Categories
Corruption, Crime and Compliance

DOJ’s Compliance Frontier: Incentives and Disincentives

On this episode of the Crime, Corruption and Compliance podcast, host Michael Volkov discusses the Department of Justice’s recent focus on incentives and disincentives as part of an effective ethics and compliance program. This includes awards for ethical conduct, clawbacks, and deferred payment schemes to hold officers and employees accountable for misconduct, and requirements for executives to be evaluated on their compliance with laws and regulations. Michael also talks about how companies can create appropriate policies and procedures to incentivize and monitor compliance, and how to design and implement a compensation system that ensures compliance.



Key ideas you’ll hear in this episode: 

  • DOJ stresses the need for positive incentives for ethical conduct, including awards and annual employee performance reviews.
  • Companies already have a strong disincentive for engaging in misconduct, which is termination.
  • Recent enforcement actions against companies like Novartis and Wells Fargo have highlighted the gap in the incentive-disincentive framework.
  • DOJ is examining the efficacy of clawbacks and deferred payment schemes as an important alternative to massive criminal fines against companies. This will hold the bad actors accountable, as well as those who had supervisory responsibilities and failed to act.
  • Clawbacks and punishments for bad actors will need to be incorporated into settlements and terminations. Company policies will need to include more protections and discretion to pull back benefits from bad actors.
  • There are a number of issues to consider when implementing a clawback program, including who it applies to, how it is triggered, and how much of the company’s bonus payments should be subject to clawback.
  • DOJ anticipates requiring a wide clawback program that extends to senior management level. Crafting these measures will require a collaborative process within the company involving legal and business representatives, human resources, ethics and compliance, senior management, and potentially union representatives or work councils.
  • Danske Bank is the first to implement a compliance compensation requirement in their settlement papers with the Justice Department. The settlement includes a provision that executives will be evaluated on their compliance efforts and a failing score will make them ineligible for bonuses.
  • Companies need to design and implement compensation systems to incentivize compliance behavior and create disincentives for non-compliant conduct.

 

KEY QUOTES:

“Your company policies are going to have to incorporate more protections and more discretion for the company to pull back on benefits to bad actors. Bad actors here, I mean not just the actual bribe payer or scheme designer, but also those people who failed to conduct proper oversight and monitoring of the department that engaged in the misconduct.” – Michael Volkov 

 

“In practice, companies need to formulate appropriate policies and procedures, document their system, and demonstrate commitment to enforcement of the policies to incentivize compliance behavior and create clear disincentives for noncompliant conduct.” – Michael Volkov

 

“A compliance-oriented compensation system has to be implemented along with other clawback and deferred payment systems.” – Michael Volkov

 

Resources

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Code of Conduct as an Internal Control

In 2016, the SEC announced one of the most interesting non-international-focused FCPA enforcement actions. It involved a clear quid pro quo benefit paid out by United Airlines, Inc. to David Samson, the former chairman of the Board of Directors of the Port Authority of New York and New Jersey. This public government entity has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, New Jersey.

At the time, United’s Code of Conduct prohibited “United employees from directly or indirectly making bribes, kickbacks or other improper payments to government officials, civil servants or anyone else to influence their acts or decisions” and stated that “[n]o gift may be offered or accepted if it will create a feeling of obligation, compromise judgment or appear to influence the recipient improperly.” Only the United Board of Directors could grant a waiver to the code, and none was sought or obtained by Smisek. The Order concluded, “The [Chairman’s] Route was initiated in violation of United’s policies.”

The company was also sanctioned for not having internal controls to prevent such actions as those taken by Smisek. The SEC also found this was a violation of Section 13. This was in the face of a detailed protocol for United instituting or reinstituting a route. The Order stated, “United had insufficient internal accounting controls to prevent approval of the South Carolina Route in derogation of United’s Policies.” All the underlying facts, enforcement theories, and remediation point towards the failure of internal controls when domestic bribery and corruption occur.

 Three key takeaways:

1. It is very unusual for the FCPA to form the basis of a domestic bribery violation.

2. A Code of Conduct can be an internal control.

3. Even a CEO must follow internal controls.

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Great Women in Compliance

Jen Hoar on Corporate Intelligence

Welcome to the Great Women in Compliance Podcast, hosted by Mary Shirley and Lisa Fine. Have you ever wondered about corporate intelligence: what it means, how it is done, and how it relates to our work in ethics and compliance? In today’s episode, Lisa speaks with Jen Hoar, who is a Managing Director at Forward Risk and Intelligence. Jen calls herself a “recovering journalist,” and reflects on how that career path brought her to where she is today.

