LBJ-Box 13
The political season is finally upon us, with the Iowa Caucuses starting the race to the White House. In honor of this election cycle commencement, we pay tribute the long and time-honored Southern tradition of midnight voting, where people who have or had reposed for long periods in local cemeteries miraculously arose to vote when needed in elections. In Texas this event is most honored in the first election of Lyndon Johnson to the Senate in 1948, where Johnson won the election by 87 votes out of 988,295 cast statewide. (Thereby garnering the nickname Landslide Lyndon.)

Midnight voting came into play as the winning margin was provided sometime after the first results came, from a single voting precinct in Jim Wells County, Box 13, where Johnson astoundingly secured 202 previously uncounted votes that were somehow ‘found’. It later turned out that the names of the voters came from deceased residents of the county. Also rather amazingly none of those voters denied that they had not in fact voted for Johnson.

The moral of the story – the dead can get you out of a lot of problems. And people say Texans are slow on the take.

I thought about Johnson, Box 13 and midnight voting when reading about the ongoing corruption issues around the Prime Minister of Malaysia, Najib Razak. The issues surround how $681MM mysteriously appeared in his personal bank account. I said ‘mysteriously’ because the PM said it was a personal gift from the prior King of Saudi Arabia. I said prior King; that is because he is dead and is no longer available for comment about whether or not he actually made the gift. As to the living Saudi government, it denies there is any record of such a payment.

Matthew Stephenson, writing in his Global Anti-Corruption Blog, in a post entitled “Malaysia’s Anticorruption Credibility Problem, noted that the Malaysian Attorney General, Mohamed Apandi Ali, said the money was a “political donation” and the money was provided “without any consideration”. Moreover the PM had returned some $620MM of the money and “had not done anything unlawful.”

Being a good Texan, I recognized midnight voting has moved over to the corruption and money-laundering arena in Malaysia. Stephenson, with perhaps more intellectual rigor, stated “it’s more than passing strange that he [the PM] didn’t just announce that it was a political donation form the Saudi royal family right away.” Stephenson also queried about the difference between the amount received, $681MM and the amount returned, $620MM. Stephenson posed a couple of reasonable questions “Where did it go? What was it spent on?” Maybe the spare $61MM is for the PM’s household account.

Yet just when I was fired up to go see the first Houston appearance of the Broadway hit, All The Way, which is about LBJ and the passage of the Civil Rights Act; things got decidedly worse for the Malaysian government when last week the Swiss government announced initial findings in a separate corruption and money-laundering investigation. In an article in the Wall Street Journal (WSJ), entitled “Swiss Prosecutors Say Malaysia Funds Diverted, John Revill reported, “Switzerland’s top prosecutor said $4 billion may have been appropriated from state-owned companies in Malaysia.”

These allegations center on the Malaysian sovereign wealth fund, 1Malaysia Development Berhad (1MDB). Michael Peel and Jeevan Vasagar, writing in the Financial Times (FT), in an article entitled “Swiss wreck effort to contain 1MDB scandal”, said the Swiss investigation, “follows a case opened last August against two unnamed former 1MDB officials on charges including bribery. The Swiss attorney-general said there were “allegations of criminal conduct” in four cases involving 1MDB, in a period spanning 2009 to 2013.” The reporters went on to note, “the four cases involved a “systematic course of action carried out by means of complex financial structures”. They added the cases related to five companies: PetroSaudi, a Saudi Arabia-based oil group with offices in the UK and Switzerland; SRC, a former subsidiary of 1MDB; Genting and Tanjong, two Malaysian conglomerates involved in leisure and property; and ADMIC, a joint venture between 1MDB and Aabar Investments, which is controlled by Abu Dhabi’s International Petroleum Investment Company.”

Even Singapore has become involved, as reported by the BBC Online, in an article entitled “Malaysia 1MDB scandal: Singapore seizes bank accounts”, they said, “The authorities in Singapore say they have seized a large number of bank accounts as part of an investigation into possible money-laundering linked to a fund owned by the Malaysian state.” The article went on to note, “Singapore said it would not tolerate being used as a refuge for illicit funds. In a joint statement by its central bank and the police’s anti-fraud agency it said: “In connection with these investigations, we have sought and are continuing to seek information from several financial institutions, are interviewing various individuals, and have seized a large number of bank accounts.””

