Data Analysis 4I continue my exploration of the use of data analytics in a best practices compliance program. Today we look at how data analytics can be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third parties. A vast majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party to conduit the payment of a bribe) has lessened in recent years, there are related data analysis that can be performed to ascertain whether a third party is likely performing legitimate services for your company and is not a sham.

I asked Joe Oringel, co-founder and Managing Director of Visual Risk IQ, how data analysis might help a Chief Compliance Officer (CCO) or compliance practitioner detect such conduct and also move toward preventing such conduct in the future. Oringel described different case studies from his organization’s clients where they used data analysis on accounts payable invoices and how that experience can be used to formulate similar data analysis for a CCO or compliance practitioner. There are a number of more complex analytics that can be run in combination to identify suspicious third parties, and some of the simplest can be to look for duplicate or erroneous payments.

Oringel said that a key to moving from detection to prevention is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at a time for errors or overpayment. Changing this from a one-time annual or biannual event to something that is done daily or weekly dramatically changes the value of such internal controls. This more frequent, preventative analysis is integral to the foundation of how Visual Risk IQ works with many of its clients. While the company does perform periodic look-back audits, it also works with technology to accomplish the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.

Oringel provided several client examples where duplicate invoices had been submitted but were not immediately caught. In one instance, Invoice No. 0000878-IN, was paid for $1,617.95. Thirty days later the same vendor re-submitted the same invoice due to non-payment, but it was recorded without the hyphen and was not detected by the system of controls. The problem was that it was the same invoice with slightly different writing on the face of it, and both were scanned into the company’s imaging system and queued for payment. The Visual Risk IQ’s team used data analysis to locate such overpayments, and to identify that the second payment should not be made because it is a match of one that had been previously approved.

In another example, Oringel detailed a query which a compliance practitioner could compare using vendor name and other identifying information, for example address, country, data from a watch list such as Politically Exposed Persons (PEP) or Specially Designated National (SDN), to names and other identifying information on your vendor file. He gave an example where a duplicate payment of more than $75,000 was made. One payment in that amount was made to a law firm named ‘Kilpatrick Stockton’ and the second was made to a different vendor, the law firm ‘Kilpatrick Townsend’. Oringel and his team recognizing that these were related entities, even though they had been established as different vendors in the vendor master. Because of the amount and the date were similar enough as detected by data analysis, the invoices warranted a human inspection.

Oringel said such an inquiry could also be used to test in other ways. He posed the example if a “vendor has the same surname as a vendor on the specially designated national terrorist list, or a politically exposed person. They share the same name as an elected official down in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe that is a politically exposed person in that country? It is only upon closer inspection where you can determine that the middle names are different and the ages are different, one of has an address is Brasilia and the other is in Sao Paolo.” He noted that until you inspect the other demographic information about your vendors, consultants or third parties and compare them to watch list individuals, you just do not know. That is what data analytics is designed to do, is to help you go from tens of thousands of “maybes” to a very small number of potential issues which need to researched individually.

One of the important functions of any best practices compliance program is to not only follow the money but try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, he has seen data analytics uncover overcharges and fraudulent billings. Oringel said that continual transaction monitoring and data analysis can prove its value through more frequent review, including the Hawthorne effect which states that individuals tend to perform better when they know they are being monitored.

Oringel emphasized that the techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments “not only by day or by month, but also by vendor or even by employee who may have keyed the invoices” into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. Oringel stated, “That’s the value of analytics. Analytics allows us to sort and resort, combine and aggregate, so that patterns can be investigated more fully.”

This final concept, of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well by allowing you to partner the information on third parties who might come into your company where there was no proper compliance vetting. Such capabilities are clearly where you need to be heading.

Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Data Analysis 3I continue my exploration of the use of data analytics in a best practices compliance program. Today we look at how data analytics can be used to help detect or prevent bribery and corruption where the primary sales force used by a company are its own employees. Several significant corruption actions in China, involving both the Foreign Corrupt Practices Act (FCPA) and Chinese domestic law, involved China based employees defrauding their company by using false expense reports to create a pot of money to use as a slush fund to pay bribes. Here you can think back to the Eli Lilly FCPA enforcement action from 2012 up to the 2014 GlaxoSmithKline Plc (GSK) problems as examples of where employees used their expense accounts not for personal use but for greater corporate malfeasance.

