Charmone Adams, Advisory Principal with Grant Thornton LLP

Charmone Adams is an Advisory Principal with Grant Thornton LLP and is based in the New York Office. Since joining the firm, Charmone has been working closely with many SEC, FRB, and FINRA regulated entities. He has over 15 years of experience in financial services and his portfolio comprises U.S., U.K. and APAC based companies, such as investment managers, investment advisory firms, banks, and broker-dealers. In recent years, his focus has been on providing clients with guidance on key enterprise risk, regulations, internal controls, and internal audit. Additionally, Charmone has experience in corporate accounting and external reporting. Charmone holds a BSc. (Business Administration) from Central State University and an M.B.A. in Finance from Franklin University. In addition, he holds a Certified Public Accountant (CPA) license with the state of New York and is a Certified Fraud Examiner (CFE). Charmone serves on the Board of Directors for multiple organizations, such as The AICPA Foundation, Charter High School of Law, and Social Justice (CHSLSJ), and Blacks on Wall Street (BoWS).

In a recent interview with CXO Magazine, Charmone Adams discussed his experience with risk management and regulatory compliance. He shared his views on compliance and managing financial risks; technology, automation, and artificial intelligence; internal controls and risk management frameworks; and much more.

What are some key lessons you’ve learned in your career that have shaped your approach to risk management and regulatory compliance?

Positivity equals success. A cheerful outlook can drive success in any profession, including risk management and regulatory compliance. Approaching challenges and setbacks with a positive mindset gives you the power to stay focused on solutions rather than obstacles. As a consultant, displaying optimism by balancing recognizing inherent limitations and changes with pursuing meaningful progress is essential. Our profession comes with changes, such as changes in the industry, the market, and politics. Some aspects of your work may be beyond your control, so focus your energy on the areas you can influence.

As previously stated, it is essential to embrace change. The only way to stay ahead is by embracing change and remaining determined. In 2015, I moved my family from Washington, DC to New York, NY for a job opportunity, determination, and a dream. This decision has led me to acquire extensive knowledge in risk management and regulatory compliance. It is essential always to keep your mind open and embrace change. Successful executives cultivate a mindset that allows them to adapt to new situations and challenges and are not afraid to explore solutions or emerging trends.

I have learned the importance of a strong mentor and team collaboration throughout my career. Whether you are managing a team or participating in risk management and regulatory compliance projects, the collective effort of a diverse group of skill sets adds value. It brings a unique perspective that could enhance success. As we collaborate and share ideas, our teammates may uncover innovative solutions that could improve outcomes.

Never stop learning. Continuous learning is a foundational aspect of life and crucial to professional growth. Learning is a journey and provides a level of gratification when gaining knowledge and understanding. The education process built a high level of confidence that I can navigate complex situations in life. A mindset of life learning ensures one can constantly adapt to new developments, challenges, and obstacles. I have always viewed education as a way to stay current and relevant in my profession by pursuing or maintaining certifications, attending conferences, and engaging in industry discussions. It is a fact that investing in professional development benefits one’s career and contributes to personal growth. Growth comes when one pushes themselves to go beyond the norm.

How do you balance innovation in business process redesign while maintaining strong internal controls and compliance standards?

Advances in technology have introduced new capabilities for control test automation that create added value for internal and external auditors and management — wherever controls are embedded in an organization’s business processes or its reporting. When technology is used to evaluate the operating effectiveness of controls, the entire population of data can be assessed, rather than just a sample, and automated testing that once was manual can relieve personnel from labor-intensive, often repetitive work. Many of today’s advanced automation technologies were in their infancy in 2013 when the revised Internal Control—Integrated Framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) described how technology can support ongoing evaluations of controls.

The COSO framework described how continuous monitoring techniques can provide a high standard of objectivity and enable efficient review of large volumes of data at a low cost. The framework indicated that combined with robust review and analysis of results by knowledgeable personnel, automated monitoring can provide for efficient, effective ongoing testing. Today’s tech-savvy companies and internal and external auditors deliver on COSO’s vision. CTA activities are being designed and implemented in organizations’ continuous monitoring activities, providing management valuable feedback and customized alerts when deviations exceed acceptable thresholds.

CTAs also are being designed and implemented as supervisory control activities, such as authorizations and approvals or reconciliations. When implemented skillfully and reviewed and monitored by competent personnel, CTAs can provide benefits that include a more frequent or continuous testing of controls, timely information for decision-making, and identification of errors or issues that may be missed due to human error or the limitations of a sample-based approach.

Regardless of the industry, CTA can be a powerful tool for internal and external auditors who are evaluating the operating effectiveness of controls to support or gather evidence about the effectiveness of internal controls. Manual tests of these controls often are labor-intensive and rely upon sampling. At the same time, automated tools and techniques have the potential to reduce the need for repetitive human labor while extending testing to the entire population.

