Categories
Compliance Into the Weeds

Compliance into the Weeds: The WACKO Enforcement Action Involving BF Borgers

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly look into an absolutely wacko SEC enforcement action involving BF Borgers and its founder and principal, Benjamin Borgers.

The auditing sector was recently rocked by the Securities and Exchange Commission’s (SEC) investigation into BF Borgers CPA, an auditing firm with over 1,600 problematic disclosures. The incident serves as a reminder of the critical role played by audit committees in ensuring appropriate audit procedures.

Only a fraudster can admire the audacity of Benjamin F. Borgers in fabricating audit reports for hundreds of clients, which underscores the need for enhanced governance and regulatory measures to prevent similar incidents in the future.

We discuss the impact on smaller public companies, focusing on their struggles to find competent and affordable audit firms. Matt raises the question of where the companies’ audit committees were during all this fraudulent work. He also speculates on potential legal repercussions for Borgers and his firm. Both perspectives highlight the gravity of the situation, the need for improved oversight, and the potential consequences of such actions.

Key Highlights:

  • Audit Quality Oversight in Regulatory Environment
  • Finding New Auditors After Losing Previous Firm
  • Limited Options for Small Company Auditors
  • Proactive Monitoring of Audit Firms by Committees

Resources:

Matt on Radical Compliance


Categories
31 Days to More Effective Compliance Programs

Day 12 of One Month to Better 3rd Party Management – Auditing of Third Parties

Auditing third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. It is a key way for a company to manage the third-party relationship after the contract is signed, and one the government will expect you to engage in going forward. The 2020 Update, under the section entitled Management of Relationships, poses the following query: Does the company have audit rights to analyze the books and accounts of third parties and has the company exercised those rights in the past? This means you must not only have audit rights but also exercise them.

 Three key takeaways:

1. Be prepared.

2. It is not an investigative interview but an audit interview.

3. Listen, listen, and listen.

Categories
Innovation in Compliance

The Agile Audit with Toby DeRoche

Tom Fox’s guest on this week’s show is Toby DeRoche, a professional auditor and Senior Manager of Risk Management at Verizon. He and Tom talk about the importance of risk assessment and how it has changed in recent years. 

Agile Audit

Agile Audit is simply auditing the things that matter at the current moment. It’s an iterative approach, going through the entire audit lifecycle and compressing it down to the essentials. “We’re saying, so here’s everything that I could audit, but here’s what’s most important to the organization today,” Toby tells Tom. “It’s this continual cycle… giving you the answers to what’s the most burning question you have related to risk and control in your organization today.” 

 

Focus on The Highest Risk

If an audit plan isn’t focused on relevant issues, or the highest risk, no one is going to care how well the auditing plan was executed. Focusing on low-risk issues wastes everyone’s time. “We should be focusing on the things that are the highest risk and only those things,” Toby says. If internal auditors aren’t focused on management support, strategic objectives, and challenges, then they aren’t doing their jobs. 

 

Communicating Vs Reporting

Tom asks Toby to differentiate between communicating and reporting results as an internal auditor. Giving reports is not communication, he responds; it’s just regurgitating facts. “A much more effective way of getting the information across is to make it more digestible,” Toby remarks, because it’s much more impactful, and people can more easily grasp what you’re trying to say. 

 

Looking Ahead

Companies in the future will have no choice but to use the concepts of risk assessment, continuous improvement, and continuous risk assessment. Auditing must be part of the company’s objectives. “Anything that we’re doing that’s not focused on what matters to management and the highest risk to them achieving their goals right now, then we’re completely missing the picture,” Toby stresses. 

 

Resources

Toby DeRoche | LinkedIn  

Only Audit What Matters 

Categories
Great Women in Compliance

Joelle Thorne-Peters – Be Audit You Can Be

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

This week we are pleased to feature Joelle Thorne-Peters who is a Compliance Audit expert.  She shares with us her thoughts on what Compliance audit is about, what to look for when hiring audit professionals and commentary on the enjoyable phrase “You don’t have to be a clown to audit the circus”.

She also shares some perennial issues that are always worth keeping in mind as stones to turn over, an emerging risk for our radars, espouses a view on where Compliance audit should sit in the organization and thoughts on how Compliance can better work with internal audit.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance-related offerings to listen in to. If you are enjoying this episode, please rate it on your preferred podcast player to help other like-minded Ethics and Compliance professionals find it. If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful. You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book, “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020).

If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Blog

Great Structures Week V – The Tacoma Narrows Bridge Failure and Preventing Failure in Your Compliance Program

I conclude my Great Structures Week with a focus on structural engineering failures: suspension bridges and the challenges of wind in their construction and maintenance. I am drawing these posts from The Great Courses offering, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. In his chapter on suspension bridges he notes that the “Tacoma Narrows Bridge was the third longest span in the world when it opened to the world, this month of July in 1940.” Yet it collapsed only four months later, in one of the most famous visual images of a bridge collapsing. This is due to the “inherent flexibility of cable as a structural form”. A bridge can move in longitudinal vibration, that is, up and down, and in torsion, where it twists from side to side.

