Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: Category: Compliance Know-How
Sep 7, 2017

What will be the role of Artificial Intelligence (AI) in compliance going forward? LawTech had disrupted the legal profession and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I believe there will be a ComTech industry lurking down the road. 

Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company. 

The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.

Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach. 

Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are companies which have software that allows thousands of documents to be reviewed in the M&A context. 

The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high risk regions or even sales spikes from low risk areas from the compliance perspective. 

A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Using AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise. 

There is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so; I can personally attest again to the greater efficiencies we are considering through the use of AI. 

This example also points to one of the key disadvantages to AI and ComTech going forward. In past years, it was through document review and the detailed reading of documents and cases that many junior lawyers were trained. In my experience, reading all those JV agreements and third party sales agents’ agreements gave me a very good education in contract language and what positions were more and less favorable to each party. This is how many young associates were trained in law firms. This very practical method of training will eventually go away. 

This final example also points to one of the key limitations of ComTech. While it might have helped to have AI review the JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies. 

Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. In a review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins, it noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.” 

There have always been technological innovations which help make co mpliance disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Given the disruption which has impacted the legal profession through LawTech; disruption is not far behind in the compliance world through ComTech. 

Three Key Takeaways

  1. Artificial intelligence has already disrupted the legal profession, the compliance profession may be next. ComTech will be the result.
  2. Document review will be the first area of significant AI use in compliance.
  3. Beware the limitations and disadvantages of ComTech. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 6, 2017

We previously considered how artificial intelligence (AI) can be used as business advantage for compliance. However, the power of AI can also extend the more traditional functions of prevention, detection and remediation. The first way is in simply the mass amount of data which could inundate a compliance practitioner. Many compliance practitioners are overwhelmed about the amount of data available to them and do not know how or even where to begin. 

Patrick Taylor, President and CEO of Oversight Systems, Inc. has noted that AI allows the compliance practitioner to understand the “subtle clues in that pattern of activity that will clue me in to take a different look”. He likened to seeing a pattern in “raked leaves” which allows you to then step in and take a deeper and broader look at an issue, either through an audit or investigation.  This is where compliance practitioner can step back and literally keep an eye on the big picture and longer term as opposed to just the immediate numbers and information in front of them. It may also be the best hope for finding that kind of systemic fraudulent behavior. 

This speaks to one of the difficult issues for the compliance practitioner, which is what does all the information mean? Consider the example of GlaxoSmithKline (GSK) in China. The Chinese business unit employees were working en masse to create fraudulent reimbursable invoices, inflating the cost of industry events to create a pool of money to pay bribes. They would stage an event around a drug product, or service in a hotel. They would inflate the hotel charge 20% above the actual costs and submit the entire amount to the corporate office for reimbursement. In some cases, GSK employees would submit invoices for events which never took place. 

Now layer on top of these deceptions, in China, there is a rampant sale of fake receipts. For every Marriott the Chinese business unit utilized, personnel they could buy an official Marriott receipt, which showed the price that was paid and it was a backup documentation for the auditor to look at on that expense report. Finally, there was the illegal sale of official Chinese government real tax stamps to tier on another level of complexity. 

Taylor said that AI would provide you the opportunity to detect even this type of massive and systemic fraud because, statistically those charges would not make sense. Taylor said the reason this type of fraud can be so difficult to detect and prevent is the charges were on credit cards, so recorded and there was paper documentation to back up the charges. Standard modalities of detection will not assist the compliance practitioner. You just know that something does not make sense. AI allows a compliance professional to gather and compute statistics across a wide variety of customers and situations; such as geographic and time dimensions. 

Using these two data points, you can analyze what is a reasonable amount to spend at a hotel or other venue. But also includes such variables as the time of year as some cities have tremendous seasonality in their hotel charges. Yet others do not and indeed there may even be zero variability in transportation cost across seasons. AI allows you to pull geographic, time, type of expense and even specific vendors statistics for a big-picture analysis. 

In a broader manner, consider all the data points in the lifecycle of any business transaction which produce data analytics for a compliance practitioner. When Business Development (BD) initially makes a call on a potential customer; when a request for proposal (RFP) comes into an organization; when the response is formulated with pricing and proposed discounts; during any subsequent contract negotiations; post-contract obligations for travel and training; and continued business development contacts with a customer. 

Each of these steps could provide data, which taken singularly might not raise any red flags or even be outside company specifications, but taken as a whole it might be a transaction which would lend itself to compliance oversight. Starting with the BD representative, what was the spend on gifts, meals and entertainment (GTE)? Even if that information is not available to the compliance department it is available from employee reimbursement requests so it can be used to take an appropriate business deduction from the Internal Revenue Service (IRS). From the Foreign Corrupt Practices Act (FCPA) perspective, is the BD representative entertaining a foreign government official under the Act? If so, what is the aggregate spending by any one such government official over a 12-month period by one BD representative? What is the BD spend on one particular state owned enterprise official by several company BD representatives? Has there been any travel involved to tour company facilities? If so, what was the aggregate spend and was it correlated with other GTE spends? 

Moving on to any contract negotiations which might take place, were any discounts offered outside the standard discount range? If so were these discounts properly vetted through the internal company process? Was this process documented and was there senior management sign-off in place? Did the customer suggest the use of any third parties as suppliers to the prime contract? Were there any charitable donations requested by the customer? Were there any charitable donations made during any part of this process or within 12 months after a successful contract negotiation? Was the contract properly vetted by all required internal processes: by management, legal, and compliance? 

If the business function was successful in concluding the contract; did it specify any travel for the customer? How about ongoing training and if so where and for how long? Was there a specification of business class or above travel accommodations? Has any required compliance or FCPA training been delivered to third parties involved in the contract? Was there any Corporate Social Responsibility (CSR) requirement going forward? Does compliance have visibility into this or does is go through a company charitable donation group or committee? 

These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. Obviously, AItion holds both promise and challenge for CCOs. However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition. 

Three Key Takeaways

  1. Do you know what your information means?.
  2. AI can help both the detect and prevent prongs in a best practices compliance program.
  3. AI can help you to see the patterns in raked leaves. 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 5, 2017

Next we consider the introduction of Artificial Intelligence (AI) into the compliance profession. A few pieces claimed AI is revolutionary and would change the face of compliance. Well I have some news for such pontificators, technology has been involved in compliance since the profession began in earnest with the implementation of the US Sentencing Guidelines in 1992. One thing is certain however and that is technology that will improve the efficiency of compliance and will assist in the operationalization of compliance into fabric of every business which embraces it. 

A recent article in MIT Sloan Management Review, entitled “Building a More Intelligent Enterprise, by Paul J. H. Schoemaker and Phillip E. Tetlock explored how businesses could “blend technology-enabled insights with a sophisticated understanding of human judgment, reasoning, and choice” which will provide to them “an advantage over their rivals”. The compliance professional who incorporates the techniques they advocate into their organization’s compliance program will not only move their compliance program forward but also make their company run more efficiently and, at the end of the day, more profitably. 

The reason is not simply that AI can make compliance more effective and more efficient but “in the knowledge economy, strategic advantages will increasingly depend on a shared capacity to make superior judgments and choices.” AI is a step which weds the human interaction and experiences with the data which is available to every company - its own internal information which is most generally sitting in siloed verticals and not being used. This data can “provide the foundation for operations research, forecasting models” when using AI. When you couple this data with the “growing understanding of human judgment, reasoning, and choice” which has provided insights in what humans do well or poorly; you can pair the best of these two seemingly disparate incongruities. 

The authors suggest that you use this strategy in an area which will have the greatest benefit for your company, stating, “The starting point for becoming an intelligent enterprise is learning to allocate analytical effort where it will most pay off — in other words, being strategic about which problems you decide to tackle head-on. The sweet spot for intelligent enterprises is where hard data and soft judgment can be productively combined.” For the compliance professional, this translates to your greatest risk area. Consider the possibility that you could identify through forecasting what your highest risk might be, then use AI to more efficiently and accurately assess the risk and finally tie both an AI technology solution with compliance subject matter expertise (SME) to manage the risk going forward. 