So now we have moved from ‘a dead guy gave me $681MM’ to potentially $4bn gone from the country’s sovereign wealth fund. What is the lesson to be learned from such ethereal activities? For the compliance practitioner, it points to the need not only to keep abreast of current events but also to know who your counter-parties are in any relationship. If your company has done business with 1MDB in the past now would be a very propitious time to review all those contracts, review your documentation of third parties involved, perform transaction analysis on the gifts, travel and entertainment expenses of any employees involved in securing those contracts and then take a very hard look to see if there are any way pools of money could have been generated to pay bribes, even if only through contract discounts.

Has your company had any interactions with PM Razak? One might think with his (apparent) $61MM in pocket money he kept from the dead Saudi King’s gift, he would not have asked for anything from your company. Yet you had probably take a close look at any interactions. As Stephenson detailed in his blog post, the entire credibility of the Malaysian government has been called into question over these allegations and the government’s response thereto.

Finally, what about the company’s named in the Swiss investigation into the potential $4bn? If your company has any interactions or contracts with such entities, now might be a very good time to make sure you have engaged in all five steps in the lifecycle of third party management. If you are considering doing business with these entities, you may well want to put those plans on hold and do some deeper digging. It is all in the public record now and there is no excuse not to investigate going forward.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Data Analysis Quick Start MethodologyToday, I continue my exploration of data analysis with Joe Oringel, co-founder and Managing Director of Visual Risk IQ, a consulting firm that helps audit and compliance people see and understand their data. Today, we look at how to set up a data analysis program and how to use it to help monitor for a compliance program.

I asked Oringel how he helps clients think through a project that involves data analytics. As a lawyer, I was intimidated by the issues of not only how to get the data but how to use it going forward. Oringel then laid out their firm’s five-step process and said that for any Visual Risk IQ analytics project, the steps are: (1) Brainstorming, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Step 1 – Brainstorming

It all begins with Step 1, brainstorming. Any data analysis project in a compliance setting, or any business context, begins by picking the business questions to answer with data. So in an initial meeting, Visual Risk IQ’s team might ask one or more of the following opening questions: What do we expect to find if we do a detailed review of this data? What policies should have been followed? What would a mistake or even fraud look like? The data to be reviewed could be expense reports, accounts payable invoices, or sales contracts. The key to successful brainstorming is to identify the questions you want to ask and answer, and then identify the digital data sources that can best answer these questions. This process should be iterative, with questions being refined based on the available sources of digital data. This brainstorming process that Oringel and his team uses is central to their work with helping clients to develop queries specific to their organization.

Step 2 – Acquire and Map the Data

Acquiring and mapping data can be a technical step, but most modern software can create files that can be easily read by basic data analysis software, such as Microsoft Excel, as well as more advanced tools. Mapping data is simply identifying, naming, and categorizing the data fields (e.g. text, dates, numbers) so that the software tool can best interpret the data for analysis. Many data sources are internal (e.g. sales or expense transactions) but increasingly external sources from vendors and business partners are used too. Even the US Government is an occasional data source for analytics, as various Federal Departments publish watch lists of debarred individuals and companies.

Once the data is loaded into the analysis tool, control totals should be compared to source systems for completeness and accuracy. Oringel recommends comparing record counts, grand totals, and even selected balances for a sample of records to make sure that nothing was lost in translation into the data analysis tool. Once data is confirmed to be complete and accurately loaded and mapped into the analysis tool, then the real fun can begin.

Step 3 – Writing the Queries

Oringel identified Step 3 as writing the queries. Though it can be valuable to double-check the accuracy of reports that are provided from existing internal and external systems, Oringel recommends using data analysis to answer questions that are not readily reported from internal systems. Often comparing data across multiple data files can yield the most interesting results.

While writing queries surely sounds technical, it can be quite simple. Sorting data from oldest to newest or biggest to smallest is often only a few clicks of the mouse. Once sorted by several different columns, business insights can be quick. Writing queries is simply writing the business questions you laid out in the brainstorming session, and using software in a way that makes it easy to understand the answers.

A simple example would be “Show me any purchasing transaction that didn’t have the proper pre-approval.” This answer can be identified by comparing the dates between purchase orders and invoices, and then looking for any vendor invoice date that is prior to the purchase order date. Other query techniques are similarly simple, yet effective.