I asked Joe Oringel, co-Founder and co-Principal of Visual Risk IQ, how data analysis might help a Chief Compliance Officer (CCO) or compliance practitioner detect such conduct, and also move towards helping prevent such conduct in the future. Oringel related case studies from his organization where they used data analysis to review employee expense reports and how that experience can be used to formulate the same type of data analysis for a CCO or compliance practitioner.

As discussed earlier in this series, Visual Risk IQ recommends by beginning with brainstorming. This step includes understanding an organization’s Procurement and Travel & Expense policies, and asking questions about how those policies can be circumvented. One common technique that takes place is to split larger purchases across multiple smaller transactions, so their organization has designed their data analytics queries to detect such split transactions.

In the example we discussed, Visual Risk IQ’s client uses procurement cards (P-cards) for certain low dollar-value expenses. The Company has a procurement card limit for most employees in their organization, which is $3,000 for a single transaction and $10,000 in aggregate spend for a single month. The Company wanted to identify any use of P-cards for larger dollar transactions that may have required capitalization as fixed assets, in addition to identifying inappropriate or personal purchases. Through the use of data analytics, Oringel shared how his team identified the purchase of a $9,500 computer system, but that an employee had split the purchase into multiple invoices across multiple days using one invoice per day from the same computer vendor. The transactions looked like these listed below:

Date Purchase Vendor Amount
Monday Computer XYZ Computers $2,800
Tuesday Monitor XYZ Computers $2,400
Wednesday Printer XYZ Computers $1,800
Thursday Software XYZ Computers $1,500
Friday XYZ Computers $1,000
Total $9,500

In total, the five transactions easily circumvented the organization’s $3,000 single transaction limit and their capital expense limit as well. The single computer system purchase was with the same merchant but split across multiple days and invoices. Clearly this series of transactions was a problem.

Oringel contrasted the above example with a similar issue they identified related to split transactions. The organization had an employee who was responsible for maintaining and scheduling a fleet of over 100 vehicles. One of the responsibilities was paying various bills related to the vehicles, including the State Department of Motor Vehicles, and the taxes billed individually per car. Visual Risk IQ wrote queries, similar to those that identified the inappropriate computer system purchases, and identified this employee as one who routinely exceeded the P-Card’s single transaction limit with the same vendor when multiple transactions in a month were evaluated together.

Their split limit query identified that this employee often completed multiple transactions with the same vendor, the State Department of Motor Vehicles, on the same day. However the “aha!” moment was quite different than the employee splitting transactions to purchase items above her limit in violation of the company policy. Here Visual Risk IQ’s data analysis demonstrated that those transactions were not fraudulent, improper or inappropriate, rather, the employee’s spending limit needed to be raised because the card was being used as intended, and this employee had more spending responsibilities than most others in the organization. There were benefits to paying the tax bill via P-Card, but the organization had set her spending limit before vehicles were managed centrally, so with the larger fleet and central management of vehicles, the organization needed to raise her spending limit specifically for that vendor. For other transactions, she would have the same transaction limits as other employees, but because her responsibilities involved registering so many vehicles, Visual Risk IQ recommended that the root cause be remediated by changing some of the controls in place.

Another area that Oringel and Visual Risk IQ have focused on is travel and entertainment (T&E). Oringel advocates using analytics to identify out-of-policy expense reports and out-of-compliance expenses. This is achieved by using similar logic, as noted above, for accounts payable and when used on employee expense accounts Oringel said that it is often called “double dipping”. This means an expense is recorded once on a T&E report and then a second time on another expense report or a P-card charge or other type of expense. These are examples that can be uncovered with data with analytics and from there you can move to determine if they might be an intentional, as opposed to an unintentional, mistake.

In the case of double dipping, Oringel said a key is to look for the same airfare or hotel or meals, perhaps being reported on multiple employees’ T&E expense reports. He gave the following example, “An employee takes another employee out for a business meal; and they pay for the meal on one expense report, all while, at the same time, the coworker records the meal, same day, same city, and claims that employee as one of their attendees. We find these sorts of situations with our analytics, and these are clear examples of suspicious transactions that ought to be discussed with both employees”

Other examples of double dipping include duplicate transactions between meals and per diem allowances, or mileage and company vehicles or rental cars. Oringel noted those are all things that can be identified with data analytics that are very difficult for an individual approver to see on a single expense report. He cautioned it is not that the approver is not doing a good or prudent job, “but typically, when you’re tasked with approving an employee’s expense report, what we have is just their single report in front of us. It’s difficult to recall who would have submitted a report one or two months ago, and it’s very possible that somebody submitted an airplane ticket when the ticket was purchased, and then six weeks later when they took the trip, that air expense could be reported a second time.”