The key in such a scenario is in aiding the compliance practitioner to avoid judgmental “biases that often distort human information processing and by recognizing the precarious assumptions on which statistical models sometimes rest, the analytical whole can occasionally become more than the sum of its parts.” This means you should critically look at a variety of factors around where your compliance risks lie. Most compliance practitioners only rely on the Transparency International-Corruptions Perceptions Index (TI-CPI) for a country’s corruption rating. While the TI-CPI is a good starting point, it is only that. A compliance analysis that an area is high, medium or even low risk does not consider the starting assumption using the TI-CPI. Moreover, because this Index has been used so long, compliance professionals are biased towards and do not seek out other data which might provide a more nuanced approach. 

Another technique which I have been involved with is known as boot-strapping. Here a group of SMEs would develop a model of possible risks which could be assessed with large amounts of data or other inputs. By modeling the experts’ knowledge in risk areas, you could develop not only a more comprehensive forecast and assessment of risk but it would also be more consistent, which would greatly help in your planning and risk management. 

The authors reported researchers who asked a group of corn experts to rate 500 ears of corn to predict their eventual prices in the marketplace, using a variety of factors. “The researchers then created a simple scoring model based on cues that judges claimed were most important in driving their own predictions. Both the judges and the researchers expected the simple additive models to do much worse than the predictions of seasoned experts. But to everyone’s surprise, the models that mimicked the judges’ strategies nearly always performed better than the judges themselves.” Most of the factors were subjective but that did not stop the model from being more efficient. The authors believe the boot-strapping model “remains one of the most compelling demonstrations of the potential benefits of combining the powers of models and humans, including the value of expert intuition.” 

Boot-strapping is the most straight-forward use of this type of technology, as it is “a simple input-output approach to modeling expertise without delving into process models of human reasoning.” Now consider how boot-strapping can be augmented by AI technologies “that allow for more complex relationships among variables drawn from human insights or from mining big datasets.” 

These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. The authors conclude by noting, “the cognitive-science revolution holds both promise and challenge for business leaders.” However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition. 

Three Key Takeaways

  1. Innovation in your compliance program has been required since the implementation of the US Sentencing Guidelines.
  2. AI can help compliance in the knowledge economy.
  3. AI in compliance will benefit the business going forward.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 1, 2017

Welcome to the September edition of my yearlong podcast series of One Month to a More Effective Compliance Program. In the month of September, I will be focusing on innovation in compliance. I will look at innovation from a variety of angles including AI and ComTech, structural innovations, tools and tactics and innovation in leadership. At this end of September, you will have a number of solid ideas you can use to move your compliance program forward. 

I begin this month by considering the starting point, which is an innovation strategy. In the most recent Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) issued by the Department of Justice they all include an element along the following strictures, “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]. This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy. 

All of this means you should begin with an innovation strategy for your compliance program. Gary P. Pisano, in an article in the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy” discussed such an approach. He began by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” The key to success is something that every CCO or compliance practitioner should take to heart; which is, a compliance practitioner must be able to lay out an innovation strategy for compliance that details the efforts will support the overall business strategy. This means creating an innovation strategy for compliance that will create value for customers of compliance, IE., employees, third parties and customer, show how the company will capture that compliance value going forward and finally which types of compliance innovation to pursue.

First, some basic definitions useful for the compliance practitioner to think through innovation in the compliance function. Pisano defined a “strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal.” If you have a good strategy, it can promote alignment among diverse groups in a company, help to clarify objectives and priorities and guide your focus on those objectives. It can also be modified as necessary and with sufficient feedback. 

There are several questions you need to consider in connecting innovation to strategy. Initially, how will innovation create value for the customers of compliance; IE., your employees and relevant third parties? Your innovation can make compliance faster, easier, quicker, nimbler and so on. Focus on that creation of value going forward. Pisano’s next question was “How will the company capture a share of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Next what types of innovation will allow the company to create and capture value, and what resources should each type receive, such as a change in technology and a change in a business process. Both are equally valid.

Obviously senior management has a key role around innovation in compliance, as innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resources allocated but management must also incentivize the business units to proceed with implementing the innovations. Another area where senior management is critical is with making trade-offs. 

The author noted there are four essential tasks in creating and implementing an innovation strategy. Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ or speaker from the Securities and Exchange Commission (SEC) I have ever heard say when they talk about the basics of any best practices compliance program. It is that both compliance and innovation strategies must evolve. Pisano wrote that every innovation “strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”

You must recognize that your compliance program will have to be innovative. Start with a strategy which has senior management buy-in and support, then move to implement. Finally use data in a feedback loop to fine tune your innovations. Innovation in compliance is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate an operationalized compliance program is that the latter creates an active, vibrant and effective compliance program. That is the bottom line for innovation. 

Three Key Takeaways

  1. Both the DOJ and SEC expect innovation in your compliance program.
  2. Innovation in compliance should have a strategy going forward.
  3. The key is to demonstrate how the compliance innovation will benefit the business going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Aug 31, 2017

In the August edition of One Month to More Effective Continuous Improvement I have considered some of the techniques to create continuous improvement in your compliance program.

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its chapter 5 Guiding Principles of Enforcement industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation) lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions.

You should keep track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One technique that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

Over the month of August I have presented a variety of specific tools and techniques for the compliance practitioner to utilize. They include financial audit, the culture audit, continuous controls monitoring, various risk management strategies which can become continuous monitoring. The tools are both quantitative and qualitative. Pick and choose the right tools for your company’s business and compliance profile. 

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.” 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. There are a variety of tools for continuous improvement which will enhance both your compliance and business processes.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.

A big shout out and thank you to this month’s sponsor Affiliated Monitors. They use a variety of the tools and techniques I have described over the month in their services. I hope you will check them out. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 30, 2017

Continuous improvement also requires you to consider the backbone of your compliance program, your written Code of Conduct, policies and procedures. Under Prong 9, in the Department of Justice’s Evaluation of Corporate Compliance Programs, it states, Evolving UpdatesHow often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries

Moreover, under Prong 4, the Evaluation considers not only the design of your Code of Conduct but its accessibility with a variety of questions and factors. These include what was considered for your Code of Conduct, how the Code improvement was implemented, whether the gatekeepers were consulted and most importantly whether they bought into the entire process. Finally, is your Code accessible to all employees.

I thought about this updating in the context of your best practices compliance program. The cornerstone of any such compliance program is recognized to be your Code of Conduct. But a Code of Conduct should not be a static document. It needs to evaluated and updated as circumstances warrant. Yet such updating should not be performed in an ad hoc manner. As intoned in the 2012vFCPA Guidance, your compliance program should be thoughtful and well considered. In “Six steps for revising your company’s Code of Conduct”, Anne Marie Logarta and Ruth Ward discussed how you should think through the updating of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to update your Code?

After evaluating these initial issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. If you decide to move forward the authors have a six-point guide that should assist you in making your revision process successful.

  1. Get buy-in from decision makers at the highest level of the company

Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  1. Establish a core revision committee

A cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is incumbent you create a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  1. Conduct a thorough technology assessment

The backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” Technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.

  1. Determine translations and localizations

You must translate your Code of Conduct into appropriate local languages. This is particularly important if your Code is pre-2012, when the FCPA Guidance came out and made clear that translation into local languages was a minimum of a best practices compliance program. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” The Evaluation also makes this requirement for accessibility mandatory.

  1. Develop a plan to communicate the Code of Conduct

A roll-out is always critical because it “is important that the revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide meeting where the new or revised Code is rolled out across the company all in one day. Recent pronouncements from the Department of Justice (DOJ) have suggested that testing the knowledge of employees on the Code is becoming more important. However, the bottom-line, as with all thing compliance-related, is Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it and understands it.

  1. Stay on Target

If you set realistic expectations you should be able to stay on deadline and stay within your budget. They state, “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.

If you are a compliance practitioner, I urge you to look at your company’s Code of Conduct, policies and procedures. If your Code is pre-2012, you need to update sooner rather than later and consider what the FCPA Guidance says about a best practices Code of Conduct. With the new information presented by the DOJ you need to consider how you can measure how well your employees are retaining it as well. It is far better to review and update if appropriate than wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to go through the process.

Three Key Takeaways

  1. Continuous improvement includes your Code of Conduct.
  2. When was the last time you assessed and updated your Code of Conduct.
  3. Who, what, how are important issues of continuous improvement for your Code of Conduct.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 28, 2017

A Program Manager in a Power Plant Process group told me about the ‘Mock Audit’ that his company performs in its power plants across the country. He explained that his industry is heavily regulated at both the state and federal level. Power plants are subject to numerous levels of oversight including various ISO standards to which they must comply. ISO is the International Organization for Standardization and it develops and publishes International Standards for various industries and organization.