Step 4 – Analyze and Report Results

Oringel said that Step 4 is to analyze and report the results. I have wondered how a compliance practitioner would be able to not only view but then use such information. He said that Visual Risk IQ’s tagline comes from this notion. “See. Analyze. Act.” has been a part of their firm since 2006. By summarizing results in a way that measure something important, an action step becomes apparent. In the example above, if a vendor’s invoice date pre-dated its purchase order then the action step is to understand if the date it was received may be later than the date on the document itself. Perhaps the vendor has backdated that invoice in hopes of earlier payment, instead of our purchase order having been created after the fact to cover up the lack of required pre-approval.

Oringel recommends summarizing the results of data analysis into visual form, for example by showing color, size, and location in a graph, so that the compliance practioner can understand what has happened, quickly see the data and conclude whether the picture supports a decision of whether the transaction was or was not compliant.

  Step 5 – Refine and Sustain

That brings us to Step 5, which Oringel identified as refine and sustain. Part of this step is about about fixing the root cause of any problem identified through data analysis. I certainly believe one of the key functions for any compliance practitioner, and one of the first things you should do, is to make sure any violations of your policies and procedures do not move to an illegal conduct stage.

Yet there are other remedial steps that Oringel believes are critical at this stage. He said that when a condition or transaction is identified as being a potential issue, documenting the next action step and ensuring its proper completion is important. If an employee incorrectly submitted a personal or duplicate expense (e.g. they claimed $20 for a lunch yet they were listed as having attended a lunch paid by someone else on the same day) and they were reimbursed for a personal expense on a travel expense trip report, then the organization should ask for reimbursement of that expense and ensure thorough follow-up.

Consistent action when these circumstances arise is important. Seeking and obtaining reimbursement for improper expenses should not be based on whether the employee is an officer or a manager or an individual contributor, or even the amount of the error.

I turn briefly to the COSO Framework, which was updated in 2013 and became much more prescriptive with respect to the elements of an effective internal control program. There are five objectives under the COSO Framework and the fifth and final objective is monitoring activities. Monitoring activities are those that management should perform to ensure that the control environment, risk assessment, control activities, information and communication layers have been affected.

The only way that I know to make sure that the principles of effective internal controls have been followed are to do some monitoring. Oringel turned to one of his favorite subjects for an analogy, how his children are performing in school. He believes that he and his wife have set a robust “tone-at-the-top” around the importance of attendance, homework and strong academic performance and that they provide some direction for the children about what is important in terms of their results at school. There are some control activities that he can utilize in terms of reviewing their schedule, homework, how much time they spend studying versus playing video games, but the best technique to make sure they are getting the outcomes that they want for them academically is to do some monitoring and an evaluation of their performance.

A way to do that is to monitor their academic performance through the application, in his hometown called “PowerSchool.” It allows the parents and the students, together or separately, to log on and to answer the questions, “Was the homework assignment turned in?”; “What was the grade on the homework assignment?”; “Was the most recent grade better or worse than last time?”; Oringel said, “We use PowerSchool as a data-driven monitoring tool to make sure that our kids are performing in school the way that we want them to.”

Tomorrow we begin to consider some case studies from projects Oringel and Visual Risk IQ have engaged in and how they demonstrate the use of data analysis in an anti-corruption compliance program.

——————————————————————————————————————————————————————————————————————————————————————————————————

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Winslow AZAs I end my week’s exploration of the intersection of bribery and corruption in international sports, I have also ended a week of solid listening to The Eagles 1970s studio albums. In honor of Glenn Frey, I will also end this week with a final tribute to Frey and his work with this seminal band from the 70s. Today, it is a tribute to the first Eagles hit, Take It Easy. While Jackson Browne was the primary author of this song, Frey stepped in to finish it when Browne could not complete it. The Eagles also opened their first album, titled The Eagles, with this cut.

I cannot think of anyone born after about 1970 who does not instantly recognize the opening cords from Bernie Leadon’s lead guitar on this iconic song. If this song alone does not make you want to go to Winslow Arizona, well probably nothing will. In fact the song made the town so famous that the city of Winslow erected a life-size bronze statue and mural commemorating the song, at the Standin’ on the Corner Park. The statue stands near a lamp post, the male figure securing an acoustic guitar between his right hand and the shoe of his right foot. Above his head, a metal sign, crafted in the style of US Route shields, displays the words “Standin’ on the corner”.

