This week I am engaging in a week-long series on how a Chief Compliance Officer (CCO) or compliance practitioner might think about operationalizing a compliance program with other corporate functions and disciplines. I am joined in this exploration by Russ Berland, a well-known compliance commentator and practitioner who recently joined Dematic Inc., a supply chain optimization company, as its CCO. Today I want to demonstrate how the Internal Audit (IA) function can be used to more fully operationalize compliance.

The Department of Justice (DOJ) clearly feels IA is an important mechanism for compliance to use to operationalize compliance. In its Evaluation of Corporate Compliance Programs (Evaluation), Prong 9, it asks the following questions: “Internal Audit What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?”

According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are to maintain its independence; to conduct auditing activity on awareness of and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow up of recommendations made in IA reports, including those relating to compliance and ethics risks, and to track and report on management follow up; to assist and collaborate on internal investigations, including having IA provide audit expertise in dealing with internal controls and financial data; and to assist in both the design and auditing of internal controls and follow up as required. Clearly this is a function which is, and should be, integrated into compliance.

Berland noted that IA is doing compliance “all the time” as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, or what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether the employees are aware of standards of business conduct; whether they are aware of the anti-corruption policies; what controls are in place; and whether they are effective in the implementation locally.

It should be apparent there are numerous benefits to compliance having closer and more robust integration with IA. Some of the more obvious ones include some of the topics I have previously explored this week, such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issues, broad awareness of compliance risks as they relate to the process or audit issues, and an overall strengthening of the IA network throughout the company. Another area is the leveraging of joint vendor resources that would be available to both, such as professional development, forensic accounting and other professional consultants, and having ethics and compliance insights when making recommendations that are derived from internal audits.

One area which IA brings insight to that is critical to compliance but not well understood by compliance practitioners, particularly those with a legal background, is in internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4 asks the following, “Gatekeepers Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?”

When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. By doing so, it allows compliance to impart the need to determine how the internal controls, their design and effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA so an audit plan is as strong as possible given the time and resources available to pursue the audit.

From the compliance aspect, IA is “really kind of the watchdog or monitoring facility for the entire company”. This dovetails explicitly into this ‘gatekeeper’ function. Additionally, and depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist to operationalize compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, or what steps are being taken to comply with various legal requirements or compliance requirements. Berland noted, “I have certainly seen numerous opportunities, or numerous instances where internal audit in doing a country audit in a country in Europe, would make some of the following inquiries: ‘Are these people aware of standards of business conduct? Are they aware of the anti-corruption policies? And what controls are in place and are those effective in the implementation locally?’” Depending on the answers to these audit inquiries, compliance, or better yet, compliance in conjunction with audit and HR, could develop a remediation plan.

With such integration both groups benefit. IA can perform stronger investigations around enterprise risks and internal controls issues, through a broader awareness of compliance risks which might occur related to audit issues or audit processes. Such integration can work to strengthen IA’s network throughout the company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants, and provide additional compliance insights when making recommendations following internal audits.

For its part, the compliance function can leverage IA resources and professionals on audit techniques and analysis of internal controls. Equally, such integration extends the corporate compliance influence through the company’s IA network using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits so compliance is more fully able to participate in recommendations and follow up.

Tomorrow I will conclude this week-long series with a look at the operationalization of compliance through the corporate Controller’s Office.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

I am excited to announce at Compliance Week 2017 the publication of my latest book, 2016-The Year in Corporate FCPA Enforcement: Cardinal and Provident, published by Compliance Week. In it I take a look at the most prolific year in FCPA enforcement and what it means for the compliance practitioner.

We have never seen and may well never see again a year of FCPA corporate enforcements as we did in 2016. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) combined for twenty-seven corporate enforcement actions and nearly $2.48bn in total fines and penalties, the highest since the statute’s enactment in 1977. The vast majority of that amount, some 90 percent, was generated by a few very large and significant FCPA enforcement actions involving the following entities: VimpelCom, Och-Ziff, Embraer, JPMorgan, Odebrecht/Braskem, and Teva. While these cases all involved substantial, company-wide bribery schemes, which led to their massive penalties, the majority of 2016’s FCPA enforcement actions involved relatively small-to-medium-sized penalties and less systemic, routine bribery schemes. Yet these smaller cases usually provided some of the most interesting fact patterns, which can be studied by chief compliance officers (CCOs) and compliance professionals to help prevent and detect bribery in their organizations.

