Are you regularly assessing your internal controls? This requirement was set out in the 10 Hallmarks of an Effective Compliance Program and was brought forward into the Evaluation of Corporate Compliance Programs. In the Evaluation, Under Prong 9 Continuous Improvement, Periodic Testing and Review, it stated “Control Testing Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Fortunately, the COSO 2013 Internal Controls Framework considered assessing compliance internal controls. In its Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components are present and functioning. Second, are the five components “operating together in an integrated approach”. One of the most critical components of the COSO Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls.

As the COSO 2013 Framework was designed to apply to a wider variety of corporate entities, your audit should be designed to test your compliance internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of compliance internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies that you may turn up and whether or not there are any compensating compliance internal controls. (3) Assess whether each principle of your compliance internal controls is present and functioning. The task here is determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach is through a component evaluation which rolls up the results of the component’s principle evaluations and allows a re-evaluation of the severity of any deficiency in your compensating controls. Lastly, an overall Effectiveness Assessment that would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For objective criteria such as written policies in categories as laid out in the FCPA 2012 Guidance, (the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments), if you do not have such controls; it would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.” Fortunately such a standard is easily met. 

However, if there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, Document feature is critical in any best practices anti-corruption or anti-bribery compliance program. With the Illustrative Guide COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions.

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.

 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

 

Today I visit with James Shields, the Creative Director for Twist and Shout Communications, a UK company which creates training video using comedy as the touchstone. You can check out a selection of the company’s offerings on its sight, Tuesday’s with Bernie. I visit with Shields about the creative process his company uses, how comedy can translate across a wide variety of cultures and language to be an effective training tool. The company has found that comedy generates a visceral reaction, a reaction based on feeling rather than intellect. Because of this reaction, employees are more interested and more engaged in compliance training; all of which makes it more effective. 

The company believes that both culture and behavioral change is an emotional process, not just ‘training’, and internal communication done properly can change a culture. Whether the subject is as dull as anti-corruption compliance or as fundamental as transformational change in the business, comedy will make employees sit up and take notice. They believe that by focusing on humor, the training will help break down both the individual training against compliance training as well as work to strengthen the overall corporate culture.

But more than simply stand-alone videos, the company seeing compliance training as a process. From the creative side the process includes an integrated story line which will engage employees, third parties and other relevant stakeholders. Shields also believes that putting comedy into context is important – the audience needs to relate to what they are seeing on screen so the environment and characters should feel familiar. That is when the message feels authentic and resonates much more strongly.

Finally Shields and the company have put together an entire training campaign structure. Why don’t you think about your training like you would a movie or other marketing campaign. They lay it out in White Paper entitled, “Engaging the YouTube Generationwhich you should definitely check out.

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs which listed three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions. Your program must demonstrate continually improvement.

Internal Audit What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Control Testing Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Evolving Updates How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complimentary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.

 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check. Responding to your investigation findings is critical.

The DOJ Evaluation of Corporate Compliance Programs focuses on this question in Prong 7 with the following: Response to Investigations What has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc., has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. The bottom line is that your return on investment here is going to be very high if you put the resources into remediation and it do this well. This is easier with the information that was provided in the 2017 FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the US Sentencing Guidelines for remediation.

Dan Chapman, former CCO at Parker Drilling and Cameron International, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management, because “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of Human Resources (HR), i.e. recruiting and retention.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed.

Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the 2017 FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated, or, as Berland notes, “When you’ve got the energy, use it.”

Three Key Takeaways

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. How do you deal with the dreaded ‘where else’ question?

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Are CCOs at risk? Indeed is should the entire compliance industry be running for cover. Adam Dobrik explores explore in GIR. Court Golumbic explores in “The Big Chill”: Personal Liability and the Targeting of Financial Sector Compliance Officers” in the NYU Compliance and Enforcement Blog.
  2. Tom and Mike Volkov argue the new FCPA Corporate Enforcement Policy has ended, once and for all, the debate around amending the FCPA to add a compliance defense. See Tom’s article in Compliance Week Magazine and listen to Mike Volkov’s podcast.
  3. The FCPA will be with us for years to come, argues Jaclyn Jaeger in her Compliance Week piece, “How the FCPA withstands the test of time
  4. Teva Pharmaceuticals resolves bribery case with Israel authorities. Chiam Gelfand reports in a guest post on the FCPA Blog.
  5. Ben DiPietro considers whether AI will have machine executable rules, in the Wall Street Journal Risk and Compliance Report.
  6. Roy Snell publishes a heartfelt letter to retiring Pat Kelly, the FBI Integrity and Compliance Officer in the SCCE Blog.
  7. Matt Kelly explore the salary misconduct penalty in two posts on his Radical Compliance blog, The Salary Penalty for Misconduct and More Thoughts. Matt & I explored the issue on the most recent episode of Compliance into the Weeds.
  8. Jonathan Marks explains why skepticism is an auditor friend in Skepticism – a Weapon to Fight Fraud in his Board and Fraud blog.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program, sponsored this month by Convercent. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  11. Join Tom and Dun & Bradstreet CCO Louis Sapirman for a SCCE Webinar on 360-Degrees of Compliance Communication. Registration and information is available here.
  12. Jay is too worried about Tom Brady’s hand to get out a weekend report. Should he be? Jacob Feldman reports in Sports Illustrated.
  13. We preview this week’s NFL playoffs.