Blood on the TracksOn this week in 1975, Bob Dylan’s 15th studio album, Blood on the Tracks, reached the Number 1 album slot on the Billboard charts. This was in spite of no song rising above the 31st slot on the single charts. It came out in the final semester of my senior year in high school so its personal nature was very poignant to me. Two interesting facts were that Phil Ramone was an engineer on the recording sessions and Buddy Cage played steel guitar (shout out to Chris Bauer). While I probably enjoyed it because I found it to be the most accessible Dylan album to that point, the critics most generally praised it as well, finding it to be his most reflective. Indeed his son Jakob has been quoted as saying, “When I’m listening to Blood On The Tracks, that’s about my parents.”

Last week we had a second Foreign Corrupt Practices Enforcement Action (FCPA) from the Securities and Exchange Commission (SEC). This one involved the California based entity SciClone Pharmaceuticals, Inc. (SCLN) which was assessed a penalty of $2.5MM, profit disgorgement of $9.42MM and prejudgment interest of $900K for a total penalty of $12.8MM to settle SEC charges that it violated the FCPA when employees in China pumped up sales for five years by making improper payments to professionals employed at state health institutions. The penalty was for the conduct of its Chinese subsidiary, SciClone Pharmaceuticals International Ltd.

Many of the allegations reached back over 10 years, to 2005, when the Chinese subsidiary created a special VIP program for high volume customers called health care professionals (HCPs). According to the SEC Cease and Desist Order, this special program provided “weekend trips, vacations, gifts, expensive meals, foreign language classes and entertainment” to selected VIPs. It was described internally as “luring them with the promise of profit.” Clearly not the tone a Chief Compliance Officer (CCO) would want to see from his or her top salespersons. Oops, SCLN did not have a Chinese compliance officer at the time of the incidents in question because it did not have a compliance function at the company, so I guess that tone issue never came up.

Clearly the VIP program went beyond the pale as it provided for vacations for both the VIPs and their family members. But this program also had less egregious activities such as golf tournaments followed by beer drinking. However, the subsidiary’s conduct became more nefarious in 2007 when it hired “well-connected regulatory affairs specialist (Specialist) to facilitate” the application of certain licenses the company needed to distribute a new product in China.

This Specialist originally intended to send two foreign officials who were responsible for approving this license to Greece for an academic conference related to this new medical product. However visas could not be obtained in time so “the Specialist instead provided them at least $8,600 in lavish gifts.” In addition to the foregoing, the company sent many other Chinese government officials to in the US, Japan and the Chinese resort island of Hainan where “significant sightseeing was involved” in addition to an educational component.

The company even managed to fall prey to the well known Chinese bribery conduit of travel agencies by failing to conduct any due diligence on a number of travel vendors who were used to funnel bribes and improper gifts and trips involving improper sightseeing and tourist expenditures. Then again this may have been intentional given the overall posture of the subsidiary and its parent. Nevertheless it was another compliance program failure.

Finally, as part of SCLN’s internal investigation, after the discovery of all of the above, an “internal review of promotion expenses of employees from 2011 to early 2013. This review found high exception rates indicating violations of corporate policy that ranged from fake fapiao, inconsistent amounts or dates with fapiao, excessive gift or meal amounts, unverified events, doctored honoraria agreements, and duplicative meetings. A portion of the funds generated through the reimbursements were used as part of the sales practices described above that continued through at least 2012.”

Noting the foregoing conduct, the SEC Order held that SCLN did not have the appropriate internal controls in place for any type of FCPA compliance program. Both the subsidiary and parent engaged in false accounting entries by “recording the payments to health care providers as sales, marketing, and promotional expenses.” So SCLN violated both prongs of the Accounting Provisions of the FCPA , those being the accounting and internal controls provisions.

