Bachelor Thesis, 2017
50 Pages, Grade: 1,2
2. Theoretical framework
2.1. About compliance
The importance of compliance
The causes of compliance violations
Why introduce a Compliance Management System?
2.2. About ISO 19600
Structure and function of ISO 19600
How other compliance standards and guidelines compare to ISO 19600
Why utilize ISO 19600?
3. Analysis of ISO 19600
3.1. Applicability and summary of ISO 19600
Context of the organization
3.2. Analyzing the approach of ISO 19600 on selected topics
Compliance culture and leadership commitment
3.3. The weaknesses of ISO 19600
4. Summary and advice for corporations utilizing ISO 19600
5. Conclusion and prospects
ISO 19600 is an international standard issued by the International Organization for Standardization (ISO)[1] that aims at supporting organizations worldwide in introducing good compliance measures and maintaining integrity. The standard was published in December 2014[2] and has received both praise[3] and criticism,[4] but no in-depth analysis of its effectiveness. This paper sets out to analyze the approach offered by ISO 19600 towards compliance in more depth. It is meant to assist corporations in deciding whether or not to use ISO 19600 as their sole or main resource in implementing good compliance measures within their organization. The research question of this thesis can thus be stated as follows:
How effective are the measures suggested by ISO 19600 in ensuring good compliance in a corporation?
The term "effectiveness" is defined by the Oxford dictionary[5] as "[t]he degree to which something is successful in producing a desired result". Therefore, this thesis analyzes the degree to which ISO 19600 is successful in producing the desired result of preventing compliance violations in corporations. The research is based on findings of studies on compliance as well as the suggestions in popular literature on the topic and opinions voiced by various economists and organizations upon the release of ISO 19600 itself. By comparing those with the suggestions made in ISO 19600 it is possible to assess the standard's potential effectiveness when it is utilized by a corporation. Note that ISO 19600 is aimed at all kinds of organizations, including non-profit organizations and governmental institutions.[6] The focus of this thesis lies on private, profit-driven enterprises, but most of the thesis' findings apply to other types of organizations as well.
The key literature utilized to analyze ISO 19600 further includes Fissenewert's "Praxishandbuch Internationale Compliance-Management-Systeme; Grundsätze - Checklisten - Zertifizierung gemäß ISO 19600"[7] and Wulf's "Ethics and Compliance Programs in Multinational Organizations"[8] along with studies conducted by KPMG[9] and other accounting firms.[10]
This thesis is structured as follows: in the first part, the theoretical framework, compliance in general and ISO 19600 are discussed to assess the need for compliance measures and guidelines as well as the specific structure and function of ISO 19600. The second and main part of this thesis analyzes the standard more thoroughly. It first shows the standard's applicability and summarizes its content by giving a specific example of how ISO 19600 could be applied to an arbitrary corporation. Next, it analyzes selected suggestions made by the standard to assess the scope of the standard's effectiveness. Those suggestions cover risk management, compliance culture and leadership commitment, compliance training and noncompliance. Finally, the chapter discusses the standard's specific weaknesses in more detail. The paper closes with a list of specific advice for corporations that want to utilize the standard along with a more general conclusion.
This chapter covers the information needed to comprehend the analysis in the main part of this thesis. It discusses compliance by defining the word along with related terms, underlining the importance of compliance for a corporation and investigating the causes of noncompliance along with the reasons for implementing a Compliance Management System. This chapter also introduces ISO 19600 and outlines its structure and function, compares it to other compliance standards and guidelines, and gives reasons for utilizing ISO 19600 as opposed to those other standards and guidelines.
The word "compliance" derives from the English verb "to comply with" and means "obeying to rules and standards".[11] Companies have clearly always had to follow the law; what is new, however, is how companies do it. Ensuring perpetual compliance has become more and more complex as companies have grown from small local businesses to large, globally interconnected corporations. This is why flexible guidelines are necessary today to aid companies in their quest towards reliable compliance management.[12]
According to ISO 19600, compliance is about meeting all of the organization's compliance obligations.[13] These include requirements that the organization has to obey along with those the organization chooses to follow.[14] Furthermore, it defines the term "requirement" as "need or expectation that is stated, generally implied or obligatory".[15]
The German standard IDW PS 980 takes a similar approach and also defines compliance as following both legal requirements and internal company principles.[16] Wulf[17] adds another dimension to the definition when she states: "the term compliance means knowing and following all relevant laws, rules, policies, regulations, and standards and ensuring organizations adhere to all applicable legal requirements". She says that it "is an organization's obligation to be aware of and understand federal, state, and local laws as well as internal company-specific rules".[18] It is rather obvious that one has to be aware of the rules in order to obey them, but the fact that it is the corporation's own obligation to educate itself about the rules is something the previous two definitions lack. Quentmeier's[19] definition of the term is even more complex, but also adds further information. She points out that both the management's and the employees' actions matter. Also, deducing from her focus on morale and ethics, one could say that the "internal company principles" mentioned in ISO 19600 and IDW PS 980 are based on the moral and ethical standards of society.