Most people recognize unstiffened suspension bridges as old as man and engineering itself. It was not until the 1820s that serious study was brought to bear on the issue of wind-related collapse of suspension bridges. The initial solution was to simply use more weight to reinforce the span. However, while that solution did bring some stability, it reinforced damage as the structure became a textbook example of Newton’s Second Law of Motion, which states that the acceleration of an object is dependent upon two variables – the net force acting upon the object and the mass of the object; meaning that once a heavy weight is in motion, it is more resistant to deceleration.

Yet it was scientific methodology that led to the disaster with the Tacoma Narrows Bridge. An engineer named Leon Moisseiff had developed a theory that long spanned suspension bridges were heavy enough that they did not require stiffening trusses because “their mass stabilized them against wind-induced vibrations.” However, this theory failed to take into account how air flows around a bridge and the “dynamic response of the structural system.” Ressler concludes this section by stating, “this case has become a classic symbol of the dangers of arrogance born of overconfidence in science-based design methods, and belt-and-suspenders engineering has made a bit of a comeback.”

I thought about the catastrophic failure of the Tacoma Narrows Bridge in the context of one of the greatest risks in Foreign Corrupt Practices Act (FCPA) compliance: third parties. Many non-compliance corporate employees assume that if a third party passes due diligence muster, they are in the clear. After all, you cannot stop a third party from making a bribe or other corrupt payment. Fortunately, the Department of Justice (DOJ) does not take such a myopic view as many business types. Under the FCPA, a company is responsible for the actions of its third-party representatives.

The real work around your third-party compliance program begins after the contract is signed, in the management of the third-party relationship. While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”, Diana Lutz, in “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

Carol Switzer, writing in the Compliance Week magazine, set out a five-step process for managing corruption risks, which I have adapted for third parties.

  1. Screen – Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit – Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Additionally, there are several different functions in a company that play a role in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party with which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. This role can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

3rd Party Oversight Committee

A company can have a Third-Party Oversight Committee review documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group, but the key is to have senior management put a ‘second set of eyes’ on any third parties who might represent a company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a way to deliver additional management of that risk.

After the commercial relationship has begun, the Third-Party Oversight Committee should monitor the third-party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third party. The Third-Party Oversight Committee should review any reports of any material breach of contract, including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Third-Party Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Third-Party Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

 Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed.

Perhaps now you will understand why I say that managing the relationship with your third parties is where the real work of your FCPA compliance program comes to the fore. It also demonstrates a key difference between having a paper compliance program and doing compliance. Having a paper compliance program is simple but doing compliance is not always easy; you have to work at it to maintain an effective program.

I hope that you have enjoyed this week’s offering based around some of the world’s greatest structures, their engineering concepts and innovations and how they all relate to a best practices compliance program. I am a huge fan of The Great Courses offerings and if you are interested in learning in a great many areas it is one of the best resources available to you.

Categories
Blog

Practicing Compliance

As usual during the Oscar season, Richard Lummis, my co-host on the podcast series 12 O’Clock High, a podcast on business leadership, and I do a special 4-part podcast series on Best Picture winning Oscar movies. We mine them for leadership lessons for the compliance and business leader in the 2020s. It is also a great way to watch some fabulous old movies or even some which are not so old. Some movies are very intuitive on leadership lessons. Movies like Patton, Lawrence of Arabia or The Bridge on the River Kwai are clearly about leadership as well as multiple other themes.
This Oscar season we have a lineup of Schindler’s List, Gladiator, A Man for All Seasons and Platoon. The series premieres on Thursday, February 10, and runs for four consecutive weeks. I hope you will check it out. It is great to sit down with a movie that you may not have seen in years and watch it with an eye towards leadership lessons. Equally enjoyable is reading the commentary on the movie, both film critique and more business and leadership focused commentary.
Next week’s offering will be Gladiator and one of the leadership lessons I garnered from the movie is the need to not only design your compliance strategy but practice it. Practicing is not often talked about in compliance. There is plenty of ink and commentary on designing a compliance program but almost none on practicing it after you design, create and implement it into a best practices compliance program.
One person who does talk about practicing compliance is Jonathan Marks. In a blog post entitled Crisis Management – Lights, Camera, Action! he wrote, “Even the best-prepared organizations will experience a crisis—and there’s rarely a perfect response. The ability to avoid disaster and avoid mismanagement of the situation—will largely be determined by the effectiveness of the organization’s crisis prevention efforts, crisis response plan, proper training of the crisis team, and leadership to manage the crisis effectively.” What is the solution to this imbroglio? Marks answers, “Practice, practice, practice…regularly conduct disaster rehearsal exercises or crisis management simulations that are impactful and help reveal blind spots that can be remediated and ultimately prepare you and your team for not if, but when something ugly happens.”
But you do not have to wait for a crisis to practice. You can do it on a regular basis and on a variety of areas in your compliance program. An obvious place to practice is around your internal reporting system. Can an internationally based employee reach the hotline to report a claim? Have you ever tested that proposition? Does your hotline work in each country where you have employees? In the local language of the employees?
However, being able to pick up the phone and make a hotline complaint is only the starting point. Do you have a triage protocol? Have you tested it? If you are a Chief Compliance Officer (CCO), have you sat down with your compliance team and run through some examples of reports that might come in to see where your team would send them and what advice they would provide at that point? Now think about the cost of performing such a ‘practice’ session. That is right, it would be zero dollars. Always remember as a CCO or compliance professional you are only limited by your imagination and in this case, you can imagine many scenarios and use that imagination to practice your compliance team.
What about practicing formal internal and external audits? To do so you can employ a practice audit. In the practice audit, the team will go through the factors which will be reviewed in a formal audit at your organization. The practice audit is a mechanism by which a compliance team can go into a location or business unit and not only try to determine what might need remediation but, equally importantly, help the employees move towards greater compliance. The team members who perform these practice audits need not always be compliance personnel. This allows you to train as you practice. These practice audits help to uncover gaps that need closing before any of the regulatory mandated audits by external audit teams. Obviously, the entire experience can be a powerful training tool as well as a practice exercise.
In the movie Gladiator, the character Maximus survives several gladiatorial bouts in the Coliseum by practicing. While not often considered in compliance, think about practicing your compliance program to see if it works, determine what can be improved but also train as you are practicing. As I noted above, the cost can be very low even if you bring a seasoned compliance professional to lead the practice session.
Finally, I hope you will check out the podcast series Lummis and I have put together for this year’s Oscar season. We had a ton of fun re-watching the movies, researching the lessons and then recording the podcasts. I know you will both get a lot of leadership and ethical lessons out of these podcasts but also find them quite enjoyable. Happy Oscar Season.