Within controls, the uses of CTA may vary widely based on industry. Take revenue recognition, for example. A company in an industry or sector with a subscription-based business model that recognizes revenue over time may have different CTA opportunities than a company with a point-in-time revenue model based on discrete individual sales. CTA can be implemented outside of internal controls to control operations, reporting, or compliance objectives.

What are the biggest challenges organizations face today in maintaining regulatory compliance and managing financial risks?

It is no wonder regulatory compliance is cited as one of the top concerns of company leaders. Regulatory requirements for financial institutions are increasing, adding time and complexity to compliance management. But, with the support of AI, institutions are finding opportunities to improve efficiencies and better prepare for compliance.

With all regulatory requirements, companies are evaluated on their internal controls to ensure they operate safely, soundly and comply with applicable regulations. Institutions should conduct internal regulatory testing and monitoring to prepare for external evaluation. To evaluate if their internal controls are functioning effectively, an institution first assesses the processes they have in place with a Risk and Control Matrix (RACM). A RACM evaluates and verifies that the controls sufficiently mitigate risks, prevent fraud and ensure compliance in areas like Anti-Money Laundering, Know-Your-Customer, data privacy and information security. This process also determines when a control is weak or if there are exceptions to it.

For most institutions, these controls are manual, dependent on human intervention and decision-making (which takes time). An added challenge is that companies often need to create unique control processes because every institution manages these processes differently. You might think incorporating AI into compliance management would only add more risk. But, when institutions collaborate with partners to strategically leverage AI into particular parts of the control design and assessment process, they can gain greater staff efficiencies and confidence in their compliance processes.

In addition, an escalation of geopolitical conflicts, most notably Russia’s attack on Ukraine, has led to numerous sanctions issued by the U.S., UK, and European Union that demand the scrutiny of boards in their oversight role. My experience has revealed that compliance functions at organizations worldwide are struggling to keep up with the depth and breadth of the sanctions. Meanwhile, individual boards are battling separate concerns. Some boards are not receiving enough information from management on sanctions compliance processes and topics. Other boards are getting so much information from management on these issues that keeping them all in context is difficult. Leading boards ensure they get the correct information and appropriate training on sanctions and compliance issues.

How has the role of internal audit evolved with advancements in technology, automation, and artificial intelligence?

Organizations are moving quickly to adopt artificial intelligence (AI) solutions but controlling the risks is essential. Internal audit teams might need to re-frame their roles in the organization to address new AI capabilities. The Artificial Intelligence Audit Framework from the Institute of Internal Auditors defines internal audit’s role in AI as helping an organization evaluate, understand, and communicate the extent to which artificial intelligence will have an effect, negative or positive, on the organization’s ability to create value. With the growing interest in generative AI, a straightforward way for internal auditors to locate uses is to consider which applications are getting a productivity boost from algorithm-enabled text, code, image, speech, and video capabilities. It is easy for internal audit to get stuck in the details of an AI solution. Still, auditors must first consider how the solution connects to the organization’s most significant goals.

To get the most value out of an AI internal audit, you need to adapt the audit to the current maturity of the organization’s AI adoption. To do that, perform an AI maturity assessment that includes these elements: gain an understanding of the entire AI landscape throughout the organization; perform a high-level AI risk assessment; evaluate the organization’s governance structures, policies and procedures; assess data security and privacy processes and requirements; and evaluate the alignment of the organization’s AI deployments with its ethical guidelines and values. Your assessment should also consider the foundational programs on which AI solutions depend. Examples include enterprise ERM, Ethics and Code of Conduct, data governance, SDLC methodology and processes, and third-party risk management. The AI risk assessment should consider open findings and known limitations of these programs. After an initial AI maturity assessment, internal audit can move to a “deeper dive” that considers more technical aspects of AI algorithms and development. This deeper dive can take advantage of the Artificial Intelligence Risk Framework recently issued by the National Institute of Standards and Technology (NIST), which is organized around three primary functions. It is essential for internal audit teams to fully understand how and where other teams are already using AI — and even how the internal audit team can use AI.

Generative AI (GenAI) is a powerful way to harness AI capabilities — and a powerful way to enhance your work every day. GenAI can incorporate natural language processing, analysis, ranking, machine learning, and other capabilities from artificial intelligence. Internal audit teams can use GenAI to help organize and analyze information, create scenarios, and make suggestions.

What best practices do you recommend for organizations looking to enhance their internal controls and risk management frameworks?

To add the most possible value, it is essential to consider some best practices. This starts with a spirit of collaboration and innovation for relationships, processes, and controls. Educating stakeholders, involving first, second and third lines of defense, and aligning your risk management and assurance functions are also especially important. To ensure stakeholders understand the requirements, leadership should actively promote the company’s commitment to internal controls and involve members of their risk management and assurance functions in the sales process. This allows one to talk with potential business partners and customers, discussing relevant internal controls and how you take a systematic approach proactively and productively to effectively and efficiently managing risk.

