FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Now displaying: August, 2017
Aug 10, 2017

What is organizational culture? Eric Feldman, SVP at Affiliated Monitors, has said it comprises the mission, vision and values of an organization. A similar way to consider it might be as a company’s values, visions, norms and beliefs. Whichever way you define it or look at it, corporate culture affects how groups within a company interact with each other. A key inquiry is whether the corporate incentive structure supports the articulated beliefs of a company. How does one measure or audit these articulations?

Jose Tabuena, in an article entitled “Can You Audit Corporate Culture,” said that “an important feature of a good culture is that the majority of employees can be positively influenced by values and environments that reinforce strong company values. Such a climate arises when the workforce believes that certain forms of ethical reasoning and behavior are expected norms for decision making. The ethical climate of an organization serves many useful functions in organizations. It helps employees identify ethical issues and address those issues by giving answers to “What should I do?” when faced with an ethical dilemma.” The oft-used corporate tactic to blame the ubiquitous ‘rogue employee’ is an “attempt to deny the flaws in the system and the culture that spawned the bad acts in the first place.”

Some of the techniques for measuring corporate culture include employee interviews, focus groups and employee surveys. This is because through “identifying cultural strengths and areas needing improvement, a cultural assessment can guide the creation of communications plans and culture-building initiatives that are tailored to the company's needs. In many cases, an effective strategy may be to target weak spots while simultaneously anchoring the overall message to positive values already strongly shared across the organization.” It is important to understand that corporate culture will not be uniform across geographies, functional areas or operating systems. But this can be useful in comparing the results.

Feldman noted that some of the key areas of concern in a culture audit are the following:

Operation Stresses. These can greatly influence a company's culture, making it periodically necessary to determine whether the company is on track. If your CEO says that your only goal is to make your numbers, that is an operation stress to hit the target goal and the implicit message is that you must do so by any means possible. Internal audits and other forms of evaluation and measurement allow for course correction and reinforcement as needed.

Retaliation. There is nothing more toxic in the workplace than the fear of raising your hand to report an issue and facing retaliation. It is also a harbinger of other negative cultural factors such as specific or even general distrust of management. Here, considering whether employees are willing to address matters with their immediate supervisor or to use the compliance hotline, and what would happen if they reported misconduct, can be meaningful. An even better approach would be to measure a company on how issues are reported and ultimately addressed. A final test is the workplace promotion and incentive history of internal whistleblowers going forward in their employment tenure with the organization.

Compensation and Incentives. Basically, do the compensation scheme and promotion to management consider compliance as a key indicium? Employee promotion, compensation and incentive programs can convey positive cultural messages. Consider that Wal-Mart, after it began its years-long FCPA investigation in 2012, began basing a portion of compensation for top executives on the company's ability to meet compliance goals. If executives do not meet their compliance objectives, they risk having their annual bonuses reduced. Therefore, one measure of incentivizing compliance is the degree to which ethical business practices have been factored into executive-level performance evaluations and/or compensation criteria. This can be leveraged down into the organization as well.

Senior Management Tone. You should examine employee turnover and retention for such information. Through employee interviews, Feldman believes that one can ascertain whether the turnover rate is attributable to organizational transition or to stress stemming from management's philosophy and operating style, which might include such things as inappropriate compensation packages, unreasonable sales goals, requirements, etc.

HR Employee Lifecycle. It is important that a company actively recruit new hires based on its mission, vision and values and reinforce these when people join the company. All of this can be done through a rigorous hiring process, which incorporates a company’s ethical values into the process. But it does not stop at the hiring and onboarding process. It should occur during every Human Resources touchpoint in the employee lifecycle, during reviews and evaluations, consideration for promotion and even at departure. You will need to review the records of employees who have had poor compliance evaluations in the past years and determine whether those employees had appropriate qualifications relative to their job descriptions. The review should be performed with an eye toward ascertaining whether the company's hiring and promotion practices appropriately noted compliance qualifications, skill set, and delegated authority to their formal position and job description.

Companies must have a high-performance corporate culture for doing business ethically. One of the ways to do so is through the culture audit. It can also be a powerful tool for continuous improvement going forward. Find out what your employees are saying about your corporate mission, vision and values and, most importantly, remediate if those mission, vision and values are found wanting.

Three Key Takeaways

  1. What are the mission, vision and values of a company?
  2. What are the compensation incentives in the culture?
  3. Always be closing? 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 9, 2017

In today’s episode we consider an eBook entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape,” by the O’Reilly Radar Team, which features a chapter by Alistair Croll entitled “The Feedback Economy,” which informs today’s discussion. Croll believes that big data will allow continuous improvement through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to make your business more agile, efficient and profitable is.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the business leader this means that if your company is able to collect and analyze information better and you can act on that information faster. 

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

 

The first step is data collection, where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put it into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.” 

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.” 

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in a more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.

Of course, having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks.

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”. 

Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of continuous improvement, I do not know what does.

Aug 9, 2017

In my last corporate position, my company was at the cutting edge because we required compliance-related audits for vendors in the supply chain. This was cutting edge in 2007-08. However, now an audit for adherence to compliance requirements has become a standard best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA), in the 2012 FCPA Guidance, and most recently in the Evaluation of Corporate Compliance Programs, the Department of Justice (DOJ) made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of its suppliers to ensure compliance. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I find this to be a missed opportunity from the perspective of both compliance and greater business efficiency.

Initially it should be noted that a company must obtain the right to audit for compliance in its contract with any third-party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following: 

The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company. 

In Industrial Engineer Magazine, in an article entitled “Dynamic Changes,” authors Tariq Aldowaisan and Elaf Ashkanani discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of an FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. More simply, the action steps for the process can be described as (1) capture the data; (2) analyze the data; and (3) report on the data.

There is no one specific list of transactions or other items which should be audited; however, audit best practices would suggest some of the following:

  • Review of contracts with supply chain vendors to confirm that the appropriate compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third-party vendor.
  • Review compliance training program; both the substance of the program and attendance records.
  • Does the third-party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third-party vendor have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third-party vendor’s compliance program. If the company has a designated compliance officer, to whom, and how, does that compliance officer report? How is the third-party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third-party vendor.
  • Regarding any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

This list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties. Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit, and a thorough and complete work plan should be created based upon all these professional inputs. After an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the compliance program and recommendations for improvements. Any reported incident of non-compliance should reference its basis, such as contractual clauses, legal requirements or company policies.

Three Key Takeaways

  1. Is your supply chain vendor committed to the audit process?
  2. Capture the data, analyze the data, report on the data.
  3. Supply Chain audits are no longer cutting edge but are now simply best practices.


Aug 9, 2017

In this episode, Matt Kelly and I take a deep dive into the weeds on a Memo issued by Secretary of Defense James Mattis last week. It deals specifically with ethical conduct within the DOD and US military. It is one of the most powerful statements we have seen on ethics, the commitment to ethics, ethics training and the modeling of ethical behavior. It is short, only 250 words or so. We unpack the entire Memo and then engage in political speculation as to why it was released and what that may portend. Matt wrote about it earlier this week on his site, Radical Compliance. It is so significant, I will post about it later this week. Every CCO and compliance practitioner should read Matt’s piece and the Memo.

See Matt Kelly’s blog post Secretary Mattis’ Insights on Ethics

For a copy of the Mattis Memo, click here.

Aug 8, 2017

Next I consider how data analytics can be used for continuous improvement where the primary sales force used by a company is third parties. A clear majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party as a conduit for the payment of a bribe) has lessened in recent years, there are related data analyses that can be performed to ascertain whether a third party is likely performing legitimate services for your company. There are several more analytics that can be run in combination to identify suspicious third parties, and some of the simplest look for duplicate or erroneous payments, all of which can lead to continuous improvement.

A key to moving from detection to prevention to continuous improvement is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at one time for errors or overpayments. Changing this from a one-time annual or biennial event to something that is done daily or weekly dramatically improves the value of such controls. This more frequent, preventative analysis is integral to a foundation of third party management. While many companies perform periodic look-back audits, ongoing monitoring runs the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.

Duplicate invoices are a favorite mechanism of fraudsters. Consider the following scenario: Invoice No. ABC-13 was paid for $10,597.95. Thirty days later the same vendor re-submitted the same invoice due to non-payment, but it was recorded by the payor organization without the hyphen between ABC and 13; consequently it was not detected by the system of payable controls. The problem is that the second invoice had slightly different writing on the face of it, but it was for the same services and hence was a duplicate invoice. On the company side, both invoices were scanned into the company’s imaging system and queued for payment. Data analysis can locate such overpayments and identify that a second payment should not be made because it is a match of one that had been previously approved.
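The ABC-13 / ABC13 scenario above can be caught before disbursement by comparing invoices on a normalized number rather than the number as keyed. The following is an added example, not code from the original post; the record fields, vendor IDs, status values and sample rows are constructed assumptions, and stripping zero padding goes one step beyond the hyphen case the post describes.

```python
import re
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Invoice:
    vendor_id: str    # hypothetical vendor master key
    invoice_no: str   # invoice number exactly as keyed by accounts payable
    amount: Decimal
    received: date
    status: str       # "PAID" or "QUEUED" (hypothetical status values)


def normalize_invoice_no(raw: str) -> str:
    """Collapse keying variants so ABC-13, abc 13 and ABC013 compare equal."""
    upper = raw.upper()
    # Drop zero padding inside each digit run before separators are removed,
    # so "A1-03" and "A-103" do not collapse to the same value.
    unpadded = re.sub(r"[0-9]+", lambda m: m.group().lstrip("0") or "0", upper)
    # Remove hyphens, spaces, slashes and any other punctuation.
    return re.sub(r"[^A-Z0-9]", "", unpadded)


def find_holds(invoices):
    """Return (queued_invoice, earlier_invoice) pairs that should not be paid.

    A queued invoice is held when the same vendor already has an invoice with
    the same normalized number and the same amount.
    """
    first_seen = {}
    holds = []
    for inv in sorted(invoices, key=lambda i: i.received):
        key = (inv.vendor_id, normalize_invoice_no(inv.invoice_no), inv.amount)
        earlier = first_seen.setdefault(key, inv)
        if earlier is not inv and inv.status == "QUEUED":
            holds.append((inv, earlier))
    return holds


# Constructed sample data modelled on the scenario in the text.
SAMPLE_INVOICES = [
    Invoice("V-1001", "ABC-13", Decimal("10597.95"), date(2017, 6, 1), "PAID"),
    # Same vendor, same amount, hyphen dropped when keyed: the duplicate.
    Invoice("V-1001", "ABC13", Decimal("10597.95"), date(2017, 7, 1), "QUEUED"),
    # Different vendor that happens to use the same number: not a duplicate.
    Invoice("V-2002", "ABC13", Decimal("10597.95"), date(2017, 7, 2), "QUEUED"),
    # Same vendor, next invoice in sequence: not a duplicate.
    Invoice("V-1001", "ABC-14", Decimal("10597.95"), date(2017, 7, 3), "QUEUED"),
]


if __name__ == "__main__":
    for queued, earlier in find_holds(SAMPLE_INVOICES):
        print(f"HOLD {queued.vendor_id} {queued.invoice_no!r}: "
              f"matches {earlier.invoice_no!r} ({earlier.status}) "
              f"for {queued.amount}")
```

Run daily over approved-but-unpaid invoices, a check like this is what moves the control from look-back detection to prevention.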

Another analysis a compliance practitioner could perform is to compare data from a watch list such as Politically Exposed Persons (PEP) or Specially Designated National (SDN), using vendor name and other identifying information, for example address and country, to names and other identifying information on your vendor file. An inquiry could also be used to test in other ways, such as whether a vendor has the same surname as a person on the specially designated national terrorist list, or a politically exposed person.

Now suppose they share the same name as an elected official down in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe that is a politically exposed person in that country? It is only upon closer inspection that you can determine that the middle names are different and the ages are different, and that one has an address in Brasilia and the other is in Sao Paulo. Without further inspection, including other demographic information about your vendors, consultants or third parties and comparing them to watch list individuals, such red flags are present but not cleared. That is what data analytics is designed to do: help you go from tens of thousands of “maybes” to a very small number of potential issues which need to be researched individually.

One of the important functions of any best practices compliance program is to not only follow the money but try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, data analytics uncover overcharges and fraudulent billings. Continual transaction monitoring and data analysis can prove its value through more frequent review, as individuals tend to perform better when they know they are being monitored.

The techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments not only by day or by month, but also by vendor or even by employee who may have keyed the invoices into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. That is the value of analytics. Analytics allows a compliance practitioner to sort and resort, combine and aggregate, so that patterns can be investigated more fully.

This final concept, of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well by allowing you to partner the information on third parties who might come into your company where there was no proper compliance vetting. The opportunity for continuous improvement through a feedback loop is obvious and a clear step you should take going forward.  

Three Key Takeaways

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists. 


Aug 8, 2017

Sheila Hooda is an independent director, advisor to CEOs, former C-level operating executive with 30+ years of global experience. She has provided strategic direction, driven growth and transformed Fortune 500 firms.

Ms. Hooda is CEO of Alpha Advisory Partners and serves on the boards of Mutual of Omaha Insurance Company and Virtus Investment Partners. She is a thought leader and regular contributor and speaker on governance, strategy and leadership.

Prior to her board service, Ms. Hooda has held senior operating roles at TIAA, Credit Suisse Investment Bank, Thomson Reuters and McKinsey & Co., across the US, Europe and Asia/India. Ms. Hooda is a lifetime member of the Council on Foreign Relations and also serves on boards focusing on Education, Women’s Empowerment and Global Policy.

In this episode we discuss the key role of the Board of Directors around oversight of strategy. She discusses her views on the Board’s role in working with senior management strategy. We then consider risk as a key component of strategy and the Board’s role in assessing risk as it intersects with strategy. We then turn to the steps in the risk management process of (1) forecasting, (2) risk assessment and (3) risk based monitoring and the Board’s role in this process. We also discuss the types of information a senior executive should present to a Board around strategic risk and what types of training a Board member should receive on risk, risk management and strategic risk.

Aug 7, 2017

Third parties still present the highest risk around FCPA compliance. It is therefore critical that you use monitoring and auditing when it comes to continuous improvement for this high-risk area. Today I want to consider three aspects of a company’s audit program for its compliance function: the types and purpose of third-party audits, planning for third-party audits and interviewing third parties.

Aug 7, 2017

Today I visit with Timur Khasanov-Batirov. Tim is a compliance practitioner with a focus on high-risk markets and author of the practical guide “Integrity Corp. 50 Tips for Your Compliance Program in the Post-Soviet States.” Timur has worked in compliance, legal, consulting, and corporate governance roles in Russia, Uzbekistan, the United States, Kazakhstan, and Ukraine. He has successfully launched and supervised execution of compliance programs for global and local businesses in the mining, energy, and pharmaceutical industries.

Tim has also recently released the first two installments of Compliance Man, the first graphic novel of a compliance practitioner. You can find out more about Tim on his firm’s website, Complianceinpostussr.com.

We look at the former Soviet Union states, one of the most interesting regions for Compliance professionals. We will touch on 10 hot questions on corporate ethics in this region. Tim answers the following questions:

1: Can we define this region as a single territory for the Compliance program structuring?

2: What regulatory trends should be taken in consideration by compliance practitioners in charge of this geography?

3: What is the biggest challenge in embedding corporate Compliance program in this region?

4:  Do you have any practical recommendations as to “dissemination of integrity” among personnel locally?  

5: Is it legally permissible to deploy our FCPA/UKBA programs in the countries of the region?

6: What is the most effective way to deliver training in this part of the world?

7: Are there any important things to remember when imposing penalties for misconduct on local personnel?

8: Do people on the ground appreciate compliance & ethics efforts?

 

Aug 5, 2017

Show Notes for This Week in FCPA-Episode 64, for the week ending August 4, the 10 Year Anniversary Edition

In this special Saturday edition, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:

 Net 1 UEPS Technologies, Inc. obtains a full declination. Yet the company went through the investigation after being turned in by a competitor. Bryan Cave attorneys Mark Srere and Kristin Robinson explore in their article FCPA Investigations – Competitors Dropping the Dime.

  1. OFAC brings an enforcement action against a non-US company. See article in the FCPA Blog.
  2. Financial health as an indicia for third parties and corruption. See Tom’s article What is the Financial Health of Your Third Parties.
  3. MasterCard uses a Richard Bistrong video in its compliance training. See article by Sam Rubenfeld in WSJ.
  4. After 10 years, the FCPA Blog is still dancing. See Dick Cassin’s article in the FCPA Blog.
  5. Across the Board premiers. In this new podcast, I explore issues relating to the Board of Directors, risk management and corporate governance. In Episode 1, Richard Lummis and I consider the role of the Uber Board of Directors in the company’s struggles. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  6. This month’s podcast series on One Month to a More Effective Compliance program has premiered. In August I review how to have greater continuous improvement in your compliance program. Affiliated Monitors is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  7. Jay reports on the state of compliance in Mexico and Panama.
  8. Jay discusses his latest piece for the SCCE Magazine, How compliance can be a business advantage

 

Aug 4, 2017

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for continuous controls monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, controls monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to controls monitoring, they may not be as aware of how to engage in the process. Put another way, how do you develop a methodology for building a controls monitoring process that yields sustainable, repeatable results? 

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained that their firm has a five-step process. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain. 

Brainstorm 

Under this step, the controls monitoring specialist, a subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the controls monitoring queries and a prioritization thereof. This initial meeting should include company representatives from a variety of disciplines, including the compliance, audit, IT, legal and finance departments. Sales and business development may also need to be considered for this initial brainstorming session.

Acquire and Map Data 

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and how to ensure files are viewable only by team members with a “need to know”. The next consideration is balancing, which consists of comparing the number of records, checksums, and control totals of the source file (as computed by the file export) with the re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example, if you are required to obtain year-end data, year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year-end processes.
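The balancing check described above can be sketched in a few lines of Python. This is an added example, not a tool from Visual Risk IQ or from this podcast; the file layout, the field names (`payment_id`, `amount`) and the sample records are constructed assumptions.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample: an accounts-payable export as produced by the source system.
SOURCE_EXPORT = (
    "payment_id,vendor_id,amount\n"
    "P-1001,V-17,12500.00\n"
    "P-1002,V-03,980.45\n"
    "P-1003,V-17,5000.00\n"
    "P-1004,V-22,317.10\n"
)
# Constructed import results: one with a dropped record, one with two
# offsetting amount changes that leave the control total untouched.
DROPPED = SOURCE_EXPORT.replace("P-1004,V-22,317.10\n", "")
OFFSET = SOURCE_EXPORT.replace("980.45", "1080.45").replace("317.10", "217.10")

FIGURES = ("record_count", "control_total", "sha256")


def balance_figures(csv_text, amount_field="amount"):
    """Compute the three balancing figures for one CSV file."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return {
        "record_count": len(rows),
        # Decimal avoids float rounding drift in the control total.
        "control_total": sum((Decimal(r[amount_field]) for r in rows), Decimal("0")),
        # Whole-file checksum: sensitive to any byte change, line endings included.
        "sha256": hashlib.sha256(csv_text.encode("utf-8")).hexdigest(),
    }


def balance(source_figures, imported_text):
    """Return the names of figures that disagree; an empty list means balanced."""
    recomputed = balance_figures(imported_text)
    return [name for name in FIGURES if source_figures[name] != recomputed[name]]


def record_digests(csv_text, key_field="payment_id"):
    """Map each record key to a digest of its canonicalised fields."""
    digests = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        canonical = "|".join(f"{k}={row[k].strip()}" for k in sorted(row))
        digests[row[key_field]] = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return digests


def locate_differences(source_text, imported_text):
    """Pinpoint which records were dropped, added or altered between the files."""
    src, imp = record_digests(source_text), record_digests(imported_text)
    return {
        "dropped": sorted(set(src) - set(imp)),
        "added": sorted(set(imp) - set(src)),
        "altered": sorted(k for k in src.keys() & imp.keys() if src[k] != imp[k]),
    }


if __name__ == "__main__":
    manifest = balance_figures(SOURCE_EXPORT)  # figures computed at export time
    for label, text in (("clean", SOURCE_EXPORT), ("dropped", DROPPED), ("offset", OFFSET)):
        print(label, balance(manifest, text), locate_differences(SOURCE_EXPORT, text))
```

The offsetting case shows why all three figures are compared: the record count and control total still agree, and only the checksum reveals that two amounts were changed.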

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple controls processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Assets Control (OFAC), the Transparency International - Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlations between spending and sales may be significant. Finally, do not forget external data sources such as your third-party controls. All data should initially be secured and then transmitted to the controls monitoring tool. Of course, you need to take care that your controls monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries 

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the controls monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following: 

  • Business courtesies provided to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments. 

Analyze and Report 

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next, you should perform a root cause analysis of what you might have uncovered. Finally, at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor-to-employee conflicts. Through such an analysis you determine whether there were incomplete vendor records, whether duplicate payments were made and whether such payments were within your contract’s terms and conditions.

Refine and Sustain 

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine your monitoring through addition or deletion of input files, changes to thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely, if your selected amount was so low that it did not generate sufficient controls, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of controls monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking. 

Three Key Takeaways

  1. Create a process to monitor your controls.
  2. Use a compliance subject matter expert to work with your internal controls specialist to develop queries from the compliance perspective.
  3. Finally, do not forget the feedback loop nature of the process by integrating your results going forward. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 3, 2017

In this inaugural podcast of Across the Board, I consider the Holder Report to the Uber Board of Directors, which led to the resignation of CEO Travis Kalanick. In June, the law firm of Covington & Burling LLP (Covington), released its long-awaited report (Report) to the Special Committee of the Board of Directors of Uber Technologies, Inc. (Uber). It is truly one of the most unique corporate documents you will ever see. The Report was commissioned after Susan Fowler, a former engineer at Uber, published a blog post detailing allegations of harassment, discrimination, and retaliation during her employment at Uber, and the ineffectiveness of the company’s then-existing policies and procedures. The next day, Uber retained Covington. This podcast discusses the Holder Report and the role of the Uber Board. 

Aug 3, 2017

Next I consider how the Internal Audit (IA) function can be used to facilitate more effective continuous improvement. According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are to maintain its independence; to conduct auditing activity of awareness and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow up of recommendations made in IA reports, including those relating to compliance and ethics risks, and to track and report on management follow up; to assist and collaborate on internal investigations, including having IA provide audit expertise in dealing with internal controls and financial data; and to assist in both design and auditing of internal controls and follow up as required. Clearly this is a function which is and should be integrated into compliance.

IA is doing compliance all the time as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether the employees are aware of standards of business conduct; whether they are aware of the anti-corruption policies; what controls are in place; and whether they are effective in the implementation locally.

It should be apparent there are numerous benefits to compliance having a closer and more robust integration with IA. Some of the more obvious ones include some of the topics I have previously explored this week, such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issues, broad awareness of compliance risks as they relate to the process or audit issues, and an overall strengthening of the IA network throughout the company. Another area is through the leveraging of joint vendor resources that would be available to both, such as professional development, forensic accounting and other professional consultants, and having ethics and compliance insights when making recommendations that are derived from internal audits.

One area which IA brings insight to that is critical to compliance but not well understood by compliance practitioners, particularly those with a legal background, is in internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4 asks the following, “Gatekeepers – Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?”

When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. By doing so, it allows compliance to impart the need to determine how the internal controls, their design and effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA so an audit plan is as strong as possible given the time and resources available to pursue the audit.

From the compliance aspects, IA is really kind of the watchdog or monitoring facility for the entire company. This dovetails explicitly into this ‘gatekeeper’ function. Additionally, and depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist to operationalize compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various legal requirements or compliance requirements. I have certainly seen numerous instances where internal audit, in doing a country audit in a country in Europe, would make some of the following inquiries: "Are these people aware of standards of business conduct? Are they aware of the anti-corruption policies? What controls are in place and are those effective in the implementation locally?" Depending on the answers to these audit inquiries, compliance or better yet, compliance in conjunction with audit and HR could develop a remediation plan.

With such integration both groups benefit. IA can perform stronger investigations around enterprise risks and internal controls issues, through a broader awareness of compliance risks which might occur related to audit issues or audit processes. Such integration can work to strengthen IA's network throughout the company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants, and provide additional compliance insights when making recommendations following internal audits.

For its part, the compliance function can leverage IA resources and professionals, on audit techniques and analysis of internal controls. Equally such integration extends the corporate compliance influence through the company’s IA network using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits so compliance is more fully able to participate in recommendations and follow up. 

Three Key Takeaways

  1. Internal audit can be used to provide continuous improvement to and for compliance.
  2. Internal audit can also fill a gatekeeper role in your compliance regime.
  3. Compliance should leverage IA resources and professionals, on audit techniques and analysis of internal controls. 


Aug 2, 2017

In the Evaluation of Corporate Compliance Programs under the section entitled, “Continuous Improvement, Periodic Testing and Review” it stated, “Internal Audit – What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?”

Interestingly, Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed, audits are specifically delineated in the 2012 FCPA Guidance to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical for a compliance audit to have a chance for success: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. 

Auditing can take several different forms in an anti-corruption compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls.

In addition to the collection and analysis of evidence, an auditor's objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company's management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted. 

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place you must actually do the work going forward. 

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties, below are some of the areas you may wish to consider reviewing:

  • Contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review the compliance training program for any third party; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing. 

Auditing is a more limited review that targets a specific business component, region or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Three Key Takeaways

  1. Auditing takes a deep dive into your high-risk compliance areas.
  2. Internal audit should test your key FCPA risk areas as a part of their regular auditor rotation.
  3. The findings uncovered in an audit must be used in your compliance regime going forward. 


Aug 2, 2017

In this episode, Matt Kelly and I explore last week’s announcement by the Securities and Exchange Commission (SEC) of the resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company, which continues to resonate and provide lessons for the compliance practitioner. We consider the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management over-ride of internal controls.

For more information, see my blog posts:

Lessons in Failures of Internal Controls; and 

Halliburton Resolves FCPA Enforcement Action

Aug 1, 2017

In this episode, I visit with Margaret Johnson, the author of the book From SOS to WOW. This book can help you to move your leadership skills to a new level by helping you bust through assumptions, unleash your creative ideas and take courageous action to finally make the move to where you really want to be personally or professionally. Johnson is a long-time business leadership coach who shares some of the techniques she uses to help folks achieve greater results in business and in life.

 

We discuss her growing up and college years in Michigan and why she got to Texas as quickly as she could. She details her professional career in the energy and power industries and how that work prepared her for her current career. She then talks about what led her to write her book and how it can be used by a person to help achieve personal and professional goals.

You can find the book on Amazon.com.

You can find out more about Margaret Johnson by checking out her website, ideasandbeyond.com.

Aug 1, 2017

Welcome to the August edition of One Month to More Effective Continuous Improvement. As you know, each month in 2017 I am presenting a series of podcasts on one topic which will allow you to create a more effective compliance program. This month I will discuss techniques to create continuous improvement in your compliance program.

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation), which lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each category was further refined with multiple attendant questions.

You should keep track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

 

The 2012 FCPA Guidance goes on to make clear that each company should assess and manage its risks. It specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. These ongoing efforts demonstrate that your company is serious about compliance.

What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement, by using the following: 

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan, which the CCO should lead to determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held on a less frequent basis.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan. 

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complementary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. 