However, SCLN did make a come back which led to the relatively low fine and penalty. As noted in the Order, the company took steps, “to improve its internal accounting controls and to create a dedicated compliance function. These include the following: (1) hiring a compliance officer for its China operations; (2) undertaking an extensive review of the policies and procedures surrounding employee travel and entertainment reimbursements; (3) substantially reducing the number of suppliers providing third-party travel and event planning services; (4) improving its policies and procedures around third-party due diligence and payments; (5) incorporating anti-corruption provisions in its third-party contracts; (6) providing anti-corruption training to its third-party travel and event planning vendors; (7) disciplining employees (and their managers) who violate SciClone’s policies; and (8) creating an internal audit department and compliance department.”

Lessons Learned

Mike Volkov has called the SCLN enforcement action, “A Textbook Case of FCPA Violations for Gifts, Meals, Entertainment and Travel”. I would add that it is the textbook case for CCOs and compliance practitioners to study for lessons learned. The first thing is to review your own compliance program to see if any of these anomalies that SCLN engaged in appear in your Chinese operations or any other high risk areas. Beyond these general reviews, I would suggest a more detailed transaction monitoring and data analytics approach, which would involve:

  • Tracking not only the expenses paid for gifts, travel and entertainment by employees but tying this information back to the foreign government officials who received these benefits;
  • Look to any third parties who may have been involved in any of the foregoing, such as the ubiquitous Chinese travel agencies or the more iniquitous ‘Specialist’ who might be involved in facilitating license approvals;
  • Consider the positions which were lavished with such gifts, entertainment or travel. Did any of these persons make any approvals or decisions which allowed your company to obtain or retain business immediately before or after such treatment?

Finally, consider the thoughts of Scott Lane, Executive Chairman of the Red Flag Group, where he described the line of sight a compliance practitioner needed. Lane described the data points that a CCO or compliance practitioner should have visibility into going forward. By looking down a straight line at all of this information derived from the SCLN enforcement matter, the compliance function can identify measures to improve any high risk issues before they move to FCPA violations. While gifts, travel and entertainment expenses might be on your company’s radar for compliance department pre-approval, if they are spent on one or two government officials who may influence deal making authority regarding your company’s business it may well merit a more detailed analysis.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Spud WebbOn this day 30 years ago, history was made when Spud Webb won the 3rd NBA Slam Dunk contest. Webb joined future Hall-of-Famers Michael Jordan, who won the inaugural contest in 1984, and Dominic Wilkins, who won the second event in 1985, as the Slam Dunk champ. What made Webb’s win so noteworthy? It was his size. He was 5 feet, 9 inches tall and the shortest player in the league at that time. Webb played for 12 seasons in the NBA, mostly with the Atlanta Hawks, but for anyone who tuned in that day, we will never forget when Spud Webb stood the tallest of the all the players.

I thought about Webb, his biggest moment of personal glory and individual responsibility when I read Sunday’s Fair Game column in the New York Times (NYT) by Gretchen Morgenson, entitled “Fixing Banks by Fining the Bankers. Morgenson has written several pieces about the banking scandals coming out of the 2008 financial crisis and beyond, coupled with the lack of personal accountability in all of the settlements with US regulators.

She began her piece with the certain truism, “Ho-hum, another week, another multimillion-dollar settlement between regulators and a behemoth bank acting badly.” The settlement she referenced referred to two financial institutions, Barclay’s and Credit Suisse, who agreed to pay $154.3MM, regarding their misrepresentations to investors around high-frequency trading. But what concerned Morgenson was the following, “As has become all too common in these cases, not one individual was identified as being responsible for the activities. Once again, shareholders are shouldering the costs of unethical behavior they had nothing to do with.”

Morgenson identified the reason behind the continued failings of banks “could not be clearer: Years of tighter rules from legislators and bank regulators have done nothing to fix the toxic, me-first cultures that afflict big financial firms.” She believes it is a failure of banks to change their culture. In her piece she quoted the Chairman of FINRA, Richard Ketchum, who said firms that continue to have violations are because of “poor cultures of compliance”. He finds the opposite to be true stating, “Firms with a strong ethical culture and senior leaders who set the right tone, lead by example and impose consequences on anyone who violates the firm’s cultural norms are essential to restoring investor confidence and trust in the securities industry.”

