Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a very deep dive the implications from President Trump’s tweet on Friday, August 17th about quarterly financial reporting by public companies.

Some of the highlights from this podcast are:

  1. What was the reason behind the tweet?
  2. Is this simply an attempt to require less transparency in financial reporting?
  3. Would a longer financial reporting cycle allow companies to plan to the longer term?
  4. Would this negatively impact short-sellers?

We unpack of all these points and consider the SEC’s response going forward.

For more reading: see Wall Street Journal Article, “The End of Quarterly Reporting? Not Much to Cheer About”.

See NYT Dealbook article, “Trump Asks S.E.C. to Study Quarterly Earnings Requirements for Public Firms”.

In this special five-podcasts series, Matt Kelly and I have been exploring the future of internal audit (IA), compliance and analytics. In the final episode, Part V, we discuss how IA can get started and provide some concluding remarks. We consider whether the technology is here today to implement the suggestions put forward this week. Can (or perhaps should) a company outsource internal control testing or internally develop a tool for analytics? We consider some of the biggest obstacles audit leaders cite for moving forward; lack of resources, business complexity, and lack of staff and how the Chief Compliance Officer (CCO) can aid IA in this evolution. We conclude with some thoughts that to succeed, an organization should know its objectives, get good data and think in terms of harnessing and channeling risk, rather than fulfilling compliance.

It begins with complete and accurate reports and all of the financial data present. You must begin with complete and accurate list of data. You need to think all of this through at the beginning and have strong internal controls around it because without good data you get bad data, which leads to bad internal controls and this leads to bad conclusions. From that point, Kelly noted, “everything we have talked about here goes out the window because it started with a bad foundation.”

From there it moves to the analytics. Fortunately there are multiple vendors which currently provide those types of products which have some type of data analytics capabilities. For instance, they exist in the gift, travel and entertainment (GTE) database space, third party management platforms and hotline reporting tools. The key is to have a central repository of data that you can trust, that is validated and tamper-proof. The next step is to extract the data out from its respective repositories with an analytics tool and present the data in a visualization tool.

The next requirement is staff. Right now (and for the foreseeable future) data analytics professionals can write their own tickets. So this may be a problem for startups or smaller companies. However, larger companies may have business analysts who could fill this role. Kelly said that you could potentially pair them with IA to perform analysis projects. IA are going to know how to audit and what questions to ask, however they may not know how to get the visualization and the analytics done well and that is where the business analysts come in.

The pairing of a subject matter expert (SME) with IA can also work. Kelly pointed to the example from the Cleveland Clinic where the Chief Integrity Officer, Don Sinko, has had success using employees from the nursing staff as they know the operations inside and out and when you pair them with an internal auditor it “creates a nucleus of operational knowledge.” Other examples are banks which use employees from the customer care centers because they have the greatest knowledge of the company’s problems.

Another key issue which Kelly pointed to was does the company truly understand its objectives? He stated, “What are the actual objectives? Does everybody know them? Does everybody know which one is ranked number one and which one is ranked two, three and four? You really need to think through this is what we want to achieve.” From there you should ask what are the risks that might prevent us from achieving these objectives? The next step is to then reverse engineer what business process controls are to minimize that is going wrong. Kelly said another way to consider it is that “you need to manage the risk and actually the more technical school of thought out there is, it’s an objective based risk management is what you need. What are my objectives? What are the risks to achieving them? How do I reduce those risks?” The implicit assumption is the business knows what its objectives are and which ones are more important than others.

The IA evolution that we have explored over this five-part series follows what I see as the evolution of compliance where it went from a paper program to doing compliance to operationalizing compliance and beyond that now. IA, compliance and a wide variety of other corporate disciplines really need to change their thinking about risk and looking at risk as not only an opportunity to harness and channel but also to more nimbly manage that risk going forward, not simply just fulfilling some legal compliance. Kelly added some thoughts from the compliance realm, which is that “many compliance officers’ wince at the idea of compliance as a bolt on addition which you engage in only at the end of the business process.” This outdated definition of the corporate compliance function, “is a drag at the end of the otherwise aerodynamic operation. It slows everything down and you don’t want that. You want compliance embedded throughout the whole organization and smart ethical conduct all the way through.”

This has a similar dynamic with IA because historically IA would do a financial statement audit and it would be bolt on because you only do the annual audit once a year. It was performed and completed after the end of the fiscal year. Now we are moving beyond this as Boards of Directors need more assurance on more risks. They need to know that risk is governed and it is governed all the way through from the risk management cycle.

Now overlay the same dynamic with the compliance function. As Kelly noted, “we’re talking about risk monitoring and internal audit as opposed to ethics and compliance and the compliance function. This is where internal audit needs to get to because this is where business processes are moving to. All information is becoming datafiedand you are able to monitor this data.” Kelly added a visualization when he said, “You are able to analyze when something drifts out of the Green Zone and into the Red Zone.” Kelly believes this is where we are headed and closed by stating, “I think we can probably get there, but there’s no reason why we cannot do so. With  some good thinking and good use of technology now, there is no reason why you could not start your organization on that path right away.”