For the purpose of this paper, compliance is therefore defined as follows:
Compliance is the obligation of a corporation, its management and employees, to be aware of and meet all legal requirements as well as certain clearly stated, company-wide moral and ethical standards.
Compliance management is defined by this paper as taking action to ensure good compliance in a corporation, while a Compliance Management System (CMS) is the sum of all the planned, stated and revised measures taken by a company to ensure compliance. These simpler definitions are in line with those in the literature.[20]
It should be obvious that compliance is essential for any corporation. "Good conduct is after all at the foundation of a company's 'license to operate'".[21] Recent events such as the Volkswagen emissions scandal[22] or the corruption scandal around Siemens[23] offer practical evidence of how even the largest corporations can be thrown off balance by incidents of noncompliance. Vetter[24] shares a list of possible consequences of compliance violations which could be fatal for any company's survival. The list includes:
- compromising the company’s reputation through negative attention in the media
- a drop in the value of the company’s shares, and therefore loss of shareholder value
- closure of the company
- significant fines
- blacklisting for future orders
- imprisonment of or fines for managers
- claims for damages from customers
It is thus safe to say that ensuring compliance should be a priority for any corporation in order to mitigate and avoid the consequences of compliance violations.
Compliance violations are often referred to as "white collar crimes",[25] since committing and concealing large-scale acts of noncompliance requires a certain degree of influence and expertise. According to a KPMG study,[26] "people […] entrusted with a company's sensitive information and able to override controls are statistically more likely to become perpetrators". Mackevičius and Giriūnas say that "nowadays more and more frauds are committed by intelligent, creative, having high positions, and highly experienced employees who have better access to performing a kind of large-scale fraud".[27]
Here is the typical profile of a person committing fraud according to the aforementioned KPMG study,[28] along with the percentage of crimes committed by this group of individuals:
- white and male (87%)
- 36 to 45 years old (41%)
- works in the finance function or in a finance-related role (32%)
- holds a senior management position (53%)
- employed by the company for more than 10 years (33%)
- works in collusion with another perpetrator (58%)
The Association of Certified Fraud Examiners (ACFE) also notes that most perpetrators have no prior fraud charges.[29] KPMG[30] says that "many fraudsters work within entities for several years without committing any fraud, before an influencing factor - financial worries, job dissatisfaction, aggressive targets, or simply an opportunity to commit fraud - tips the balance". According to the ACFE, it is "important to remember that this human element of fraud - demonstrated in red flags such as living beyond one's means or exhibiting control issues - is not identified through an audit or other traditional controls".[31]
The literature cites various reasons why frauds are committed. Next to personal financial pressure due to an economic downturn, for example,[32] the KPMG study also cautions companies against applying too much pressure by setting outrageous targets, or else misreporting could become the solution of choice for overburdened employees.[33] Furthermore, the study mentions the danger of not fostering a no-tolerance culture against compliance violations as well as employees exploiting weak internal controls.[34] Only in 25% of cases was fraud uncovered by internal whistleblowing, and 13% of frauds were discovered by accident.[35] According to the survey, "[i]ndividuals often argue that it is not their place to provide tip-offs; others fear repercussions, such as the loss of their job, especially where the fraud involves line or senior managers or board members",[36] and a challenging economic climate might be to blame for companies' poor defenses.[37]
Heißner[38] names societal causes of compliance violations. He says that due to individualization more focus is put on the individual and their success, which is propelled by the media and social networks. People might feel pressured into criminal acts in order to "keep up with the Joneses". He also blames the increasing complexity of our modern world, which creates a lack of transparency and enables criminally inclined individuals to use the obscurity of long business proposals and contracts, for example, to their own advantage.
