If you think that compliance is expensive, try non-compliance
The financial, oversight, fines, social and other costs of
noncompliance can be characterized as catastrophic or panic-inducing. The
cascading effects of ongoing noncompliance can further accelerate the costs
and cause irreparable damage to reputation, trust and credit with the
stakeholders. This article recommends prevention, controls, early recognition,
monitoring and intervention as vital components of compliance.
Control is a business issue, not a specialist
issue to be outsourced to finance staff, C-level officers or risk managers.
Corporations have to treat Governance, Risk, Compliance and IT security
(GRC) mandates not as an economic dilemma, but as a trade-off between
cost and benefits.
In a particular incident the internal control problems were identified
within the following processes:
- Application of cash to accounts receivable, revenue recognition
- IT system security and payroll bank account reconciliation.
Had these issues been addressed in a timely way, the noncompliance costs,
which amounted to several million €, could have been avoided. The costs that
compliance incurs can easily be determined.
From trust to documentation to evidence
The added benefits of corporate governance are more ambiguous. Increased
attractiveness to potential customers and employees, a lower cost of capital,
and the detection and preferably prevention of breaches of internal controls are
benefits. The economic trade-off is not unequivocal.
Cultural differences may cause the legal requirements to vary from "trust me" to
"show me." However, in the United States of America trust was at its lowest,
so "prove me" became institutionalized in the various mandates and directives
passed since the Sarbanes-Oxley Act of the early 2000s.
European compliance more or less became known as soft law based upon the
"comply or explain" principle. While the origin and elaboration of
initiatives to improve corporate governance may differ internationally,
the objective was the same: to restore trust. The approach
in general was also the same: to increase transparency.
Cost of corporate governance
Implementation programs to comply with the GRC provisions fall into two
categories:
Changing the structure. Legal changes are required to change, for example,
takeover protection clauses in the articles of association.
Increasing transparency. Internal control systems are implemented
both to allow risk management programs in order to safeguard the achievement
of strategic, operational, financial reporting and compliance objectives
and to enable voluntary or required external reporting on the effectiveness
of internal control systems and other corporate governance issues. The
corporate governance report, with many components such as CSR or anti-corruption,
is now a mature part of any annual report.
Increasing moral conduct. Business ethics programs were developed
to increase, safeguard or revise the ethical behaviour of employees in order
to prevent unethical and/or illegal behaviour by people who sometimes
were even acting on behalf of the corporation.
Controls. Companies control their processes strategically,
by means of, for example, a higher degree of centralized transaction processing
and control, a higher percentage of automated versus manual controls and
a greater reliance on company-level controls.
Integrated and embedded. Companies have established standardized
and distributed compliance programs, which are embedded within the daily
and operational business. As a result, they use fewer full-time resources,
follow a broad view of risk, stimulate a substantive interaction with
business owners and deploy internal audit strategically.
While no single approach exists for implementation of GRC requirements
and provisions, some lessons can be learned. Paying undivided attention
to corporate governance, whether by means of compliance with external
requirements or as the result of intrinsic business improvement efforts,
increased the quality of GRC in organizations at all levels.