The rules and regulations of compliance can set down the written standards for employees to follow. Yet for a compliance program to be effective, it is much more than the paper part of the program. Morgenson believes that banks must change their culture to help stop these systemic breakdowns. Yet she did not end her piece there as she explored what regulators can do, more than simply talk, to facilitate this change in culture.

She considered two separate approaches regulators might consider. The first was suggested by Andreas Dombret, a member of the executive board of Deutsche Bundesbank, who noted, “Most companies have codes of ethics, but they often exist only on paper.” To help make the message of doing business ethically and in compliance, he also suggested banking regulators could help encourage a more ethical approach by routinely monitoring how a bank cooperates with the regulatory authorities particularly in an oversight rule. Finally he asked, “How often is the bank the whistle-blower?” He felt this question was important because “Not only to get a lesser penalty but also to show that it won’t accept that kind of behavior. We are seeing more of that.”

These suggestions would seem to be more aligned with an industry with significant oversight, such as banking. So I found the second area she explored more directly applicable to the Foreign Corrupt Practices Act (FCPA. It met her criticisms that it was either the shareholders or perhaps the company D&O insurance carrier who foot the bill for any FCPA violation.

She explored an idea posited by Claire A. Hill and Richard W. Painter, professors at the University of Minnesota Law School, in a new book they published, entitled “Better Bankers, Better Banks”. In this book the law professors urged “making financial executives personally liable for a portion of any fines and fraud-based judgments a bank enters into, including legal settlements. The professors called this “covenant banking.”

This covenant banking plan had some very interesting elements that spoke to the issue of individual v. corporate liability, similar to the discussion compliance professionals have engaged in since the release of the Yates Memo. Morgenson said the covenant banking plan “contains a crucial element, requiring the best-paid bankers in the company to be liable for a fine whether or not they were directly involved in the activities that generated it. Such a no-fault program, the professors argued, would motivate bankers not only to curb their own problematic tendencies but to be on the alert for colleagues’ misbehavior as well.” She quoted the book’s authors stating that this plan would help to change corporate culture as it “discourages bad behavior and its underlying ethos, the competitive pursuit of narrow material gain.”

Moreover, the professors believe, “If bankers aren’t willing to institute a system involving personal liability, regulators and judges could require it as part of their settlements or rulings. Something like covenant banking could be included in nonprosecution agreements. Or a judge overseeing a case in which a company is paying $50 million could require individuals to pay $10 million of that personally.” Finally, “A regulator could give a company the choice of a far lower fine if it were to be paid by managers, not shareholders. A company choosing to pay the higher fine and billing it to the shareholders would have some explaining to do”.

While most banks or non-financial institutions subject to the FCPA might well be reluctant to put such corporate strictures in place, it certainly could be a part of a civil penalty which comes before a court for review and consideration, such as when the Securities and Exchange Commission (SEC) goes to court when filing a Cease and Desist order in a FCPA enforcement action.

The Yates Memo recognized that individual accountability will help to drive compliance with the FCPA. The problem in going after individuals is that it is often difficult to pinpoint any single or series of actions by a senior manager that may have lead to the violation. It can be as nefarious as the General Motors (GM) nod or simply the diffusion of liability was the basis for the original creation of the corporate structure long ago.

Yet, by focusing on corporate culture Morgenson, the banking industry and banking regulators are hitting on a key theme. Paper programs are only that if there is not the culture of compliance set by senior management that the company will follow the rules. I was also intrigued that both FINRA Chairman Ketchum and banker Dombret recognized the business problem which poor cultures of compliance led to, lack of faith in capital markets and the securities industry. If companies will work to enhance culture, they move to addressing this most serious and long-term business issue.

