Tag: compliance

Categories
Great Women in Compliance

Jen Hoar on Corporate Intelligence

Welcome to the Great Women in Compliance Podcast, hosted by Mary Shirley and Lisa Fine. Have you ever wondered about corporate intelligence?  What it means, how it is done, and how it relates to our work in ethics and compliance.  In today’s episode, Lisa speaks with Jen Hoar, who is a Managing Director at Forward Risk and Intelligence.  Jen calls herself a “recovering journalist,” and reflects on how that career path brought her to where she is today.

Lisa and Jen discuss what corporate and human source intelligence are, and the strategies she uses to obtain relevant information.  She also explains the distinction between corporate intelligence and corporate espionage.  They talk about the art of interviewing in her world, and how it is similar – and different – to internal investigations and what many of us do.  Jen also provides some great tips and advice for talking to and connecting with people.

A special thank you to Kelly Paxton for this recommendation, and if you haven’t listened to her podcast, “Fraudish,” you should definitely check it out.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with a selection of other Compliance related offerings to listen in to.  If you are enjoying this episode, please rate it on your preferred podcast player to help other likeminded Ethics and Compliance professionals find it.  If you have a moment to leave a review at the same time, Mary and Lisa would be so grateful.  You can also find the GWIC podcast on Corporate Compliance Insights where Lisa and Mary have a landing page with additional information about them and the story of the podcast.  Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press publishing the related book; Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance(CCI Press, 2020).

If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Compliance Into the Weeds

ChatGPT for the Compliance Professional

The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt and I take a deep dive into ChatGPT, a natural language processing tool that works by indexing every piece of written content on the Internet. We discuss the impact of the Biden administration’s proposals for AI and discusses NIST’s voluntary AI framework and  the utility of chat GPT in the workplace. What should your organization consider about incorporating AI into both their shipping decisions and mission-critical processes. If you’re interested in efficient and advanced AI technology, you don’t want to miss this episode.

Key Highlights Include

  • Impact of Chat GPT on Jobs -The Quality of Chat CPG for non-English Speakers
  • The Biden Administration’s Nonbinding Guidelines for Artificial Intelligence.
  • The Benefits of Adopting a Voluntary AI Framework by NIST for Defense Contractors
  • The Impact of Artificial Intelligence on Shipping and Work Processes

 Notable Quotes

  1. “Chat GPT can answer pretty much anything. It won’t necessarily tell you where it is getting this information. It will just give you information pretty much like the way Tom, I am answering your question right now. Just imagine text-based bot answering those questions in the same way. That’s what it is.”
  2. “Will it make your job easier? Probably for a lot of people who struggle to come up with written content. Yes, it could. But specifically then for compliance officers and let’s bring it back to what matters for our audience. We’ll chat GPT as used by others make my job harder. Compliance officers. Now I think, actually, you have a lot to worry about there, and we could get into that.”
  3. “But I just view this as a huge boom to anyone who is interested in research, anyone who is interested in learning, can’t replace the weekly and business journalist, Matt. So you’re good to go at Radical Compliance.”
  4. “But you have identified really, I think, the heart of the problem that compliance officers need to think about now. Because to me, it’s just 1 more tool.”
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls for Gifts, Travel and Entertainment

While many compliance practitioners believe that employee expense reports are a sufficient internal control of gifts because there are other ways in which a gift can be presented, other controls must be considered. Once your company policy on gifts has been finalized, the internal controls over expense reports fall into three primary areas:

  1. The expense report format, including what information it requires.
  2. Controls over the submitting employee and the preparation of the expense report.
  3. Controls to ensure the approvers do their review process properly.

Internal controls around gifts can be used in various ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation; however, by using some of the techniques that Howell has suggested, you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. The bottom line is that good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and, thereby, have a better-run company. 

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance with internal controls can be both detected and prevented controls.
  3. Good compliance with internal controls is good for business.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls for Third Parties

Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts of how bribery occurs in the healthcare industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China,” for the following “This is a systemic problem, and foreign pharmaceutical companies are in a conundrum. If they want to grow in China, they must give bribes. It’s not a choice because officials in the health ministry, hospital administrators, and doctors demand it.”

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel, and entertainment, and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider. 

Three Key Takeaways:

  1. GSK in China continues to be an example of the lack of internal controls for an effective compliance program.
  2. General areas of review for internal compliance controls.
  3. Third parties are still at the highest risk of corruption-related issues.

For more information on how to build out a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Risk Assessments and Internal Controls

Today, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparing the risk assessment, the next step is to prioritize listing the risks and which locations are common. This begins by mapping existing internal controls to risks and assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, assigning a risk weight to each element in the risk assessment may be useful. For example, a construction company might assign a higher weight to the presence of movable fixed assets. A company that sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However, it is structured; the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then prioritize the locations dealing with control risks.

Top Risks Include:

Sales are conducted through third parties.

·       A U.S.-based international sales manager who is responsible for growing the business?

·       Sales channel uses a U.S.-based sales force that only travels to locations outside the U.S. for temporary visits of generally short duration.

·       Gifts, travel, and entertainment.

· High-risk jurisdictions.