What do these enforcement actions signify? More importantly, what are the lessons to be drawn from these cases for compliance going forward? What about the FCPA Pilot Program, and what does it portend for the future? Finally, I consider the public comments of the regulators around FCPA enforcement and compliance. You can parse the facts and figures, but if you want to understand what 2016 means going forward for the compliance profession, this is the book for you. If you are a compliance professional, this is the single must-have book on the most prolific year in FCPA enforcement history.

You can purchase a copy of the book from Compliance Week by clicking here.

If you are attending Compliance Week 2017, drop by the Compliance Week booth for an autographed copy!


In this second of a two-part series, we conclude the panel’s discussion of the first 100 days of the Trump administration as it relates to compliance. This episode concludes with the panelists’ rants.

  1. Matt Kelly opens with a discussion of regulatory enforcement under the Trump administration, how the ‘Trump Effect’ is negatively impacting corporations, industry responses to deregulation issues and lays down some markers around compliance issues under the new administration.

For Matt Kelly’s posts see the following:

Compliance in the Trump Era: More Markers Placed

Trump Administration Whacks Telco Firm for $892 Million

Drone Industry Pan Trump’s Regulatory

Trump Risk Disclosures Start Rolling In

First SEC Whistleblower Award of Trump Era

Sessions Dodges, Weaves, Promises on FCPA

  2. Mike Volkov rounds out the discussion with a review of where the DOJ is currently under AG Sessions, remarks by DOJ officials on FCPA enforcement, the future of the Pilot Program and DOJ Compliance Counsel, Hui Chen.

For Mike Volkov’s posts see the following:

Yates, AG Sessions and Individual Criminal Prosecutions

New E-Book — Moving the Goalposts: The Justice Department Redefines Effective Compliance

FCPA Remediation Focus on Supervisory Personnel

FCPA Pilot Program Motors On


For the Cordery Compliance client alerts see the following:

EU conflicts minerals compliance legislation

DOJ Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?


For Jay Rosen’s posts see the following:

Still in the Enforcement Business and Evaluation of Corporate Compliance Programs

“It Was the Best of Times, It was the Worst of Times,” or “Ignorance is Strength”


For Tom Fox’s posts see the following:

The Trump Administration-Kaos is Bad for Business

The Trump Administration-Failures in Leadership and Management

The Trump Administration-Preparing for a Catastrophe

The Trump Administration-the Business Response

DOJ Enforcement of the FCPA and the International Fight against Corruption in the Trump Administration


The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at

Joseph Wiseman was most famous for his role in the first James Bond film adaptation, playing the title character of Dr. No. In the compliance world, Dr. No is famous as many a business development (BD) specialist’s moniker for a compliance professional, that being “Dr. No from the Land of No”. Yet the character Dr. No was innovative, brilliant and marvelously evil, all the while originating a series of ruthless and diabolical Bond villains which continues up to this day.

How agile is your compliance program? How does this fit into the operationalization requirement laid out in the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation)? While many have argued that compliance programs should lead to greater productivity and efficiencies, it may be that agility is equally critical. How often do you consider agility in the context of your compliance regime?

Agility begins with the ability to adapt and change to ever evolving business circumstances. The key to having such agility at the corporate level is a robust risk management process; consisting of forecasting, risk assessment and risk based monitoring. Jonathan Marks, a partner in the firm of Marcum LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

It is the understanding of these risks that allows a company to be agile. If you understand the risks, you can manage them through adequate monitoring more efficiently and at a level closer to your business’s front lines. A recent article by Andrew Hill in the Financial Times (FT) entitled “The drive for success: Michelin’s revolutionary experiment in trust” provides some interesting fodder on how a company might drive such agility to increase efficiencies. The Michelin initiative was around the manufacture and sales of tires, but I found it had several important insights into the compliance space.