The ISO 9000 standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved. One of the components of ISO 9000 compliance is an internal audit to check how a quality management system is working. But, for the utility industry, there are additional, more formal audits by various state and federal regulatory bodies, including both North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). In other words, the utility industry is subject to numerous rules and regulations which require compliance audits.

To help prepare for these formal internal and external audits, his company employs the Mock Audit. In the Mock Audit, his team will go through the factors which will be reviewed in a formal audit at a power plant. But the thing that struck me was that he said that when goes into a plant, he tells the plant personnel “we all wear the same color shirt” and by this he means they are all on the same team, trying to achieve the same goal of doing business in compliance with the rules and regulations that the power industry is required to operate under. Coming from the energy service industry, the ‘color of one’s shirt’ is a powerful concept. I worked at Halliburton which is known as “Big Red”. Halliburton’s competitor, Schlumberger, is known as “Big Blue”. Once in an employment interview someone asked me if I could work under a person who came from “Big Blue” and I knew instantly what they meant.

The Mock Audit is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance. The team members who perform these Mock Audits are not lawyers but are engineers or other process focused team members. These Mock Audits help to uncover gaps that need closing before any of the regulatory mandated audits by external audit teams. As this Program Manager explained to me, they are a powerful compliance tool.

I thought about this concept of the Mock Audit in the context of continuous improvement under the Foreign Corrupt Practices Act (FCPA). Typically such monitoring and annual assessments are done by lawyers. One thing that I think we as lawyers bring to this process too often is an adversarial relationship. It sometimes feels and sounds like we are trying to find a violation or something wrong regarding a company’s compliance program. We are not there to try and help employees learn from their mistakes (if any) and we do not present ourselves as ‘wearing the same color shirt’. While there certainly is a fine line that must be trod in monitoring and annual assessments, if the compliance practitioner could adopt a bit of the tone of the Mock Audit it might open things up for a more useful and constructive exercise going forward. This is not to say that a more formal compliance audit should be conducted with such a tone, as it is a different type of activity. But, just as the Mock Audit is there to uncover any gaps and help fill those gaps, monitoring or annual assessments can also be used to help close compliance gaps before a biennial formal compliance audit. So what are some of the steps that a compliance practitioner can take?

I once worked in a corporate legal department where the attitude was very much ‘us against them’. The legal department was viewed as the last bastion between the business guys doing something to put the company at risk. The attitude was not cooperative at all. I would suggest that even if the legal department feels like it has to maintain that attitude, the compliance department is not required to have that attitude, at least not all the time. Just as my new found colleague from the utility industry can help power plant employees to do their work more in compliance with the rules and regulations that they are required to follow, the compliance department can work with employees rather than simply dictate the rules which are to be followed. An annual assessment is the perfect opportunity to learn more about a region or group’s compliance challenges and how those challenges are being met and might be met going forward. But it will not work if it starts out with the us against them or I am here to get you attitude. You have to wear the same color shirt and be on the same team.

One of the more constant complaints that I have heard from business unit folks is that compliance did not share the results of any assessments or audits with them. Not only was there no transparency at the end of the process but there seemed to be no simple desire for local participation or input to resolve any outstanding issues uncovered. So another step I gleaned from the Mock Audit is to review any assessment findings with the senior management team of the group or area being assessed. If warranted, the management team from the group or area reviewed should be a part of any corrective action plan that addresses a specific gap in compliance. You can use this opportunity to demonstrate that the overall goal is to drive towards compliance and that use of local input may be one of the best paths to positive change over the long term. As with anything, else if people feel like they have input into the process, they will be more likely invested to make sure the process succeeds. When you return to the corporate office you can collaborate with the group or region until issues are fully addressed.

The 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. The concept of the Mock Audit is one that can facilitate continuous improvement. As it is a process designed to help your employees do business in a more compliant manner it is a tool that should not be overlooked.

Three Key Takeaways

  1. Always remember we wear the same color shirt.
  2. Review your findings with the group being assessed.
  3. Use the Mock Audit to both learn and educate. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 25, 2017

Compliance does not exist in a time-warp vacuum, with programs living in 1977 when the first major anti-corruption legislation, the Foreign Corrupt Practices Act was passed. The law has advanced since that time, as has compliance and society as well. One of the ways that you can engage in continuous improvement for your compliance program is based upon the two-way use of social media. Social media can be used not only to communicate with your employee base but also for your employee base to communicate with you, most particularly if you are prepared to listen. 

For every CCO or compliance practitioner, you have multiple audiences. First and foremost is your employee base but there can be third parties, shareholder or other stakeholders. One of the key insights of several business leaders I have studied is the art of listening. In an article in the MIT Sloan Management Review, entitled “How Twitter Users Can Generate Better Ideas”, authors Salvatore Parise, Eoin Whelan and Steve Todd postulated that “New research suggests that employees with a diverse Twitter network – one that exposes them to people and ideas they don’t already know – tend to generate better ideas.” Their research led them to three interesting findings: (1) “Overall, employees who used Twitter had better ideas than those who didn’t.”; (2) In particular, there was a link between the amount of diversity in employees’ “Twitter networks and the quality of their ideas.”; and (3) Twitter users who combined idea scouting and idea connecting were the most innovative. 

I do not think the first point is too controversial or even insightful as it simply confirms that persons who tend have greater curiosity tend to be more innovative. The logic is fairly straightforward, as the authors note, “Good ideas emerge when new information received is combined with what a person already knows.” In today’s digitally connected world, the amount of information in almost any area is significant. What the authors were able to conclude is that through the use of Twitter, “the potential for accessing a divergent set of ideas is greater.” 

However it was the third finding that I thought could positively impact the compliance profession, the role of the Idea Scout and the Idea Connector. An idea scout is an employee who looks outside the organization to bring in new ideas. An idea connector, meanwhile, is someone who can assimilate the external ideas and find opportunities within the organization to implement these new concepts.” For the compliance practitioner, the ability to “identify, assimilate and exploit new [compliance] ideas” is the key takeaway. However to improve your compliance innovation, “you need to maintain a diverse network while also developing your assimilation and exploitation skills.” 

For the compliance practitioner, Twitter can be “described as a ‘gateway to solution options’ and a way to obtain different perspectives and to challenge one’s current thinking.” Interestingly the authors found that “It’s not the number of people you follow on Twitter that matters; it’s the diversity within your Twitter network.” The authors go on to state, “Diversity of employee’s Twitter network is conductive to innovation.” Typically an Idea Scout will “identify external ideas from experts and resources on Twitter.” Clearly the compliance practitioner can take advantage of experts with the anti-corruption compliance field but there is perhaps an equally rich source of innovation from those outside this arena. 

An interesting approach was what the authors called the “breadcrumb” approach to finding innovation leaders and thought-provokers. It entailed a “period of “listening” to colleagues and industry leaders who are on the platform - including what they are tweeting about, who they are following and replying to on the platform, who is being retweeted often”. So with most good leadership techniques the first key is to listen. 

Equally important to this Idea Scout is the Idea Connector, who is putting the disparate strands from Twitter’s 140 character tweets together. For the compliance function, this will be someone who identifies compliance best practices or other information from Twitter ideas, can then put them together and direct the information to the relevant company stakeholders. Finally, such a person can “Curate Twitter ideas and matches them with company resources needed to implement them.” 

Here the authors listed a variety of ways an Idea Connector can use Twitter. One user said, “I try to sift through all the Twitter content from my network and look for trends and relationships between topics. I put my analysis and interpretation on it. I feel that’s where my value-add is.” Another method is to focus on analytics and one user “filtered specific subsets of the topic for different stakeholders” at his company. Another method was to create “social dashboards or company blogs based on the insight” received thought Twitter. Interesting, one of the key requirements for successfully mining Twitter was in finding ways to share its content “since many employees, especially baby-boomers don’t use the platform themselves.” Conversely by mining information from Twitter and presenting it, this can allow these ‘technologically challenged’ older employees to ascertain how they can target millennial’s. 