Adding value also means working smarter:

  • Know the risks you are trying to mitigate before discussing controls.
  • Find those “killer” controls that address multiple risks.
  • Develop enterprise control standards to establish expectations and drive consistency across decentralized operations.
  • Challenge the control mix – automated vs. manual, preventative vs. detective, and transactional vs. process vs. entity-level.
  • Reduce control duplication, being careful not to be “over-controlled.”
  • Maximize the use of technology in control operation and your risk management and assurance functions.

Without discipline and intentionality, controls will inevitably grow in number and complexity over time. Staying focused on continuous improvement and challenging the status quo will ensure you operate a lean and mean control environment. It is essential to strike the right balance of risk, cost, and value. There is also tremendous opportunity to improve efficiency and reduce control monitoring and testing costs dramatically. Control testing is a repeatable, recurring, and predictable process. As a result, it is ripe for automation using low code solutions, analytics, and robotic process automation (RPA) platforms. Once established, control test automation (CTA) dramatically reduces the time to evaluate controls, allows you to assess controls more frequently, reduces the cost of compliance and offers the added benefit of covering the entire transaction population.

With increasing regulatory scrutiny across industries, how can businesses stay ahead of compliance requirements while remaining agile?

The relentless and rapid advancement of technology, increasingly complex business operations, and sophistication and speed of business transactions continue to create more instances where internal controls matter. As more aspects of the business and customer engagement are digitized, controls become more important, especially as suppliers and business partners are integrated into the value chain. With the advent of pervasive digitization, technology and operations are moving beyond “your four walls” and now touch every financial, administrative, operational, and customer-facing process. For outsourced processes and systems, it is increasingly accurate that you can delegate the task, but not the responsibility of protecting your customer’s data and ensuring its integrity. Sure, you can transfer some risk with insurance and firm contracts, but that will not address the negative impact on your reputation and future growth.

Many companies are embarking on transformational efforts – establishing shared service centers, redesigning business processes and operations, implementing new business applications (often in the cloud) and more. These companies are establishing intentional internal controls workstreams with resolute and knowledgeable resources. This approach ensures controls are adequately considered and incorporated in future state design. Effective and deliberate planning will result in a more successful outcome. In this context, controls integrated into the fabric of systems and process design will undoubtedly result in controls that are more efficient and cost effective to operate, test, and demonstrate operating effectiveness in the future.

Historically, controls have been used to look in the rear-view mirror and detect issues, with some being preventative and none being predictive. The modern company leverages controls not only proactively to manage risk, but also to improve agility and speed and identify revenue enhancement and cost management opportunities.

What role does data analytics play in modern internal audit functions, and how can organizations leverage it effectively?

All activities performed by internal audit functions can benefit from data analytics. The insights derived from data analytics have been found to deliver value in internal controls evaluation, fraud detection, compliance monitoring and other key activities. Data analytics can be applied to a broad range of cases, providing a corresponding rise in the value derived from the technology. However, using data analytics effectively requires the right tools, people with the right skills, and an approach designed to maximize the technology’s advantages. To help internal audit functions successfully implement data analytics and get the most out of their capabilities, companies should develop best practices and use technology to provide maximum value to their organization.

What emerging trends do you see shaping the future of business process optimization, financial risk management, and regulatory compliance?

Financial trends are emerging in light of the change and uncertain economic conditions that have buffeted the industry in recent years. Nonetheless, investors’ views of the industry are improving. Some common trends include challenging economic circumstances that demand fiscal discipline and pursuit of mergers or divestitures that drive efficiency and create new opportunities, increasing cybersecurity threats in a world that has become increasingly digital, an evolving regulatory landscape, and a difficulty attracting and retaining talented workers.

Capital management is paramount. Despite supply chain disruptions, unprecedented inflation, global economic uncertainty and tightening resources, the investment community’s views toward investing have become more favorable, partly due to entities distributing earnings to investors for the last several years while maintaining cash flows from operations. Organizational readiness is key to business resilience. More specifically, organizations that treat cybersecurity as a category of enterprise risk (as opposed to strictly an IT phenomenon) are eminently better prepared to recover from cyber-attacks. This is because enterprise risk preparedness introduces key concepts of multi-disciplinary teams and the regular practice of critical incident response protocols — both required to bounce back from a cyber incident.

The second component of business resilience focuses on identifying the required niche expertise not present within your employee base. Once these specialists are identified (e.g., outside counsel, forensic experts), getting them plugged into initiative-taking planning and practice exercises increases your resilience quotient dramatically. The third component of an effective business resilience strategy consists of cyberinsurance coverage. Engaging with a qualified cyberinsurance broker is a key takeaway, both for fit and function — at the time of policy selection/renewal and for assistance during an actual incident. Despite recent dramatic increases in insurance premiums, cyberinsurance remains critical to effective business resilience.

New regulations are coming, as the traditional guidance for companies is experiencing the effect of several factors impacting their business, which may not have been significant in the past 20 years. These impacts include the changing atmosphere around new financial reporting regulations, tax legislation, and a shifting focus on growth, while minimizing expenses. All of these areas will have a considerable influence on where the finance industry goes over the next several years.
