Continuous improvement requires that you not only audit and monitor but also that you test your controls. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. Finally, Prong 9 of the Evaluation of Corporate Compliance Programs, under the heading Control Testing, asks: What control testing has the company generally undertaken? Control testing is a key component enforcement officials look for when determining whether a company maintains adequate oversight of its compliance program.

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for continuous improvement.

The COSO 2013 Internal Control Framework provides a roadmap for testing your controls. This means that if you have a multi-country or multi-business-unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also recognizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for its compliance function, you can leverage that technology to “support the ongoing testing and evaluation” program going forward.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.”  A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

COSO suggests a four-pronged approach to testing, which I have adapted for the compliance practitioner. (1) Make an overall test of your company’s controls. This should include an analysis of whether each control is present and functioning and whether the controls are operating together in an integrated manner. (2) Perform a control component evaluation so that, if a control deficiency is found, you can then determine whether any compensating controls exist. (3) Test whether each control furthers the legal or business requirement you are trying to meet and, if a deficiency exists, determine its severity. (4) Finally, summarize all your internal control deficiencies in a log so they are addressed on a structured basis for continued improvement.

Another way to think through testing is to evaluate the controls that effect each principle, noting any internal control deficiencies along with an initial review of the control failure. The next step would be to roll up the results of the evaluations. Next would be a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall test allows you to consider whether the controls are operating together in an integrated manner. This type of process lends itself to ongoing evaluation, so that if business models, laws, regulations or other circumstances change, you can test whether your internal controls are adequate for the new situation or need adjustment.

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA 2012 Guidance, this could be deemed a control failure (The Guidance states the following policies should exist: on “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”).

If there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? COSO suggests that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The key is to document the reasoning of the boundaries and then follow them.

This Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program, whether based upon the FCPA, the UK Bribery Act or some other regulation. When the SEC comes knocking, this is precisely the type of evidence it will be looking for to evaluate whether your company has met its obligations under both the SOX 404 requirements and the FCPA’s internal controls provisions. Finally, it provides a way to continuously improve your controls.

Three Key Takeaways

  1. Testing of controls helps to provide reasonable assurance that the entity’s control objectives are being achieved.
  2. There are two over-arching requirements for effective controls. First, each of the five components must be present and functioning. Second, the five components must be operating together in an integrated manner.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.


For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at

Today I consider a fraud audit that uses data analytics to help detect or prevent bribery and corruption. The scenario, which implicates both the FCPA and Chinese domestic law, involved China-based employees defrauding their own company by submitting false expense reports to create a pot of money for use as a slush fund to pay bribes. Here you can think back to the Eli Lilly FCPA enforcement action from 2012 and forward to the 2014 GlaxoSmithKline Plc (GSK) problems as examples of where employees used their expense accounts not for personal gain but for greater corporate malfeasance.

Joe Oringel, co-Founder and co-Principal of Visual Risk IQ, related case studies where his organization used data analysis to review employee expense reports, and how that experience can be used to formulate the same type of fraud analysis for a CCO or compliance practitioner. All of this can also be used as ongoing monitoring to facilitate continuous improvement of your compliance program.

One common technique fraudsters use is to split a larger purchase across multiple smaller transactions, so his organization has designed its data analytics queries to detect such split transactions. An example might be where procurement cards (P-cards) are used for certain low dollar-value expenses. If a company sets a P-card limit of $3,000 for a single transaction and $10,000 in aggregate spend for a single month, it would want to identify any use of P-cards for larger dollar transactions that are being broken up to evade those limits, since those are the transactions most likely to be inappropriate or illegal purchases.

Contrast this with the problem of split payments. This is the situation where a single invoice is divided and the full amount is paid in two or more simultaneous transactions, each routed through a different type of internal corporate payment. The key is to understand where the invoices are coming from and, if they trace back to a single vendor or supplier, to investigate who is splitting the payments and why.

Another area to focus on using data analytics is gifts, travel and entertainment (GTE), to identify out-of-policy expense reports and out-of-compliance expenses. Here the biggest issue is “double dipping”. This means an expense is recorded once on a T&E report and then a second time on another expense report, a P-card charge or some other type of expense. These are examples that can be uncovered with data analytics, and from there you can move to determine whether they are intentional, as opposed to unintentional, mistakes.

In the case of double dipping, a key is to look for the same airfare, hotel or meal being reported on multiple employees’ T&E expense reports. An example might be where an employee takes another employee out for a business meal and pays for the meal on one expense report. Then, separately, the coworker records the same meal, same day, same city, and claims the first employee as one of their attendees. As Oringel put it, “We find these sorts of situations with our analytics, and these are clear examples of suspicious transactions that ought to be discussed with both employees.”

Other examples of double dipping include duplicate transactions between meals and per diem allowances, or between mileage and company vehicles or rental cars. These are all things that can be identified with data analytics but are very difficult for an individual approver to see on a single expense report. The reason is that when you are tasked with approving an employee’s expense report, you most often have a single report in front of you for review. This makes it difficult to recall who submitted a report one or two months ago, and it is very possible that somebody submitted an airplane ticket when the ticket was purchased, and then six weeks later, when they took the trip, that air expense was reported a second time.

This same issue could arise with P-card purchases if an approver considering a single $2,500 purchase approves it on Monday and then approves another on Friday. Had those two transactions been on the same day, totalling more than the employee’s spending limit, the approver might not have approved both; but because they were submitted on different dates, they may well appear to the approver to be two unrelated transactions. With data analytics, you can aggregate those multiple trip or P-card reports into a single view, to help a reviewer or an approver determine whether the transactions comply with policy, both individually and in the aggregate.
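The queries Oringel describes can be expressed as a few aggregations over a normalized expense feed. The following is an added example of my own, not Visual Risk IQ’s code: it assumes a hypothetical record schema (`Txn`) that merges P-card charges and T&E lines, uses the $3,000 single-transaction and $10,000 monthly limits from the text, and runs over constructed sample data. It flags split purchases (several under-limit charges to one vendor in one month that together exceed the single-transaction limit), monthly overspend, the same charge claimed twice by one employee (the airfare-at-purchase-then-again-at-travel case), and the same meal claimed by two employees who each list the other as an attendee. Treating employee + vendor + calendar month as the grouping unit for splits is an assumption; a real deployment would tune that window.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations

# Limits taken from the text. Grouping splits by calendar month is an assumption.
SINGLE_TXN_LIMIT = 3000.00
MONTHLY_LIMIT = 10000.00


@dataclass(frozen=True)
class Txn:
    """One expense line from either a P-card feed or a T&E report (hypothetical schema)."""
    txn_id: str
    employee: str
    vendor: str
    amount: float
    txn_date: date
    source: str            # "pcard" or "t_and_e"
    category: str = ""     # e.g. "meal", "airfare"
    city: str = ""
    attendees: tuple = ()  # other employees the submitter listed on a meal


def month_key(d: date) -> str:
    return f"{d.year:04d}-{d.month:02d}"


def find_split_transactions(txns, limit=SINGLE_TXN_LIMIT):
    """P-card charges that each stay under the single-transaction limit but, summed per
    employee + vendor + month, exceed it: the classic split purchase."""
    groups = defaultdict(list)
    for t in txns:
        if t.source == "pcard" and t.amount < limit:
            groups[(t.employee, t.vendor, month_key(t.txn_date))].append(t)
    findings = []
    for key, charges in sorted(groups.items()):
        total = round(sum(t.amount for t in charges), 2)
        if len(charges) >= 2 and total > limit:
            findings.append((key, tuple(sorted(t.txn_id for t in charges)), total))
    return findings


def find_monthly_overspend(txns, limit=MONTHLY_LIMIT):
    """Employees whose aggregate P-card spend in a calendar month exceeds the monthly cap,
    regardless of how many vendors the spend was spread across."""
    totals = defaultdict(float)
    for t in txns:
        if t.source == "pcard":
            totals[(t.employee, month_key(t.txn_date))] += t.amount
    return [(k, round(v, 2)) for k, v in sorted(totals.items()) if v > limit]


def find_double_dips(txns):
    """(a) Same employee, same vendor, same amount on two different lines: airfare claimed at
    purchase and again at travel, or a T&E line duplicating a P-card charge.
    (b) Same meal (vendor, city, date, amount) on two employees' reports where one names the
    other as an attendee, so the meal was paid for once and claimed twice."""
    findings = []
    same_emp = defaultdict(list)
    for t in txns:
        same_emp[(t.employee, t.vendor, round(t.amount, 2))].append(t)
    for ts in same_emp.values():
        if len(ts) > 1:
            findings.append(("same_employee_duplicate", tuple(sorted(t.txn_id for t in ts))))
    meals = defaultdict(list)
    for t in txns:
        if t.category == "meal":
            meals[(t.vendor, t.city, t.txn_date, round(t.amount, 2))].append(t)
    for ts in meals.values():
        for a, b in combinations(ts, 2):
            if a.employee != b.employee and (b.employee in a.attendees or a.employee in b.attendees):
                findings.append(("cross_employee_meal", tuple(sorted((a.txn_id, b.txn_id)))))
    return findings


# Constructed sample data, not real expense records.
SAMPLE = [
    # Monday/Friday split: each under $3,000, together $4,500 to one vendor in one month.
    Txn("P1", "alice", "Acme Supply", 2500.00, date(2017, 3, 6), "pcard"),
    Txn("P2", "alice", "Acme Supply", 2000.00, date(2017, 3, 10), "pcard"),
    # Same vendor but different months: not a split.
    Txn("P3", "bob", "Office Depot", 900.00, date(2017, 3, 8), "pcard"),
    Txn("P4", "bob", "Office Depot", 800.00, date(2017, 4, 2), "pcard"),
    # Four vendors, each charge under the single limit, monthly total $11,600.
    Txn("P5", "henry", "Vendor A", 2900.00, date(2017, 3, 3), "pcard"),
    Txn("P6", "henry", "Vendor B", 2900.00, date(2017, 3, 9), "pcard"),
    Txn("P7", "henry", "Vendor C", 2900.00, date(2017, 3, 17), "pcard"),
    Txn("P8", "henry", "Vendor D", 2900.00, date(2017, 3, 24), "pcard"),
    # Airfare claimed when bought and again six weeks later when flown.
    Txn("T1", "carol", "Delta", 1200.00, date(2017, 3, 1), "t_and_e", category="airfare"),
    Txn("T2", "carol", "Delta", 1200.00, date(2017, 4, 12), "t_and_e", category="airfare"),
    # One dinner, two expense reports, each naming the other as attendee.
    Txn("T3", "dave", "Steakhouse", 180.00, date(2017, 3, 15), "t_and_e", "meal", "Shanghai", ("erin",)),
    Txn("T4", "erin", "Steakhouse", 180.00, date(2017, 3, 15), "t_and_e", "meal", "Shanghai", ("dave",)),
    # Same restaurant, date and amount, but no attendee overlap: coincidence, not flagged.
    Txn("T5", "frank", "Steakhouse", 180.00, date(2017, 3, 15), "t_and_e", "meal", "Shanghai", ("gina",)),
]

if __name__ == "__main__":
    print("splits:", find_split_transactions(SAMPLE))
    print("monthly overspend:", find_monthly_overspend(SAMPLE))
    print("double dips:", find_double_dips(SAMPLE))
```

Each finding is a pointer into the underlying records rather than a verdict; as the text notes, the next step is to pull the flagged reports side by side and talk to the employees involved, because an honest duplicate and a deliberate one look identical in the data.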

This double dipping technique led to two anti-bribery enforcement actions: one in the US involving Eli Lilly and a second in China involving the UK pharmaceutical company GSK. So the risk is real, and by using ongoing data monitoring you might not only get ahead of the legal violation but also end up with a much more efficient business process going forward.

Three Key Takeaways

  1. The typical fraud audit will get down into the weeds with data analytics.
  2. Split dollar expenses are a key metric.
  3. Double-dipping can lead to larger problems.



Alan Peckolick died last week. According to his obituary in the New York Times, he “overcame a failed art school career to emerge as a leading designer of some of the world’s most distinctive logos”. In an interview with the Huffington Post, he said, “Basically, for me, if a word was a beautiful word, it wasn’t the sound of the word that intrigued me but the look of the word. I saw each letterform as a piece of design. Cat is not ‘cat’ — it’s c-a-t. That’s what led to the beginning of the expressive typography.” And expressive it was, engaging multiple visual senses.

I thought about Peckolick and his work when I recently visited with Vincent DiCianni, President and Founder of Affiliated Monitors, Inc., and Eric Feldman, Senior Vice President (SVP) and Managing Director, Corporate Ethics and Compliance Programs, also at Affiliated Monitors, Inc., about voluntary monitoring. One of the insights I gained was how voluntary monitoring can achieve multiple and intersecting compliance goals. These are the goals laid out in the 2012 FCPA Guidance and the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation): both continuous improvement and analysis and remediation of non-compliant conduct under the Foreign Corrupt Practices Act (FCPA).

According to Feldman, voluntary monitoring is an approach where a company “uses the services of an independent monitor in order to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of voluntary monitoring. Feldman articulated the first as “reactive proactivity”, the situation where a company determines it has a potential compliance violation and brings in an independent monitor to address the issue.

The genesis for this type of monitoring is some event, such as a whistleblower report, an internal report or investigation, or a detect control picking up information that warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they’re worried about the other business units and they want to get an assessment.” Another situation could be a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another trigger could be geographic, such as operations in China or another high-risk region.

DiCianni noted there is a second type of voluntary monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is. It could assess a variety of issues, such as testing the compliance internal controls or benchmarking the company’s compliance program against its peers. In this type of voluntary monitorship, the examiner is not focusing on one issue or region, as in the first example, but takes a broader view.

Moreover, it allows a true independent to perform the assessment as DiCianni noted, “it’s very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this voluntary approach.” 

The benefits of both types of voluntary monitoring are multifold. It certainly helps to meet the Control Testing requirement found in the Evaluation. The 2012 FCPA Guidance stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This type of approach can provide benefits if a company finds itself in FCPA hot water, as both the DOJ and the Securities and Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the Guidance also gives a business reason for techniques such as voluntary monitoring when it states, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Feldman pointed out yet another reason for such a proactive approach. It can create an administrative record, which a company can use to demonstrate it has remedied the problems. Equally important it establishes the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel so they can present an accurate, unbiased opinion.

He presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the debarment list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitoring that would move it from voluntary monitoring over to mandatory monitoring for the next three years.”

Voluntary monitoring is an excellent technique through which a company can engage in continuous improvement. It has many other benefits as well, including regulatory credit and, if needed, evidence in a criminal investigation under anti-corruption laws such as the FCPA. The bottom line is that any of these scenarios might justify a company engaging a voluntary monitor to come in and perform a complete ethics, compliance and cultural assessment or audit of the organization.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

What is organizational culture? Eric Feldman, SVP and Managing Director, Corporate Ethics and Compliance Programs at Affiliated Monitors, has said it comprises the mission, vision and values of an organization. A similar way to consider it might be as a company’s values, visions, norms and beliefs. Whichever way you define it or look at it, corporate culture affects how groups within a company interact with each other. A key inquiry is whether the corporate incentive structure supports the articulated beliefs of a company. How does one measure or audit these articulations?

Jose Tabuena in an article entitled, “Can You Audit Corporate Culture” said that  “an important feature of a good culture is that the majority of employees can be positively influenced by values and environments that reinforce strong company values. Such a climate arises when the workforce believes that certain forms of ethical reasoning and behavior are expected norms for decision making. The ethical climate of an organization serves many useful functions in organizations. It helps employees identify ethical issues and address those issues by giving answers to “What should I do?” when faced with an ethical dilemma.” The oft-used corporate tactic to blame the ubiquitous ‘rogue employee’ is an “attempt to deny the flaws in the system and the culture that spawned the bad acts in the first place.”

Some of the techniques for measuring corporate culture include employee interviews, focus groups and employee surveys. This is because, through “identifying cultural strengths and areas needing improvement, a cultural assessment can guide the creation of communications plans and culture-building initiatives that are tailored to the company’s needs. In many cases, an effective strategy may be to target weak spots while simultaneously anchoring the overall message to positive values already strongly shared across the organization.” It is important to understand that corporate culture will not be uniform across geographies, functional areas or operating units, but that variation is itself useful when comparing the results.

Feldman noted that the key areas of concern in a culture audit are those that can greatly influence a company’s culture, making it periodically necessary to determine whether the company is on track. If your CEO says that your only goal is to make your numbers, that creates pressure to hit the target goals, and the implicit message is that you must do so by any means possible. It is an example of saying your values are about doing business ethically and in compliance while modeling the behavior of making your numbers at all costs.

One of the key indicia of a toxic culture is the fear of raising your hand to report an issue and facing retaliation. It is also an omen of other negative cultural factors such as general distrust of management. Here it is meaningful to consider whether employees are willing to raise matters with their immediate supervisor or to use the compliance hotline, and what they believe would happen if they reported misconduct. An even better approach would be to measure a company on how issues are reported and ultimately addressed. A final test is the workplace promotion and incentive history of internal whistleblowers over the remainder of their tenure with the organization: are they promoted or even celebrated?

Next you should consider a company’s compensation and incentive structure, together with its promotion of employees into management, as key indicia of culture. Consider that Wal-Mart, after it began its years-long FCPA investigation in 2012, began basing a portion of compensation for top executives on the company’s ability to meet compliance goals. If executives do not meet their compliance objectives, they risk having their annual bonuses reduced. Therefore, one measure of how a company incentivizes compliance is the degree to which ethical business practices have been factored into executive-level performance evaluations and/or compensation criteria. This can be leveraged down into the organization as well.

What is the tone coming from management? Here, you should look at employee turnover and retention for information. Through employee interviews, you can determine whether the turnover rate is attributable to organizational transition or to stress stemming from management’s philosophy and operating style, which might include such things as inappropriate compensation packages, unreasonable sales goals and requirements, etc. One need only consider the Wells Fargo fraudulent accounts scandal to understand how the failure to use the information developed from such employee surveys was detrimental to the bank.

It is important that a company actively recruit new hires based on its mission, vision and values and reinforce these when people join the company. All of this can be done through a rigorous hiring process which incorporates the company’s ethical values. But it does not stop at hiring and onboarding. It should occur at every Human Resources touchpoint in the employee lifecycle: during reviews and evaluations, consideration for promotion and even at departure. You will need to review the records of employees who have had poor compliance evaluations in past years and determine whether those employees had appropriate qualifications relative to their job descriptions. The review should be performed with an eye toward ascertaining whether the company’s hiring and promotion practices appropriately matched compliance qualifications, skill set and delegated authority to their formal position and job description.

Companies must have a high-performance corporate culture for doing business ethically. One of the ways to do so is through the culture audit. It can also be a powerful tool for continuous improvement going forward. Find out what your employees are saying about your corporate mission, vision and values and most importantly remediate if those mission, vision and values are found wanting.

Three Key Takeaways

  1. What are the mission, vision and values of a company?
  2. What are the compensation and promotion incentives in the culture?
  3. Always be closing or doing business ethically and in compliance?


Earlier this week, Matt Kelly broke the story of Secretary of Defense James Mattis’s Memo on Ethics to all Department of Defense (DoD) employees, in a blog post entitled “Secretary Mattis’ Insights on Ethics”. On Wednesday, Matt and I devoted an entire Compliance into the Weeds podcast (Episode 49 – The Mattis Memo on Ethics) to the subject, discussing the substance of the Memo and speculating as to the reasons for its issuance and very soft release. I was so impressed by the Memo and its significance to the compliance practitioner and the wider compliance profession that I decided to post a blog on it.

The Memo itself comes in at around 250 words and is worth citing in its entirety as to be one of the best statements of doing ethics that I have read in one place in some time. It is entitled “Ethical Standards for All Hands” and it reads as follows:

            Those entrusted by our nation with carrying out violence, those entrusted with the lives of our troops, and those entrusted with the enormous sums of taxpayer money must set an honorable example in all we do.

            I expect every member of the Department to play the ethical midfield. I need you to be aggressive and show initiative without running the ethical sidelines, where even one misstep will have you out of bounds. I want your focus to be on the essence of ethical conduct: doing what is right at all times, regardless of the circumstances or whether anyone is watching.

            To ensure each of us is ready to do what is right, without hesitation, when ethical dilemmas arise, we must train and prepare ourselves and our subordinates. Our prior reflection and our choice to live by an ethical code will reinforce what we stand for, so we remain morally strong especially in the face of adversity.

            Through our example and through coaching of all hands, we will ensure ethical standards are maintained. Never forget our willingness to take the oath of office and to accept the associated responsibilities means that every citizen who has never met us trusts us to do the right thing, never abusing our position nor looking the other way when seeing something wrong.

            I am proud to serve alongside you.

            /s/ James Mattis

I want to go through it in detail. The opening paragraph lays out the basic values of the US military: duty, honor and country. It then moves to the “ethical midfield”, a phrasing I had heard once before, when performing a risk assessment for a US energy company at its Singapore office. The head of the office told me, “There is enough money to be made in the middle. I don’t have to go to the sides where I can get in trouble.” That formulation struck me then and has stuck with me ever since.

Yet Mattis seems to be using more of a soccer or football metaphor. Nevertheless, the analogy is the same: the closer you get to the ethical sidelines, the easier it is to have a misstep that puts you out of ethical bounds. He ends this paragraph with “doing what is right at all times, regardless of the circumstances or whether anyone is watching.” Many people say that is precisely what ethics is: doing the right thing when no one is watching. Here we have the secretary of the largest military on Earth saying exactly that. It simply cannot be more powerful.

The next paragraph is about training, to ensure that each DoD employee will do what is right without hesitation. To do so, they must, in the military parlance for education, “train” to “prepare ourselves and our subordinates.” This seems to almost echo the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs on training. Prong 6, Training and Communication, asks under Form/Content/Effectiveness of Training: “Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?” Here Mattis is spot on that training must be grounded in the real world, presenting DoD employees with the same ethical situations they will face in their jobs, which we know from the first paragraph include “carrying out violence”.

The final sentence of this paragraph states, “Our prior reflection and our choice to live by an ethical code will reinforce what we stand for, so we remain morally strong especially in the face of adversity.” This sentence seems to have drawn inspiration from the legislative history of the Foreign Corrupt Practices Act (FCPA) itself, which said the law was passed in part because bribe payments were not only “unethical” but also “counter to the moral expectations and values of the American public”. Moreover, such commercial bribery tended “to embarrass friendly governments, lower the esteem for the United States among the citizens of foreign nations, and lend credence to the suspicions sown by foreign opponents of the United States that American enterprises exert a corrupting influence on the political processes of their nations”. This is a way of saying that by having, training on and modeling high ethical standards, the US military will demonstrate the values of the country it defends.

In the penultimate paragraph the first line really struck me. It reads, “Through our example and through coaching of all hands, we will ensure ethical standards are maintained.” Here he is focusing on the fact that it is not just your duty to engage in ethical behavior and uphold ethical standards, but that you, Mr. General, Mr. Colonel, Mr. Lt. Colonel, Mr. Major, Mr. Captain, Mr. First Lieutenant, Mr. Second Lieutenant, Mr. Sergeant and Mr. Corporal, must train the people below you. You must coach and model ethics to all hands at all times to ensure that ethical standards are maintained. I read Mattis as putting the onus on each person not only to act ethically personally, but commanding each leader that they are responsible for their fellow soldiers as well.

Finally, there is Secretary Mattis’ closing line: “I am proud to serve alongside you.” Talk about a way to personalize yourself to your employees and to set the tone from the top. When was the last time you saw a Chief Executive Officer (CEO), or a Chief Compliance Officer (CCO) for that matter, end a communication saying, “I am proud to work alongside you”?

How can a CCO or compliance practitioner use this document? Here I can only quote from Kelly’s blog post to say commit it to memory and “Try busting out language like that in your next meeting with the audit committee.” I would only add that you should bust it out anywhere else you have the chance. Thank you, Secretary Mattis.

