Who Will Watch the Watchers? The Case for Internal Audit

29 January 2018 by Daryl Tunningley

“Quis custodiet ipsos custodes?” wrote the Roman satirist Juvenal around the turn of the 2nd century, raising questions of the capability of those in authority to discharge their duties responsibly. It’s a question that for the almost two thousand years since, civilisations have grappled with, resulting in the notion of auditing – to ensure that others can see that responsibilities are being met, as they should be.

Auditing and compliance are terms that every business has had to embrace more fully over many years, with ever-stronger obligations in areas of employment law, health and safety and day-to-day environmental standards. Beyond those more mainstream areas, a company like CSG, operating within a tightly-regulated arena such as waste processing and hazardous chemicals, you can imagine the sheer volume of regulation (and the consequences of getting it wrong) can be mind-boggling.

Of course, as a large, reputable company with many years’ experience in the field, this isn’t quite as daunting as it sounds – very many systems, processes and job roles have evolved over time to enable the management of the multitude of technical and bureaucratic requirements required of us. For the last ten years, though, we’ve felt it necessary to create our own extra layer of applying checks and balances, in order better to understand the way we continue to work within a constantly-changing regulatory landscape and, of course, to minimise risk.

That layer is the IAG, our Internal Audit Group, a committee of several Senior Managers and Directors who meet every two months and report to the CSG Board on all areas where compliance with regulations is a necessary requirement. Central to that mission is CSG’s Permitting & Compliance Manager Antony Gerken.

“The IAG came about as a result of our drive to gain ISO accreditation”, Antony explains. “From that initial requirement, it was clear that best practice involved learning from mishaps made by other people – to prevent issues from happening, rather than cure those that have happened.”

It is a sign of CSG’s stability and competence that most of the matters the IAG oversees are generally delegated back to the team directly involved – it means the IAG’s principal role is an advisory one, where consultation from within CSG is sought and given.

“The very existence of the group is a means to encouraging the culture of every part of the company to continually accept and work better within our regulatory parameters”, adds Antony. “We’ve found that simply by raising the internal profile of the IAG within CSG, all the external audits we are regularly subjected to have become much smoother.”

The ‘box-ticking’ nature of ensuring compliance, especially with the more technical, seemingly less urgent areas of ‘red tape’, like Financial Compliance, gives the impression that this is very dry area of operation, suited to diligent bureaucrats with little need to apply ‘real-world’ understanding of the rules, like the Vogons of Douglas Adams’ “Hitch-hikers’ Guide to the Galaxy” – but that rather harsh stereotype falls down when you hear why it’s of interest to the IAG.

“Financial compliance sounds dull but it can often be the opposite: for example, one of our chief requirements is to be seen always to be working within the auspices of anti-bribery and anti-[money]-laundering laws”, Antony explains before adding, with a knowing nod, “which is especially important a consideration in certain other countries”, neatly making the point that, where compliance is required, the very nature of the exercise is to guard against problems and abuses that the rest of us, naively, would barely consider.

There are another advantages to all this watching. On a very basic level, having a broad range of experienced professionals to assess operational processes, bringing their collective experience to bear, means the remit goes beyond mere compliance. Inevitably, it leads to suggestions that make processes quicker or easier and therefore more efficient. Many times, real efficiency savings have occurred simply because a process has been more effectively scrutinised.

There’s also the secondary benefit of being better able to deal with upcoming rule changes from bodies such as the Environmental Agency, which is this: being seen to be better able to predict and respond to rules that affect the industry makes CSG stand out from its competitors. In other words, just being known to be more diligent is its own virtue, offering us a commercial advantage.

The nature of auditing is about understanding the fine detail, the micro-level of day-to-day matters but there’s one macro-level looming uncertainty that threatens to change so many areas of compliance that it’s already occupying much of the IAG’s thoughts – the expected impact of Britain’s impending exit from the European Union. It threatens to be a subject so wide-ranging, it will undoubtedly require its own blogpost, possibly several, and it’s still an area that offers so many unanswered questions.

Juvenal’s words are most commonly associated with the need to apply visibility to those in power. In order for the IAG’s questions about compliance in the world after Brexit to become answered, we’ll all have to watch a different set of watchers…

Cookie	Duration	Description
_GRECAPTCHA
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
rc::a	never	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::c	session	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__sharethis_cookie_test__	session	This cookie is set by ShareThis, to test whether the browser accepts cookies.
HSID	2 years	A third party cookie placed by Google to assist with fraud prevention.
NID	6 months	A third party cookie placed by Google to provide ad delivery or retargeting and store user preferences.
yt-player-headers-readable	never	The yt-player-headers-readable cookie is used by YouTube to store user preferences related to video playback and interface, enhancing the user's viewing experience.
yt-remote-cast-available	session	The yt-remote-cast-available cookie is used to store the user's preferences regarding whether casting is available on their YouTube video player.
yt-remote-cast-installed	session	The yt-remote-cast-installed cookie is used to store the user's video player preferences using embedded YouTube video.
yt-remote-fast-check-period	session	The yt-remote-fast-check-period cookie is used by YouTube to store the user's video player preferences for embedded YouTube videos.
yt-remote-session-app	session	The yt-remote-session-app cookie is used by YouTube to store user preferences and information about the interface of the embedded YouTube video player.
yt-remote-session-name	session	The yt-remote-session-name cookie is used by YouTube to store the user's video player preferences using embedded YouTube video.
ytidb::LAST_RESULT_ENTRY_KEY	never	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
_dc_gtm_UA-3670824-1	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_fbp	3 months	Used by Google to store and track visits across websites.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_EMELM24JCP	2 years	This cookie is installed by Google Analytics.
_gat	1 minute	This cookie is installed by Google Universal Analytics to restrain request rate and thus limit the collection of data on high traffic sites.
_gcl_au	3 months	Used by Google to store and track visits across websites.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_its.{18040}.channels	1 year	Stores configuration details of various marketing channels to analyze and optimize multi-channel marketing efforts. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
_its.{18040}.customVars	1 year	Stores persistent custom variables for purposes such as tracking and analytics. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
_its.{18040}.integrations	1 year	Stores information about third-party integrations used on the website. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
_its.{18040}.sites	1 year	Keeps track of site configuration cache for specific tracked sites. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
_its.{18040}.state	1 year	Records the current state of the user's interaction with the website to maintain a seamless user experience. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
_its.{18040}.vid	1 year	Stores a unique Visitor ID to recognize returning users and analyze their interactions over time. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ct_traffic_journey_cookie	1 month
ct_traffic_source_cookie	1 month	No description available.
HSID	2 years	A third party cookie placed by Google to assist with fraud prevention.
NID	6 months	A third party cookie placed by Google to provide ad delivery or retargeting and store user preferences.
SID	2 years	A third party cookie placed by Google to provide ad delivery or retargeting and provide fraud prevention.

Cookie	Duration	Description
_its.{18040}.channels	1 year	Stores configuration details of various marketing channels to analyze and optimize multi-channel marketing efforts. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
_its.{18040}.vid	1 year	Stores a unique Visitor ID to recognize returning users and analyze their interactions over time. This cookie will only be used if a local storage key cannot be utilized due to browser support or configuration settings.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
cke122594	5 years	No description
csg-cookie	1 month	No description
ct_user_journey_cookie	1 month	No description

Blog

Who Will Watch the Watchers? The Case for Internal Audit

29 January 2018 by Daryl Tunningley