Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Assessing for Internal Controls in International Operations

How should you assess your internal controls regime for international operations? It is incumbent upon you to review as much information as you can to understand an entity’s financial and operational structure and how it is integrated with the corporate headquarters or the U.S. business unit’s financial and operational structure if the foreign operation is part of a U.S. business unit.

You could begin with the TI-CPI to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your foreign operations. Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements, whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the U.S. and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which disbursements are made in the local currency and whether there is a local petty cash fund.

As with many other areas around internal controls, it is important to consider the local DOA and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or U.S. business unit approvals are required for transactions initiated locally, such as 1) approval of vendor invoices; 2) disbursements of funds, including wire transfers; 3) execution of facilities leases; 4) execution of contracts with agents; and 5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate SODs at the local business unit level.

These reviews, questions, inquiries, and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud, and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the “fraud triangle,” which lays out a breeding ground for fraud in the corruption context.

Three key takeaways:

1. You must understand your company’s financial and operational structure and how that structure outside the U.S. is integrated with the corporate headquarters.

2. Are your financial statements and reporting systems integrated?

3. Always consider the fraud triangle.

One Month to More Effective Internal Controls – Internal Controls in International Locations

While a CCO should expect (or at least hope) that internal controls at locations outside the U.S. are of the same effectiveness as internal controls within U.S. business units and at the U.S. corporate office, unfortunately, that might not always be the case. Corporate-level internal controls are often stronger than those in foreign business units. There may well be several reasons for this. First, the CFO may be paying closer attention to the corporate-level internal controls, with the idea that the corporate-level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the U.S.) having completely different accounting, ERP, and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state where they were acquired rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the company’s profitability, and nobody wanted to be accused of negatively impacting profitability.

A third situation may exist at locations outside the U.S. with what began simply as a sales office and then expanded its scope of operations to become a business unit with its own accounting and data processing functions. Unfortunately, it is not often a situation where there was a master plan for internal controls as the location’s scope grew. Processes are usually added and designed by the local personnel, which, in practice, means the country manager has total control over financial affairs and is not truly accountable to the corporate office. This can be particularly true if a country’s business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for compliance risk.

Where should a CCO begin in any of the above scenarios? The first step is to determine the extent of centralization or decentralization of relevant processes or, put another way, to what extent relevant processes are performed at the corporate offices. The second step for the CCO is to determine the possible universe of risks and to assess those risks so that you can prioritize where attention will be focused. One useful approach is to perform a location risk assessment, whose purpose is to capture in one place each location outside the U.S. where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can prioritize your approach to dealing with the risks.

Three key takeaways:

1. Modifying your internal controls can work to operationalize your compliance program more fully.

2. Check the effectiveness of your internal controls for your international locations.

3. Revisit your internal controls when a country or region experiences large growth or disruption.

One Month to More Effective Internal Controls – Four Key Internal Controls for Compliance

There are four significant controls that every compliance program should have in it. They are: 1) DOA; 2) maintenance of the vendor master file; 3) contracts with third parties; and 4) movement of cash/currency.

  1. Your DOA should reflect the impact of compliance risk, including both transactions and geographic location, so that a higher level of approval is required inside your company for matters involving third parties and for fund transfers and invoice payments to countries outside the U.S.
  2. Your vendor master file can be one of the most powerful preventative control tools largely because payments to fictitious vendors are one of the most common occupational frauds.
  3. Your contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control.
  4. Your controls over the disbursement of funds and movement of cash/currency should include such methods as accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, or advances.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption.

Three key takeaways:

1. Remember the top four internal controls for an effective compliance program.

2. Effective internal controls should do more than protect; they should also prevent internal program violations.

3. Effective internal compliance controls are good financial controls.

One Month to More Effective Internal Controls – Discipline and Rigor In Your Internal Controls

New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within a company’s operations. There is a clear need for rigor in your internal controls protocols. Adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel, and entertainment expenses. Brooks said, “Building and maintaining order … requires toughness of mind and rigid discipline to serve your own work properly.” By having the rigor to institute and enforce the types of internal controls identified, you can go a long way toward detecting and, more importantly, preventing an FCPA violation from occurring.

Some of the key areas of Internal Control focus should be:

·       The Delegation of Authority (DOA)

·       Petty cash disbursements

·       Travel

·       P-Cards

·       Employee Expense Reports

·       Corporate checks and wire transfers, such as check requests, purchase orders, or vendor invoices.

·       Gifts and business entertainment

Three key takeaways:

1. You must maintain rigor around your internal controls.

2. Controls against fraud can also help to prevent corruption.

3. Building and maintaining good internal controls requires rigor.

One Month to More Effective Internal Controls – What Are Internal Controls?

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. Internal controls expert Joe Howell has said that internal controls are systematic measures, such as reviews, checks and balances, methods, and procedures, instituted by an organization, that perform several different functions. Howell also notes that for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that any assets or resources of a company cannot be used to pay a bribe. This definition includes the diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.

Three key takeaways:

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. There are multiple FCPA enforcement actions that demonstrate the enforcement spotlight on internal controls.

Day 31 – Using a Root Cause Analysis for Remediation

The 2020 Update re-emphasized the need to perform a root cause analysis and, equally importantly, use it to remediate your compliance program. It stated, “a hallmark of a compliance program that works effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
It went on to state what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.”

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process in which one method can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Three key takeaways:

  1. The key is objectivity and independence.
  2. The critical element is how you used the information you developed in the root cause analysis.
  3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization.