Oringel said the same issue could arise with P-card purchases if you have an approver considering a single $2,500 purchase who approves that purchase on Monday and then again on Friday. Yet had those two transactions been on the same day, in excess of the employee’s spending limit, the approver might not have approved both of them, but because they were submitted on different dates, it may well appear to the approver they were two separate transactions. With data analytics, Oringel and Visual Risk IQ is able to aggregate those multiple trip or P-card reports into a single screen or report, to help a reviewer or an approver determine whether the transactions meet employees’ policies, both individually and in the aggregate.

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
 
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Data Analysis Quick Start MethodologyToday, I continue my exploration of data analysis with Joe Oringel, co-founder and Managing Director of Visual Risk IQ, a consulting firm that helps audit and compliance people see and understand their data. Today, we look at how to set up a data analysis program and how to use it to help monitor for a compliance program.

I asked Oringel how he helps clients think through a project that involves data analytics. As a lawyer, I was intimidated by the issues of not only how to get the data but how to use it going forward. Oringel then laid out their firm’s five-step process and said that for any Visual Risk IQ analytics project, the steps are: (1) Brainstorming, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Step 1 – Brainstorming

It all begins with Step 1, brainstorming. Any data analysis project in a compliance setting, or any business context, begins by picking the business questions to answer with data. So in an initial meeting, Visual Risk IQ’s team might ask one or more of the following opening questions: What do we expect to find if we do a detailed review of this data? What policies should have been followed? What would a mistake or even fraud look like? The data to be reviewed could be expense reports, accounts payable invoices, or sales contracts. The key to successful brainstorming is to identify the questions you want to ask and answer, and then identify the digital data sources that can best answer these questions. This process should be iterative, with questions being refined based on the available sources of digital data. This brainstorming process that Oringel and his team uses is central to their work with helping clients to develop queries specific to their organization.

Step 2 – Acquire and Map the Data

Acquiring and mapping data can be a technical step, but most modern software can create files that can be easily read by basic data analysis software, such as Microsoft Excel, as well as more advanced tools. Mapping data is simply identifying, naming, and categorizing the data fields (e.g. text, dates, numbers) so that the software tool can best interpret the data for analysis. Many data sources are internal (e.g. sales or expense transactions) but increasingly external sources from vendors and business partners are used too. Even the US Government is an occasional data source for analytics, as various Federal Departments publish watch lists of debarred individuals and companies.

Once the data is loaded into the analysis tool, control totals should be compared to source systems for completeness and accuracy. Oringel recommends comparing record counts, grand totals, and even selected balances for a sample of records to make sure that nothing was lost in translation into the data analysis tool. Once data is confirmed to be complete and accurately loaded and mapped into the analysis tool, then the real fun can begin.

Step 3 – Writing the Queries

Oringel identified Step 3 as writing the queries. Though it can be valuable to double-check the accuracy of reports that are provided from existing internal and external systems, Oringel recommends using data analysis to answer questions that are not readily reported from internal systems. Often comparing data across multiple data files can yield the most interesting results.

While writing queries surely sounds technical, it can be quite simple. Sorting data from oldest to newest or biggest to smallest is often only a few clicks of the mouse. Once sorted by several different columns, business insights can be quick. Writing queries is simply writing the business questions you laid out in the brainstorming session, and using software in a way that makes it easy to understand the answers.

A simple example would be “Show me any purchasing transaction that didn’t have the proper pre-approval.” This answer can be identified by comparing the dates between purchase orders and invoices, and then looking for any vendor invoice date that is prior to the purchase order date. Other query techniques are similarly simple, yet effective.

Step 4 – Analyze and Report Results

Oringel said that Step 4 is to analyze and report the results. I have wondered how a compliance practitioner would be able to not only view but then use such information. He said that Visual Risk IQ’s tagline comes from this notion. “See. Analyze. Act.” has been a part of their firm since 2006. By summarizing results in a way that measure something important, an action step becomes apparent. In the example above, if a vendor’s invoice date pre-dated its purchase order then the action step is to understand if the date it was received may be later than the date on the document itself. Perhaps the vendor has backdated that invoice in hopes of earlier payment, instead of our purchase order having been created after the fact to cover up the lack of required pre-approval.

Oringel recommends summarizing the results of data analysis into visual form, for example by showing color, size, and location in a graph, so that the compliance practioner can understand what has happened, quickly see the data and conclude whether the picture supports a decision of whether the transaction was or was not compliant.