Spud Webb was the first ‘Little Big Man’ in the modern era of the NBA. His 12-year run of success led to players such as the five-foot, five-inch Earl Boykins and five-foot, three-inch Muggsy Bogues. In 2006, 5’9” Nate Robinson of the New York Knicks became the second-shortest player to emerge victorious in the NBA slam-dunk contest. Webb changed NBA culture just as corporate culture can be changed as well.

For a YouTube video clip of Spud Webb at the 1986 Slam Dunk contest, click here.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

SECThe Foreign Corrupt Practices Act (FCPA) enforcement journey, which began last summer with the guilty plea of Vicente Garcia for the payment of bribes to obtain contracts in Panama for his employer, SAP International, ended this week with the release of the Securities and Exchange Commission (SEC) civil action against the parent of SAP International, SAP SE, a German company. The case was concluded via a Cease and Desist Order (the “Order”). The fine was a relatively small $3.7MM with prejudgment interest of another $188K.

The facts were straightforward, which Garcia had previously admitted to in his guilty plea and sentencing hearing last December. He circumvented SAP internal controls to create a slush fund from which to pay bribes. To do so, he had to actively evade an internal compliance system that had stopped him from hiring a corrupt agent to facilitate the bribe payments. Frustrated by the success of the SAP compliance function to stop his initial bribery scheme, he then turned to using a previously approved distributor to facilitate the payment. He did so through giving this distributor an extra ordinary discount. The corrupt distributor then sold the SAP products to the Panamanian government at full price and used the price difference to fund the bribes to the corrupt government officials. This led to a $14.5MM sale to the distributor with $3.7MM in profits to SAP. Hence, the amount of profit disgorgement.

The bribery scheme is a clear lesson for any company that utilizes a distribution model in the sale chain. Bill Athanas, a partner in Waller Lansden Dortch & Davis LLP, has articulated a risk management technique for this type of bribery scheme, which he has called Distributor Authorization Request (DAR) and it provides a framework to help provide a business justification for any such discount, assess/manage and document any discount offered to a distributor. 

It begins with a DAR template, which is designed to capture the particulars of a given request and allows for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation in the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

Yet in addition to the DAR risk management technique advocated by Athanas is more robust transaction monitoring in your compliance program going forward. As noted in the Order, one of the remedial measures engaged in by SAP after the bribery and corruption was detected was that the company “audited all recent public sector Latin American transactions, regardless of Garcia’s involvement, to analyze partner profit margin data especially in comparison to discounts so that any trends could be spotted and high profit margin transactions could be identified for further investigation and review.”

This is the type of transaction monitoring which a Chief Compliance Officer (CCO) or compliance practitioner traditionally does not engage in on a pro-active basis. However this is clearly the direction that US regulators want to see companies moving towards as compliance programs evolve.

Here a couple of questions would seem relevant. What happened? and How do you know? In answering these questions, it is clearly important that there should be an understanding of the business cause of significant sales and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. While a company would usually only consider an analysis of variations at the level at which the sales increase was material, this was not the path taken by SAP in their post-incident investigation. Moreover, such a sales increase would most probably be material for the Panama region and certainly for the employee in question.

Once the appropriate level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on discounts to distributors; etc., might help to get at the true underlying reason for a spike in sales. Further, a company should review its findings over subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.

A final lesson to be considered is when you have an employee like Garcia. Is he a rogue employee? Does rogue mean his behavior is only sociopathic so that he appears to operating within the rules? Or were there clear signs that greater scrutiny needed to put in place? What about his clear attempt to bring in a corrupt agent, at the last minute of a deal to facilitate it? This is a clear red flag and was not approved by SAP compliance. Does this put the company on notice that an employee is not only willing to go beyond the rules but also engage in illegal conduct down the road? How many passes does such an employee get before they are shown the door?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

LBJ-Box 13
The political season is finally upon us, with the Iowa Caucuses starting the race to the White House. In honor of this election cycle commencement, we pay tribute the long and time-honored Southern tradition of midnight voting, where people who have or had reposed for long periods in local cemeteries miraculously arose to vote when needed in elections. In Texas this event is most honored in the first election of Lyndon Johnson to the Senate in 1948, where Johnson won the election by 87 votes out of 988,295 cast statewide. (Thereby garnering the nickname Landslide Lyndon.)