But as much as these concepts can move a CCO or compliance practitioner to innovation in a compliance program, it can also foster additional information through the following of your own employees. It is well known that Twitter can facilitate greater communication to and between the compliance function and its customer base, aka the company employees. However the authors also point to the use of Twitter to enable this same type of innovation because it “is different than email and other forms of information sources in that it enables continuous engagement”. 

Twitter was created to allow people to connect with one and other and communicate about their activities. However the marketing potential was immediately seen and used by many companies. Now a deeper understanding of its use and benefits has developed. For the compliance practitioner one thing you want to consider is to align your Twitter and great social media strategy with your compliance strategy; match your Twitter strategy to your compliance strategy. 

Twitter can be powerful tool for the compliance practitioner, as it allows you to both listen and communicate. It is one of the only tools that can work both inbound for you to obtain information and insight and in an outbound manner as well; where you are able to communicate with your compliance customer base, your employees. You should work to incorporate one or more of the techniques listed herein to help you burn compliance into the DNA fabric of your organization through continuous improvement. 

Three Key Takeaways

  1. Social media is a two-way approach to communications.
  2. Twitter or a similar tool can facilitate your compliance program improvement.
  3. Study and embrace technology to move your compliance program forward.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 24, 2017

The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local Finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance. 

Yet ongoing monitoring is not limited to the financial component of compliance. Another approach to review emails as both a preventative and detection program through the technique of email sweeps. The concept is straightforward; at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that does not require an extensive eDiscovery software tool or license purchase. It can be accomplished generally in two days or less. Also it is not limited to anti-corruption compliance but any of the risk factors identified for your company. 

The objective of this approach is to ‘find the smoke’ which may be the evidence of a compliance breakdown (and related fire) by sweeping through emails is to uncover those that may contain real issues. From this starting point, you can assess and prioritize, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities.

In addition to the cost effectiveness of this approach, in that you are only paying for the services when you need them and as they are delivered, this approach satisfies the Tom Fox mantra of Document, Document, and Document because everything you have done can be verified and audited. Finally, as the regulators continue to evolve in their understandings and appreciation of a best practices compliance program, you will evolve your compliance program to a new level of detection that could well allow you to have a more robust prevent mode. When your compliance program has a strong prevent prong, it can be the most effective to stave off anything issues from becoming Foreign Corrupt Practices Act (FCPA) violations.

Continuous improvement through continuous monitoring will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.” 

Three Key Takeaways

  1. Ongoing monitoring is not limited to financial monitoring, a holistic approach would look at other indicia of corruption.
  2. Where there is smoke, there is most usually fire.
  3. Continuous improvement can be achieved in a variety of efficient, cost effective ways.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 23, 2017

Continuous improvement can take many ways, shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis. 

One thing that is most generally not considered is the financial health of the third party. It turns out such an oversight may have some significantly ramifications for an accurate picture of a third party. The financial health of third parties as not only a key metric but also a key due diligence tool which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed. 

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing a FCPA violation forming in the mind of a third party. 

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s effecting revenue, it’s effecting reputation, it’s effecting all sorts of things.”

A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”. 

This is considering your third parties in much broader manner which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability, through the avoidance of business disruption and support business continuity initiatives. Even better, you can cut through siloes to develop risk management strategies across multiple business functions. 

This moves compliance into the business process cycle, creates greater efficiencies and at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate solid return on investment going forward. It also allows compliance to cut through many corporate siloes including such disciplines as business development, supply chain or procurement, manufacturing and finance. 

Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and with that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward. 

Three Key Takeaways

  1. What is the financial health of your third-parties? Do you even know?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at http://www.affiliatedmonitors.com/.

Aug 22, 2017

There are multiple areas in the Department of Justice’s Evaluation of Corporate Compliance Programs which intersect with the area of continuous improvement. In addition to Prong 9. Continuous Improvement, Periodic Testing and Review; under Prong 1 Analysis and Remediation of Underlying Misconduct is found the following: Prior IndicationsWere there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed? This also ties to the 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. Another way to do achieve these multiple and intersecting goals is through voluntary monitoring. when I recently visited with Vincent DiCianni, President and Founder of Affiliated Monitors, Inc. and Eric Feldman, Senior Vice President (SVP) and Managing Director, Corporate Ethics and Compliance Programs also at Affiliated Monitors, Inc. about their views on voluntary monitoring. 

According Feldman, voluntary monitoring is an approach where a company “uses the services of an independent monitor to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of voluntary monitoring. Feldman articulated the first as “reactive proactivity” which is the situation where a company determines it has a potential compliance violation and they bring in an independent monitor to address the issue. 

The genesis for this type of monitoring is some event, such as a whistleblower report, internal report or investigation or detect control picking up information which warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they're worried about the other business units and they want to get an assessment.” Another situation could be there is a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another area could be in a geographic area such as China or another high-risk region. 

DiCianni noted there is a second type of voluntary monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is operating. It could assess a variety of issues, such as the compliance internal controls to test their benchmarking of a company’s compliance program. In this type of voluntary monitorship, the examiner is not focusing on one issue or region as laid out in the first example but it is broader.

Moreover, it allows a true independent to perform the assessment as DiCianni noted, “it's very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this voluntary approach.” 

The benefits of both types of voluntary monitoring are multifold. It certainly helps to meet the Control Testing requirement found in the Evaluation. The 2012 FCPA Guidance stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This type of approach can provide benefits if a company finds itself in FCPA hot water, as both the DOJ and Securities Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the Guidance intones a business reason for the use of such techniques as voluntary monitoring when it stated, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.” 

Feldman pointed out yet another reason for such a proactive approach. It can create an administrative record, which a company can use to demonstrate it has remedied the problems. Equally important it establishes the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel so they can present an accurate, unbiased opinion.  

He presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the debar list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitored that would move it from voluntary monitoring over to mandatory monitoring for the next three years.” 

Voluntary monitoring is an excellent technique through which a company can engage in continuous improvement. Nonetheless it has many other benefits as well, including regulatory and evidence in a criminal investigation if needed under anti-corruption laws such as the FCPA. The bottom line is that all those scenarios might justify a company to engage a voluntary monitorship to come in and do a complete ethics and compliance and cultural assessment or audit of their organization. 

Three Key Takeaways

  1. A voluntary monitorship can be reactive proactivity to look at a particular issue.
  2. A voluntary monitorship can be used to test a compliance program.
  3. A voluntary monitorship report can be used in a variety of legal and business manners.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 21, 2017

Another mechanism for continuous improvement of your compliance program is through risk-based monitoring. Under Prong 5 of the DOJ’s Evaluation of Corporate Compliance Programs, is the following topic and question Manifested RisksHow has the company’s risk assessment process accounted for manifested risks? I found this to focus as much on continuous improvement as it did with risk assessment through the emphasis on the risks which established and demonstrated by the organization. In other words, were you monitoring the risk that you have not only identified but also have revealed themselves to your organization. 

I visited with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to consider risk-based monitoring and how it helps to facilitate continuous improvement in a compliance program. Locwin said, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, “We’re trying to anticipate these risks.” By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.” 

The problem for many companies is they are siloed in not only their data but also in the systems. Locwin explained that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited to an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by physicians administering the test. 

Through the use of risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications to the compliance practitioner? Having access to information around sales, the sales process and corporate largess in things from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through the use of such risked-based monitoring a compliance professional would have the opportunity see trends developing which could allow an intervention for a prescriptive solution which could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation. 

Yet Locwin cautioned that compliance professionals should guard against bias. In an article by Locwin, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.” 

In today’s world, the speed at which reputational damage reigns out can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185MM fine was announced. It is through the use of risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales side data. This could be internal company data on its own salesforce and also information developed from or concerning your third-party sales team. 

In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information can be more critical. Yet through the development of these techniques as compliance tools, the compliance profession can add value to an organization through the use of risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detect to prevent to prescriptive compliance solutions to prevent legal violations. 

Finally, the beauty of all these techniques articulated by Locwin is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or in the words of Hui Chen, the former DOJ Compliance Counsel, operationalize compliance. Her intonation to operationalize compliance speaks use of a wide variety of tools to input information so you can continuously improve your compliance program. Risk-based monitoring is certainly one mechanism to obtain information and feed it back into your compliance program in both the prevent and detect prongs.  