Aretha Franklin died yesterday. She was truly the “Queen of Soul”. Writing in the online publication Slate, Marissa Martinelli said sherose to superstardom in 1967 with songs like “(You Make Me Feel Like) a Natural Woman” and “Respect,” a reimagining of the Otis Redding song that surpassed the original’s fame. She won a total of 18 Grammys over the past five decades, including a Lifetime Achievement Award, and in 1987 became the first woman to be inducted into the Rock and Roll Hall of Fame.”

Jack Hamilton, also writing in Slate, said, “Aretha Franklin’s was the voice of the 20th century. No other singer left such a definitive mark on the course of popular music—simply put, there is singing before Aretha Franklin, and there is singing after her. Her combination of technique, precision, nuance, and sheer power was approached by vanishingly few others”. Rolling Stone magazine, in its article “100 Greatest Singers of All Time”, listed her as No. 1. Mary J. Blige, quoted in the same article, said, “Aretha is a gift from God. When it comes to expressing yourself through song, there is no one who can touch her. She is the reason why women want to sing.” Jon Pareles, in his New York Times obituary, simply called her “one of the greatest American singers in any style.”

What was her greatest song? She brought Barack Obama to tears with her rendition of the Carol King standard, “(You Make Me Feel Like) a Natural Woman” at the 2015 Kennedy Center honors. “Think” from the movie the Blues Brothers is always a crowd favorite. Her version of “Amazing Grace” as reported in Cheal and Daily’s book “The Life of a Song”marked her return to gospel music. However for my money it was her cover (and perhaps the greatest cover of all-time) of Otis Redding’s R-E-S-P-E-C-T that is her top number. David Remnick, writing in the New Yorker said, ““Respect” is as precise an artifact as a Ming vase.”

Producer Jerry Wexler, who signed Franklin to the Atlantic label after a disappointing five years with Columbia, was quoted in a Slate article by Carl Wilson, “The call for respect went from a request to a demand,” Jerry Wexler has said. “[It] started off as a soul song and wound up as a kind of national anthem.” Wexler went on to add the song ““virtually defined the national consciousness at that moment in history”. Wilson wrote “Fifty-plus years later, “Respect” remains a song that lives in the world’s mouth, ready to the air in domestic arguments and political protests alike. It literally spells out a fundamental human need, in a way mainstream pop had not heard before, with both maximum dignity and maximum playfulness.”

While many assumed that Wexler brought the song to Franklin to record for her first album on Atlantic Records, she had actually been performing it live for some time. Wilson noted, “she’d heard Redding’s version years before on the radio and had been performing it live for some time. She’d worked out with her sisters how to reverse the gender point of view, and she came into the studio with her own take on the rhythm of the song already in place. Wexler recalled, “That stop-and-stutter syncopation was something she invented. She showed the rhythm section I had shipped up from Alabama—Jimmy Johnson, Tommy Coghill, and Roger Hawkins—how to do it. … But the creation of the background vocals and ingenious wordplay was done on the spot in the studio.”

This week on the Innovation in Compliance podcast, I interviewed Ellen Hunt, the Chief Audit Executive and Ethics & Compliance Officer at AARP. Hunt said the greatest impact executives can have on how they lead corporate culture is how they interact every day with their staff and others. If they show that they are not above the Code of Conduct, if they ask their folks to check the Code of Conduct and check in with the Compliance office, if they include the compliance team when there are major initiatives and projects, and if they are uniform and consistent in enforcing discipline, this sets the tone not just at the top but throughout. In other words R-E-S-P-E-C-T.

Next week I am doing a one-week podcast series on ethical culture in a company, with Vincent DiCianni and Eric Feldman from Affiliated Monitors, Inc. (AMI), the sponsor of the series. They both say that how employees are treated by senior management is one of the key indicia of an ethical culture. If there is no R-E-S-P-E-C-T by management of its employees (and I have worked in places where it assuredly did not exist) there will not an ethical culture.

Institutional justice is another part of this. For instance in the area of discipline, this means that your compliance program must have the teeth to strongly and forcefully discipline employees who violate your compliance regime; all the way from the Boardroom to the Shop Floor and everyone in between. It also includes any third parties your organization may employee who may be high producers for your company. This means senior management must be committed to compliance through word, deed and action.

The #MeToo movement has led many senior executives to re-evaluate abusive behavior and many companies to no longer tolerate it. I think Franklin’s anthem about R-E-S-P-E-C-T is about as close as a perfect way to say it. Wilson closed his article with, “The song still has America’s number, too. There’s a sharper pang to its singer’s passing at a juncture when respect seems in especially thin supply in its political culture. After more than 50 years, the planet seems far away from running out of fools, and it’s down one more inimitable genius.”

Goodbye to the Queen of Soul. As the Righteous Brothers said,

If you believe in forever,

Then life is just a one-night stand.

If there’s a rock and roll heaven,

Well you know they’ve got a hell of a band, band, band.

Rock and Roll heaven significantly upgraded today.

Set List (from YouTube)

R-E-S-P-E-C-T, click here.