Lisa and Jen discuss what corporate and human source intelligence are, and the strategies she uses to obtain relevant information.  She also explains the distinction between corporate intelligence and corporate espionage.  They talk about the art of interviewing in her world, and how it is similar – and different – to internal investigations and what many of us do.  Jen also provides some great tips and advice for talking to and connecting with people.

A special thank you to Kelly Paxton for this recommendation, and if you haven’t listened to her podcast, “Fraudish,” you should definitely check it out.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other compliance-related offerings to listen in to. If you are enjoying this episode, please rate it on your preferred podcast player to help other like-minded Ethics and Compliance professionals find it. If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful. You can also find the GWIC podcast on Corporate Compliance Insights, where Lisa and Mary have a landing page with additional information about them and the story of the podcast. Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book: Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance (CCI Press, 2020).

If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Compliance Into the Weeds

ChatGPT for the Compliance Professional

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt and I take a deep dive into ChatGPT, a natural language processing tool that works by indexing every piece of written content on the Internet. We discuss the impact of the Biden administration’s proposals for AI, NIST’s voluntary AI framework, and the utility of ChatGPT in the workplace. What should your organization consider about incorporating AI into both its shipping decisions and mission-critical processes? If you’re interested in efficient and advanced AI technology, you don’t want to miss this episode.

Key Highlights Include

  • Impact of ChatGPT on Jobs - The Quality of ChatGPT for Non-English Speakers
  • The Biden Administration’s Nonbinding Guidelines for Artificial Intelligence.
  • The Benefits of Adopting a Voluntary AI Framework by NIST for Defense Contractors
  • The Impact of Artificial Intelligence on Shipping and Work Processes

 Notable Quotes

  1. “ChatGPT can answer pretty much anything. It won’t necessarily tell you where it is getting this information. It will just give you information pretty much like the way, Tom, I am answering your question right now. Just imagine a text-based bot answering those questions in the same way. That’s what it is.”
  2. “Will it make your job easier? Probably for a lot of people who struggle to come up with written content. Yes, it could. But specifically then for compliance officers, and let’s bring it back to what matters for our audience: Will ChatGPT as used by others make my job harder? Compliance officers, now I think, actually, you have a lot to worry about there, and we could get into that.”
  3. “But I just view this as a huge boom to anyone who is interested in research, anyone who is interested in learning, can’t replace the weekly and business journalist, Matt. So you’re good to go at Radical Compliance.”
  4. “But you have identified really, I think, the heart of the problem that compliance officers need to think about now. Because to me, it’s just 1 more tool.”
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls for Gifts, Travel and Entertainment

Many compliance practitioners believe that employee expense reports are a sufficient internal control over gifts. Because there are other ways in which a gift can be presented, however, other controls must be considered. Once your company policy on gifts has been finalized, the internal controls over expense reports fall into three primary areas:

  1. The expense report format, including what information it requires.
  2. Controls over the submitting employee and the preparation of the expense report.
  3. Controls to ensure the approvers do their review process properly.

Internal controls around gifts can be used in various ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation; however, by using some of the techniques that Howell has suggested, you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. The bottom line is that good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and, thereby, have a better-run company. 

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance internal controls can be both detect and prevent controls.
  3. Good compliance with internal controls is good for business.


31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls for Third Parties

In “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the “nuts and bolts” of how bribery occurs in the healthcare industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China,” for the following: “This is a systemic problem, and foreign pharmaceutical companies are in a conundrum. If they want to grow in China, they must give bribes. It’s not a choice because officials in the health ministry, hospital administrators, and doctors demand it.”

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel, and entertainment, and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider. 

Three Key Takeaways:

  1. GSK in China continues to be an example of the lack of internal controls for an effective compliance program.
  2. General areas of review for internal compliance controls.
  3. Third parties are still at the highest risk of corruption-related issues.


31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Risk Assessments and Internal Controls

Today, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparing the risk assessment, the next step is to prioritize the listed risks and identify the locations to which they are common. This begins by mapping existing internal controls to risks and assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, assigning a risk weight to each element in the risk assessment may be useful. For example, a construction company might assign a higher weight to the presence of movable fixed assets. A company that sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations when dealing with control risks.