Three Key Takeaways 

  1. How do you monitor manifested risks?
  2. A risk-based monitoring approach allows you to see things in almost real-time.
  3. Management of risk can serve your compliance program in a variety of ways. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 18, 2017

Determining effectiveness has been on my mind in large part since the release of the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation). Obviously the new by-word from the Evaluation is operationalization but a key in determining operationalization is determining your compliance program effectiveness. I put that question to Vincent DiCianni, CEO and founder of Affiliated Monitors and Eric Feldman, SVP of Affiliated Monitors recently. 

Feldman began by explaining that you need to consider both outcomes and outputs. Outcomes will show you the results of specific actions, such as investigations and conclusions to them. DiCianni added that the numbers are attractive because they can form a “straight line” about your compliance program is function. Yet DiCianni cautioned the numbers only give you one view of a compliance program. You also need to consider the qualitative side of the equation. 

This is where outputs are equally important as the form the qualitative portion of determining compliance program effectiveness. More importantly you cannot conflate the two. Feldman explained that hotline data is good example, so if your number of hotline reports drops dramatically, the company may well believe their compliance program is effective. However, Feldman cautioned this could be a tenuous conclusion “because just as easily one could conclude that your culture has taken a turn for the worse, that employees are afraid of retaliation, they don't have faith and trust in the anonymity of your hotline system and therefore they're just not reporting, but things are still going on. In fact, there may be more activity going on”. 

Some important consideration are such softer measures as how employees feel about whether the company is committed to a speak-up culture. Feldman noted that by interviewing employees, you can determine if they feel “comfortable going to their managers and if their managers are involved, going to upper level management, Ethics and Compliance Office, or a corporate reporting hotline if and when they see misconduct, or do they mind their own business and look the other way because they're afraid something will happen to them?” The best way to make that determine is through in person interviews.

Another key way to determine if you have any effective compliance program is to see if there is a correlation about what a company says on paper on its vision, mission and values around compliance. Here a key metric is performance incentives, bonuses, promotions and assignments. Feldman explained you must ascertain if the financial packages are based solely on hitting your numbers “or are there elements that balance out the financial measures with ethical measures, integrity measures. For example, is a manager is effectively disseminating the ethics message and building an ethical culture in his or her work group and are they rated on that in a performance appraisal, that should be part of their bonus system.” 

One valuable resource to assist the compliance practitioner in this task is entitled “Measuring Compliance Program Effectiveness: A Resource Guide, and was issued by the Health Care Compliance Association (HCCA) and the Department of Health and Human Services, Office of Inspector General (OIG) in March 2017. Although it was publicly released after the Justice Department Evaluation, it was drafted prior to that documents release and hence did not have the benefit of the DOJ’s thinking on measuring compliance program effectiveness.   

The document is an excellent resource on not only “what to measure” but equally important “how to measure” the seven elements of a compliance program as detailed in the US Sentencing Guidelines. While the focus is towards the health care industry, the concepts are broad enough for any industry or compliance practitioner to use to determine the effectiveness of their compliance program. Did I mention the cost - it is available at no charge on the OIG website. 

Once again, although focused on health care compliance, the Resource Guide is practical for the non-health care compliance professional. Further, it ties into many of the concepts articulated in the Evaluation. For example, in the Evaluation, Prong 2. Senior and Middle Management, the following questions appear under the heading Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?  

In the Evaluation under Prong 3. Autonomy and Resources, the following questions appear under the heading Funding and ResourcesHow have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made? 

These are a just couple of examples of how a compliance professional can begin to think through the questions laid out by the DOJ in its Evaluation. Moreover, by using the Resource Guide, you will be able to more fully determine the operationalization of your compliance program. The stated purpose is to give compliance professionals “as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit its needs.” Yet it is decidedly not a checklist but rather allows any Chief Compliance Officer (CCO) to assess the effectiveness (and operationalization) of their program. 

It also allows the tailoring and measurement of how you manage your company’s risks. As the Resource Guide states, “The frequency of use of any measurement should be based on the organization’s risk areas, size, resources, industry segment, etc. Each organization’s compliance program and effectiveness measurement process will be different.” 

DiCianni concluded by emphasizing the need for both a quantitative and qualitative approach to measuring compliance program effectiveness. Numbers are important but they only tell part of the equation. He stated, “Both are very important, but I think without having consideration of both sides of the equation, I do not will obtain a full understanding of how effective compliance program is in its operation.” 

Three Key Takeaways

  1. You should test your compliance program effectiveness through both a qualitative and quantitative approach.
  2. Bring in an outside party to interview your employees.
  3. The HCCA/OIG Guide is an excellent resource to consider compliance program effectiveness.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 17, 2017

I continue my discussion of continuous improvement using big data in a best practices compliance program, with some thoughts on how to use it going forward. In an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team, featured a chapter by Alistair Croll, entitled “The Feedback Economy which informs today’s discussion. 

Croll believes that big data will allow continuous improvement through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to prevent, detect and remediate in a compliance program is going forward. 

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the Chief Compliance Officer (CCO) or compliance practitioner this means that if your compliance program is able to collect and analyze information better, you can act on that information faster. 

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud. 

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.” 

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signals well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machine learning to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.” 

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many CCOs or compliance practitioners, displaying the data is most difficult because it is not generally in a readable form. To say lawyers are not as proficient as other corporate types in excel or similar tools would be to state the obvious, yet that is about as sophisticated as many practitioners can get. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments. 

Of course having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing decision, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. Once again lawyers are particularly ill suited to consider such information for reasons as diverse as training and temperament. This is yet another reason why compliance has evolved to Compliance 2.0, Compliance 3.0 and beyond. Big data allows you to make a quicker assessment of the impact of measured risks. It advocates “fast, iterative learning.” 

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”. 

The three prongs of any best practices compliance program are prevent, detect and remedy. Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed compliance program. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of continuous improvement, I do not know what does.

Three Key Takeaways

  1. Use big data to continuously improve your compliance program.
  2. The OODA Loop is an excellent way to think about using data to continuously improvement.
  3. Always remember the human (IE., CCO) element.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 16, 2017

In 2015, the Securities and Exchange Commission (SEC) announced resolution of a Foreign Corrupt Practices Act (FCPA) enforcement action involving the Hitachi Ltd (Hitachi). There were several interesting aspects to this enforcement action and plenty of lessons to be learned by the compliance practitioner going forward. This enforcement action also presented one of the clearest cases for keeping track of current events for continuous improvement I have seen. 

Perhaps the most interesting aspect of the Hitachi matter is that it involved bribery of a political party, the African National Congress (ANC). This portion of the enforcement action stands as a stark reminder that political parties are covered by the FCPA just the same as government officials. The FCPA Guidance states: “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof ”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories.” Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories. 

The bribery schemes themselves were notable only for their blantantness. Andrew J. Ceresney, Director of the SEC’s Enforcement Division, said in the SEC Press Release “Hitachi’s lax internal control environment enabled its subsidiary to pay millions of dollars to a politically-connected front company for the ANC to win contracts with the South African government. Hitachi then unlawfully mischaracterized those payments in its books and records as consulting fees and other legitimate payments.” Moreover, according to the Complaint: 

  • Hitachi was aware that Chancellor House Holdings (Pty) Ltd. was a funding vehicle for the ANC during the bidding process. 
  • Hitachi nevertheless continued to partner with Chancellor and encourage the company to use its political influence to help obtain government contracts from Eskom Holdings SOC Ltd., a public utility owned and operated by the South African government.
  • Hitachi paid “success fees” to Chancellor for its exertion of influence during the Eskom tender process pursuant to a separate, unsigned side-arrangement.  

The enforcement action does point up the oft-times difficulty in providing corporate social responsibility and distinguishing it from outright corruption in certain countries. As noted in an article in the Wall Street Journal businesses “operating in South Africa are encouraged to take on black business partners under the ANC’s policy of black economic empowerment (BEE), intended to redress economic imbalances created by apartheid.” Yet, critics claim that there is a “blurred line between business and politics in the awarding of state tenders” in South Africa. However, the ANC front group was charged “only approximately $190, 819 stake which returned to it over $5MM in “dividends” and another $1MM in a “success fee” for contracts to Hitachi worth “about $5.6bn.” 

This case demonstrates the need for a CCO to keep track of current events. It does not mean you must read the biggest newspapers on a daily basis, although that certainly would help. You must rely on your business folks on the ground to keep track in the changes of personnel of joint ventures or other local partnerships. Moreover, there are several automated due diligence services which literally provide daily updates on a wide variety of persons and individuals who might change positions in a government or move from the public sector to the private sector or back.