  Step 5 – Refine and Sustain

That brings us to Step 5, which Oringel identified as refine and sustain. Part of this step is about about fixing the root cause of any problem identified through data analysis. I certainly believe one of the key functions for any compliance practitioner, and one of the first things you should do, is to make sure any violations of your policies and procedures do not move to an illegal conduct stage.

Yet there are other remedial steps that Oringel believes are critical at this stage. He said that when a condition or transaction is identified as being a potential issue, documenting the next action step and ensuring its proper completion is important. If an employee incorrectly submitted a personal or duplicate expense (e.g. they claimed $20 for a lunch yet they were listed as having attended a lunch paid by someone else on the same day) and they were reimbursed for a personal expense on a travel expense trip report, then the organization should ask for reimbursement of that expense and ensure thorough follow-up.

Consistent action when these circumstances arise is important. Seeking and obtaining reimbursement for improper expenses should not be based on whether the employee is an officer or a manager or an individual contributor, or even the amount of the error.

I turn briefly to the COSO Framework, which was updated in 2013 and became much more prescriptive with respect to the elements of an effective internal control program. There are five objectives under the COSO Framework and the fifth and final objective is monitoring activities. Monitoring activities are those that management should perform to ensure that the control environment, risk assessment, control activities, information and communication layers have been affected.

The only way that I know to make sure that the principles of effective internal controls have been followed are to do some monitoring. Oringel turned to one of his favorite subjects for an analogy, how his children are performing in school. He believes that he and his wife have set a robust “tone-at-the-top” around the importance of attendance, homework and strong academic performance and that they provide some direction for the children about what is important in terms of their results at school. There are some control activities that he can utilize in terms of reviewing their schedule, homework, how much time they spend studying versus playing video games, but the best technique to make sure they are getting the outcomes that they want for them academically is to do some monitoring and an evaluation of their performance.

A way to do that is to monitor their academic performance through the application, in his hometown called “PowerSchool.” It allows the parents and the students, together or separately, to log on and to answer the questions, “Was the homework assignment turned in?”; “What was the grade on the homework assignment?”; “Was the most recent grade better or worse than last time?”; Oringel said, “We use PowerSchool as a data-driven monitoring tool to make sure that our kids are performing in school the way that we want them to.”

Tomorrow we begin to consider some case studies from projects Oringel and Visual Risk IQ have engaged in and how they demonstrate the use of data analysis in an anti-corruption compliance program.

——————————————————————————————————————————————————————————————————————————————————————————————————

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Data Analysis 1This week I will begin a five-series exploring data analysis and how it can be used by the Chief Compliance Officer (CCO) or compliance practitioner to support a best practices compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance regime. My partner in this exploration is Joe Oringel, a co-founder and Managing Director at Visual Risk IQ, a data analytics services firm, who I interviewed for this series.

Today, we will focus the basics of data analysis and how it differs from other forms of data testing such as sampling and inspection of documents. Next I will consider how to think through the use of data analysis and the COSO Framework. Then I will explore some of the ways Oringel and his team have used data analytics to assist companies in ways that are analogous to FCPA based compliance programs. Additionally Oringel and I recorded a three-podcast series where we explored these issues in an interactive format. If you check out the podcasts you will be eligible to receive an additional White Paper, at no cost, on the complete series and topic.

Being a recovering trial lawyer, I began with the basics, which is: what are data analytics and data analysis? Oringel kept it simple, saying that it’s merely using data to answer questions. He noted that such analysis predates computers since Sherlock Holmes became well known for using deductive reasoning to make determinations from data based evidence. In the 21st century business world, the best evidence that we have as to whether something took place or not is most often digital evidence. Oringel pointed to a variety of authoritative digital data sources, which intone that modern data analysis is a process of inspecting, cleansing, transforming, and modeling data with the goals of highlighting useful information and supporting our decision-making, so data analysis is answering a question with data.

Oringel next pointed to another set of definitions for data analysis, which derived from Thomas Davenport, who is a well-known academic and author who teaches at Babson College. Davenport incorporates the notion of time to categorize data analytics as answering certain questions about either the past, the present or even the future. Incorporating time into analytics focuses these efforts so you can build repeatable patterns into the questions that should be asked and answered.

Oringel, who has both academic and professional training as an internal auditor, said that external financial auditors, like the Big Four, usually focus on answering the question, “What has happened?” This is really a focus on historical transactions, looking backwards and looking at the reporting of transactions, for example what was recorded in the books and records of the company? How was the transaction recorded? Why was the transaction recorded a certain way?