Top Risks Include:

  • Sales are conducted through third parties.
  • A U.S.-based international sales manager who is responsible for growing the business.
  • Sales channel uses a U.S.-based sales force that only travels to locations outside the U.S. for temporary visits of generally short duration.
  • Gifts, travel, and entertainment.
  • High-risk jurisdictions.
  • Business ventures.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal controls over financial reporting and could be useful for companies complying with internal compliance controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal controls and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that even if an employee saw inappropriate behavior, it would not be expected that the employee would make any report or comment.

Three key takeaways:

1. Third-party risks are still your highest risks under the FCPA, so use your internal controls appropriately to help prevent this risk from becoming a violation.

2. Use mapping and gap analysis to collate risks to existing controls.

3. Always consider the regional and geographic variances.

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Assessing for Internal Controls in International Operations

How should you assess your internal controls regime for international operations? It is incumbent upon you to review as much information as you can to understand an entity’s financial and operational structure and how it is integrated with the corporate headquarters or, if the foreign operation is part of a U.S. business unit, with that business unit’s financial and operational structure.

You could begin with the TI-CPI to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your foreign operations. Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements, whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the U.S. and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which disbursements are made in the local currency and whether there is a local petty cash fund.

As with many other areas around internal controls, it is important to consider the local DOA and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or U.S. business unit approvals are required for transactions initiated locally, such as 1) approval of vendor invoices; 2) disbursements of funds, including wire transfers; 3) execution of facilities leases; 4) execution of contracts with agents; and 5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate SODs at the local business unit level.

These reviews, questions, inquiries, and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud, and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the “fraud triangle,” which lays out a breeding ground for fraud in the corruption context.

 Three key takeaways:

1. You must understand your company’s financial and operational structure and how that structure outside the U.S. is integrated with the corporate headquarters.

2. Are your financial statements and reporting systems integrated?

3. Always consider the fraud triangle.

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls in International Locations

A CCO should expect (or at least hope) that internal controls at locations outside the U.S. are of the same effectiveness as internal controls within U.S. business units and at the U.S. corporate office. Unfortunately, that might not always be the case; corporate-level internal controls are often stronger than those in foreign business units. There may well be several reasons for this. First, the CFO may be paying closer attention to the corporate-level internal controls, with the idea that the corporate-level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which do not include all controls needed for compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the U.S.) having completely different accounting, ERP, and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state where they were acquired rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the company’s profitability, and nobody wanted to be accused of negatively impacting profitability.

A third situation may exist at locations outside the U.S. with what began simply as a sales office and then expanded its scope of operations to become a business unit with its own accounting and data processing functions. Unfortunately, it is not often a situation where there was a master plan for internal controls as the location’s scope grew. Processes are usually added and designed by the local personnel, which, in practice, means the country manager has total control over financial affairs and is not truly accountable to the corporate office. This can be particularly true if a country’s business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for compliance risk.

Where should a CCO begin in any of the above scenarios? The first step is to determine the extent of centralization or decentralization of relevant processes or, put another way, to what extent relevant processes are performed at the corporate offices. The second step for the CCO is to determine the possible universe of risks and to assess those risks so as to prioritize where attention will be focused. One useful approach is to perform a location risk assessment, whose purpose is to capture in one place each location outside the U.S. where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can prioritize your approach to dealing with the risks.

 Three key takeaways:

1. Modifying your internal controls can work to operationalize your compliance program more fully.

2. Check the effectiveness of your internal controls for your international locations.

3. Revisit your internal controls when a country or region experiences large growth or disruption.

31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Four Key Internal Controls for Compliance

There are four significant controls that every compliance program should have in it. They are: 1) DOA; 2) maintenance of the vendor master file; 3) contracts with third parties; and 4) movement of cash/currency.

  1. Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the U.S. would be required inside your company.
  2. Your vendor master file can be one of the most powerful preventative control tools largely because payments to fictitious vendors are one of the most common occupational frauds.
  3. Your contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control.
  4. Your controls over the disbursements of funds and movement of cash should include such methods as accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans or advances.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption.

 Three key takeaways:

1. Remember the top four internal controls for an effective compliance program.

2. Effective internal controls should do more than protect; they should also prevent internal program violations.

3. Effective internal compliance controls are good financial controls.