Day 30 – What is a Root Cause Analysis?

One of the most significant changes in the 2020 FCPA Resource Guide, 2nd edition, was the addition of a new Hallmark entitled “Investigation, Analysis, and Remediation of Misconduct,” which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

Ultimately, performing a root cause analysis is not simply sitting down and asking many questions. You should have an operational understanding of how a business operates and how it has developed its customer base. Overlay the need to understand what makes an effective compliance program with the skepticism an auditor should bring so that you do not simply accept an answer provided to you, as you might in an internal investigation. Marks noted that “a root cause analysis is not something where you can ask the five whys. You need these trained professionals who understand what they’re doing.”

Three key takeaways:

  1. A root cause analysis is required if you have a reportable compliance failure.
  2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
  3. To properly perform a root cause analysis, you need trained professionals who understand what they’re doing.

Why Compliance Should Lead the Corporate ESG Effort with Kristy Grant-Hart

What does remodeling a home have to do with ESG? In this episode of the ESG Report, Tom Fox and Kristy Grant-Hart discuss the role of compliance in leading the ESG initiative within a corporation. Kristy, the founder of Spark Consulting, explains how compliance professionals can expand their role to lead the E, S and G components of ESG. She also shares her personal experience of remodeling her new home with her husband and how it relates to ESG.

Kristy Grant-Hart is a well-known figure in the compliance field. She is the founder and CEO of Spark Consulting, a global compliance and ethics consultancy that recently celebrated its 6th anniversary. Spark Consulting now has locations in Chicago, New York, Los Angeles, and London. The company also recently released a business simulation game called Compliance Competitor, which has been picked up by many companies. Kristy has over 15 years of experience in compliance and governance, working with clients across multiple industries. She is also the author of four books, including How To Be A Wildly Effective Compliance Officer and The Compliance Entrepreneurs Handbook, which was written with Kirsten Liston and Joseph Murphy.

 

You’ll hear Tom and Kristy talk about:

  • ESG is a bridge between compliance, governance, and board relationships.
  • ESG can be a huge driver for change and reputation enhancement.
  • CCOs are skilled at bringing together people and putting programs into a framework, and this lends itself well to running a successful ESG program. 
  • The renewed focus on G (Governance) is a positive development, as better governance leads to more ethical behavior and compliance. Compliance has a relationship with the board, the Audit and Risk Committee, and it makes sense for compliance to expand its remit of reporting and talk about different stakeholders in different ways for better board management.
  • The push for gender diversity on boards is a step towards greater perspective and understanding of different stakeholders.
  • Supply chain management is an important aspect of the compliance function.
  • The June 2020 Update to the Evaluation of Corporate Compliance Programs from the Department of Justice emphasizes the importance of institutional justice and fairness within corporations, which ties into ESG principles.
  • The compliance function and CCO must have access to all corporate data, not just compliance data, in order to effectively lead ESG efforts.
  • The S in ESG, which stands for social, encompasses issues such as diversity, equity and inclusion, and responsible sourcing in the supply chain.
  • The evolution of supply chain compliance and its integration into ESG efforts has been growing in recent years.
  • Compliance professionals already have a wide range of skills and experience that can be applied to leading E efforts within ESG. They have an important role to play, even if they are not experts in the field.
  • Remodeling a home can also be a valuable learning experience: her personal experience of learning new construction skills aligns with the idea that compliance professionals can learn and lead the E component of ESG.

 

KEY QUOTE

“I think that the more that we see diversity on boards, the better companies will do, but also the opportunities become more expansive and that’s something that I’m passionate about and feel that’s incredibly important. I also think compliance should have much more of a seat on boards.” – Kristy Grant-Hart

 

Resources:

Kristy Grant-Hart on Website | LinkedIn | YouTube  

Kristy Grant-Hart books

Spark Compliance

Day 29 – Post-acquisition Integration Plan

Your company has just made its largest acquisition, and your CEO says they want you to have a compliance post-acquisition integration plan on their desk in one week. Where do you begin? An excellent place to start would be the 2020 FCPA Resource Guide, 2nd edition language:
Pre-acquisition due diligence is usually only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based on your pre-acquisition due diligence and risk assessment. Moreover, the DOJ and SEC view both the pre- and post-acquisition phases of M&A as tied together in a unidimensional continuum. If pre-acquisition due diligence is impossible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2020 FCPA Resource Guide, which noted, “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.” Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable.

The earlier you can deploy these steps, the better off your company will be at the end of the day. An acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement actions where the acquiring company had to write off its entire investment because it had failed to engage in appropriate pre-acquisition due diligence.

Three key takeaways:

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes.

Day 27 – Operationalizing Compliance Through Payroll

One of the areas articulated in the 2020 Update was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in the operationalization of a corporate compliance program. The 2020 Update was replete with references to payment and its critical nature to any best practices compliance program. This includes payments to foreign officials, payments to third parties, and hiding bribes in payments to distributors. The 2020 Update begins with an admonition to stop wasting time on low-hanging fruit when there are much higher risks in your business operations.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has provided its clearest statement on how it expects a company to do compliance in the future. Gone are the days when the DOJ considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that the appropriate business unit should administer with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and controls.

Three key takeaways:

  1. Payroll can be a key prevention and detection control.
  2. The 2020 Update specified tying the corporate compliance function to the corporate payroll function.
  3. Offshore payments remain a key indicator for a red flag.