I next turn to the difference between data analysis and traditional internal auditing or sampling. Oringel believes this is the most significant change in technology in the last 25 to 30 years due to the advent of the personal computer and the associated spreadsheets and database softwares that allow auditors to make their conclusions with data, and to have those conclusions not be based on a sample of data, but, rather, on analyzing the population of data. He said “In the late 1980’s, early 1990’s, the predominant technique that internal auditors used was sampling. If an audit was designed to vouch fixed assets, auditors would pick a sample of 25 or more fixed assets; re-compute, or test, the acquisition date, and the disposition date; and finally re-compute depreciation by hand. If the fixed assets in our sample were properly recorded, then we looked up on a statistical chart or table and concluded that we were sufficiently confident that all of the fixed assets at the company were properly stated.”

He further said “with today’s digital accounting software, every fixed asset can be downloaded and the depreciation re-computed based on the acquisition date and the disposition date and the various depreciation rules for each asset class. If there are any differences in the valuation of any asset, the differences can be found through data analysis. Data analysis allows a company’s auditor, whether internal or external, to re-compute or model the financial recording of transactions, as they ought to be recorded and, therefore, have even greater confidence than if they had tested using sampling. By analyzing every asset and related transaction, a company is able to test the entire population and be much more confident in the results. This has obvious implications for any FCPA audit as there is no materiality standard under the FCPA.”

Data analytics can transition from a review of historical transaction to a review of current transactions simply by asking similar questions of similar data, but with a change in focus. This focus change is to answer the question “what is happening now and what should we do about it” instead of merely “what has happened.” When your bank or credit card company puts a freeze on your charge card because of suspicious transactions, they are using data analysis as an alerting function. More sophisticated companies use this sort of data analytics tools and processes as part of their Compliance program for areas like monitoring for improper payments or to identify vendors who may be a match with entities on a Denied Parties list.

This use of monitoring as an alerting task is a logical next step for compliance teams, but most are not yet for any number of reasons. The transition from data analytics as historical analysis to alerting through continual or continuous monitoring can be a challenge, and it is still an emerging best practice. Continual or continuous monitoring establishes these alerts and suggests us to take action based on something that happened just a quick moment ago.

I asked Oringel if he could provide an example along the lines of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC), jointly released FCPA Guidance, which says that the goal of a best practices compliance program should be to Prevent Detect Remedy matters before they become FCPA violations. He translated the FCPA Guidance into “Stop, find and fix”. He believes that it is about asking the time period that you are pulling the data from, so if you are looking at transactions that happened 6 or 9 months ago, then your analytics are serving as a reporting function. He gave an example where a business development person entertained a government official, yet did not seek preapproval to do so. Unfortunately, the amount spent was more than was allowed under the company’s Gifts and Entertainment Policy for entertaining a foreign official. Now the compliance function needs to fix that policy violation and make sure that it does not happen again.

The next frontier for data analytics is a move from alerting to predictive analytics, which is using data analysis to predict what will likely happen in the future. This allows us to move from answering questions about what has happened in the past or present to what will likely happen in the future. While predictive analytics is common in many industries and processes, like Commercial Lending or Insurance, it is not at all common in compliance. Yet.

The “find” capability goes from the past to the present and to the future and may be where the most advanced audit and compliance teams go next. This actually moves to an almost a proscriptive action, where, because you were able to predict, or have an insight, going forward you are able to deliver a risk management solution to that potential situation.

Oringel concluded by saying that it is this future orientation, with data analysis as a predictor, that he believes is the next step in the compliance function using data. A company can score high risk employees in their unit by identifying the salespeople that tend to not respect the organization’s T&E policies; who spend too much on lavish meals or engage in other activities which contradict company policies, such as neglecting mandatory compliance training or simply being routinely late with expense report submissions.

============================================================================================================================================================================

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Winslow AZAs I end my week’s exploration of the intersection of bribery and corruption in international sports, I have also ended a week of solid listening to The Eagles 1970s studio albums. In honor of Glenn Frey, I will also end this week with a final tribute to Frey and his work with this seminal band from the 70s. Today, it is a tribute to the first Eagles hit, Take It Easy. While Jackson Browne was the primary author of this song, Frey stepped in to finish it when Browne could not complete it. The Eagles also opened their first album, titled The Eagles, with this cut.

