • This ongoing assessment process could be accomplished by utilizing a company's internal audit group. Periodic review of the internal auditor's work by an independent, objective third party is an option for a company to consider.

Conclusion

As an additional consequence of recent accounting-related irregularities, it is more likely that a company's independent auditor will be required to examine, assess and perhaps opine on the quality of a company's fraud prevention efforts, including the company's ethics and compliance program.