(You Make Me Feel Like) a Natural Woman at the 2015 Kennedy Center honors, click here.

Amazing Grace, click here.

Think (clip from the Blue Brothers movie), click here.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018

In this special five-podcasts series, Matt Kelly and I are exploring the future of internal audit (IA), compliance and analytics. In Part IV, we consider the new relationships which can be created based upon the evolution of IA. These changes will allow IA to work more closely with 1stand 2nd lines of defense. However, how does your organization prepare for that empowered audit function? Finally, we will consider corporate culture and ask if analytics and monitoring can drive behavior even more forcefully than ethics?

Typically, IA is thought of a part of the Third Line of Defense. However, through the use greater use of analytics, IA can move closer to the second or first line of defense or at least work more closely with those who are traditionally seen as the first or second lines of defense. This speaks to one of Kelly’s key points, that the evolution of IA will change the relationship between audit and other functions. Kelly also said it raises in important question, “As internal audit moves towards better analytics and risk monitoring drives up the importance of strong control design,  people really need to start thinking about how to detect, how to monitor the risks that are important to my business process.”

Consider internal financial controls and the review of its effectiveness by an external auditor. In most situations bribes are funded through marketing or similar internal budgetary items. An external auditor will only consider material costs so if your marketing budget is over $100,000,000,000 annually for a worldwide, multi-national, a bribe payment of even $1,000,000 hidden in marketing expenses might not be considered material. Therefore, under this IA evolution, the function would need to not only understand the company’s risk but work with the first line business process owners to “clarify what your risks really are and figure out how to manage more accurately, more closely and more effectively.”

This does not mean IA will become a new department of risk monitoring as it will always need to maintain independence and objectivity. It does mean that other corporate departments, such as compliance, should consider taking advantage of IA’s expertise to help create a control for compliance risk that can be monitored and the results quantified. By having that conversation between IA and compliance, both corporate functions can become aware of the types of controls they are using and how they can be made more efficient or even streamlined. Now imagine that conversation with other risk areas in a corporation; anti-harassment, anti-trust, anti-bidding rigging, IT security and data privacy. It is all about the operational risk for each corporate function. But the business process owner would continue to actively manage the risk.

CCOs and heads of other functional units need to be having those conversations now as Boards of Directors are starting to ask those same questions. But it comes with something along the lines of “If not, why not?” Boards see these types of conversations are improving the overall risk management process. I believe that compliance is uniquely suited to having those conversations now with IA to move the process down into the business unit to more fully operationalize the compliance function into an organization. This is certainly the approach advocated by the Department of Justice (DOJ).

Now consider a world where analytics is more prominent. If your organization is more analytics driven, how will it work in your corporate culture? Obviously, if abused or mis-used, a data driven analytics culture can also wind up being a negative place to work. In most organizations, we have seen that that which is managed or measured gets managed well. However, if you measure and manage everything, then you are micromanaging people. Everyone involved will need to consider how does this really impact the human beings who are in an organization? You should also realize that if you are managing and observing everything, what does that say about making your organization a nice place to work? Is it an interesting and challenging place to work or is it simply an organization which manages risk well? Finally, will analytics and monitoring drive behavior even more forcefully than ethics? Those are the types of conversations every company should be having now, not later.

Tomorrow we conclude with getting started and moving forward.

To celebrate the Month of 1000 podcasts I am running for each of my podcasts this month, in this episode, the Everything Compliance gang focuses on the past five years; giving a retrospective of where we were, where we are and where we are going from their own perspectives. After the commentary we follow with rants and shout outs.

  1. Matt Kelly considers how did the 2013 Internal Controls Framework and the 2016 ERM Framework change things (or not)? He notes the two Frameworks provided widely distributed information to consider compliance in a disciplined way. Matt rants on Elon Musk. 
  1. Mike Volkov explores FCPA enforcement over the past 5 years. He lists the top 3 developments: (1) the long road to the FCPA Corporate Enforcement Policy; (2) The Yates Memo and individual prosecutions and (3) The global framework, built by the DOJ and SEC for anti-corruption investigation and enforcement. Mike rants on disgraced Representative Chris Collins.
  1. Jonathan Armstrong focuses on the evolution of data privacy. Numerous actors, including legislatures, regulators, individuals and pressure groups have all influenced EU/UK policy in this area. Further as US companies have become larger and larger, EU/UK Fair Trade/anti-trust and privacy laws will be used to greater effect on these entities. Armstrong shouts out to compliance when walking one’s bovine in Norwich City.
  1. Jay Rosen considers changes in compliance from the vendor perspective. He notes that many vendors brought a business process approach to not only how law firms and investigative firms worked but also how companies approached compliance programs. Jay rants on the NFL owners attempting to stop players from exercising free speech.
  1. Tom throws in a shout out for retiring Wall Street Journal reporter Ben DiPietro, who retires from the WSJ Risk and Compliance Journal on August 14.

The members of the Everything Compliance panelist are:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov– One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly– Founder and CEO of Radical Compliance. Kelly can be reached at
  • Jonathan Armstrong– Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox the Compliance Evangelist.