In many under-developed countries, there is a relatively small group of well-educated technocrats who move back and forth from the government to the private sector and back. They are also often involved in political parties. So today’s private might be tomorrow’s Politically Exposed Person (PEP) or indeed may have been yesterday’s PEP. This requires you to navigate carefully as these are most usually jurisdictions which are high-risk for corruption. 

For the compliance practitioner, the Hitachi SEC enforcement action provides a valuable reminder that the FCPA covers more than foreign government officials and officials of state owned enterprises. Political parties are also covered so that if part of your corporate social responsibility includes payments to political party front groups, your company could get into FCPA hot water. Yet it also means you will need to keep abreast of just who your counter-parties during the entire course of your commercial relationship. This means keeping up with current events is a must and can facilitate continuous improvement.  

Three Key Takeaways

  1. The Hitachi FCPA enforcement action demonstrates the need to keep track of current events for continuous improvement.
  2. Many product and services providers in the compliance space provide ongoing monitoring for PEPs and SDNs.
  3. Make sure your partners are still who they say they are! 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 15, 2017

Another mechanism to facilitate continuous improve comes from ideas around risk assessments. Both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well-articulated need. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it; the FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program. 

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. Of course, this can be a notoriously expense exercise. However, if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination. So using the FCPA Guidance’s no ‘one size fits all’ proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters. 

The idea comes from Jan Farley, the Chief Compliance Officer at Dresser-Rand and he calls it the ‘Desktop Risk Assessment’. I think it is an excellent tool for continuous improvement. Moreover, it is a tool you can employ at little to no cost by you or your compliance team and on an ongoing basis. It is something you can use as often as quarterly, semi-annually or annually. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following: 

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings - Are escalation protocols appropriate?
  • What are the opportunities to improve compliance? 

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities. 

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the areas you can assess. My suggestion is that you try identifying and focusing on core compliance components in your organization. Obviously there are probably a million things you could fix. However, you cannot fix everything, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so. 

If you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Do not forget that the FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you. 

Three Key Takeaways 

  1. As a compliance professional you are only limited by your imagination.
  2. Use the Desktop Risk Assessment to supplement the full Risk Assessment, performed biennially.
  3. You must remediate as appropriate.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 14, 2017

Continuous improvement requires that you not only audit and monitor but also that you test your controls. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. Finally, under Prong 9 of the Evaluation of Corporate Compliance Programs, under the area of Control Testing, it asks the following question: What control testing has the company generally undertaken? Controls testing is key component enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. 

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for continuous improvement. 

As the COSO 2013 Internal Controls Framework provides a roadmap to test your controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing testing and evaluation” program going forward. 

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.”  A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.” 

COSO suggests a four-pronged approach in your testing, which I have adapted for the compliance practitioner. (1) Make an overall test of your company’s controls. This should include an analysis of whether each control is present and functioning and they are operating together in an integrated manner. (2) There should be a control component evaluation to determine if any control deficiency is found you can move to see if there are any compensating controls. (3) Test whether each control furthers the legal or business requirement you are trying to meet and then determine if a deficiency exists, what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis for continued improvement. 

Another way to think through testing could be to consider the controls to affect the principle and would allow internal control deficiencies to be noted along with an initial review of the control failure. The next step would be to roll up the results of the evaluations. Next would be a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall testing allows you to consider if the controls are operating together in an integrated manner. This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could test if your internal controls were up to the new situations or needed adjustment. 

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA 2012 Guidance, this could be deemed a control failure (The Guidance states the following policies should exist: on “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”). 

If there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? COSO suggests that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The key is to document the reasoning of the boundaries and then follow them. 

This Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the FCPA, UK Bribery Act or some other regulation. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the both SOX 404 requirements and the FCPA’s internal controls provisions. Finally, it provides a way to continuously improve your controls.

Three Key Takeaways

  1. Testing of controls helps to provide reasonable assurance of achievement of the entity’s controls.
  2. There are two over-arching requirements for effective controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Tem Hallmarks of an Effective Compliance Program as your guide to test against. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 11, 2017

Today I consider a fraud audit by using data analytics to help detect or prevent bribery and corruption where the primary sales force used by a company are its FCPA and Chinese domestic law, involved China based employees defrauding their company by using false expense reports to create a pot of money to use as a slush fund to pay bribes. Here you can think back to the Eli Lilly FCPA enforcement action from 2012 up to the 2014 GlaxoSmithKline Plc (GSK) problems as examples of where employees used their expense accounts not for personal use but for greater corporate malfeasance.

Joe Oringel, co-Founder and co-Principal of Visual Risk IQ, related case studies where his organization used data analysis to review employee expense reports and how that experience can be used to formulate the same type of fraud analysis for a CCO or compliance practitioner. Also of this can be used as ongoing monitoring to facilitate continuous improvement of your compliance program.  

One common technique fraudsters use is to split larger purchases across multiple smaller transactions, so their organization has designed their data analytics queries to detect such split transactions. An example might be where procurement cards (P-cards) are used for certain low dollar-value expenses. If a company has a procurement card limit for employees in their organization, which is $3,000 for a single transaction and $10,000 in aggregate spend for a single month; it would want to identify any use of P-cards for larger dollar transactions used for inappropriate or illegal purchases.

Contrast this with the problem of split payments. This is the situation where a single invoice is divided and the full amount of the payment is made in two or more simultaneous transactions, all done by different types of internal corporate payments. The key is to understand where the invoices are coming from and if only one vendor or supplier, investigate who is splitting the payments and why.       

Another area to focus on using data analytics is gift, travel and entertainment (GTE), to identify out-of-policy expense reports and out-of-compliance expenses. Here the biggest issue is “double dipping”. This means an expense is recorded once on a T&E report and then a second time on another expense report or a P-card charge or other type of expense. These are examples that can be uncovered with data with analytics and from there you can move to determine if they might be an intentional, as opposed to an unintentional, mistake.

In the case of double dipping, a key is to look for the same airfare or hotel or meals, perhaps being reported on multiple employees’ T&E expense reports. An example might be where an employee takes another employee out for a business meal; they pay for the meal on one expense report. Then separately a coworker records the meal, same day, same city, and claims that employee as one of their attendees. We find these sorts of situations with our analytics, and these are clear examples of suspicious transactions that ought to be discussed with both employees”

Other examples of double dipping include duplicate transactions between meals and per diem allowances, or mileage and company vehicles or rental cars. These are all things that can be identified with data analytics that are very difficult for an individual approver to see on a single expense report. The reason is that when you are tasked with approving an employee’s expense report, the reviewer most often has single report in front of themselves for review. This makes it difficult to recall who would have submitted a report one or two months ago, and it’s very possible that somebody submitted an airplane ticket when the ticket was purchased, and then six weeks later when they took the trip, that air expense could be reported a second time.  

This same issue could arise with P-card purchases if you have an approver considering a single $2,500 purchase who approves that purchase on Monday and then again on Friday. Yet had those two transactions been on the same day, more than the employee’s spending limit, the approver might not have approved both, but because they were submitted on different dates, it may well appear to the approver they were two separate transactions. With data analytics, you can aggregate those multiple trip or P-card reports into a single report, to help a reviewer or an approver determine whether the transactions meet employees’ policies, both individually and in the aggregate.

This double dipping technique led to two anti-bribery compliance enforcement actions. One in the US involving Eli Lily and a second in China involving the US pharmaceutical entity GSK. So the risk is real and by using ongoing data monitoring you might not only get ahead of the legal violation but you would have a much more efficient business process going forward.

Three Key Takeaways

  1. The typical fraud audit will get down into the weeds with data analytics.
  2. Split dollar expenses are key metric.
  3. Double-dipping can lead to larger problems.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 10, 2017

What is organizational culture? Eric Feldman, SVP at Affiliated Monitors has said it comprises the mission, vision and values of an organization. A similar way to consider it might be as a company’s values, visions, norms and beliefs. Whichever way you define it or look at it, corporate culture affects how groups within a company interact with each other. A key inquiry is whether the corporate incentive structure supports the articulated beliefs of a company. How does one measure or audit these articulations?