Midnight voting came into play as the winning margin was provided sometime after the first results came, from a single voting precinct in Jim Wells County, Box 13, where Johnson astoundingly secured 202 previously uncounted votes that were somehow ‘found’. It later turned out that the names of the voters came from deceased residents of the county. Also rather amazingly none of those voters denied that they had not in fact voted for Johnson.

The moral of the story – the dead can get you out of a lot of problems. And people say Texans are slow on the take.

I thought about Johnson, Box 13 and midnight voting when reading about the ongoing corruption issues around the Prime Minister of Malaysia, Najib Razak. The issues surround how $681MM mysteriously appeared in his personal bank account. I said ‘mysteriously’ because the PM said it was a personal gift from the prior King of Saudi Arabia. I said prior King; that is because he is dead and is no longer available for comment about whether or not he actually made the gift. As to the living Saudi government, it denies there is any record of such a payment.

Matthew Stephenson, writing in his Global Anti-Corruption Blog, in a post entitled “Malaysia’s Anticorruption Credibility Problem, noted that the Malaysian Attorney General, Mohamed Apandi Ali, said the money was a “political donation” and the money was provided “without any consideration”. Moreover the PM had returned some $620MM of the money and “had not done anything unlawful.”

Being a good Texan, I recognized midnight voting has moved over to the corruption and money-laundering arena in Malaysia. Stephenson, with perhaps more intellectual rigor, stated “it’s more than passing strange that he [the PM] didn’t just announce that it was a political donation form the Saudi royal family right away.” Stephenson also queried about the difference between the amount received, $681MM and the amount returned, $620MM. Stephenson posed a couple of reasonable questions “Where did it go? What was it spent on?” Maybe the spare $61MM is for the PM’s household account.

Yet just when I was fired up to go see the first Houston appearance of the Broadway hit, All The Way, which is about LBJ and the passage of the Civil Rights Act; things got decidedly worse for the Malaysian government when last week the Swiss government announced initial findings in a separate corruption and money-laundering investigation. In an article in the Wall Street Journal (WSJ), entitled “Swiss Prosecutors Say Malaysia Funds Diverted, John Revill reported, “Switzerland’s top prosecutor said $4 billion may have been appropriated from state-owned companies in Malaysia.”

These allegations center on the Malaysian sovereign wealth fund, 1Malaysia Development Berhad (1MDB). Michael Peel and Jeevan Vasagar, writing in the Financial Times (FT), in an article entitled “Swiss wreck effort to contain 1MDB scandal”, said the Swiss investigation, “follows a case opened last August against two unnamed former 1MDB officials on charges including bribery. The Swiss attorney-general said there were “allegations of criminal conduct” in four cases involving 1MDB, in a period spanning 2009 to 2013.” The reporters went on to note, “the four cases involved a “systematic course of action carried out by means of complex financial structures”. They added the cases related to five companies: PetroSaudi, a Saudi Arabia-based oil group with offices in the UK and Switzerland; SRC, a former subsidiary of 1MDB; Genting and Tanjong, two Malaysian conglomerates involved in leisure and property; and ADMIC, a joint venture between 1MDB and Aabar Investments, which is controlled by Abu Dhabi’s International Petroleum Investment Company.”

Even Singapore has become involved, as reported by the BBC Online, in an article entitled “Malaysia 1MDB scandal: Singapore seizes bank accounts”, they said, “The authorities in Singapore say they have seized a large number of bank accounts as part of an investigation into possible money-laundering linked to a fund owned by the Malaysian state.” The article went on to note, “Singapore said it would not tolerate being used as a refuge for illicit funds. In a joint statement by its central bank and the police’s anti-fraud agency it said: “In connection with these investigations, we have sought and are continuing to seek information from several financial institutions, are interviewing various individuals, and have seized a large number of bank accounts.””

