Categories
Compliance Into the Weeds

Compliance into the Weeds: The Convergence of Cybersecurity and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into a recent SEC enforcement action involving RR Donnelley, where a cyber breach was characterized as an internal control

In this episode, we discuss how criminal activities in cyberspace are outpacing regulatory measures and the law’s ability to keep up. The conversation touches on the idea that access controls for valuable corporate assets, whether financial data or sensitive information, are becoming indistinguishable in the eyes of cybercriminals. The discussion includes a thought-provoking perspective on merging cybersecurity and anti-money laundering functions, as both deal with improper electronic transactions. The core concern is not just the breach itself, but also the prevention of data exfiltration.

Key Highlights:

  • Corporate Jewels: Money vs. Data
  • Cybersecurity and Anti-Money Laundering
  • Improper Electronic Transactions
  • Focus on Data Exfiltration
  • Conclusion: Preventing Data Theft

Resources:

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Navigating the New Frontier: SEC’s Enforcement Action on RR Donnelley and its Implications for Compliance

In the ever-evolving compliance landscape, the recent enforcement action by the Securities and Exchange Commission (SEC) against RR Donnelley is a significant case study. This incident underscores the importance of robust cybersecurity measures and highlights the SEC’s expanding reach into areas traditionally viewed outside its purview. As compliance professionals, understanding the intricacies of this case is crucial for adapting to the dynamic regulatory environment. Matt Kelly and I took a deep dive into the enforcement action in a recent Compliance into the Weeds episode.

RR Donnelley, a company historically known for its printing services and later for marketing services, faced an SEC enforcement action in November 2021 due to a cybersecurity breach. Hackers accessed and copied confidential corporate customer data, which was later posted on the dark web. The SEC’s main contention was that Donnelley failed to disclose this breach to investors promptly and had inadequate internal controls over its IT systems. Ultimately, the company was fined $2.1 million.

The SEC’s enforcement action was based on the premise that Donnelley’s cybersecurity measures were insufficient, leading to unauthorized access to its IT assets. Specifically, the SEC utilized provisions related to internal control over financial reporting to impose sanctions even though no direct accounting fraud or economic loss occurred. This approach represents a novel application of the SEC’s powers, using internal accounting control clauses to address cybersecurity issues.

Matt believes that the SEC’s enforcement hinged on the idea that poor cybersecurity equates to poor internal controls over assets. The SEC interpreted the Exchange Act to mean that access to a company’s assets, whether data or financial, should be controlled and authorized by management. Matt noted in his blog post that the statutory authority for that statement flows from the Exchange Act of 1934, which established the Securities and Exchange Commission and the anti-fraud securities laws we use today. The text of the Exchange Act states that companies must devise and maintain a system of internal accounting controls “sufficient to provide reasonable assurances” on four points:

  • Transactions executed according to management authorization;
  • Transactions are appropriately recorded;
  • Access to assets is permitted only according to management authorization;
  • Recorded accountability for assets is reconciled with existing assets.

The hackers’ ability to access Donnelley’s IT systems without authorization was viewed as a failure of these internal controls.

This interpretation broadens the scope of what compliance professionals must consider under the umbrella of internal controls. Traditionally, internal controls were seen in the context of financial reporting and safeguarding physical assets, most commonly cash or cash equivalents. However, the statutory requirement is not limited to cash; it covers all other corporate assets as well. Moreover, this case suggests that digital assets and the controls around them are equally critical.

Another critical aspect of the case was the failure to disclose the breach promptly. According to the SEC, Donnelley’s IT security team was aware of the breach but did not quickly escalate it to senior management. It took an external party’s notification for the CISO and senior executives to become fully aware and take action.

This scenario underscores the importance of having robust internal communication channels and protocols to ensure that significant cybersecurity incidents are promptly reported to senior management. Moreover, it highlights the need for transparency with investors regarding such breaches, aligning with the SEC’s mandate to protect investor interests.

Compliance professionals must now consider cybersecurity an integral part of internal control systems. Ensuring that IT systems are secure and that access to digital assets is tightly controlled should be a priority. This involves regular audits of cybersecurity measures, continuous monitoring of IT systems, and implementing robust access control mechanisms.

The case also highlights the necessity of clear and effective disclosure practices. Compliance teams should ensure that there are well-defined procedures for reporting cybersecurity incidents internally and disclosing them to investors when necessary. This might include setting up rapid response teams and informing senior management immediately of significant breaches.

Given the technical nature of cybersecurity, collaboration between compliance and IT departments is essential. Compliance officers should work closely with CISOs and IT security teams to understand potential risks and ensure appropriate controls are in place. This partnership is vital for creating a comprehensive compliance strategy that addresses traditional financial risks and emerging digital threats.

The SEC’s approach, in this case, signals that regulators are willing to use existing frameworks to address new types of risks. Compliance professionals should prepare for increased scrutiny and be proactive in ensuring their organizations meet regulatory expectations. This may involve regular training, staying updated with regulatory changes, and conducting thorough risk assessments.

The RR Donnelley case serves as a wake-up call for compliance professionals, emphasizing the need to adapt to an evolving regulatory landscape. By broadening the scope of internal controls to include cybersecurity and enhancing disclosure practices, compliance teams can better protect their organizations and meet regulatory expectations. Collaboration with IT and staying vigilant about regulatory trends will be vital to navigating this new frontier in compliance. Perhaps more ominously, Matt, in another blog post on the United Healthcare cyber-attack in Q1 2024, asked, “If the SEC applied that theory of enforcement against Donnelley, shouldn’t that same theory now be applied against UnitedHealth? At this point, we should discuss exactly how UnitedHealth’s breach happened. Change Healthcare had not implemented multi-factor authentication on a critical computer server, which allowed attackers to use stolen employee credentials to gain access. In other words, UnitedHealth had allowed poor access control on a critical system.”

In other words, Watch This Space.

Categories
Blog

Design-Centric Internal Controls: The Foundation for Compliance Excellence

The dynamic world of compliance is continually evolving. New regulations, emerging technologies, and changing market conditions demand that organizations remain vigilant and proactive in their compliance efforts. One crucial aspect of this ongoing vigilance is the design and implementation of internal controls. Recently, I had the pleasure of discussing this topic with Adrienne Bellehumeur. In this blog post, we will explore the key insights from our conversation and delve into the importance of design-centric internal controls.

Adrienne is a chartered accountant and entrepreneur in Canada who has advocated for a design-first approach to internal controls for many years. Adrienne says design-centric internal controls are essential because they lay the foundation for effective compliance. She likens this approach to baking a cake: the design is the cake itself, while testing and other compliance activities are the icing. Without a solid foundation, no amount of testing can ensure the effectiveness of internal controls.

The necessity of robust internal controls has never been more critical. With the increasing complexity of regulatory requirements (on both sides of the border) and the rapid advancement of technology, organizations must continuously assess and improve their internal control systems. Adrienne points out that while internal controls have existed for over two decades, many organizations have become complacent. This complacency can lead to outdated processes that may not adequately address current risks and regulatory expectations.

Adrienne outlined five principles to improve and energize control design work:

  1. Think of Design as the Cake and Testing as the Icing: Focus on building solid and well-thought-out processes before jumping into testing. This approach ensures that the foundation is solid and can withstand scrutiny.
  2. Assess the Organization’s Level of Maturity: Tailor the internal control program to the organization’s stage of development. A one-size-fits-all approach is ineffective, as different organizations have varying needs and challenges.
  3. Focus on Habits, Not Theory: Practical, habitual practices are more effective than theoretical concepts. Encourage habits like regular access control reviews and inventory management to embed compliance into the organizational culture.
  4. Support Continuous Improvement: Internal controls should not be static. Regularly review and update controls to ensure they remain effective and relevant. Continuous improvement helps organizations stay ahead of emerging risks and regulatory changes.
  5. Keep It Interesting: Vary the techniques used in internal control assessments to maintain engagement and effectiveness. Workshops, interviews, and creative diagramming can provide fresh perspectives and uncover new insights.

One of the most intriguing aspects of Adrienne’s approach is her use of workshops to discuss and improve internal controls. These workshops involve stakeholders, including internal auditors, compliance officers, and business unit leaders. By fostering open dialogue and collaboration, these sessions can identify inefficiencies, propose improvements, and build stronger relationships between auditors and the internal team.

Adrienne emphasizes that these workshops should occur before external audits. This pre-audit preparation allows organizations to address issues internally, reducing the likelihood of negative findings during the audit. Moreover, involving the internal team in the design process helps build a sense of ownership and commitment to maintaining robust controls.

For the internal auditor, leveraging technology is crucial for adequate internal controls. Adrienne highlighted the decreasing reliance on transactional testing, thanks to automation and data analytics advancements. Modern internal controls must adapt to these changes by incorporating technology that enhances efficiency and accuracy.

AI and data analytics can provide deeper insights into organizational processes, helping identify potential risks and areas for improvement. By integrating these technologies into the internal control framework, organizations can achieve higher precision and responsiveness.

Adrienne’s expertise in documentation is particularly relevant to internal controls. I wholeheartedly agree that good documentation practices are the backbone of any effective compliance program and form the basis of information management. Clear, accurate, accessible documentation supports transparency, accountability, and continuous improvement.

Companies must establish simple rules for naming, classifying, and managing documents. This foundational step ensures that all relevant information is readily available for internal reviews, audits, and regulatory inspections.

The compliance landscape continually evolves, with new challenges like ESG and AI gaining prominence. Adrienne articulated that a back-to-basics approach can help organizations navigate these new areas. Organizations can build a solid foundation that supports emerging compliance requirements by focusing on fundamental principles of good information management and documentation.

For instance, effective ESG reporting relies on accurate and comprehensive data. Similarly, AI systems must be underpinned by robust data management practices to ensure transparency and accountability. By strengthening these foundational elements, organizations can more easily adapt to new regulatory expectations and technological advancements.

Adrienne and I also discussed the role of internal controls in supporting whistleblower programs. With the Department of Justice (DOJ) formulating new rules for financial incentives in whistleblower programs, organizations must ensure their internal controls can detect and address issues before they escalate. Adequate internal controls can help prevent whistleblower claims by identifying and mitigating risks early. For example, strong documentation practices provide a clear audit trail that can validate the organization’s actions and decisions. Additionally, fostering a culture of transparency and accountability encourages employees to report concerns internally, allowing the organization to address them proactively.

Design-centric internal controls are essential for building a robust and effective compliance program. By focusing on the principles outlined by Adrienne Bellehumeur, organizations can enhance their internal control frameworks, support continuous improvement, and stay ahead of emerging compliance challenges. A proactive approach to internal controls is crucial for long-term compliance success, whether through innovative workshops, leveraging technology, or strengthening documentation practices.

Categories
FCPA Compliance Report

FCPA Compliance Report: Adrienne Bellehumeur on Design – Centric Approaches to Internal Controls

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance.

In this edition of the FCPA Compliance Report, Tom Fox welcomes back Adrienne Bellehumeur, a chartered accountant and expert in internal controls and documentation.

Adrienne discusses her recent article on design-centric internal control and emphasizes the importance of focusing on design as the foundation for effective control programs. She outlines five key principles for improving control design and details her approach to challenging processes and governance systems. The conversation also touches on the necessity of continuously updating controls to adapt to evolving business and regulatory environments.

Adrienne shares tips on fostering better design through workshops, effective interviewing, and continuous improvement, while also addressing new developments such as AI and ESG. The episode finishes with insights into how internal controls can support whistleblower programs and the importance of back-to-basics documentation and information management.

Highlights in this Episode:

  • Professional Background
  • Design-Centric Approach to Internal Controls
  • Challenges and Importance of Good Design
  • Principles for Improving Control Design
  • Back to Basics: Adapting to New Business Developments
  • Whistleblower Programs and Internal Controls

Resources:

Adrienne Bellehumeur on LinkedIn

Risk Oversight

New Approaches to Control Design

Tom Fox

Instagram

Facebook

YouTube

Categories
Compliance Into the Weeds

Compliance into the Weeds: Analyzing The Trump Conviction: Compliance Lessons from an Unprecedented Case

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode of ‘Compliance Into the Weeds’, Tom and Matt take a deep dive into last week’s trial verdict against Donald Trump in NYC and lessons for the compliance professional.

Tom and Matt explore the importance of internal controls, consistent consequence management, and effective leadership. They also delve into how compliance officers can learn from the storytelling strategies used in the trial and emphasize the application of the rule of law.

Key Highlights:

  • Overview of Trump’s Criminal Conviction
  • Internal Controls and Compliance Lessons
  • Consequences Management and Consistent Enforcement
  • Ethical Leadership and Communication
  • Who is your audience? Storytelling in Compliance
  • Final Thoughts and Rule of Law

Resources:

Matt on Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Internal Controls and Humans in the Loop: Lessons from Citigroup’s $126 Million Mistake

The Citigroup internal control debacle is a glaring reminder, for compliance and ethics professionals, of the critical importance of robust, well-designed, functioning, and effective internal controls. The U.K. Financial Conduct Authority fined Citigroup £27.7 million, the Bank of England’s Prudential Regulation Authority fined Citigroup £33.9 million, and Citigroup’s own trading losses brought the total cost to some $126 million. Citigroup’s mistakes underscore the perils of inadequate internal controls and provide many lessons for compliance professionals. Matt Kelly and Tom Fox discussed the matter in the most recent Compliance into the Weeds episode.

A Citigroup trader made a fateful error on a seemingly ordinary Monday (more on this day later) in May 2022. He intended to sell $58 million worth of securities but mistakenly placed the amount in the units field, leading to an order to sell 444 billion units. Although some of Citigroup’s controls caught parts of the error, they did not see the entirety of the Fubar. This mistake led to a flash crash on European stock markets and cost Citigroup $126 million, including fines and losses.

Lesson 1: Simplify and Focus Controls

One of the primary lessons from this incident is the need to consider human nature when designing internal controls. Citigroup had what was termed ‘hard-block controls’, which blocked $248 billion worth of the order, and those controls could not be overridden. However, there were also ‘soft-block controls’ in the form of a pop-up screen asking the trader if he wanted to move forward. The trader in question faced a warning screen with 711 individual red flags, a list so long that it became impractical to review. This scenario is akin to users scrolling through and ignoring lengthy user agreements—a typical human behavior.

Controls should be designed to be practical and actionable. Instead of presenting an overwhelming list of potential issues, a focused warning on the specific error or most critical issues could be more effective. This approach ensures that users pay attention to the most relevant information, reducing the risk of overlooked mistakes. Moreover, never present a front-line employee with 711 different red flags that they must navigate and try to (1) figure out what they did wrong and (2) remedy the situation.

Lesson 2: Strengthen Automated Controls

As noted, Citigroup had a mix of hard and soft controls. While some automated controls blocked a portion of the erroneous trade, others allowed it to proceed after a mere warning. This differentiation highlights the need for robust automated controls that do not solely rely on human intervention, especially in high-stakes environments. Automated controls should be comprehensive and prevent significant errors without relying exclusively on human review. Complex controls that automatically block erroneous transactions can prevent costly mistakes.

Lesson 3: Ensure Adequate Coverage

Remember when I opened the story with the trade happening on an ‘ordinary Monday’? It was not an ordinary Monday: the trade occurred on a U.K. bank holiday, which further complicated the situation. The primary monitoring team (Monitoring Team 1) was off for the bank holiday, and the backup team (Monitoring Team 2) did not effectively manage or escalate the issue. Even when another monitoring team (Monitoring Team 3) discovered the error and sent the information back to Monitoring Team 2, the team in charge for the holiday, Monitoring Team 2 had still not responded. These lapses point to another critical area: adequate staffing and effective backup procedures.

Companies must ensure adequate staffing to monitor and manage risks at all times, including during holidays, weekends, and off-hours. Effective backup procedures and cross-training can ensure that critical functions are covered regardless of the timing. Adequate staffing also means competent staffing, with teams understanding how and when to respond.

Lesson 4: Implement Consistent Global Controls

A notable aspect of Citigroup’s failure was the inconsistency in control implementation across regions. While robust controls existed in New York, they were not in Europe. Citigroup had those hard-block controls, which stopped $248 billion worth of orders, but only for its New York trading desk. Moreover, these hard-block controls had been implemented back in 2013. Yet, for some reason, these hard-block controls had not been implemented at the London trading desk. This discrepancy highlights the importance of consistent global controls. Once a risk is identified and a control is implemented in one region, it is crucial to extend that control globally. This consistency ensures that all parts of the organization are equally protected against similar risks, preventing regional disparities in control effectiveness.
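Lessons 1, 2 and 4 together describe a control design: a hard block that the trader cannot override, a soft block that asks for confirmation with one focused message about the likely root cause rather than hundreds of red flags, and the same configuration applied to every desk. The following is an added illustration of that design in Python; it is my own example code, not Citigroup’s systems or anything from the podcast. The desk names, the thresholds, the 100x “value typed into the units field” ratio and the order figures are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class DeskControls:
    """Pre-trade control settings for one trading desk (constructed for this example)."""
    desk: str
    hard_block_notional: float | None  # None = no non-overridable block configured on this desk
    soft_warn_notional: float          # above this the trader must confirm, but may proceed


@dataclass(frozen=True)
class Order:
    desk: str
    symbol: str
    units: int
    price: float                       # price per unit, same currency as the notional limits
    intended_notional: float | None    # what the trader says the order is worth, if captured


@dataclass(frozen=True)
class Decision:
    status: str                        # "BLOCKED", "CONFIRM" or "ACCEPTED"
    notional: float
    messages: tuple[str, ...]          # at most one focused message, never a wall of flags


# Assumed heuristic: a notional this many times the intended value suggests the
# value was typed into the units field (a "fat finger").
UNITS_FIELD_RATIO = 100.0


def validate_order(order: Order, controls: dict[str, DeskControls]) -> Decision:
    ctrl = controls[order.desk]
    notional = order.units * order.price

    # Lesson 2: the hard block runs first and cannot be overridden by the trader.
    if ctrl.hard_block_notional is not None and notional > ctrl.hard_block_notional:
        return Decision("BLOCKED", notional, (
            f"{order.desk}: notional {notional:,.0f} exceeds hard limit "
            f"{ctrl.hard_block_notional:,.0f}; order rejected",))

    # Lesson 1: the soft block names the single most likely cause and what was expected.
    if order.intended_notional is not None and notional >= UNITS_FIELD_RATIO * order.intended_notional:
        expected_units = order.intended_notional / order.price
        return Decision("CONFIRM", notional, (
            f"Order notional {notional:,.0f} is {notional / order.intended_notional:,.0f}x the "
            f"intended {order.intended_notional:,.0f}. Was the value entered in the units field? "
            f"Expected about {expected_units:,.0f} units.",))
    if notional > ctrl.soft_warn_notional:
        return Decision("CONFIRM", notional, (
            f"Notional {notional:,.0f} exceeds desk warning threshold "
            f"{ctrl.soft_warn_notional:,.0f}; confirm to proceed",))
    return Decision("ACCEPTED", notional, ())


def missing_hard_blocks(controls: dict[str, DeskControls]) -> list[str]:
    """Lesson 4 check: desks with no hard block although one is configured elsewhere."""
    if not any(c.hard_block_notional is not None for c in controls.values()):
        return []
    return sorted(desk for desk, c in controls.items() if c.hard_block_notional is None)


# Constructed configuration: the New York desk has a hard block, London only a soft warning.
CONTROLS = {
    "NY": DeskControls("NY", hard_block_notional=1_000_000_000, soft_warn_notional=100_000_000),
    "LDN": DeskControls("LDN", hard_block_notional=None, soft_warn_notional=100_000_000),
}


def fat_finger_order(desk: str) -> Order:
    # Constructed input: the trader meant to sell 58,000,000 worth but typed that figure into units.
    return Order(desk=desk, symbol="BASKET", units=58_000_000, price=100.0,
                 intended_notional=58_000_000.0)


if __name__ == "__main__":
    for desk in ("NY", "LDN"):
        decision = validate_order(fat_finger_order(desk), CONTROLS)
        print(desk, decision.status, *decision.messages, sep="\n  ")
    print("desks lacking the hard block:", missing_hard_blocks(CONTROLS))
```

Run as written, the same mistaken order is rejected outright on the New York desk but only reaches a confirmation prompt on the London desk, and `missing_hard_blocks` reports that gap so the inconsistency is found by review rather than by a loss.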

Lesson 5: Integrate The Human Element

Citigroup’s failure also demonstrates the need for a vital human element in internal controls. Despite having multiple layers of monitoring, human oversight fell short because of insufficient staffing and ineffective backup systems. While automated controls are essential, they should be complemented with effective human oversight. Regular training and clear protocols can enhance the effectiveness of both human and computerized controls, ensuring a more resilient control environment.

This human element extends to reports of control weaknesses by internal audit, as Citigroup had previously identified internal control weaknesses yet failed to address them adequately. This ongoing neglect resulted in repeated issues and significant penalties. When internal audits flag control weaknesses, it is imperative to address these issues promptly. Delaying remediation can lead to repeated failures and compound risks, as demonstrated by Citigroup’s experience.

The Citigroup incident offers a comprehensive lesson in the importance of robust internal controls, consistent global implementation, and the need for practical, focused warnings. Compliance professionals should take these lessons to heart and ensure that their organizations are equipped to prevent similar costly errors.

By designing effective controls, ensuring adequate staffing, and promptly addressing risks, companies can safeguard against the significant financial and reputational damage resulting from control failures. The Citigroup case is a stark reminder of the high stakes involved, and the critical role that well-designed internal controls play in maintaining the integrity of global financial operations.

Resources

Matt Kelly in Radical Compliance

Categories
Compliance Into the Weeds

Compliance into the Weeds: Of Fat Fingers, Internal Controls and Compliance

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom and Matt delve deep into Citigroup’s $126 million trading error, resulting from poor internal controls.

They discuss how a simple ‘fat finger’ error by a trader led to a major flash crash on European stock exchanges in 2022, and how the failure of Citigroup’s internal controls allowed it to happen. The discussion covers multiple compliance lessons, including the importance of understanding the human element in control design, the need for adequate staffing and monitoring, and the necessity of consistent global risk management.

Fox and Kelly also highlight the importance of addressing findings from internal audits and maintaining urgency in improving internal controls. They emphasize that companies should think creatively about risk management, taking into account various global factors, including holidays and local regulations.

Key Highlights:

  • The Citigroup Internal Control Fiasco
  • Compliance Lessons from Citigroup’s Mistake
  • The Human Element in Compliance and Control Failures
  • Global Consistency in Risk Management

Resources:

Matt on Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Everything Compliance

Everything Compliance: Episode 134, The AI Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows.

In this episode, we have a quintet of commentators; Jonathan Armstrong, Jonathan Marks, Matt Kelly, Jay Rosen, and special guest Karen Moore, all hosted by Tom Fox.

1. Matt Kelly discusses the role of the Board of Directors in AI. He rants about Kristi Noem killing her dog and that APRA should be ARPA.

2. Host Tom Fox shouts out to the revival of the Rock Opera Tommy on Broadway and to Pete Townshend

3. Jonathan Marks reviews AI and internal controls. He shouts out to Maureen Stanko and the So Much to Give Inclusive Cafe for starting a restaurant that employs people with autism.

4. Jay Rosen considers compliance issues for AI. He shouts out to his favorite time of the sports year, with the NBA and NHL playoffs, MLB in full swing and the start of the WNBA.

5. Karen Moore considers the AI implications from the American Privacy Rights Act. She shouts out to Travis Clayton for being the first Rugby Union player to be signed to the NFL and to the Buffalo Bills for doing so.

6. Jonathan Armstrong reviews the EU AI Act. He shouts out to Kate Middleton for the grace and dignity which she has shown throughout her cancer diagnosis.

The members of the Everything Compliance are:

Jay Rosen – Jay can be reached at Jay.r.rosen@gmail.com

Karen Woody – Is one of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

Jonathan Armstrong – is our UK colleague and an experienced data privacy/data protection lawyer in London. He can be reached at windyridgehouse@gmail.com.

Jonathan Marks can be reached at jtmarks@gmail.com.

Special Guest Karen Moore can be reached at Kmoore51@fordham.edu

The host, producer, and ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Blog

Ten Top Lessons from Recent FCPA Settlements – Lesson No. 9, Internal Controls

Over the past 15 months, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear, through three Foreign Corrupt Practices Act (FCPA) enforcement actions and speeches, their priorities in investigations, remediations, and best practices compliance programs. Every compliance professional should study these enforcement actions closely for the lessons learned and direct communications from the DOJ. They should guide not simply your actions should you find yourself in an investigation but also how you should think about priorities.

The three FCPA enforcement actions are ABB from December 2022, Albemarle from November 2023, and SAP from January 2024. Taken together, they point out a clear path for the company that finds itself in an investigation, using extensive remediation to avoid monitoring and provide insight for the compliance professional into what the DOJ expects in an ongoing best practices compliance program.

Over a series of blog posts, I will lay out what I believe are the Top Ten lessons from these enforcement actions for compliance professionals who find themselves in an enforcement action. Today, we continue with Number 9, Internal Controls. The DOJ has made it clear that any organization under FCPA scrutiny must use its internal controls to continuously test, monitor, and improve all aspects of its compliance program.

SAP

As a part of its remediation, the company conducted a gap analysis of internal controls. This remediation found those internal controls “lacking.” SAP also undertook a “comprehensive risk assessment focusing on high-risk areas and controls around payment processes and enhancing its regular compliance risk assessment process.” Using this risk assessment as a starting point, the company performed a gap analysis, determined the overall remediation regime needed, and effectuated that remediation. 

ABB

The ABB Plea Agreement reported that ABB “performed a root-cause analysis of the conduct at issue. From there, the company revamped its internal controls, investing significant additional resources in control testing and monitoring throughout the organization. While not often seen as a part of internal controls, the company restructured its reporting by internal project teams to ensure compliance controls oversight.

Additionally, ABB essentially created its monitoring program around controls, testing its compliance program, and reporting to the DOJ. In the “Written Work Plans, Reviews, and Reports” section, ABB agreed to conduct a first review and prepare a report, followed by at least two follow-up reviews and reports. But more than simply reporting on control testing, ABB agreed to create and submit for review a work plan for this ongoing testing of its compliance program, as the program was detailed in the DPA. The DPA specified, “No later than one (1) year from the date this Agreement is executed, the Company shall submit to the Offices a written report setting forth:

  • a complete description of its remediation efforts to date;
  • a complete description of the controls testing conducted to evaluate the effectiveness of the compliance program and the results of that testing; and
  • It proposes to ensure that its compliance program is reasonably designed, implemented, and enforced so that the program is effective in deterring and detecting violations of the FCPA and other applicable anti-corruption laws.”

The bottom line is that all these companies worked very hard to significantly enhance their controls, testing, and monitoring and then improve based on that information. None of the actions taken by these companies were particularly new or even innovative. Indeed, these strategies have been available from the DOJ since at least the first edition of the FCPA Resource Guide in 2012. What stood out, however, was the work each company did to understand the deficiencies in its internal controls regime and its superior efforts to upgrade them.

Albemarle

The Albemarle SEC Order was instructive regarding internal controls for a different reason than we have been considering throughout this series. The Order detailed a series of internal control failures by the company across multiple business units in several countries. The entire story painted a picture of a company whose internal controls were either inadequate or easily overridden.

Vietnam. The Order noted, “Albemarle’s system of internal accounting controls was insufficient to prevent or detect these improper payments, which Albemarle Singapore falsely recorded as legitimate commissions in books and records consolidated into Albemarle’s financial statements.”

India. A backdated agreement increased an India agent’s commission multiple times without compliance oversight or approval. Commissions went from “extremely high” to “far from any possible realistic justification.” Finally, “the agreement called for payment of a three percent commission to India Agent, a rate three times higher than that paid to Albemarle’s existing agent for India.”

Indonesia. “Albemarle’s system of internal accounting controls was insufficient to prevent or detect the improper payments made to and through Indonesia Agent, which Albemarle Singapore falsely recorded as legitimate commissions and business expenses in books and records consolidated into Albemarle’s financial statements.”

China. When an Albemarle business director questioned China Agent’s compensation as “high,” an Albemarle Netherlands business director provided the business justification that he anticipated significant returns on the contract.

UAE. No due diligence was conducted on an agent until after the agent agreement had been executed. The agent provided no discernible services other than conveying confidential tender evaluations and competitors’ bids obtained from the customer.

Each of these resolutions drives home the importance of the creation and remediation of internal controls as a key part of your overall compliance regime during any investigation. The sooner you can start on your internal controls, the better off you will be in your negotiations with the DOJ and SEC.


Compliance into The Weeds: Compliance and Internal Controls in The Trump Organization

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt look at the Trump Organization Monitor and Independent Director of Compliance required in the trial court order.

The topic of internal controls within the Trump Organization has recently come under scrutiny, with the need for improved financial practices and systems of accounting control becoming increasingly apparent. Tom views internal controls as the backbone of financial reporting and compliance. He points out the inconsistencies and errors in the Trump Organization’s financial disclosures, emphasizing the need for accurate certifications and attestations about the organization’s financial health. Similarly, Matt underscores the importance of consistent and accurate financial disclosures. He raises concerns about the lack of basic financial controls within the Trump Organization and sees the need for a significant overhaul of internal controls to ensure transparency, accuracy, and compliance with financial reporting standards. Both Fox’s and Kelly’s perspectives are shaped by their extensive experience in the field of compliance and their understanding of the critical role internal controls play in maintaining financial integrity.

Key Highlights:

  • Compliance Monitor’s Oversight in Fraud Detection
  • Navigating Financial Compliance in the Trump Organization
  • Implementing Effective Accounting Control Systems at Trump
  • Enhancing Financial Integrity in the Trump Organization

Resources:

Matt on Radical Compliance