Appelbaum et al.[39] raise an interesting point when they say that there is both positive and negative deviant behavior - the first leads to progress and innovation whereas the second does harm to the company. The main reasons for deviant behavior they cite are a toxic work environment, the influence of deviant role models, an operational environment that facilitates disobedient behavior, situation-based reasons and/or a personal predisposition towards deviant behavior in the individual.[40]
One of the oldest models that aim at explaining compliance violations is the so-called Fraud Triangle, first introduced by Cressey in 1973.[41] In the 1995 version of the Fraud Triangle the three components leading to noncompliance are motivation, opportunity and rationalization.[42]
Mackevičius and Giriūnas criticize that the Fraud Triangle "does not reenact the conditions under which it is the easiest to commit fraud and persons' abilities to commit a fraud, it does not reveal when there is the greatest risk of fraud, it does not take into account the role of the internal control system in assessing and detecting fraud".[43] Thus, they added even more depth to the original model by introducing the Fraud Scales, which can be illustrated as shown below:
Illustration 1: Fraud Scales (Source: Mackevičius, J. and Giriūnas, L. (2013) p. 154)
illustration not visible in this excerpt
The four elements of the scale are quite similar to the ones in the original model. The first element is motivation, or why a person commits fraud.[44] The motivation is usually found in greed or personal life circumstances.[45] The second element is conditions. There are certain conditions in the economy at large, like globalization, that further increase the risk of compliance violations.[46] The third element is possibilities. As mentioned before, employees must have some power within the organization and access to a lot of internal information as well as an opportunity in the form of a gap in internal controls to commit a crime.[47] The fourth element is realization. The authors of the Fraud Scales claim that it is "the employee's personal characteristics such as honesty and integrity that allow to objectively assess whether he is willing to make any errors or to commit a fraud".[48] This goes against the Fraud Triangle, in which the rationalization element stands for how employees justify their deviant behavior.[49]
The arrows in the illustration above indicate that "each of the elements has the same impact on the result of the scales, but one of the elements - realization - has the opposite effect of evaluation, because if the employee has a low integrity and lacks honesty, the risk of fraud committing will be higher".[50]
According to the authors, the key element and the determining factor for the risk of compliance violations is the weight of internal controls, indicated by the scales in the middle. They say that "the stronger is the internal control in a company, the lower is the risk of fraud manifestation, in spite of an integrated assessment of the four elements".[51] This should be a positive message, since the amount of internal controls applied can be directly influenced by the company, whereas the four elements are mainly out of the company's direct control.
Compliance violations can be fatal to the survival and success of any company, as discussed above. And while they can be fatal, they can never be fully avoided, since compliance depends on the actions of each individual within a corporation. So, is it even sensible to invest time and financial resources into building a CMS if there is still a chance it can fail?
Yes, it probably is. More and more senior managers are beginning to realize that they need to take proactive and preventive measures to ensure good compliance. They cannot trust their organization to behave in a legally correct manner; rather, they need to take compliance into their own hands and use it to gain a competitive edge.[52] Vetter[53] describes this eloquently when he says: "It would be an illusion for management to believe that compliance always takes care of itself within the company. Rather, exemplary compliance requires a proactive approach by management, both from an organizational-theory perspective and from a legal perspective, and must encompass the entire company".
If a company chooses to get certified according to a compliance standard, it makes its Compliance Management System even more reliable by receiving feedback from an independent third party and increasing the pressure to comply with all requirements of a sound CMS.[54]
Another advantage is that by "following guidelines that clarify what constitutes maturity, organizations can limit the disruption to business activities that normally accompany higher intensities of inspection visits. To support such approaches a generally accepted reference for 'good compliance management' is an important tool".[55]
The advantages of introducing a good Compliance Management System are not limited to preventing compliance violations. It can also help if a company has to face a legal trial due to compliance violations after all.[56] As the ISO has put it: "In a number of jurisdictions, the courts have considered an organization's commitment to compliance through its Compliance Management System when determining the appropriate penalty to be imposed for contraventions of relevant laws".[57] An example would be the UK Bribery Act of 2010, which accepts proof that adequate measures have been taken to limit liability.[58] Having a well laid out Compliance Management System can be proof that a company has done its due diligence[59] and can help dampen penalties as well as the harm done to the corporation's reputation.[60]
ISO 19600 was first published on December 5, 2014[61] and headlined with "Compliance Management Systems - Guidelines". As the title suggests, this standard is supposed to give guidance and not state specific requirements, so that it is adaptable to any organization's needs.[62] Since it exclusively contains recommendations ("should"), it is aimed at the individuals responsible for introducing a proper Compliance Management System or improving an existing one, and not at auditors. The goal is not to get certified, but simply to assist in building a good Compliance Management System.[63] Its approach is not new, but rather a systematic collection of international know-how[64] condensed into less than 30 pages.
ISO 19600 has a specific structure dictated by ISO called the "high-level structure".[65] It is supposed to make ISO standards more coherent and enable companies to introduce multiple standards simultaneously.[66] This structure can be visualized as shown in illustration 2. The details of ISO 19600 are discussed extensively in chapter 3.1.
illustration not visible in this excerpt
Illustration 2: ISO’s High-Level Structure (Source: own illustration)
Furthermore, ISO 19600 is based on the "Plan-Do-Check-Act" model, or the principle of continual improvement.[67] ISO 19600 offers its own flowchart on how to introduce and maintain a good Compliance Management System based on this principle. Illustration 3 is a simplified version of this flowchart.
illustration not visible in this excerpt
Illustration 3: Introducing and maintaining a Compliance Management System (Source: own illustration based on ISO 19600 (2014) p. vi and Fissenewert, P. (2015) p. 22)
As can be seen in the illustration, a company first needs to establish its own compliance management principles (left side of the chart) and then implement them in its daily operations (right side). Compliance management principles can be derived from three different sources: from principles of good governance, from stakeholder interests, and by analyzing internal and external risks. Once those basic principles have been established in theory, they can be implemented in a continuous cycle of "plan", "do", "check" and "act". First, the corporation needs to identify concrete compliance obligations and risks and then make plans to address them. Next, those measures need to be implemented. Their success has to be measured, compliance violations have to be managed and, based on that, the cycle has to start again if further obligations or risks are uncovered or when the Compliance Management System is falling short. Good leadership commitment and clearly defined responsibilities are essential in order for the system to function.