I cannot think of anyone born after about 1970 who does not instantly recognize the opening cords from Bernie Leadon’s lead guitar on this iconic song. If this song alone does not make you want to go to Winslow Arizona, well probably nothing will. In fact the song made the town so famous that the city of Winslow erected a life-size bronze statue and mural commemorating the song, at the Standin’ on the Corner Park. The statue stands near a lamp post, the male figure securing an acoustic guitar between his right hand and the shoe of his right foot. Above his head, a metal sign, crafted in the style of US Route shields, displays the words “Standin’ on the corner”.

As I have noted this week, the world of sports continues to provide ample lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner. Although we no longer have the sad sack Astros to kick around, there are many other candidates out there you can draw inspiration from for your compliance regime. For today, I want recap some of these lessons.

Perhaps the clearest sign from the scandals reviewed this week and the ongoing Fédération Internationale de Football Association (FIFA) scandal is the role of regulators such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in leading the international fight against bribery and corruption. Only the US had the wherewithal to bring the charges against FIFA. While the Swiss have tagged along, they certainly did not take anything like the lead in this matter. Further, the allegations of FIFA’s bribery was publicized in Britain as long ago as 2010 and the Serious Fraud Office (SFO) never brought charges against FIFA or its cronies.

The bottom line is that only the US government has the ability and, more importantly, the will to engage in such a worldwide investigation and coordinate the actions of numerous countries in providing assistance. Do you think the Swiss police would have been so involved if it was not for the US government lead in this investigation? From President Obama on down, the US government has made clear that it will lead the international fight against bribery and corruption. The FIFA indictments are yet one more indication that they will continue to do so.

From the International Association of Athletics Federations (IAAF) scandal there are certain aspects similar to FIFA but made even more invidious. Not only was a there a long entrenched self-serving and self-congratulatory cabal running the organization, but they even out did FIFA by allegedly extorting money from athletes who they expected of using performance enhancing drugs to suppress positive drug tests. These officials were allowed to not only run rampart but also engage in essentially self-government of themselves. Kind of like having the foxes guard the henhouse.

I think the lesson is the checks and balances required in any best practices compliance program that form the basis of compliance. While some of these checks and balances are in the form of multiple internal levels of oversight, such as a Compliance Committee, which might be made up of senior managers from various disciplines; another level is brought about by internal controls and the concept of the segregation of duties (SODs). No one person should be allowed have so much discretionary power that they can approve vendors, approve contracts; then approve invoices for payments on those same vendors and contracts they have previously approved.

In the corporate world this is fairly standard in the US but there continues to be Foreign Corrupt Practices Act (FCPA) enforcement actions, emanating from outside the US, where a Country or Regional Manager can make such multiple approvals. This is not only a recipe for disaster financially but also allows the creation of a pot of money to pay a bribe much easier. Internal controls also work towards having continuous oversight, if a technology solution is used it can facilitate both the prevent and detect prongs of a best practices compliance program.

The lesson for the US company which does not have a compliance program in place is that the basic forms of corporate governance are not only mandatory for a compliance and ethics regime but they are also the basics for any minimums of corporate governance in the 21st century. The level of any fraud, including bribery and corruption under the FCPA, can be low, yet the attendant costs can be far in excess of any fine or penalty. For FIFA and the IAAF, their cost will be played out in the international press and court of world public opinion for some time to come. For the former heads and senior members of those organizations, the cost may well be more pedestrian, with jail terms for felony criminal violations.

Finally, from the allegations around offers of bribes to throw matches in professional tennis is the clear lesson that employees that are offered bribes need to have an avenue to be able to report such conduct. For the CCO, it is important that employees have confidence and trust in the organization so they are willing to make such reports. To stop the scourge of bribery and corruption in any international sports group, the management must take the lead in communicating that such actions will not be tolerated and that anything less would result in expulsion and banishment. That is similar to any top management that must clearly set the expectation that it is more important for employees to follow the law than to make their quarterly numbers. For if management does not do so and communicates that making your quarterly numbers are more important, employees will find a way to make their quarterly numbers.

Moreover, it is important any company knows if a vendor, sales agent or any other party has offered or demanded a bribe to do business. Even if your employees tosses them out of the office on their collective ear, it is incumbent you be made aware of the demand/offer so you can bring it to the attention of the counter-party and take appropriate remedial action. Indeed, in many industries the number of agents or other representatives is small enough that they can be known. If there is a collective refusal to do business with such corrupt third parties, it can be a powerful driver of business behavior.

So I end this week with a fond farewell to Glenn Frey and I hope you are taking it easy about now. For a YouTube clip of The Eagles playing Take It Easy, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016