So now we have moved from ‘a dead guy gave me $681MM’ to potentially $4bn gone from the country’s sovereign wealth fund. What is the lesson to be learned from such ethereal activities? For the compliance practitioner, it points to the need not only to keep abreast of current events but also to know who your counter-parties are in any relationship. If your company has done business with 1MDB in the past now would be a very propitious time to review all those contracts, review your documentation of third parties involved, perform transaction analysis on the gifts, travel and entertainment expenses of any employees involved in securing those contracts and then take a very hard look to see if there are any way pools of money could have been generated to pay bribes, even if only through contract discounts.

Has your company had any interactions with PM Razak? One might think with his (apparent) $61MM in pocket money he kept from the dead Saudi King’s gift, he would not have asked for anything from your company. Yet you had probably take a close look at any interactions. As Stephenson detailed in his blog post, the entire credibility of the Malaysian government has been called into question over these allegations and the government’s response thereto.

Finally, what about the company’s named in the Swiss investigation into the potential $4bn? If your company has any interactions or contracts with such entities, now might be a very good time to make sure you have engaged in all five steps in the lifecycle of third party management. If you are considering doing business with these entities, you may well want to put those plans on hold and do some deeper digging. It is all in the public record now and there is no excuse not to investigate going forward.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Data Analysis Quick Start MethodologyToday, I continue my exploration of data analysis with Joe Oringel, co-founder and Managing Director of Visual Risk IQ, a consulting firm that helps audit and compliance people see and understand their data. Today, we look at how to set up a data analysis program and how to use it to help monitor for a compliance program.

I asked Oringel how he helps clients think through a project that involves data analytics. As a lawyer, I was intimidated by the issues of not only how to get the data but how to use it going forward. Oringel then laid out their firm’s five-step process and said that for any Visual Risk IQ analytics project, the steps are: (1) Brainstorming, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Step 1 – Brainstorming

It all begins with Step 1, brainstorming. Any data analysis project in a compliance setting, or any business context, begins by picking the business questions to answer with data. So in an initial meeting, Visual Risk IQ’s team might ask one or more of the following opening questions: What do we expect to find if we do a detailed review of this data? What policies should have been followed? What would a mistake or even fraud look like? The data to be reviewed could be expense reports, accounts payable invoices, or sales contracts. The key to successful brainstorming is to identify the questions you want to ask and answer, and then identify the digital data sources that can best answer these questions. This process should be iterative, with questions being refined based on the available sources of digital data. This brainstorming process that Oringel and his team uses is central to their work with helping clients to develop queries specific to their organization.

Step 2 – Acquire and Map the Data

Acquiring and mapping data can be a technical step, but most modern software can create files that can be easily read by basic data analysis software, such as Microsoft Excel, as well as more advanced tools. Mapping data is simply identifying, naming, and categorizing the data fields (e.g. text, dates, numbers) so that the software tool can best interpret the data for analysis. Many data sources are internal (e.g. sales or expense transactions) but increasingly external sources from vendors and business partners are used too. Even the US Government is an occasional data source for analytics, as various Federal Departments publish watch lists of debarred individuals and companies.

Once the data is loaded into the analysis tool, control totals should be compared to source systems for completeness and accuracy. Oringel recommends comparing record counts, grand totals, and even selected balances for a sample of records to make sure that nothing was lost in translation into the data analysis tool. Once data is confirmed to be complete and accurately loaded and mapped into the analysis tool, then the real fun can begin.

Step 3 – Writing the Queries

Oringel identified Step 3 as writing the queries. Though it can be valuable to double-check the accuracy of reports that are provided from existing internal and external systems, Oringel recommends using data analysis to answer questions that are not readily reported from internal systems. Often comparing data across multiple data files can yield the most interesting results.