[1] cf. ISO 19600 (2014) p. iv
[2] cf. ISO 19600 (2014) p. i
[3] cf. ESV (2015) n. pag.
[4] cf. CCZ (2015) n. pag.
[5] Oxford Dictionary (2016) n. pag.
[6] cf. ISO 19600 (2014) p. 1
[7] cf. Fissenewert, P. (2015)
[8] cf. Wulf, K. (2012)
[9] cf. KPMG (2011) and (2016)
[10] cf. EY (2016) and Deloitte (2015)
[11] cf. Fissenewert, P. (2015) p. 25
[12] cf. Makowicz and Wüstemann (2015) p. 1198
[13] cf. ISO 19600 (2014) p. 3
[14] cf. ISO 19600 (2014) p. 3
[15] ISO 19600 (2014) p. 3
[16] cf. IDW-1 (2016) p. 2
[17] Wulf, K. (2012) p. 9
[18] Wulf, K. (2012) p. 9
[19] cf. Quentmeier, H. (2012) p. 13
[20] e.g. cf. Eggert, M. (2014) p. 7 and Hein, R. (2016) p. 14
[21] Bleker, S. and Hortensius, D. (2014) p. 9
[22] cf. ESV (2015) n. pag.
[23] cf. Fissenewert, P. (2015) p. 46
[24] cf. Vetter, E. (2013) p. 9 f.
[25] cf. KPMG (2011) p. 2
[26] KPMG (2011) p. 4
[27] Mackevičius, J. and Giriūnas, L. (2013) p. 160
[28] cf. KPMG (2011) p. 1 ff.
[29] cf. ACFE (2016) n. pag.
[30] KPMG (2011) p. 3
[31] ACFE (2016) n. pag.
[32] cf. KPMG (2011) p. 9
[33] cf. KPMG (2011) p. 9
[34] cf. KPMG (2011) p. 10
[35] cf. KPMG (2011) p. 10
[36] KPMG (2011) p. 11
[37] cf. KPMG (2011) p. 11
[38] cf. Heißner, S. (2014) p. 29 f.
[39] cf. Appelbaum, S. et al. (2007) front page
[40] cf. Appelbaum, S. et al. (2007) p. 591 f.
[41] cf. Mackevičius, J. and Giriūnas, L. (2013) p. 152
[42] cf. Mackevičius, J. and Giriūnas, L. (2013) p. 152
[43] Mackevičius, J. and Giriūnas, L. (2013) p. 153
[44] cf. Mackevičius, J. and Giriūnas, L. (2013) p. 154
[45] cf. Mackevičius, J. and Giriūnas, L. (2013) p. 154
[46] cf. Mackevičius, J. and Giriūnas, L. (2013) p. 156
[47] cf. Mackevičius, J. and Giriūnas, L. (2013) p. 159
[48] Mackevičius, J. and Giriūnas, L. (2013) p. 160
[49] cf. Mackevičius, J. and Giriūnas, L. (2013) p. 160
[50] Mackevičius, J. and Giriūnas, L. (2013) p. 160 f.
[51] Mackevičius, J. and Giriūnas, L. (2013) p. 160 f.
[52] cf. Vetter, E. (2013) p. 2
[53] Vetter, E. (2013) p. 1 f.
[54] cf. Jonas, P. (2016) p. 64
[55] Bleker, S. and Hortensius, D. (2014) p. 10
[56] cf. Makowicz and Wüstemann (2015) p. 1199
[57] ISO 19600 (2014) introduction
[58] cf. Makowicz and Wüstemann (2015) p. 1199
[59] cf. Makowicz and Wüstemann (2015) p. 1198
[60] cf. Jonas, P. (2016) p. 64
[61] cf. Makowicz and Wüstemann (2015) p. 1195
[62] cf. ISO 19600 (2014) p. v
[63] cf. Withus, K. and Kunz, J. (2015) p. 687
[64] cf. Makowicz and Wüstemann (2015) p. 1195
[65] cf. ISO 19600 (2014) p. vi
[66] cf. Fissenewert, P. (2015) p. 20
[67] cf. ISO 19600 (2014) p. v