Jose Tabuena in an article entitled, “Can You Audit Corporate Culture” said that  “an important feature of a good culture is that the majority of employees can be positively influenced by values and environments that reinforce strong company values. Such a climate arises when the workforce believes that certain forms of ethical reasoning and behavior are expected norms for decision making. The ethical climate of an organization serves many useful functions in organizations. It helps employees identify ethical issues and address those issues by giving answers to “What should I do?” when faced with an ethical dilemma.” The oft-used corporate tactic to blame the ubiquitous ‘rogue employee’ is an “attempt to deny the flaws in the system and the culture that spawned the bad acts in the first place.”

Some of the techniques for measurement include employee interviews, focus groups and employee surveys to measure corporate culture. This is because through “identifying cultural strengths and areas needing improvement, a cultural assessment can guide the creation of communications plans and culture-building initiatives that are tailored to the company's needs. In many cases, an effective strategy may be to target weak spots while simultaneously anchoring the overall message to positive values already strongly shared across the organization.” It is important to understand that corporate culture will not be uniform across geographies, functional areas or operating systems. But this can be useful in comparing the results.

Feldman noted some of the key areas of concern in a culture audit are the following

Operation Stresses. These can greatly influence a company's culture, making it periodically necessary to determine whether the company is on track. If your CEO says that your only goal is the make your numbers, that is an operation stress to hit the target goal and the implicit message is that you must do so by any means possible. Internal audits and other forms of evaluation and measurement allow for course correction and reinforcement as needed.

Retaliation. There is nothing more toxic in the workplace than the fear of raising your hand to report an issue and facing retaliation. It is also a harbinger of other negative cultural factors such as specific or even general distrust of management. Here you should consider whether employees are willing to address matters with their immediate supervisor or to use the compliance hotline and what would happen if they reported misconduct can be meaningful. An even better approach would be to measure a company on how issues are reported and ultimately addressed. A final test is the work place promotion and incentive history of internal whistleblowers going forward in the employment tenure with the organization.

Compensation and Incentives. Basically, does the compensation scheme and promotion to management consider compliance as a key indicia as employee promotion, compensation and incentive programs can convey positive cultural messages. Consider that Wal-Mart, after it began its years-long FCPA investigation in 2012, began basing a portion of compensation for top executives on the company's ability to meet compliance goals. If executives do not meet their compliance objectives, they risk having their annual bonuses reduced. Therefore, one measure to incentivizing compliance is the degree to which ethical business practices have been factored into executive-level performance evaluations and/or compensation criteria. This can be leveraged down into the organization as well.

Senior Management Tone. You should question employee turnover and retention such for information. Through employee interviews, he believes that one can ascertain whether the turnover rate is attributed to organizational transition or stress stemming from management's philosophy and operating style, which might include such things as inappropriate compensation packages, unreasonable sales goals, requirements, etc.

HR Employee Lifecycle. It is important that a company actively recruit new hires based on its mission, vision and values of an organization and reinforce these when people join the company. All of this can be done through a rigorous hiring process, which incorporates a company’s ethical values into the process. But it does not stop at the hiring and onboarding process. It should occur during every Human Resources touchpoint in the employee lifecycle, during reviews and evaluations, consideration for promotion and even at departure. You will need to review the records of employees who have had poor compliance evaluations in the past years and determine whether those employees had appropriate qualifications relative to their job descriptions. The review should be performed with an eye toward ascertaining whether the company's hiring and promotion practices appropriately noted compliance qualifications, skill set, and delegated authority to their formal position and job description.

Companies must have a high-performance corporate culture for doing business ethically. One of the ways to do so is through the culture audit. It can also be a powerful tool for continuous improvement going forward. Find out what your employees are saying about your corporate mission, vision and values and most importantly remediate if those mission, vision and values are found wanting.  

Three Key Takeaways

  1. What are the mission, vision and values of a company?
  2. What are the compensation incentives in the culture?
  3. Always be closing? 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 9, 2017

In my last corporate position, my company was at the cutting edge because we required compliance related audits for vendors in the supply chain. This was cutting edge in 2007-08. However, now an audit for adherence to compliance requirements has become a standard best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA), in the 2012 FCPA Guidance, the Department of Justice (DOJ) and most recently in the Evaluation of Corporate Compliance Programs; made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of its suppliers to ensure compliance. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I find this to be a missed opportunity from both the compliance perspective and greater business efficiency. 

Initially it should be noted that a company must obtain the right to audit for compliance in its contract with any third-party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following: 

The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company. 

In Industrial Engineer Magazine, in an article entitled, “Dynamic Changes” authors Tariq Aldowaisan and Elaf Ashkanani discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of a FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors, which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. More simply, the action steps for the process can be described as one to (1) capture the data; (2) analyze the data; and (3) report on the data. 

There is no one specific list of transactions or other items which should be audited, however some of the audit best practices would suggest the following: 

  • Review of contracts with supply chain vendors to confirm that the appropriate compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third-party vendor.
  • Review compliance training program; both the substance of the program and attendance records.
  • Does the third-party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained. Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third-party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third-party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third-party vendor’s compliance program designed to identify risks and what has been the result of any so identified.
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third-party vendor.
  • Regarding any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

This list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties. Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit and a thorough and complete work plan should be created based upon all these professional inputs. After an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the compliance program and recommendations for improvements. Any reported incidents of non-compliance should reference the basis of any incidents of non-compliance such as contractual clauses, legal requirement or company policies.

Three Key Takeaways

  1. Is your supply chain vendor committed to the audit process?
  2. Capture the data, analyze the data, report on the data.
  3. Supply Chain audits are no longer cutting edge but are now simply best practices.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 7, 2017

Today I visit with Timur Khasanov-Batirov. Tim is a compliance practitioner with focus at high-risk markets and author of practical guide “Integrity Corp. 50 Tips for Your Compliance Program in the Post-Soviet States.  Timur has worked in compliance, legal, consulting, and corporate governance roles in Russia, Uzbekistan, the United States, Kazakhstan, and Ukraine.  He has successfully launched and supervised execution of compliance programs for global and local businesses in the mining, energy, and pharmaceutical industries.

Tim has also recently released the first two installments of Compliance Man the first graphic novel of a compliance practitioner. You can find out more about Tim on his firm’s website, Complianceinpostussr.com.

We look at the former Soviet Union states, one of the most interesting region for Compliance professionals. we will touch 10 hot questions on corporate ethics in this region. Tim answers the following questions

1: Can we define this region as a single territory for the Compliance program structuring?

2: What regulatory trends should be taken in consideration by compliance practitioners in charge of this geography?

3: What is the biggest challenge in embedding corporate Compliance program in this region?

4:  Do you have any practical recommendations as to “dissemination of integrity” among personnel locally?  

5: Is it legally permissible to deploy our FCPA/UKBA programs in the countries of the region?

6: What is the most effective way to deliver training in this part of the world?

7: If there are any important things to remember when imposing penalties for misconduct on local personnel?

8: Do people on the ground appreciate compliance & ethics efforts?

 

Aug 4, 2017

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for continuous controls monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, controls monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to controls monitoring, they may not be as aware of how to engage in the process. Put another way, how do you develop a methodology for building a controls monitoring process that yields sustainable, repeatable results? 

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained that their firm has a five-step process. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain. 

Brainstorm 

Under this step, the controls monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the controls monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session. 

Acquire and Map Data 

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple controls processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International - Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third-party controls. All data should initially be secured and then transmitted to the controls monitoring tool. Of course, you need to take care that your controls monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries 

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the controls monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following: 

  • Business courtesies provided to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments. 

Analyze and Report 

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions. 

Refine and Sustain 

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient controls, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.   

If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of controls monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking. 

Three Key Takeaways

  1. Create a process to monitor your controls.
  2. Use a compliance subject matter expert to work with your internal controls specialist to develop queries from the compliance perspective.
  3. Finally, do not forget the feedback loop nature of the process by integrating your results going forward. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 3, 2017

Next I consider how the Internal Audit (IA) function can be used to facilitate more effective continuous improvement.  According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are to maintain its independence; to conduct auditing activity of awareness and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow up of recommendations made in IA reports, including those relating to compliance and ethics risks, including to track and report on management follow up; assist and collaborate on internal investigations, including having IA provide audit expertise in dealing with internal controls and financial data; assist in both design and auditing of internal controls and follow up as required. Clearly this is function which is and should be integrated into compliance.                                                             

IA is doing compliance all the time as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether the employees are aware of standards of business conduct; whether they aware of the anti-corruption policies; what controls are in place; and whether they are effective in the implementation locally. 