While writing queries surely sounds technical, it can be quite simple. Sorting data from oldest to newest or biggest to smallest is often only a few clicks of the mouse. Once sorted by several different columns, business insights can be quick. Writing queries is simply writing the business questions you laid out in the brainstorming session, and using software in a way that makes it easy to understand the answers.

A simple example would be “Show me any purchasing transaction that didn’t have the proper pre-approval.” This answer can be identified by comparing the dates between purchase orders and invoices, and then looking for any vendor invoice date that is prior to the purchase order date. Other query techniques are similarly simple, yet effective.

Step 4 – Analyze and Report Results

Oringel said that Step 4 is to analyze and report the results. I have wondered how a compliance practitioner would be able to not only view but then use such information. He said that Visual Risk IQ’s tagline comes from this notion. “See. Analyze. Act.” has been a part of their firm since 2006. By summarizing results in a way that measure something important, an action step becomes apparent. In the example above, if a vendor’s invoice date pre-dated its purchase order then the action step is to understand if the date it was received may be later than the date on the document itself. Perhaps the vendor has backdated that invoice in hopes of earlier payment, instead of our purchase order having been created after the fact to cover up the lack of required pre-approval.

Oringel recommends summarizing the results of data analysis into visual form, for example by showing color, size, and location in a graph, so that the compliance practioner can understand what has happened, quickly see the data and conclude whether the picture supports a decision of whether the transaction was or was not compliant.

  Step 5 – Refine and Sustain

That brings us to Step 5, which Oringel identified as refine and sustain. Part of this step is about about fixing the root cause of any problem identified through data analysis. I certainly believe one of the key functions for any compliance practitioner, and one of the first things you should do, is to make sure any violations of your policies and procedures do not move to an illegal conduct stage.

Yet there are other remedial steps that Oringel believes are critical at this stage. He said that when a condition or transaction is identified as being a potential issue, documenting the next action step and ensuring its proper completion is important. If an employee incorrectly submitted a personal or duplicate expense (e.g. they claimed $20 for a lunch yet they were listed as having attended a lunch paid by someone else on the same day) and they were reimbursed for a personal expense on a travel expense trip report, then the organization should ask for reimbursement of that expense and ensure thorough follow-up.

Consistent action when these circumstances arise is important. Seeking and obtaining reimbursement for improper expenses should not be based on whether the employee is an officer or a manager or an individual contributor, or even the amount of the error.

I turn briefly to the COSO Framework, which was updated in 2013 and became much more prescriptive with respect to the elements of an effective internal control program. There are five objectives under the COSO Framework and the fifth and final objective is monitoring activities. Monitoring activities are those that management should perform to ensure that the control environment, risk assessment, control activities, information and communication layers have been affected.

The only way that I know to make sure that the principles of effective internal controls have been followed are to do some monitoring. Oringel turned to one of his favorite subjects for an analogy, how his children are performing in school. He believes that he and his wife have set a robust “tone-at-the-top” around the importance of attendance, homework and strong academic performance and that they provide some direction for the children about what is important in terms of their results at school. There are some control activities that he can utilize in terms of reviewing their schedule, homework, how much time they spend studying versus playing video games, but the best technique to make sure they are getting the outcomes that they want for them academically is to do some monitoring and an evaluation of their performance.

A way to do that is to monitor their academic performance through the application, in his hometown called “PowerSchool.” It allows the parents and the students, together or separately, to log on and to answer the questions, “Was the homework assignment turned in?”; “What was the grade on the homework assignment?”; “Was the most recent grade better or worse than last time?”; Oringel said, “We use PowerSchool as a data-driven monitoring tool to make sure that our kids are performing in school the way that we want them to.”

Tomorrow we begin to consider some case studies from projects Oringel and Visual Risk IQ have engaged in and how they demonstrate the use of data analysis in an anti-corruption compliance program.

——————————————————————————————————————————————————————————————————————————————————————————————————

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016