Managing Compliance Using the COSO Framework

As the Chief Compliance Officer (“CCO”), how do you oversee and manage regulatory compliance risks within a dealer organization? Where do you start?

Last year at the Private Capital Markets Association (“PCMA”) CCO Education Series: UDP and CCO Certificate Program, seasoned compliance personnel shared their deep experience in managing compliance functions. The panellists offered their views on compliance from an array of perspectives, including the CCO from a multinational real estate investment and development firm. The audience was interested in knowing how the compliance function is implemented and operated at a large firm of this calibre and possible best practices that have been put in place. The CCO offered helpful advice and shared her experiences, the compliance success at her firm came down to culture, striking the right balance, and being able to identify and close compliance gaps with a system of internal controls.

The COSO Framework The Internal Control – Integrated Framework (“Framework”) was first published by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) in 1992. Commonly known as the COSO Framework, it is adapted by many organizations to improve organizational performance and demonstrate compliance with regulations around disclosure controls and procedures (“DC&P”) and internal controls over financial reporting (“ICFR”). On May 14, 2013 COSO released an updated version of the Framework for adoption by publicly traded companies before the end of 2014.

The “COSO Cube” succinctly captures the timeless objectives and components of an effective internal control system in any organization. The Framework recognizes that organizations are multi-dimensional, and that an effective internal control system has five components: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities. These components are codified into seventeen principles, which work together and touch all levels of the organization to achieve three categories of overarching objectives: Operations, Reporting, and Compliance!

Applying the COSO Framework in Managing Regulatory Compliance

Traditionally the Framework has been adopted by large or publicly accountable organizations that are required to report or certify their internal controls. Primarily used in the context of financial reporting, how is this useful for smaller organizations and is it overkill for small to medium-sized investment firms who are predominantly interested in demonstrating regulatory compliance? Let’s put it to the test.

The following illustration is based on these assumptions:

• The Company is an Exempt Market Dealer (“EMD”) and Investment Fund Manager, which raises capital for multiple funds;
• The Company has : two Partners (UDP and CCO), one Operations Manager, and four Sales Representatives; and,
• The CCO is required to report to the Board annually and the Company is subject to books and records requirements under NI 31-103.

Based on the simple assumptions stated above, the company is only interested in adopting the COSO Framework to achieve its Compliance-related objectives. So let’s assume that we are now left with only the Compliance slice of the COSO Cube. How do we apply concepts from the COSO Framework to manage and operate an effective regulatory compliance program?

Control Environment

The Control Environment essentially establishes responsibility and oversight in an organization, setting the “tone at the top” and enforcing accountability.

COSO Principles

• Demonstrates commitment to integrity and ethical values
• Exercises oversight responsibility
• Establishes structure, authority and responsibility
• Demonstrates commitment to competence
• Enforces accountability

Application

The Partners know the importance of regulatory compliance and buy-into the need to comply with regulations. The Partners incorporate the importance of compliance in the company’s Code of Conduct. Engaging external compliance advisors as needed, design and implement a compliance program including annual training for the Operations Manager and Sales Representatives on regulatory compliance. The Sales Representatives are “Makers” and the Operations Manager is the “Checker.” The CCO monitors results by exception.

Risk Assessment

Risk Assessment essentially identifies significant risks and validates having controls in place. In the EMD compliance context, the overarching risk is being sanctioned by the regulator and ultimately losing the license to conduct business. The Risk Assessment component is an iterative process; the assessment should be refreshed periodically in order to ensure current risks are addressed adequately.

COSO Principles

• Specifies suitable objectives
• Identifies and analyzes risk
• Assesses fraud risk
• Identifies and analyzes significant change

Application

The objective is to achieve compliance in the eyes of those charged with governance, management, and the regulators. Working with compliance advisors as needed, identify and prioritize non-compliance risks. Stay up to date on significant regulatory changes by subscribing to relevant publications and staying connected with the PCMA.

Control Activities

Control activities are the specific procedures designed to mitigate significant risks.

COSO Principles

• Selects and develops control activities
• Selects and develops general controls over technology
• Deploys through policies and procedures

Application

Work with compliance advisors as needed and develop specific procedures to mitigate non-compliance risks based on priority. Use technology only if it is feasible and pragmatic. Establish internal compliance standards by formalizing a company policy and procedure manual, and developing standard forms and templates to mitigate the significant risks.

Information and Communication

Information created from establishing the compliance program should be retained and used effectively. Both information that helps set “ground rules” and expectations, and actual results that can be used to gauge against expectations should be communicated to stakeholders.

COSO Principles

• Uses relevant information
• Communicates internally
• Communicates externally

Application

Save information like policies, procedures, process flow charts, and tools developed from the compliance program in a central location accessible by all employees for knowledge management purposes. Expressly communicate to the Operations Manager and Sales Representatives regarding their responsibilities in the maintenance of the compliance program. A critical source of information is the Monitoring Activities component, which is further described below.

Monitoring Activities

Monitoring is an instrumental part in maintaining the quality of the compliance program. It is a vital component that provides the overseer with opportunities to assess the quality of regulatory compliance and to identify possible weaknesses or improvement opportunities.

COSO Principles

• Conducts ongoing and/or separate evaluations
• Evaluates and communicates deficiencies

Application

The Operations Manager monitors ongoing compliance by reviewing specific documents, incident logs for non-compliance trends, and provides feedback to Sales Representatives. Also engages an independent auditor to evaluate the compliance program periodically (i.e. the program’s effectiveness as a whole). The auditor designs test procedures that gauge how the compliance program is performing against expectations, and whether the controls are operating effectively at mitigating significant risks. The auditor formally communicates audit results to the CCO by reporting compliance deficiencies ranked by risk weight accompanied by remediation plans. The auditor validates any deficiencies noted with the relevant stakeholders prior to finalizing the report. Using detailed audit results, the CCO can provide feedback to the Operations Manager and Sales Representatives. Using risk-weighted deficiencies and remediation plans, the CCO can oversee and monitor improvements to the compliance program by incorporating the deficiencies into the next risk assessment iteration.

Through the audits, the company is demonstrating its proactive strive for continuous improvement in regulatory compliance. And in fact, the compliance program will improve if gaps identified by the audits are effectively remediated.

Summary

The COSO Framework offers useful guiding principles that can be applied in establishing and operating an effective regulatory compliance program; it strives for continuous improvement to close compliance gaps and integrates all levels of the organization, naturally creating a compliance culture that is understood and practiced by the organization as a whole. The COSO Framework has already proven to be effective in demonstrating regulatory compliance in the financial reporting context, and we have illustrated in this article that its timeless principles are also applicable and scalable to the regulatory compliance context for EMDs.

For more information contact:

Sarah Cheng
Manager
MNP LLP
416.515.5019
[email protected]

Stephen Warden
Partner
MNP LLP
416.515.3893
[email protected]