Categories
Innovation in Compliance

Innovation in Compliance-Part 5: The Supply Chain Efficiency Premium

Today, as we conclude our five-part podcast series on an innovative approach to managing third party risk, we consider how to use this information going forward. I have been joined by James H. Gellert, the Chairman and Chief Executive Officer (CEO) of Rapid Ratings International Inc. (RapidRatings), the sponsor of this special series. Our conversation has been on helping companies manage their third-party supply chains through financial health. The RapidRatings approach is incredibly innovative, with a series of products and services that should be considered by the compliance practitioner. In our final episode, we discuss the supply chain efficiency premium.

I began by asking Gellert the following: What is the ability of the compliance, procurement, credit professional and other cross functional areas to have seamless communication of their data analytics and findings? Obviously, this is vitally important given the hindrance of siloed information across those different business units. He stated, “what we are finding is the most evolved and sophisticated risk management programs are making sure that each one of those areas that may touch on risk is in some form or another connected with the others on findings, so there’s efficiency in that process”; from the Chief Information Officer (CIO) to the Chief Compliance Officer (CCO) to the Chief Financial Officer (CFO).
This means that data and analytics should be shared across business units to benefit from the supply chain. It also means continuous monitoring and understanding that a deterioration in a company’s financial health could be an indicator of problems. Further, fraud, and even corruption, is more likely to occur when the company is weak and under extreme financial duress and pressure. This is why having a leading indicator like the Financial Health Rating (FHR) is critical: it can communicate to a compliance professional when a company is weakening and enables risk management to be focused on those suppliers who require a more focused risk management solution.
Gellert related that another “big part of it is making sure that everyone in your organization is speaking from a common language and that the analysis and the findings are shared. This means developing workflow efficiency and also creating a return on the investment for an overall risk management program.” It also allows companies to help their suppliers. Finally, it allows your organization to have a dialogue with suppliers. “It comes from transparency around financials and other risk areas and being able to perform the appropriate risk analysis that can be fostered through a dialogue. The more a company understands the problems that its supplier may have, the more it can do things to help that supplier through those problems.”
The bottom line is that companies want to continue to work with their suppliers. It is not good or even efficient business to engage in looking for ways to stop working with them. Working with a supplier in a collaborative way to help them through times of difficulty benefits everyone, and it allows a company that is engaged in risk management and invested in a risk management process to demonstrate the return on investment to the finance side of an organization.
With this process in place, you can develop a well mapped out workflow for handling problems when they arise so that if one comes up, it allows your organization to repurpose and reuse the workflow. Gellert said it “allows for maximum leverage, maximum workflow efficiency.” Once the “tools necessary to put these systems and process are in place, they can be replicated.” Lastly, “When that occurs, the business efficiency and the gain that can come from this kind of an analysis on financial health and other risk areas really does pay dividends in the companies that do it, I think are benefiting significantly across all the different business units that it touches.”
Gellert concluded, “It’s about creating ecosystem that can grow with your business. When your business is doing well, the last thing you want to do is have the opportunity to expand, but then all of a sudden there is a problem in your supply chain that you could have avoided, but you were not being proactive enough to do so. It is very much about creating the most resilient supply chain where you are reducing risks, but you’re also expanding the opportunities to grow over time.” This is the real supply chain efficiency premium.
This podcast series is sponsored by Rapid Ratings International, Inc. For more information, check out their website at www.rapidratings.com.