·       Business ventures.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal controls over financial reporting and could be useful for companies complying with internal compliance controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal controls and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that even if an employee saw inappropriate behavior, it would not be expected that the employee would make any report or comment.

Three key takeaways:

1. Third-party risks are still your highest risks under the FCPA, so use your internal controls appropriately to help prevent this risk from becoming a violation.

2. Use mapping and gap analysis to collate risks to existing controls.

3. Always consider the regional and geographic variances.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Assessing for Internal Controls in International Operations

How should you assess your internal controls regime for international operations? It is incumbent that you need to review as much information as you can to understand an entity’s financial and operational structure and how it is integrated with the corporate headquarters or the U.S. business unit’s financial and operational structure if the foreign operation is part of a U.S. business unit.

You could begin with the TI-CPI to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your foreign operations. Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements, whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the U.S. and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which disbursements are made in the local currency and whether there is a local petty cash fund.

As with many other areas around internal controls, it is important to consider the local DOA and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or U.S. business unit approvals are required for transactions initiated locally, such as 1) approval of vendor invoices; 2) disbursements of funds, including wire transfers; 3) execution of facilities leases; 4) execution of contracts with agents; and 5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate SODs at the local business unit level.

These reviews, questions, inquiries, and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud, and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the “fraud triangle,” which lays out a breeding ground for fraud in the corruption context.

 Three key takeaways:

1. You must understand your company’s financial and operational structure and how that structure outside the U.S. is integrated with the corporate headquarters.

2. Are your financial statements and reporting systems integrated?

3. Always consider the fraud triangle.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Internal Controls in International Locations

While a CCO should expect (or at least hope) that internal controls at locations outside the U.S. are of the same effectiveness as internal controls within U.S. business units and at the U.S. corporate office, unfortunately, that might not always be the case, it is often the case that corporate level internal controls are stronger than those in foreign business units. There may well be several reasons for this. First, the CFO may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the U.S.) having completely different accounting, ERP, and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state where they were acquired rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the company’s profitability, and nobody wanted to be accused of negatively impacting profitability.

A third situation may exist at locations outside the U.S. with what began simply as a sales office and then expanded its scope of operations to become a business unit with its accounting and data processing functions. Unfortunately, it is not often a situation where there was a master plan for internal controls as the location’s scope grew. Processes are usually added and designed by the local personnel, which, in practice, means the country manager has total control over financial affairs and is not truly accountable to the corporate office. This can be particularly true if a country’s business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for compliance risk.

Where should a CCO begin in any of the above scenarios? The first step is to determine the extent of centralization or decentralization of relevant processes or, put another way, to what extent are relevant processes performed at the corporate offices? The second step for the CCO is to determine the possible universe of risks and to assess the risks to result in a priority of how attention will be focused. One useful approach is to perform a location risk assessment, whose purpose is to capture each location outside the U.S. where your company conducts business in one place and assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can prioritize your approach to dealing with the risks.

 Three key takeaways:

1. Modifying your internal controls can work to operationalize your compliance program more fully.

2. Check the effectiveness of your internal controls for your international locations.

3. Revisit your internal controls when a country or region experiences large growth or disruption.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Four Key Internal Controls for Compliance

There are four significant controls that every compliance program should have in it. They are: 1) DOA; 2) maintenance of the vendor master file; 3) contracts with third parties; and 4) movement of cash/currency.

  1. Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the U.S. would be required inside your company.
  2. Your vendor master file can be one of the most powerful preventative control tools largely because payments to fictitious vendors are one of the most common occupational frauds.
  3. Your contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control.
  4. Your controls over the disbursements of funds and movement of should include such methods accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans or advances.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption.

 Three key takeaways:

1. Remember the top four internal controls for an effective compliance program.

2. Effective internal controls should do more than protect but also prevent internal program violations.

3. Effective internal compliance controls are good financial controls.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Discipline and Rigor In Your Internal Controls

New York Times columnist David Brooks’ thoughts on building and maintaining order inform the discussion on rigor in your internal controls. In internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within a company’s operations. There is a clear need for rigor in your internal controls protocols. Adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel, and entertainment expenses. Brooks said, “Building and maintaining order … requires toughness of mind and rigid discipline to serve your own work properly.” By having the rigor to institute and enforce the types of internal controls identified, you can go a long way toward detecting and, more importantly, preventing an FCPA violation from occurring.

Some of the key areas of Internal Control focus should be:

·       The Delegation of Authority (DOA)

Petty cash disbursements

·       Travel

·       P-Cards

·       Employee Expense Reports

·       Corporate checks and wire transfers, such as check requests, purchase orders, or vendor invoices.

·       Gifts and business entertainment

Three key takeaways:

1. You must maintain rigor around your internal controls.

2. Controls against fraud can also help to prevent corruption.

3. Building and maintaining good internal controls requires rigor.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – What Are Internal Controls?

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. Internal controls expert Joe Howell has said that internal controls are systematic measures, such as reviews, checks and balances, methods, and procedures instituted by an organization that performs several different functions. Howell also notes that for compliance purposes, controls are those measures specifically to provide reasonable assurance any assets or resources of a company cannot be used to pay a bribe. This definition includes the diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.

Three key takeaways:

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. There are multiple FCPA enforcement actions that demonstrate the enforcement spotlight on internal controls.