Today I consider a fraud audit that uses data analytics to help detect or prevent bribery and corruption where a company’s primary sales force is its own employees. The cases I have in mind, arising under both the FCPA and Chinese domestic law, involved China-based employees defrauding their company by using false expense reports to create a pot of money for use as a slush fund to pay bribes. Here you can think back to the Eli Lilly FCPA enforcement action from 2012 up to the 2014 GlaxoSmithKline Plc (GSK) problems as examples of where employees used their expense accounts not for personal use but for greater corporate malfeasance.

Joe Oringel, co-Founder and co-Principal of Visual Risk IQ, related case studies where his organization used data analysis to review employee expense reports and how that experience can be used to formulate the same type of fraud analysis for a CCO or compliance practitioner. All of this can also be used as ongoing monitoring to facilitate continuous improvement of your compliance program.

One common technique fraudsters use is to split a larger purchase across multiple smaller transactions, so Visual Risk IQ has designed its data analytics queries to detect such split transactions. An example might be where procurement cards (P-cards) are used for certain low dollar-value expenses. If a company’s procurement card limit for its employees is $3,000 for a single transaction and $10,000 in aggregate spend for a single month, it would want to identify any larger dollar transactions pushed through P-cards, which may have been used for inappropriate or illegal purchases.

Contrast this with the problem of split payments. This is the situation where a single invoice is divided and the full amount is paid in two or more simultaneous transactions, each made through a different type of internal corporate payment. The key is to understand where the invoices are coming from and, if they come from only one vendor or supplier, to investigate who is splitting the payments and why.

Another area to focus on using data analytics is gifts, travel and entertainment (GTE), to identify out-of-policy expense reports and out-of-compliance expenses. Here the biggest issue is “double dipping”. This means an expense is recorded once on a T&E report and then a second time on another expense report, a P-card charge or some other type of expense. These are examples of what can be uncovered with data analytics, and from there you can move to determine whether they are an intentional, as opposed to an unintentional, mistake.

In the case of double dipping, a key is to look for the same airfare or hotel or meals, perhaps being reported on multiple employees’ T&E expense reports. An example might be where an employee takes another employee out for a business meal; they pay for the meal on one expense report. Then separately a coworker records the meal, same day, same city, and claims that employee as one of their attendees. We find these sorts of situations with our analytics, and these are clear examples of suspicious transactions that ought to be discussed with both employees.

Other examples of double dipping include duplicate transactions between meals and per diem allowances, or mileage and company vehicles or rental cars. These are all things that can be identified with data analytics but are very difficult for an individual approver to see on a single expense report. The reason is that when you are tasked with approving an employee’s expense report, the reviewer most often has a single report in front of them for review. This makes it difficult to recall who submitted a report one or two months ago, and it is very possible that somebody submitted an airplane ticket when the ticket was purchased, and then six weeks later, when they took the trip, that air expense was reported a second time.
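The two double-dipping patterns described above (an airfare expensed at purchase and again after the trip, and one meal claimed by two employees who list each other as attendees) can be found by joining expense lines across reports. The following is an added example written for this post, not Visual Risk IQ’s or the author’s code; the expense records and field names are constructed for illustration.

```python
from collections import defaultdict

# Constructed T&E lines from several reports (not real data).
# "attendees" holds the employee ids an employee lists as guests on a meal.
EXPENSES = [
    {"id": "X1", "employee": "E1", "report": "R1", "date": "2017-03-06", "city": "Shanghai",
     "category": "airfare", "amount": 1240.00, "attendees": []},   # ticket bought
    {"id": "X2", "employee": "E1", "report": "R2", "date": "2017-04-18", "city": "Shanghai",
     "category": "airfare", "amount": 1240.00, "attendees": []},   # same ticket, after the trip
    {"id": "X3", "employee": "E2", "report": "R3", "date": "2017-03-09", "city": "Beijing",
     "category": "meal", "amount": 186.50, "attendees": ["E3"]},   # E2 paid, took E3
    {"id": "X4", "employee": "E3", "report": "R4", "date": "2017-03-09", "city": "Beijing",
     "category": "meal", "amount": 186.50, "attendees": ["E2"]},   # E3 claims the same meal
    {"id": "X5", "employee": "E4", "report": "R5", "date": "2017-03-09", "city": "Beijing",
     "category": "meal", "amount": 42.00, "attendees": []},        # unrelated meal, same day
]


def repeated_claims(expenses):
    """Same employee, same category and amount, submitted on more than one report.

    This is the 'airfare expensed twice' case: a single approver sees one report
    at a time, but across reports the pair is obvious.
    """
    groups = defaultdict(list)
    for e in expenses:
        groups[(e["employee"], e["category"], round(e["amount"], 2))].append(e)
    findings = []
    for (emp, cat, amt), items in groups.items():
        if len({e["report"] for e in items}) > 1:
            findings.append((emp, cat, amt, sorted(e["id"] for e in items)))
    return findings


def cross_claimed_meals(expenses, tolerance=0.01):
    """Two different employees each expense a meal on the same day, in the same
    city, for the same amount, and at least one names the other as an attendee."""
    meals = [e for e in expenses if e["category"] == "meal"]
    findings = []
    for i, a in enumerate(meals):
        for b in meals[i + 1:]:
            if a["employee"] == b["employee"]:
                continue
            same_event = (a["date"] == b["date"] and a["city"] == b["city"]
                          and abs(a["amount"] - b["amount"]) <= tolerance)
            names_each_other = (b["employee"] in a["attendees"]
                                or a["employee"] in b["attendees"])
            if same_event and names_each_other:
                findings.append((a["id"], b["id"]))
    return findings


if __name__ == "__main__":
    for f in repeated_claims(EXPENSES):
        print("repeated claim across reports:", f)
    for pair in cross_claimed_meals(EXPENSES):
        print("meal claimed by both employees, discuss with both:", pair)
```

Both functions return the matched line ids rather than a verdict: as the text notes, the analytics surface suspicious pairs, and whether each is an intentional or unintentional mistake is decided by talking to the employees involved.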

This same issue could arise with P-card purchases if an approver considering a single $2,500 purchase approves that purchase on Monday and then again on Friday. Had those two transactions been on the same day, and together over the employee’s spending limit, the approver might not have approved both; because they were submitted on different dates, they may well have appeared to the approver to be two separate transactions. With data analytics, you can aggregate those multiple trip or P-card reports into a single report, to help a reviewer or approver determine whether the transactions meet the employee policies, both individually and in the aggregate.
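The P-card checks described above (single transactions over the $3,000 limit, purchases split across days to stay under it, and monthly aggregates over $10,000) can all be run against one card ledger. The following is an added example written for this post, not Visual Risk IQ’s or the author’s code; the ledger, the employee and merchant names, and the seven-day split window are constructed assumptions.

```python
from collections import defaultdict
from datetime import date

SINGLE_LIMIT = 3_000.00      # per-transaction P-card limit from the text
MONTHLY_LIMIT = 10_000.00    # aggregate monthly limit from the text
SPLIT_WINDOW_DAYS = 7        # assumed: how far apart the halves of a split may post

# Constructed P-card ledger (not real data).
TRANSACTIONS = [
    {"id": "T1", "employee": "E100", "merchant": "Acme Supply", "date": date(2017, 3, 6), "amount": 2500.00},
    {"id": "T2", "employee": "E100", "merchant": "Acme Supply", "date": date(2017, 3, 10), "amount": 2500.00},
    {"id": "T3", "employee": "E200", "merchant": "Hotel Plaza", "date": date(2017, 3, 2), "amount": 3400.00},
    {"id": "T4", "employee": "E300", "merchant": "Office Depot", "date": date(2017, 3, 1), "amount": 900.00},
    {"id": "T5", "employee": "E300", "merchant": "Travel Co", "date": date(2017, 3, 15), "amount": 4800.00},
    {"id": "T6", "employee": "E300", "merchant": "Travel Co", "date": date(2017, 3, 28), "amount": 4600.00},
    {"id": "T7", "employee": "E400", "merchant": "Cafe", "date": date(2017, 3, 3), "amount": 45.00},
]


def over_single_limit(txns, limit=SINGLE_LIMIT):
    """Transactions that exceed the per-transaction limit outright."""
    return [t["id"] for t in txns if t["amount"] > limit]


def suspected_splits(txns, limit=SINGLE_LIMIT, window_days=SPLIT_WINDOW_DAYS):
    """Pairs of purchases by the same cardholder at the same merchant, posted
    within window_days of each other, each under the single limit but over it
    when combined: the Monday/Friday pattern an approver sees as two unrelated
    purchases."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[(t["employee"], t["merchant"])].append(t)
    findings = []
    for (emp, merchant), group in by_key.items():
        group.sort(key=lambda t: t["date"])
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if (b["date"] - a["date"]).days > window_days:
                    break  # group is date-sorted, so later items are further away
                if a["amount"] <= limit and b["amount"] <= limit and a["amount"] + b["amount"] > limit:
                    findings.append((emp, merchant, a["id"], b["id"], round(a["amount"] + b["amount"], 2)))
    return findings


def over_monthly_limit(txns, limit=MONTHLY_LIMIT):
    """Cardholder-months whose aggregate spend exceeds the monthly limit."""
    totals = defaultdict(float)
    for t in txns:
        totals[(t["employee"], t["date"].year, t["date"].month)] += t["amount"]
    return {k: round(v, 2) for k, v in totals.items() if v > limit}


if __name__ == "__main__":
    print("over single limit:", over_single_limit(TRANSACTIONS))
    print("suspected splits:", suspected_splits(TRANSACTIONS))
    print("over monthly limit:", over_monthly_limit(TRANSACTIONS))
```

The three queries are deliberately separate so each finding carries its own reason; a single combined "flag" hides whether a cardholder tripped the per-transaction, split, or aggregate test, which is exactly what the reviewer needs to know before talking to the employee.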

This double dipping technique led to two anti-bribery compliance enforcement actions: one in the US involving Eli Lilly and a second in China involving the US pharmaceutical entity GSK. So the risk is real, and by using ongoing data monitoring you might not only get ahead of the legal violation but also have a much more efficient business process going forward.

Three Key Takeaways

  1. The typical fraud audit will get down into the weeds with data analytics.
  2. Split dollar expenses are a key metric.
  3. Double-dipping can lead to larger problems.


For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at

What is organizational culture? Eric Feldman, SVP  and Managing Director, Corporate Ethics and Compliance Programs at Affiliated Monitors has said it comprises the mission, vision and values of an organization. A similar way to consider it might be as a company’s values, visions, norms and beliefs. Whichever way you define it or look at it, corporate culture affects how groups within a company interact with each other. A key inquiry is whether the corporate incentive structure supports the articulated beliefs of a company. How does one measure or audit these articulations?

Jose Tabuena in an article entitled, “Can You Audit Corporate Culture” said that  “an important feature of a good culture is that the majority of employees can be positively influenced by values and environments that reinforce strong company values. Such a climate arises when the workforce believes that certain forms of ethical reasoning and behavior are expected norms for decision making. The ethical climate of an organization serves many useful functions in organizations. It helps employees identify ethical issues and address those issues by giving answers to “What should I do?” when faced with an ethical dilemma.” The oft-used corporate tactic to blame the ubiquitous ‘rogue employee’ is an “attempt to deny the flaws in the system and the culture that spawned the bad acts in the first place.”

Some of the techniques for measurement include employee interviews, focus groups and employee surveys to measure corporate culture. This is because through “identifying cultural strengths and areas needing improvement, a cultural assessment can guide the creation of communications plans and culture-building initiatives that are tailored to the company’s needs. In many cases, an effective strategy may be to target weak spots while simultaneously anchoring the overall message to positive values already strongly shared across the organization.” It is important to understand that corporate culture will not be uniform across geographies, functional areas or operating systems. But this can be useful in comparing the results.

Feldman noted that the key areas of concern in a culture audit are those which can greatly influence a company’s culture, making it periodically necessary to determine whether the company is on track. If your CEO says that your only goal is to make your numbers, that creates pressure to hit the target goals, and the implicit message is that you must do so by any means possible. It is an example of saying your values are around doing business ethically and in compliance, but modeling the actions of making your numbers at all costs.

One of the key indicia of a toxic culture is the fear of raising your hand to report an issue and facing retaliation. It is also an omen of other negative cultural factors, such as general distrust of management. Here, considering whether employees are willing to address matters with their immediate supervisor or to use the compliance hotline, and what would happen if they reported misconduct, can be meaningful. An even better approach would be to measure a company on how issues are reported and ultimately addressed. A final test is the workplace promotion and incentive history of internal whistleblowers over the remainder of their employment tenure with the organization; are they promoted or even celebrated?

Next you should consider a company’s compensation and incentive structure, together with its employees’ promotion to management as key indicia of culture. Consider that Wal-Mart, after it began its years-long FCPA investigation in 2012, began basing a portion of compensation for top executives on the company’s ability to meet compliance goals. If executives do not meet their compliance objectives, they risk having their annual bonuses reduced. Therefore, one measure to incentivizing compliance is the degree to which ethical business practices have been factored into executive-level performance evaluations and/or compensation criteria. This can be leveraged down into the organization as well.

What is the tone coming from management? Here, you should look to employee turnover and retention for such information. Through employee interviews, you can determine whether the turnover rate is attributable to organizational transition or to stress stemming from management’s philosophy and operating style, which might include such things as inappropriate compensation packages, unreasonable sales goals, requirements, etc. One need only consider the Wells Fargo fraudulent accounts scandal to understand how the failure to use the information developed from such employee surveys was detrimental to the bank.

It is important that a company actively recruit new hires based on its mission, vision and values and reinforce these when people join the company. All of this can be done through a rigorous hiring process which incorporates a company’s ethical values. But it does not stop at the hiring and onboarding process. It should occur at every Human Resources touchpoint in the employee lifecycle: during reviews and evaluations, consideration for promotion and even at departure. You will need to review the records of employees who have had poor compliance evaluations in past years and determine whether those employees had appropriate qualifications relative to their job descriptions. The review should be performed with an eye toward ascertaining whether the company’s hiring and promotion practices appropriately matched compliance qualifications, skill set, and delegated authority to the formal position and job description.

Companies must have a high-performance corporate culture for doing business ethically. One of the ways to do so is through the culture audit. It can also be a powerful tool for continuous improvement going forward. Find out what your employees are saying about your corporate mission, vision and values and most importantly remediate if those mission, vision and values are found wanting.

Three Key Takeaways

  1. What are the mission, vision and values of a company?
  2. What are the compensation and promotion incentives in the culture?
  3. Always be closing or doing business ethically and in compliance?


In my last corporate position, my company was at the cutting edge because we required compliance-related audits for vendors in the supply chain. This was cutting edge in 2007-08. Now, however, an audit for adherence to compliance requirements has become a standard best practice in the management of business relationships with third-party vendors which work with a company through the supply chain. The Department of Justice (DOJ), in several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA), in the 2012 FCPA Guidance, and most recently in the Evaluation of Corporate Compliance Programs, has made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of its suppliers to ensure compliance. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I find this to be a missed opportunity from both the compliance perspective and that of greater business efficiency.

Initially it should be noted that a company must obtain the right to audit for compliance in its contract with any third-party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following:

The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

In Industrial Engineer Magazine, in an article entitled “Dynamic Changes”, authors Tariq Aldowaisan and Elaf Ashkanani discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of an FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. More simply, the action steps for the process can be described as: (1) capture the data; (2) analyze the data; and (3) report on the data.

There is no one specific list of transactions or other items which should be audited; however, audit best practices would suggest the following:

  • Review of contracts with supply chain vendors to confirm that the appropriate compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third-party vendor.
  • Review compliance training program; both the substance of the program and attendance records.
  • Does the third-party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third-party vendor have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third-party vendor’s compliance program. If the company has a designated compliance officer, to whom, and how, does that compliance officer report? How is the third-party vendor’s compliance program designed to identify risks, and what has been the result of any risks so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third-party vendor.
  • Regarding any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

This list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties. Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit, and a thorough and complete work plan should be created based upon all these professional inputs. After an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the compliance program and recommendations for improvements. Any reported incident of non-compliance should reference the basis for the finding, such as contractual clauses, legal requirements or company policies.

Three Key Takeaways

  1. Is your supply chain vendor committed to the audit process?
  2. Capture the data, analyze the data, report on the data.
  3. Supply Chain audits are no longer cutting edge but are now simply best practices.


Next I consider how data analytics can be used for continuous improvement where the primary sales force used by a company is third parties. A clear majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party as a conduit for the payment of a bribe) has lessened in recent years, there are related data analyses that can be performed to ascertain whether a third party is likely performing legitimate services for your company. There are several more analytics that can be run in combination to identify suspicious third parties, and some of the simplest can be to look for duplicate or erroneous payments, all of which can lead to continuous improvement.

A key to moving from detection to prevention to continuous improvement is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at one time for errors or overpayments. Changing this from a one-time annual or biennial event to something that is done daily or weekly dramatically improves the value of such controls. This more frequent, preventative analysis is integral to a foundation of third party management. While many companies perform periodic look-back audits, ongoing monitoring runs the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.

Duplicate invoices are a favorite mechanism of fraudsters. Consider the following scenario: Invoice No. ABC-13 was paid in the amount of $10,597.95. Thirty days later the same vendor re-submitted the same invoice as unpaid, but it was recorded by the payor organization without the hyphen between ABC and 13; consequently it was not detected by the system of payables controls. The second invoice had slightly different writing on its face, but it was for the same services and hence was a duplicate invoice. On the company side, both invoices were scanned into the company’s imaging system and queued for payment. Data analysis can locate such overpayments and identify that a second payment should not be made because it matches one that had been previously approved.
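The ABC-13 / ABC13 scenario is defeated by normalizing the invoice number before the duplicate check and running that check on the payment queue before disbursement rather than in an annual look-back. The following is an added example written for this post, not the author’s or any vendor’s code; the vendor ids, invoice records and the one-cent amount tolerance are constructed assumptions, and the ABC-13 amount is the one given in the text.

```python
import re
from datetime import date


def normalize_invoice_no(raw):
    """Canonical form of an invoice number: uppercase, with punctuation and
    whitespace removed, so 'ABC-13', 'abc 13' and 'ABC13' all compare equal."""
    return re.sub(r"[^0-9A-Z]", "", raw.upper())


# Constructed history of invoices already paid (not real data).
PAID = [
    {"vendor": "V001", "invoice_no": "ABC-13", "amount": 10597.95, "paid_on": date(2017, 1, 9)},
    {"vendor": "V001", "invoice_no": "ABC-14", "amount": 2200.00, "paid_on": date(2017, 1, 20)},
    {"vendor": "V002", "invoice_no": "INV 0451", "amount": 780.00, "paid_on": date(2017, 2, 1)},
]

# Constructed invoices sitting in the payment queue, approved but not yet disbursed.
QUEUE = [
    {"id": "Q1", "vendor": "V001", "invoice_no": "ABC13", "amount": 10597.95},     # re-submitted ABC-13
    {"id": "Q2", "vendor": "V002", "invoice_no": "inv-0451", "amount": 780.00},    # same as INV 0451
    {"id": "Q3", "vendor": "V001", "invoice_no": "ABC-15", "amount": 3100.00},     # genuinely new
]


def build_index(paid):
    """Index paid invoices by (vendor, normalized invoice number)."""
    index = {}
    for inv in paid:
        key = (inv["vendor"], normalize_invoice_no(inv["invoice_no"]))
        index.setdefault(key, []).append(inv)
    return index


def find_duplicate(candidate, index, amount_tolerance=0.01):
    """Return the previously paid invoice the candidate duplicates, or None.
    Same vendor and same normalized number are required; the amount must agree
    to within the tolerance (assumed one cent)."""
    key = (candidate["vendor"], normalize_invoice_no(candidate["invoice_no"]))
    for prior in index.get(key, []):
        if abs(prior["amount"] - candidate["amount"]) <= amount_tolerance:
            return prior
    return None


def screen_queue(queue, paid):
    """Split the payment queue into invoices to hold (duplicates) and release."""
    index = build_index(paid)
    held, released = [], []
    for candidate in queue:
        match = find_duplicate(candidate, index)
        if match:
            held.append(candidate["id"])
        else:
            released.append(candidate["id"])
    return held, released


if __name__ == "__main__":
    held, released = screen_queue(QUEUE, PAID)
    print("hold before disbursement:", held)
    print("release:", released)
```

Keying the index on the normalized number rather than the raw string is the whole point: the payables system in the story compared raw strings and so treated the hyphen as a new invoice. Running `screen_queue` daily over the approved-but-unpaid queue is the "prior to its disbursement" control the text describes.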

Another analysis a compliance practitioner could run compares vendor name and other identifying information, for example address and country, from a watch list such as a Politically Exposed Persons (PEP) or Specially Designated National (SDN) list, to the names and other identifying information on your vendor file. An inquiry could also be used to test in other ways, such as whether a vendor has the same surname as a person on the specially designated national terrorist list, or as a politically exposed person.

Now suppose a vendor shares the same name as an elected official in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe who is a politically exposed person in that country? It is only upon closer inspection that you can determine that the middle names are different, the ages are different, and one has an address in Brasilia while the other is in Sao Paulo. Without further inspection, including gathering other demographic information about your vendors, consultants or third parties and comparing it to the watch list individuals, such red flags are present but not cleared. That is what data analytics is designed to do: to help you go from tens of thousands of “maybes” to a very small number of potential issues which need to be researched individually.
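The John Doe problem above is a two-stage screen: a fuzzy name match generates the "maybes", and the demographic fields (middle name, age, city) then sort them into likely false positives and the few that need individual research. The following is an added example written for this post, not the author’s code or any screening vendor’s; the vendor file, the watch list entries, the 0.85 name-similarity threshold and the two-year birth-year tolerance are constructed assumptions.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed vendor master records (not real people).
VENDORS = [
    {"id": "V10", "name": "John Alberto Doe", "dob_year": 1962, "city": "Sao Paulo", "country": "BR"},
    {"id": "V11", "name": "Maria Silva", "dob_year": 1980, "city": "Rio de Janeiro", "country": "BR"},
    {"id": "V12", "name": "Jon Doe", "dob_year": None, "city": "Brasilia", "country": "BR"},
]

# Constructed watch list entries (not real people, not a real PEP or SDN list).
WATCHLIST = [
    {"list": "PEP", "name": "John Bernardo Doe", "dob_year": 1975, "city": "Brasilia", "country": "BR"},
    {"list": "SDN", "name": "Carlos Mendes", "dob_year": 1958, "city": "Caracas", "country": "VE"},
]


def normalize(text):
    """Strip accents, lowercase and collapse whitespace for comparison."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return " ".join(ascii_text.lower().split())


def name_parts(name):
    parts = normalize(name).split()
    return parts[0], parts[1:-1], parts[-1]      # first, middle names, last


def name_similarity(a, b):
    """Similarity of 'first last' only, so middle names do not hide a match."""
    fa, _, la = name_parts(a)
    fb, _, lb = name_parts(b)
    return SequenceMatcher(None, f"{fa} {la}", f"{fb} {lb}").ratio()


def differing_attributes(vendor, entry, year_tolerance=2):
    """Attributes present on both sides that clearly disagree. Missing data
    never counts as a difference: an unknown birth year cannot clear anyone."""
    diffs = []
    v_middle, w_middle = name_parts(vendor["name"])[1], name_parts(entry["name"])[1]
    if v_middle and w_middle and v_middle != w_middle:
        diffs.append("middle_name")
    if vendor.get("dob_year") and entry.get("dob_year") \
            and abs(vendor["dob_year"] - entry["dob_year"]) > year_tolerance:
        diffs.append("birth_year")
    if vendor.get("city") and entry.get("city") \
            and normalize(vendor["city"]) != normalize(entry["city"]):
        diffs.append("city")
    return diffs


def screen(vendors, watchlist, threshold=0.85):
    """Stage 1: fuzzy name hits. Stage 2: demographic comparison. A hit that
    differs on at least two available attributes is a likely false positive
    to document and clear; anything else is escalated for individual research."""
    hits = []
    for v in vendors:
        for w in watchlist:
            score = name_similarity(v["name"], w["name"])
            if score < threshold:
                continue
            diffs = differing_attributes(v, w)
            disposition = "likely_false_positive" if len(diffs) >= 2 else "escalate"
            hits.append({"vendor": v["id"], "list": w["list"], "match": w["name"],
                         "score": round(score, 3), "differs_on": diffs,
                         "disposition": disposition})
    return hits


if __name__ == "__main__":
    for hit in screen(VENDORS, WATCHLIST):
        print(hit)
```

The asymmetry in `differing_attributes` is the important design choice: a vendor record with no birth year and no middle name (V12 above) produces a hit with nothing to clear it, so it is escalated rather than quietly dropped. The analytics shrink the pile; the escalated records are still researched by a person.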

One of the important functions of any best practices compliance program is not only to follow the money but to try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, data analytics can uncover overcharges and fraudulent billings. Continual transaction monitoring and data analysis can prove their value through more frequent review, as individuals tend to perform better when they know they are being monitored.

The techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments not only by day or by month, but also by vendor or even by employee who may have keyed the invoices into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. That is the value of analytics. Analytics allows a compliance practitioner to sort and resort, combine and aggregate, so that patterns can be investigated more fully.

This final concept, finding patterns that can be discerned through the aggregation of huge numbers of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well, by allowing you to match information on third parties who might have come into your company without proper compliance vetting. The opportunity for continuous improvement through a feedback loop is obvious and a clear step you should take going forward.

Three Key Takeaways

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists.


Third parties still present the highest risk around FCPA compliance. It is therefore critical that you use monitoring and auditing when it comes to continuous improvement for this high-risk area. Today I want to consider three aspects of a company’s audit program for its compliance function: the types and purpose of third-party audits, planning for third-party audits and interviewing third parties.

You should generally plan your audit out four to six weeks in advance. It should be done in conjunction with your corporate legal department, which takes the lead to preserve the attorney/client privilege. You will need to work with the Business Sponsor to establish key business contacts and to facilitate the discussion of audit rights and the audit process with the third party. You should prepare initial document request lists for financial information queries, and review findings from previous audits and their resolutions. If there are any open or closed internal investigations, they should be similarly reviewed. Finally, if there are any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions in your industry, take care to review them and be cognizant of them.

Next consider the entry points of foreign government involvement; both direct and indirect. In the direct category, there are the following areas: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government owned entities, procurement of business licenses and permits to perform work and, finally, areas around police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors and, finally, those who might be consultants or other channel partners.

Document review and selection is important for this process. You should ask for as much electronic information as possible, well in advance of your audit. You should ask for some of the following categories of documents: trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries, and revenue by country and customer. It is important to try to obtain records in database or Excel format and not simply in .pdf.

When you are ready to commence your interviews, the lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with auditors on your team, who will be reviewing the documents from the forensic perspective. You should focus on potential interviewees who interact with government entities, foreign government officials or third parties, including those personnel involved with:

  • Business Leadership;
  • Sales/Marketing/Business Development;
  • Operations;
  • Logistics; and
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal.

It is important that you conduct the audit interview as precisely that, an audit interview and not an investigative interview. This is not the time to play ‘got-cha’. The audit interview process also affords the opportunity to engage in training while you are interviewing people. For the interview topics, I suggest some or all of the following:

  • General policies and procedures;
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust.

Particular care should be given to the review you make around the General Ledger (GL) accounts. Here you need to review commission payments to agents and representatives, any facilitation payments, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotional expenses. If there were payments made to customs agents, freight forwarders or other processing agents, or for permits, licenses, taxes and other regulatory expenses, they should be reviewed. Additionally, any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, a review of any security payments, extortion payments, payments to legal consultants or tax advisors, or fines and penalties should be considered.

Regarding bank accounts and cash disbursement controls, you should review the following:

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts.

In the area of cash funds review the following:

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses, scrutinize for any suspicious expenses submitted, expenses lacking adequate documentation, incorrect posting; and identify and review accounts associated with gifts, meals, entertainment, travel, or promotion. Around payroll, consider the risks around the use of ghost employees, hiring of relatives of government employees, and the use of bonus payments and be sure to request a payroll listing and review for any such persons.

Around training, you should determine whether your company provides industry-specific training to government entities, and review GL accounts and expenses for related items. In looking at payments under local law, you should obtain a list of payments to the government required by local laws and identify and review payments to government authorities or employees, customs authorities or agents, income tax authorities or for license requirements. For payments made to third parties, you should review commission and expense payments for compliance with company policy and trace payments to the third party’s bank account.

Three Key Takeaways

  1. Start planning your third-party audit 4-6 weeks in advance of the actual audit.
  2. Use your business sponsor to help facilitate the process with the third-party.
  3. This is not a ‘got-cha’ interview but an open question and answer process where you have a golden opportunity to educate as you ask questions.