As I have noted this week, the world of sports continues to provide ample lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner. Although we no longer have the sad sack Astros to kick around, there are many other candidates out there you can draw inspiration from for your compliance regime. For today, I want recap some of these lessons.

Perhaps the clearest sign from the scandals reviewed this week and the ongoing Fédération Internationale de Football Association (FIFA) scandal is the role of regulators such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in leading the international fight against bribery and corruption. Only the US had the wherewithal to bring the charges against FIFA. While the Swiss have tagged along, they certainly did not take anything like the lead in this matter. Further, the allegations of FIFA’s bribery was publicized in Britain as long ago as 2010 and the Serious Fraud Office (SFO) never brought charges against FIFA or its cronies.

The bottom line is that only the US government has the ability and, more importantly, the will to engage in such a worldwide investigation and coordinate the actions of numerous countries in providing assistance. Do you think the Swiss police would have been so involved if it was not for the US government lead in this investigation? From President Obama on down, the US government has made clear that it will lead the international fight against bribery and corruption. The FIFA indictments are yet one more indication that they will continue to do so.

From the International Association of Athletics Federations (IAAF) scandal there are certain aspects similar to FIFA but made even more invidious. Not only was a there a long entrenched self-serving and self-congratulatory cabal running the organization, but they even out did FIFA by allegedly extorting money from athletes who they expected of using performance enhancing drugs to suppress positive drug tests. These officials were allowed to not only run rampart but also engage in essentially self-government of themselves. Kind of like having the foxes guard the henhouse.

I think the lesson is the checks and balances required in any best practices compliance program that form the basis of compliance. While some of these checks and balances are in the form of multiple internal levels of oversight, such as a Compliance Committee, which might be made up of senior managers from various disciplines; another level is brought about by internal controls and the concept of the segregation of duties (SODs). No one person should be allowed have so much discretionary power that they can approve vendors, approve contracts; then approve invoices for payments on those same vendors and contracts they have previously approved.

In the corporate world this is fairly standard in the US but there continues to be Foreign Corrupt Practices Act (FCPA) enforcement actions, emanating from outside the US, where a Country or Regional Manager can make such multiple approvals. This is not only a recipe for disaster financially but also allows the creation of a pot of money to pay a bribe much easier. Internal controls also work towards having continuous oversight, if a technology solution is used it can facilitate both the prevent and detect prongs of a best practices compliance program.

The lesson for the US company which does not have a compliance program in place is that the basic forms of corporate governance are not only mandatory for a compliance and ethics regime but they are also the basics for any minimums of corporate governance in the 21st century. The level of any fraud, including bribery and corruption under the FCPA, can be low, yet the attendant costs can be far in excess of any fine or penalty. For FIFA and the IAAF, their cost will be played out in the international press and court of world public opinion for some time to come. For the former heads and senior members of those organizations, the cost may well be more pedestrian, with jail terms for felony criminal violations.

Finally, from the allegations around offers of bribes to throw matches in professional tennis is the clear lesson that employees that are offered bribes need to have an avenue to be able to report such conduct. For the CCO, it is important that employees have confidence and trust in the organization so they are willing to make such reports. To stop the scourge of bribery and corruption in any international sports group, the management must take the lead in communicating that such actions will not be tolerated and that anything less would result in expulsion and banishment. That is similar to any top management that must clearly set the expectation that it is more important for employees to follow the law than to make their quarterly numbers. For if management does not do so and communicates that making your quarterly numbers are more important, employees will find a way to make their quarterly numbers.

Moreover, it is important any company knows if a vendor, sales agent or any other party has offered or demanded a bribe to do business. Even if your employees tosses them out of the office on their collective ear, it is incumbent you be made aware of the demand/offer so you can bring it to the attention of the counter-party and take appropriate remedial action. Indeed, in many industries the number of agents or other representatives is small enough that they can be known. If there is a collective refusal to do business with such corrupt third parties, it can be a powerful driver of business behavior.

So I end this week with a fond farewell to Glenn Frey and I hope you are taking it easy about now. For a YouTube clip of The Eagles playing Take It Easy, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016