The Michelin program is named responsabilisation and it is designed to shift responsibility to the company’s workers. An example Hill provided was that a “team plans production a week in advance, deciding how it should organise itself to meet targets and absorb absences. As a by-product, staff solve safety problems and cut waste more quickly.” This is the essence of risk management systems.

It all started with trust. It was trust that the workers knew what they were doing and, if given the right tools, could plan out the details of the manufacturing process. Barbara Brooks Kimmel and her entity Trust Across America continually articulate the need for trust in business, and the Hill piece reinforces that point yet again. Here the trust is that the team leader will trust the workers to get it right. This does not mean there is no oversight, but it does mean managers do not micromanage. It also means there are metrics which can be verified by managers in an oversight role. It is a mixture of both empowerment and accountability.

What are some of the benefits Michelin has observed? Hill reports these included “team agreement; shared knowledge; improving results; pride; team’s leaders trust”. Moreover, it allows the front-line business and other corporate functions to become more directly engaged in the doing of compliance. This is the very essence of operationalizing compliance. It is moving compliance down into the heart, fabric and DNA of your company.

It also allows a more holistic approach to compliance as each functional discipline within an organization integrates compliance into its day-to-day operations. Consider the lifecycle of the employment relationship which Human Resources (HR) oversees. Not only does HR have more touchpoints to discuss corporate values, culture and compliance, but you can further operationalize compliance into HR by having internal controls from the compliance perspective. If you are going to hire the family member of a foreign government official, such hiring decisions must go through the regular hiring process without an exception being granted for a family member who does not meet your standard hiring requirements. If an exception is granted, it must be explained in writing and have appropriate management and compliance oversight and sign-off going forward. If a red flag appears, such as a top regional BD person lobbying for such a candidate to be hired, a Chief Compliance Officer (CCO) should determine if there is a contract or other business advantage the company is seeking to obtain through the hiring of the family member.

For the CCO or compliance practitioner, it means that in addition to oversight, there should be a focus on long-term compliance strategy. Jean-Dominique Senard, Michelin’s chief executive, explained, “It’s not about delegating everything. Big strategic decisions are taken at the appropriate level. It’s not too much to do with self-management…it’s independence in a strategic framework.” For a CCO, this could be decisions about more or greater technological developments and tools, or it could be greater efficiencies in the risk management process.

Just as Michelin had to overcome resistance to its responsabilisation program, you may face push-back as well, from groups who do not believe in the basic premise that a compliance-based initiative will improve business agility and from those who do not understand how it all will tie together. This will require education from both compliance and management. It will also require front-line BD folks to trust that management will support them with oversight and not micro-management or pronouncements from “Dr. No from the Land of No”.



© Thomas R. Fox, 2017

This week, Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. What is the real risk in an FCPA enforcement action? See Mike Volkov’s post in Corruption, Crime and Compliance.
  2. FIFA fires its lead internal investigators for doing their job investigating. See Tom’s article in Compliance Week.
  3. ECI Report Finds Use of Corporate Monitors is on the Rise. For a copy of the report, click here. For a webinar replay with Affiliated Monitors’ Eric Feldman and Nasdaq’s Michael Kallens, click here.
  4. Why the judgment of CEOs and their actions really do matter. See James Stewart on Barclays’ Jes Staley in his Common Sense column in the New York Times.
  5. What role do incentives play in a compliance program? See Tom’s two podcasts on the issue, incentives for executives and incentives in sales programs.
  6. Astros lead the MLB with the best record in baseball. The Rockets gag on the big one.
  7. Jay previews his Weekend Report, compliance lessons from a trip to the zoo.
  8. Listeners to this podcast can receive a discount to Compliance Week 2017. Go to registration and enter discount code CW17TOMFOX.

Jay Rosen can be reached:

Mobile (310) 729-6746

Toll Free (866)-201-0903

Tom Fox can be reached:

Phone: 832-744-0264


What do monitorships have to do with best practices in compliance? Find out on This Week in FCPA.