It should be apparent there are numerous benefits to compliance having a closer and more robust integration with IA. Some of the more obvious ones include some of the topics I have previously explored this week such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issue, broad awareness of compliance risks as they relate to the process or audit issues, an overall strengthening of the IA network throughout the company. Another area is through the leveraging of joint vendor resources that would be available to both, such as professional development, forensic accounting and other professional consultants, having ethics and compliance insights when recommending or making recommendations that are derived from internal audits. 

One area which IA brings insight to that is critical to compliance but not well understood by compliance practitioners, particularly those with a legal background, is in internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4 asks the following, “GatekeepersHas there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?” 

When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. By doing so, it allows compliance to impart the need to determine how the internal controls, their design and effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA so an audit plan is as strong as possible given the time and resources available to pursue the audit.

From the compliance aspects, IA is really kind of the watchdog or monitoring facility for the entire company. This dovetails explicitly into this ‘gatekeeper’ function. Additionally, and depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist to operationalize compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various legal requirements or compliance requirements. I have certainly seen numerous instances where internal audit in doing a country audit in a country in Europe, would make some of the following inquiries: "Are these people aware of standards of business conduct? Are they aware of the anti-corruption policies; and What controls are in place and are those effective in the implementation locally?"” Depending on the answers to these audit inquiries, compliance or better yet, compliance in conjunction with audit and HR could develop a remediation plan.           

With such integration both groups benefit. IA can perform stronger investigations around to enterprise risks and internal controls issues, through a broader awareness of compliance risks which might occur related to audit issues or audit processes.  Such integration can work to strengthen IA's network throughout company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants and provide additional compliance insights when making recommendations following internal audits. 

For its part, the compliance function can leverage IA resources and professionals, on audit techniques and analysis of internal controls. Equally such integration extends the corporate compliance influence through the company’s IA network using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits so compliance is more fully able to participate in recommendations and follow up. 

Three Key Takeaways

  1. Internal audit can be used to provide continuous improvement to and for compliance.
  2. Internal audit can also fill a gatekeeper role in your compliance regime.
  3. Compliance should leverage IA resources and professionals, on audit techniques and analysis of internal controls. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 2, 2017

In the Evaluation of Corporate Compliance Programs under the section entitled, “Continuous Improvement, Periodic Testing and Review” it stated, “Internal AuditWhat types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?” 

Interestingly, Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed, audits are specifically delineated in the 2012 FCPA Guidance to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical for a compliance audit to have a chance for success: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. 

Auditing can take several different forms in an anti-compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls. 

In addition to the collection and analysis of evidence, an auditor's objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company's management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted. 

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place you must actually do the work going forward. 

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties below are some of the areas you may wish to consider reviewing: 

  • Contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review the compliance training program for any third party; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing. 

Auditing is a more limited review that targets a specific business component, region or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Three Key Takeaways

  1. Auditing takes a deep dive into your high-risk compliance areas.
  2. Internal audit should test your key FCPA risk areas as a part of their regular auditor rotation.
  3. The findings uncovered in an audit must be used in your compliance regime going forward. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 31, 2017

I conclude this one month series by considering the recently concluded Securities and Exchange Commission (SEC) resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company. I wanted to continue to explore the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management over-ride of internal controls. 

In a Cease and Desist Order which also covered former employee Jeannot Lorenz, the SEC spelled out a bribery scheme facilitated by both a failure and over-ride of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise. 

According the SEC Press Release, this matter initially began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period. 

However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses in order to satisfy content requirements.” The prior work Halliburton had on local content was deemed insufficient and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a potential threat to veto further work by Halliburton for Sonangol. It was under this backdrop that the local business team moved forward with a lengthy effort to retain a local Angolan company (Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton. 

In each of these attempts, the company bumped up against its own internal controls around third parties, both on the sales side and through the supply chain. The first attempt to hire the Angolan agent was as a third-party sales agent, which under Halliburton parlance is called a “commercial agent”. In this initial attempt, the internal control held as the business folks abandoned their efforts to contract with the Angolan agent. 

The first attempt to hire the Angolan agent was rejected because the local Business Development (BD) team wanted to pay a percentage fee based, in part, upon work previously secured under the 2008 contract and not new work going forward. Additional fees would be paid on new business secured under the 2009 contract. This payment scheme for the Angolan agent was rejected as the company generally paid commercial agents for work they helped obtain and not work secured in the past. Further, the company was not seeking to increase its commercial agents during this time frame (Halliburton had entered into a Deferred Prosecution Agreement (DPA) for FCPA violations in December 2008 for the actions of its subsidiary KBR in Nigeria).

Finally, “As outlined by Halliburton’s legal department, to retain the local Angolan company as a commercial agent, it would be required to undergo a lengthy due diligence and review process that included retaining outside U.S. legal counsel experienced in FCPA compliance to conduct interviews. Halliburton’s in-house counsel noted that “[t]his is undoubtedly a tortuous, painful administrative process, but given our company’s recent US Department of Justice/SEC settlement, the board of directors has mandated this high level of review.”” In other words, the internal controls held and were not circumvented or over-ridden.

The Angolan agent was then moved from commercial agent status to that of a supplier so the approval process would be easier. The proposed reason for this switch in designations was that the Angolan agent would provide “real estate maintenance, travel and ground transportation services” to the company in Angola. However, the internal controls process around using a supplier also had rigor as they required a competitive bidding process which would take several months to complete. Over-riding this internal control, the local business team was able to contract with the Angolan agent for these services in September 2009 and increase the contract price, all without the Angolan agent going through the procurement internal controls. 

A second internal control which was over-ridden was the procurement requirement that the supplier procurement process begin with “an assessment of the critically or risk of a material or services”; not with a particular supplier and certainly not without “competitive bids or providing an adequate single source justification.” However, as the Order noted, the process was taken backwards, with the Angolan agent selected and then “backed into a list of services it could provide.” Finally, there was a separate internal control that required “contracts over $10,000 in countries with a high risk of corruption, such as Angola, to be reviewed and approved by a Tender Review Committee.” Inexplicably this internal control was also circumvented or over-ridden.   

Yet this arrangement was not deemed sufficient local content by Sonangol officials. After all of this and further negotiations, Halliburton entered into another agreement with the Angolan agent, where the company would lease commercial and residential real estate and then sublease the properties back to Halliburton at a substantial markup, and also provide real estate transaction management consulting services (the “Real Estate” contract).

This Real Estate contract also had to go through an internal control process. Initially, there were questions by the company about the Real Estate contract as a single source for the procurement function, the upfront payment terms to the Angolan agent, the high costs, and the rationale for entering into subleases for properties that would cost less if leased directly from the landlord. Indeed, “One Finance & Accounting reviewer at headquarters noted that he could not think of any legitimate reason to pay the local Angolan company over $13 million under the Real Estate Transaction Management Agreement and that it would not have cost that much to run Halliburton’s entire real estate department in Angola.” 

Halliburton internal controls required that when a single source was used by the company it had to be justified. This justification would require a showing of preference for quality, technical, execution or other reasons, none of which were demonstrated by the Angolan agent. Finally, if such a single source was used, the reasons had to be documented or in Halliburton’s internal controls language “identified and justified”. None were documented by the company. 

Finally, as the internal controls were either circumvented or over-ridden; “As a consequence, internal audit was kept in the dark about the transactions and its late 2010 yearly review did not examine them.” This was yet another internal control failure but was built on the previous failures noted above. 

So how many internal controls failures can you spot? Whatever the number, the lesson for the compliance practitioner is that you must do more than have internal controls. They must be followed and be effective. If you are doing business in high risk regions, you have to test the controls and then back up your testing by seeing if payments are being made in those regions. Perhaps the best concept would simply be Reaganian, trust but verify.  

Three Key Takeaways

  1. Internal controls must be shown to be effective.
  2. Circumvention and management over-ride of internal controls must be documented to pass muster.
  3. Internal controls must be tested and that testing verified with an independent source of investigation.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

1 « Previous 8 9 10 11 12 13 14 Next » 19