Categories
Blog

How to Evaluate a Risk Assessment

After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, the effort you spend addressing it will be misdirected. As Ben Locwin explained in his BioProcess International article entitled Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies:

Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.

William C. Athanas, a partner at Holland & Knight, in an article in Industry Week entitled Rethinking FCPA Compliance Strategies in a New Era of Enforcement, posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where virtually all violations are committed by just a few people. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey-stick,” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions, on those employees with the greatest means and motive to commit a violation.

The 2023 ECCP provided the following:

Risk Management Process—What methodology has the company used to identify, analyze, and address the particular risks it faces? What information or metrics has the company collected and used to help detect the type of misconduct in question? How have the information or metrics informed the company’s compliance program?

Updates and Revisions—Is the risk assessment current and subject to periodic review? Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls? Do these updates account for risks discovered through misconduct or other problems with the compliance program?

In the Treasury Department’s 2019 Framework for OFAC Compliance Commitments (OFAC Framework), the Department provided greater clarity by stating the following in the section entitled Risk Assessments:

II. The organization has developed a methodology to identify, analyze, and address the particular risks it identifies. As appropriate, the risk assessment will be updated to account for the conduct and root causes of any apparent violations or systemic deficiencies identified by the organization during the routine course of business, for example, through a testing or audit function.

A way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.

There are several ways to look at ‘Likelihood’ factors. An event can be highly likely if it is expected to occur. An event can be likely where there is a strong possibility that it will occur, or where it may occur at some point even if there is no history to support it. An event can be possible where there is sufficient historical incidence to support it. Finally, an event can be unlikely and not expected, with only a slight possibility that it may occur. Factors to consider in responding to likelihood include the existence of controls; written policies and procedures designed to mitigate risk; the capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs.

The priority rating combines the likelihood rating with ratings that reflect the significance of a particular risk within the risk universe. It is not a measure of compliance effectiveness, nor a way to compare efforts, controls or programs against peer groups.

The most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These become the focus of your most significant risk management efforts, coupled with audit and monitoring going forward. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program, rather than letting the compliance program inform the risk assessment.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 18 – Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based on a risk assessment, on an understanding of your organization’s business from a commercial perspective, on how your organization has identified, assessed, and defined its risk profile, and, finally, on the degree to which the program devotes appropriate scrutiny and resources to this range of risks. The 2023 ECCP added a new emphasis on the cadence of Risk Assessments, mandating that risk assessments should be done not less than annually, but in reality, they should be done each time your risk changes. Over the past couple of years, every company’s risks have changed from going to Work From Home to Return to the Office to the Hybrid Work environments of 2024. What about geopolitical issues, the supply chain, or even potential compliance risks in the 2024 election cycle? Have you assessed each of these new paradigms for risks from a compliance perspective?

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable as your starting point.

Three key takeaways:

1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.

2. The DOJ will now consider both your risk assessment methodology for identifying risks and the gathered evidence.

3. You should base your compliance program on your risk assessment.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 17 – Podcasts for Compliance Training and Corporate Culture

One of the biggest benefits of podcasting is that it allows a compliance function to connect with their audience on a more personal level. Unlike traditional forms of advertising, which often come across as impersonal and sales-driven, podcasts enable businesses to build a loyal following by offering valuable and engaging content. This can include interviews with industry experts, behind-the-scenes glimpses of the business, and informative discussions on relevant topics.

Now take these same concepts of audience engagement and apply them internally to an organization. What do you potentially have? A mechanism to engage your employees, to engender trust, and to improve your overall corporate culture. Do you think this is a crazy way to improve culture? Think again about all the advantages podcasting has in place already.

A major US consumer product company started a podcast and had corporate executives on it. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve.

Since you are only limited by your imagination in compliance, why not use some of that imagination to be creative in your compliance training and communications?

Three key takeaways:

1. Use podcast storytelling to tell longer, more involved stories about compliance.

2. You can use compliance department-branded podcasts to have ongoing communications about compliance.

3. A Daily Compliance News show will drive engagement.


Categories
Great Women in Compliance

Great Women in Compliance – Marlene Olsavsky and Kim White on Working with Stakeholders

Welcome to the Great Women in Compliance Podcast. Today Lisa Fine and Ellen Hunt visited Marlene Olsavsky and Kim White.

Kim White and Marlene Olsavsky are both seasoned professionals with extensive experience in the ethics, compliance, and business leadership fields. Kim, with over 20 years of experience in the ethics and compliance field, believes in promoting collaboration, compliance, and diversity through proactive communication and building strong relationships with business leaders. She emphasizes the importance of understanding the strategies and goals of business leaders and involving all parts of the team in driving them forward. Marlene, with 27 years of experience in global leadership at Pearson, views compliance as essential for the success of a business. She emphasizes the importance of education, ownership, and accountability in promoting compliance within the organization and believes in setting expectations with leaders across the organization and acting on compliance issues with a sense of urgency and trust. Join Lisa Fine and Ellen Hunt as they delve deeper into these perspectives with Kim White and Marlene Olsavsky on this episode of Great Women in Compliance.

Key Highlights:

  • Kimberly White’s Leadership in Ethics and Compliance
  • Marlene Olsavsky’s Global Leadership at Pearson
  • The Crucial Partnership for Organizational Success
  • The Crucial Partnership Between Compliance and Business
  • Real-World Examples: A Tactical Approach to Compliance
  • Creating an Inclusive and Equitable Workplace
  • Embracing Growth Through Lifelong Learning

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Categories
Blog

Podcasting for Compliance Training and Corporate Culture

If there is one truism from the practice of law that translates to the practice of compliance, it is that you are only limited by your own imagination. This holds true in the 360-degree realm of communication in compliance, as communications obviously come in many forms. Many compliance practitioners will well remember the 2012 Morgan Stanley declination. In this first declination made public, the Department of Justice recognized Morgan Stanley for emailing out 35 compliance reminders to Garth Peterson over seven years. Think about the power of 360 degrees of communications in the context of compliance reminders. Now imagine the power of short ethics and compliance video training clips going out over the same period of time and the effect it would have both on your employees and on the regulators.

Podcast Storytelling

Why not tell the story of compliance through a podcast? I call it podcast storytelling, and it can be a powerful tool. Each podcast series is a 5-part series and constitutes one story arc. The podcasts are about 10–15 minutes in length. The podcast storytelling series can be a variety of interviews led by a noted podcast host such as the Voice of Compliance, by yourself as the CCO, or by anyone from your organization. It can be an interview with one or more people, or it can be a solo podcast.

While there would be a fully integrated story line, each podcast and its accompanying text is a stand-alone piece of compliance training and communications that could be used by anyone at your organization. The podcasts could be pushed out internally as well as via your organization’s social media channels. There is a full panoply of podcast sites available, such as iTunes, Spotify, iHeartRadio, Google Pods, and Amazon. From each podcast, you can create multiple short audio clips or other forms of social media sharing materials, with key quotes and lessons learned presented as podcast cover art.

A series such as this allows your organization not only to tell a story more effectively but also to reach a much larger audience than in any other format—live, audio-video or in-person. Yet there is another reason why you should consider this type of approach for compliance training and communications. It will provide you with the equivalent of market research and feedback. The numbers of listeners and downloads will give you a reliable source of data that you can use in other communications and trainings.

Compliance Department Branded Podcasts

Want another option? How about a fully-produced, branded podcast series for your internal compliance function. It could be two 25–30-minute episodes per month, with the guest selected by your compliance team. This format allows your corporate compliance function to tell the story of its greatest asset, its people, through interviews. Cannot get out of the country to travel? Still working remotely? Your branded podcasts give you a way to reach your employees as we continue to struggle through the Covid-19 variants. You can use the branded podcast to tell the story of compliance successes in your organization. You can include other departments to share their successes, too. As with the podcast storytelling series, it would be done in a collaborative manner working with your communications team.

Compliance News of the Day

Want to make some short and snappy compliance communications? How about “Compliance News of the Day”? Have a daily curated news show of 3–4 compliance stories with a short summary of each story and how it relates, from a compliance perspective, to your organization. Make it fun so your employees want to check in daily. When the DOJ comes knocking and asks how often you send out compliance communications, you can point to your Compliance News of the Day as a great starting point.

As a compliance practitioner, you should strive to bring more storytelling into your compliance messaging, training, and communications. If you put the employee in the shoes of the person they’re watching, they will remember it, because they will see how it applies to their lives. Such training and communication experiences will last much longer than if you drone over a written policy or show a PowerPoint. Marc Havener has called this “expanding your classroom.” Ronnie Feldman calls this bringing memorable storytelling to your compliance communications and training.

Using Podcasts to Improve Corporate Culture

One of the biggest benefits of podcasting is that it allows a compliance function to connect with their audience on a more personal level. Unlike traditional forms of advertising, which often come across as impersonal and sales-driven, podcasts enable businesses to build a loyal following by offering valuable and engaging content. This can include interviews with industry experts, behind-the-scenes glimpses of the business, and informative discussions on relevant topics.

Now take these same concepts of audience engagement and apply them internally to an organization. What do you potentially have? A mechanism to engage your employees, to engender trust and improve your overall corporate culture. Do you think this is a crazy way to improve culture? Think again about all the advantages podcasting has in place already.

A major US consumer product company started a podcast and had corporate executives on it. Who were the biggest fans of the podcast? It turned out it was the company employees, many of whom had never met their corporate executives. This allowed the executives to be humanized in a way no number of town hall meetings or other similar corporate events could ever achieve.

Since you are only limited by your imagination in compliance, why not use some of that imagination to be creative in your compliance training and communications?

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 16 – Tailored and Effective Compliance Training

One of the key goals of any compliance program is to train employees in awareness and understanding of the FCPA, your specific company compliance program, and to create and foster a culture of compliance. While it seems axiomatic that compliance training is the mainstay of any best practices compliance program, the conversation around training has evolved over the years.

The importance of determining the effectiveness of your compliance program has been enshrined by the DOJ. The 2023 Update confirmed that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still struggle to determine. Both the simple guidelines suggested herein and the more robust assessment and results provide you with a start to fulfilling the precepts set out by the DOJ, as you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three key takeaways:

1. How and why have you tailored your compliance training and how do you determine its effectiveness?

2. Try an “espresso” shot of training

3. Present your training in both local languages and a variety of media.


Categories
Innovation in Compliance

Innovation in Compliance – Steve Vincze on Building Trust: Overcoming Challenges as an Outsider

Innovation comes in many forms, and compliance professionals need to not only be ready for it but also embrace it. My guest in this episode is Steve Vincze, founder of Trestle Compliance.

Steve Vincze is a seasoned professional with a rich background as an in-house corporate commercial compliance lawyer, specializing in building trust and implementing compliance programs in businesses. His perspective on the subject is rooted in the belief that developing a human connection is key to building trust and implementing successful compliance programs. Drawing from his experience, including being recruited by Tap Pharmaceuticals to implement their first compliance program, he emphasizes the importance of modeling the behavior he wants from others and creating an environment where people feel comfortable sharing. He views compliance programs as tools to empower individuals rather than restrict them, and he strives to change the perception of compliance by demonstrating that it can be a tool for confidence and success. Join Tom Fox and Steve Vincze on this episode of the Innovation in Compliance podcast to learn more about his unique approach.

Key Highlights:

  • Establishing Trust through Human Connection
  • Experienced Professionals Providing Comprehensive Consulting Solutions
  • Expert Compliance Program Implementation Services
  • The Impact of Artificial Intelligence on Data Security

Resources:

Steve Vincze on LinkedIn

Trestle Compliance


Categories
Blog

Tailored and Effective Compliance Training

One of the key goals of any compliance program is to train employees in awareness and understanding of the FCPA and your specific company compliance program, and to create and foster a culture of compliance. While it seems axiomatic that compliance training is a mainstay of any best practices compliance program, the conversation around training has evolved over the years. The 2020 FCPA Resource Guide, 2nd edition, started the conversation by stating:

Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.

Beginning in the fall of 2016, with the announcement of the FCPA Enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This conversation continued with the 2017 Evaluation, which asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training. It evolved further in the 2023 ECCP with the mandate that training must be “truly effective”. Finally, the training must be presented in a language the employees understand, which means a local language if the training is delivered outside the US or in other non-English-speaking countries.

Also raised in the 2017 Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. This added two requirements. The first was to assess your employees for risk, by risk ranking them, to determine the type of training you might need to deliver. Obviously, the sales force would be the highest risk, but there may be others who are deserving of high-risk training as well. From this risk ranking, you were required to develop tailored training for the risks those employees will face.

The 2023 ECCP spelled this out in greater detail. It stated, “Prosecutors should assess … periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise. … for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on how to obtain ethics advice on a case-by-case basis as needs arise. Other companies have invested in shorter, more targeted training sessions to enable employees to timely identify and raise issues to appropriate compliance, internal audit, or other risk management functions. Prosecutors should also assess whether the training adequately covers prior compliance incidents and how the company measures the effectiveness of its training curriculum.”

Under Training and Communication, the following questions were posed by the DOJ:

Risk-Based Training—What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred? Have supervisory employees received different or supplementary training? What analysis has the company undertaken to determine who should be trained and on what subjects?

Form/Content/Effectiveness of Training—Has the training been offered in the form and language appropriate for the audience? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? Has the training addressed lessons learned from prior compliance incidents? Whether online or in-person, is there a process by which employees can ask questions arising out of the trainings? How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing? Has the company evaluated the extent to which the training has an impact on employee behavior or operations?

I would suggest that you start at the beginning with an evaluation of your compliance training and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and Board members have attended compliance training. You should review the documentation and confirm attendance. Make your department or group leaders accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

Some other metrics you should consider in the post-training evaluation phase include an increase in hotline use: are there more calls into the compliance department requesting assistance or even asking questions about compliance? Is there a decrease in compliance violations or other acts of non-compliance?

Consider using surveys to provide feedback not simply on compliance training but to determine the effectiveness of a much wider variety of areas of your compliance program. These surveys can provide critical information on the state of your compliance program and provide substantive feedback for further inclusion back into your compliance program. Testing your program and using that information in a feedback loop is another key component of a best practices compliance program.

What are “espresso shots” of training, and how do they help facilitate effective training? Tina Rampino, Associate Managing Director at K2 Integrity, suggests keeping your compliance training segments concise, as “shorter, bite-size learning is a trend in training programs.” This means that instead of offering half-day and full-day sessions, break programs into shorter segments of 20 minutes or less, which are easier for participants to absorb—and schedule. Jessica Czeczuga, a Principal Instructional Designer, suggested improving training effectiveness through micro-learning and metrics, including the adoption of micro-learning techniques for content delivery, the use of interruptive training methods for behavior disruption, and tailoring targeted training for at-risk employees.

The importance of determining the effectiveness of your compliance program has been enshrined by the DOJ. The 2023 Update confirmed that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still struggle to determine. Both the simple guidelines suggested herein and the more robust assessment and results provide you with a start to fulfilling the precepts set out by the DOJ, as you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Categories
Blog

The SAP FCPA Enforcement Action-Part 1: Introduction

The year in Foreign Corrupt Practices Act (FCPA) enforcement started off with a bang on January 10 with the announcement of a resolution of the outstanding SAP enforcement action. The bribery schemes used by SAP were massive in scope and literally worldwide in geographic area. As usual, Harry Cassin at the FCPA Blog broke the story for the compliance profession. SAP SE agreed to pay the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) approximately $222 million in penalties and disgorgement. SAP also entered into a three-year deferred prosecution agreement (DPA) with the Department of Justice imposing a $118.8 million criminal penalty and an administrative forfeiture of $103.4 million. Cassin went on to note that the DOJ “will credit up to $55.1 million of the criminal penalty against amounts that SAP pays to resolve an investigation by law enforcement authorities in South Africa for related conduct, and up to the full forfeiture amount against disgorgement that SAP pays to the SEC or South African authorities.”

The SEC Press Release noted that the illegal actions included bribery schemes in the following countries: South Africa, Malawi, Kenya, Tanzania, Ghana, Indonesia, and Azerbaijan. SAP was held liable by the SEC based upon its American Depositary Shares (ADRs), which are listed on the New York Stock Exchange, and for violating the FCPA by employing third-party intermediaries and consultants from at least December 2014 through January 2022 to pay bribes to government officials to obtain business with public sector customers in the seven countries mentioned above. The SEC total fine and penalty was nearly $100 million. This figure represents disgorgement to the SEC of “$85 million plus prejudgment interest of more than $13.4 million, totaling more than $98 million, which will be offset by up to $59 million paid by SAP to the South African government in connection with its parallel investigations into the same conduct.”

What They Said

In a DOJ Press Release, Acting Assistant Attorney General for the Criminal Division, Nicole M. Argentieri said, “SAP paid bribes to officials at state-owned enterprises in South Africa and Indonesia to obtain valuable government business. Today’s resolution—our second coordinated resolution with South African authorities in just over a year—marks an important moment in our ongoing fight against foreign bribery and corruption. We look forward to continuing to strengthen our relationship with South African authorities and others around the world. This case demonstrates not only the critical importance of coordinated international efforts to combat corruption, but also how our corporate enforcement policies incentivize companies to be good corporate citizens, by cooperating with our investigations and appropriately remediating, so that we can take strong action to address misconduct.”

U.S. Attorney Jessica D. Aber for the Eastern District of Virginia also noted, “SAP has accepted responsibility for corrupt practices that hurt honest businesses engaging in global commerce. We will continue to vigorously prosecute bribery cases to protect domestic companies that follow the law while participating in the international marketplace.”

Postal Inspector in Charge of Criminal Investigations Eric Shen noted, “When the mails are used in furtherance of a fraud or corruption scheme, borders are not an obstacle for U.S. Postal Inspectors. Postal inspectors, with our FBI law enforcement partners and Justice Department prosecutors, followed the wide-spread trail of bribes and corruption from South Africa to Indonesia. This joint effort resulted in the defendant company paying a significant criminal penalty and agreeing to long-term remedial measures.”

Assistant Director in Charge of the FBI’s Los Angeles Field Office, Donald Alway, added, “This successful resolution against SAP is another example of the power of relationships and persistence. The sustained diligence by the prosecution team and continuous collaboration with South African law enforcement, regulators, and prosecutors identified corrupt activity in multiple countries. The FBI will continue our nonstop efforts to identify, investigate, and prosecute companies willfully engaging in corrupt activities around the world.”

Finally, Charles E. Cain, Chief of the SEC Division of Enforcement’s FCPA Unit, said in the SEC Press Release, “Our order holds SAP accountable for misconduct that spanned seven jurisdictions and persisted for several years and serves as a stark reminder of the need for global companies to be attuned to both the risks of their business and the need to maintain adequate entity-level controls over all their subsidiaries.”

Order and Information

The SEC Order found that SAP violated the FCPA by “employing third-party intermediaries and consultants from at least December 2014 through January 2022 to pay bribes to government officials to obtain business with public sector customers in the seven countries mentioned above.” Additionally, “SAP inaccurately recorded the bribes as legitimate business expenses in its books and records, despite the fact that certain of the third-party intermediaries could not show that they provided the services for which they had been contracted.” Finally, “SAP failed to implement sufficient internal accounting controls over the third parties and lacked sufficient entity-level controls over its wholly owned subsidiaries.”

The DOJ Information found that between approximately 2015 and 2018, “SAP, through certain of its agents, engaged in a scheme to bribe Indonesian officials to obtain improper business advantages for SAP in connection with various contracts between and among SAP and Indonesian departments, agencies, and instrumentalities, including the Kementerian Kelautan dan Perikanan (the Indonesian Ministry of Maritime Affairs and Fisheries) and Balai Penyedia dan Pengelola Pembiayaan Telekomunikasi dan Informatika (an Indonesian state-owned and state-controlled Telecommunications and Information Accessibility Agency).”

Given SAP’s prior FCPA enforcement history, its recidivist status, its culture of non-compliance (at the very least), a non-prosecution agreement (NPA) from 2021 with the DOJ’s National Security Division, as well as administrative agreements with the Departments of Commerce and the Treasury relating to export law violations, one might wonder how SAP was able to receive such a superior result. Over the next several blog posts, we will be exploring that issue as well as a host of others for the compliance professional. I hope you will join me over the next few blog posts.

Monitoring and Improvement of Internal Controls

What happens when controls are continually overridden? Does that necessarily mean that a company is engaging in activities that violate the FCPA or some other law such as Sarbanes-Oxley (SOX)? Cristina Revelo said she would start out with some basic questions, such as “How often would something be manually approved? How often are controls skipped, what are the level of approvals that you have and what is your documentation? What are the reasons, and are you documenting how often a certain department is requiring those overrides?” While frequent overrides could indicate that a company lacks a culture of compliance or that everything is treated as an emergency, they might mean something else entirely: that your internal controls need to be evaluated and then recalibrated. The Department of Justice calls this continuous monitoring leading to continuous improvement. Joe Oringel, co-founder of Visual Risk IQ, calls it continuous controls monitoring.

However, many compliance professionals, and particularly lawyers, think that once a control is in place it is set in stone and there forever. This derives from the unfortunate fact that many compliance professionals and most lawyers do not understand internal controls. Yet internal controls, much like the rest of a compliance program, can and should be continually monitored and continually improved based on information such as the number of overrides. A review of that data can be evidence of a management problem or a culture of non-compliance at the organization. It could equally show that the controls themselves need to be adjusted.

How do you assess and then update your internal controls? At a minimum, companies should review and update their controls at least annually. In this manner, they can identify any violations of their internal controls and take a deep dive into any specific areas of control failure. A more robust approach is to monitor the controls more frequently. For example, you could review your controls quarterly, which allows you to spot any trends that are moving in the wrong direction before the annual review. You can even start by having your compliance function perform a self-review of its controls and test exemplar transactions. This is not a full-blown audit but simply desktop testing to make sure controls are being properly followed. Once again, a control override or excessive use of a compensating control does not by itself mean something is illegal. It may mean that the control is not working as it was designed.

Revelo said it could be an instance of “too short an approval time period and employees need a little bit longer because depending on their industry or how business works. This also helps to both identify frustrations from employees where there is a control, but every time it needs to be executed, it is impossible for me to do, or it’s impossible for me to comply with it a hundred percent.” These quarterly reviews can then be collated into an annual report for review and assessment and the report can form the basis of an annual report to the Compliance Committee of the Board of Directors or even the full Board.

The key is to have a process for monitoring the controls and taking input, literally from each line of defense. If a control is overridden too often, you need to change it. If a control is ineffective, you can use that information to craft a new internal control. Internal controls are not static, but dynamic and, with proper oversight, you can set up internal controls and literally improve them with appropriate documentation. (Hint-Document, Document, and Document.)
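The quarterly override review described above can be automated once override events are logged rather than buried in e-mail approvals. The script below is an added illustration written for this post, not code from Revelo, Oringel or Visual Risk IQ. It assumes a hypothetical control-execution log with one record per run of a preventive control (date, control ID, department, user, whether the standard approval was overridden, and the documented reason); the control IDs, departments, users and the 25% rate threshold are all made up. It rolls the log up by control, department and quarter, then emits three kinds of finding: a high override rate, a rate rising quarter over quarter, and an override recorded with no documented reason.

```python
"""Continuous controls monitoring over a constructed override log (added example)."""
from collections import defaultdict

# Constructed sample log (illustrative, not real company data).
# Columns: date, control ID, department, user, overridden?, documented reason.
SAMPLE_LOG = [
    # Q1: Sales-ID overrides the PO three-way match once in five executions.
    ("2024-01-09", "PO-3WAY-MATCH", "Sales-ID", "u101", True, "urgent go-live"),
    ("2024-01-23", "PO-3WAY-MATCH", "Sales-ID", "u102", False, ""),
    ("2024-02-14", "PO-3WAY-MATCH", "Sales-ID", "u101", False, ""),
    ("2024-03-05", "PO-3WAY-MATCH", "Sales-ID", "u103", False, ""),
    ("2024-03-27", "PO-3WAY-MATCH", "Sales-ID", "u102", False, ""),
    # Q2: the same control is overridden three times in four, once with no reason.
    ("2024-04-08", "PO-3WAY-MATCH", "Sales-ID", "u101", True, "customer deadline"),
    ("2024-05-02", "PO-3WAY-MATCH", "Sales-ID", "u101", True, ""),
    ("2024-05-21", "PO-3WAY-MATCH", "Sales-ID", "u103", True, "vendor onboarding late"),
    ("2024-06-18", "PO-3WAY-MATCH", "Sales-ID", "u102", False, ""),
    # Gift and hospitality approvals in Marketing are never overridden.
    ("2024-02-02", "GIFT-APPROVAL", "Marketing", "u201", False, ""),
    ("2024-04-11", "GIFT-APPROVAL", "Marketing", "u201", False, ""),
    ("2024-06-03", "GIFT-APPROVAL", "Marketing", "u202", False, ""),
]
FIELDS = ("date", "control", "dept", "user", "overridden", "reason")


def load_records(rows):
    """Turn the tuple rows above into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in rows]


def quarter_of(iso_date):
    """'2024-05-17' -> '2024Q2'."""
    year, month = iso_date.split("-")[:2]
    return f"{year}Q{(int(month) - 1) // 3 + 1}"


def override_stats(records):
    """Count [overrides, executions] per (control, dept, quarter)."""
    stats = defaultdict(lambda: [0, 0])
    for r in records:
        key = (r["control"], r["dept"], quarter_of(r["date"]))
        stats[key][1] += 1
        if r["overridden"]:
            stats[key][0] += 1
    return dict(stats)


def review_overrides(records, rate_threshold=0.25, min_executions=4):
    """Return findings for the quarterly controls review.

    Each finding is a recalibration signal, not proof of wrongdoing:
      HIGH_OVERRIDE_RATE    rate for a control in a department >= threshold
      RATE_INCREASING       rate rose versus the previous quarter
      UNDOCUMENTED_OVERRIDE an override was logged with no reason recorded
    Cells with fewer than min_executions runs are ignored to avoid flagging
    a control on one or two events (threshold is an assumed, tunable value).
    """
    findings = []
    # Build a per-(control, dept) series of quarterly rates so that the
    # direction of travel between quarters can be checked.
    series = defaultdict(dict)
    for (control, dept, quarter), (n_over, n_total) in override_stats(records).items():
        if n_total >= min_executions:
            series[(control, dept)][quarter] = n_over / n_total
    for (control, dept), by_quarter in series.items():
        quarters = sorted(by_quarter)
        for i, q in enumerate(quarters):
            rate = by_quarter[q]
            if rate >= rate_threshold:
                findings.append(("HIGH_OVERRIDE_RATE", control, dept, q, round(rate, 2)))
            if i > 0 and rate > by_quarter[quarters[i - 1]]:
                findings.append(("RATE_INCREASING", control, dept, q, round(rate, 2)))
    # Every override must carry a documented reason (document, document, document).
    for r in records:
        if r["overridden"] and not r["reason"].strip():
            findings.append(("UNDOCUMENTED_OVERRIDE", r["control"], r["dept"],
                             quarter_of(r["date"]), r["user"]))
    return findings


if __name__ == "__main__":
    for finding in review_overrides(load_records(SAMPLE_LOG)):
        print(" | ".join(str(x) for x in finding))
```

On the sample data the three-way match in Sales-ID goes from a 20% override rate in Q1 to 75% in Q2, so it is reported both as above threshold and as trending up, and the single undocumented override is attributed to the user who recorded it; the gift approval control produces no findings. Run against a real log, the output is the raw material for the quarterly review and, collated, for the annual report to the board committee.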

Revelo emphasized that it is not simply identifying the issues but remedying them as well, “because that actually might look worse if you identify a lot of issues, but do not fix them. You are better off by remediating everything you are identifying.” From there you can conduct a root cause analysis as to why there was a failure in a control or a violation of a compliance procedure. Revelo concluded, “you need to really do that in an in-depth manner and then remediate.”