Categories
Trekking Through Compliance

Trekking Through Compliance – Episode 36 – Risk Management Lessons from Catspaw

In this episode of Trekking Through Compliance, we consider the episode Catspaw, which aired on October 27, 1967, and occurred on Star Date 3018.2.

Strange things happen to a landing party consisting of Jackson, Sulu, and Scotty when they beam down to planet Pyrus 7. When Kirk, Spock, and McCoy beam down to investigate, leaving DeSalle in command and Chekov as his sidekick, they are enveloped in fog. They also detect multiple life readings, even though the Enterprise’s sensors only detect the landing party. They are all captured by Korob and Sylvia.

Meanwhile,  Enterprise is breaking free through DeSalle’s efforts. Korob sets Kirk and Spock free and tells them to leave immediately because he can no longer control Sylvia. Kirk grabs Korob’s scepter, and after fending off attacks from McCoy, Scott, and Sulu, Kirk tells Sylvia that he has the scepter. Kirk breaks the scepter in front of Sylvia. The castle vanishes, and Sylvia and Korob appear as the bizarre blue and yellow puppet-like alien beings they are. Unable to survive in this galaxy without the transmuter, they shrivel up and melt away, and Sulu and Scott are returned to normal.

Commentary

The story follows a landing party encountering strange, supernatural events on planet Pyrus 7, leading to valuable compliance lessons. Key takeaways include maintaining situational awareness, establishing effective incident response, identifying and mitigating supply chain vulnerabilities, fostering a culture of skepticism, prioritizing resilience, and empowering cross-functional collaboration. The episode uniquely ties the plot’s elements to practical compliance and risk management learning.

Key Highlights

  • Story Synopsis
  • Fun Facts and Production Notes
  • Narcissism in Cat’s Paw
  • Risk Management Lessons

Resources

Excruciatingly Detailed Plot Summary by Eric W. Weisstein

MissionLogPodcast.com

Memory Alpha

Categories
Blog

AI in Compliance Week: Part 3 – Embracing AI-Powered Internal Controls

Integrating artificial intelligence (AI) into internal controls is pivotal in the ever-evolving corporate governance landscape. We have closely followed the discussion around this emerging trend and the insights from industry experts like Jonathan Marks. In Part 3 of my five-part blog post series, I will explore the key considerations and best practices for leveraging AI to enhance an organization’s internal control framework.

Let’s start with the basics: ‘ What are internal controls?’ The best answer I have ever heard is still provided by Jonathan Marks, who says, “Internal controls are the mechanisms, rules, and procedures implemented by an organization to ensure the integrity of financial and accounting information, promote accountability, and prevent fraud. They encompass the entire control environment, including the attitude, awareness, and actions of management and others concerning the internal control system and its importance to the entity.”

Consider that the foundation of any successful AI application lies in the quality and accessibility of data. Organizations must ensure that the data feeding into their AI systems is accurate, comprehensive, and the definitive “source of truth.” Failure to address data quality issues can lead to incorrect outputs that undermine the effectiveness of specific control mechanisms. Establishing robust data management practices, including data governance and integration, is crucial for unlocking the full potential of AI-powered internal controls. This is equally true for internal controls.

Effective implementation of AI-driven internal controls requires a skilled workforce. Companies must invest in developing internal capabilities to handle these advanced tools and accurately analyze the results. This may involve training existing employees, hiring specialized talent, and fostering a culture of continuous learning. Understanding the nuances of machine learning, natural language processing, and other AI techniques is essential for internal teams to leverage these technologies successfully. For the compliance professional, it may mean adding expertise or partnering with internal audit or your internal controls team to garner the talent needed to move to AI-powered internal controls.

The integration of AI into internal controls raises important ethical considerations. Acknowledging and addressing the inherent biases that can exist within specific AI algorithms is imperative. By creating AI systems that are open, fair, and responsible, organizations can preserve stakeholder trust and uphold their ethical norms. Incorporating ethical principles and bias mitigation strategies into designing and deploying AI-powered internal controls is critical.

Successful implementation of AI-driven internal controls often requires close collaboration with technology providers. Companies and compliance professionals should seek out respected partners who can offer customized solutions that align with their specific internal requirements. These collaborations can provide continuous assistance as the intelligence and capabilities of the AI systems evolve. By fostering a collaborative environment, companies can ensure that the integration of AI into their internal control framework is seamless and practical.

Key Considerations for AI-Powered Internal Controls

There are a few key considerations for organizations to ensure the ethical deployment of AI-powered internal controls:

  1. Transparency and Explainability: The AI system’s decision-making process should be as transparent and explainable as possible. Organizations should be able to explain how the system arrives at its decisions and recommendations and provide clear documentation on the data, algorithms, and assumptions used.
  2. Fairness and Non-Discrimination: The AI system should be carefully audited to ensure it does not exhibit biases or discriminate against protected groups. Organizations should implement testing and monitoring processes to detect and mitigate unfair or discriminatory outcomes.
  3. Human Oversight and Accountability: Clear human oversight and accountability measures should be implemented. Employees should be able to understand, challenge, and override the AI system’s decisions when appropriate. There should also be defined processes for addressing errors or unintended consequences.
  4. Data Privacy and Security: The data used to train and operate the AI system must be adequately secured and protected to respect employee privacy. Organizations should have robust data governance policies and procedures in place.
  5. Ongoing Monitoring and Adjustment: The ethical performance of the AI system should be continuously monitored, and organizations should be prepared to adjust or refine as issues are identified. This may require establishing an AI ethics review board or similar governance structure.
  6. Alignment with Organizational Values: The deployment of the AI system should be aligned with the organization’s ethical principles and values. There should be a clear understanding of how the system supports the organization’s mission and commitment to employee wellbeing.
  7. Employee Engagement and Education: Employees should be informed about using AI-powered internal controls and receive training on interacting with the system. This can help build trust and ensure the system is used appropriately.

By addressing these key areas, organizations can work towards the ethical deployment of AI-powered internal controls and build trust with their employees. Collaboration with ethicists, legal experts, and other stakeholders can help refine best practices in this rapidly evolving landscape. However, this remains an evolving and complex area that requires ongoing vigilance and adaptation.

Ethical AI Deployment

There are some examples of organizations that have successfully navigated the challenges of ethical AI deployment.

Microsoft has been faced with ensuring fairness and mitigating bias in AI systems. To meet this, the company developed a comprehensive, Responsible AI Standard outlining principles and practices for ethical AI development.

IBM was challenged to achieve transparency and explainability in AI-powered decision-making. To meet this challenge, IBM has invested in explainable AI (XAI) technologies, such as its AI Explainability 360 toolkit. This enables developers to understand and interpret the inner workings of their AI models.

Google faced privacy and security concerns when using employee data for AI development. Google has established a Responsible AI Principles framework emphasizing data privacy and security, including differential privacy and secure multi-party computation techniques.

Salesforce must ensure alignment between AI-powered tools and the organization’s ethical values. To this end, it developed guidance through its AI Ethics & Humanism Council on the responsible development and use of AI across the company. This includes aligning AI systems with Salesforce’s core values.

Anthem needs to gain employee trust and acceptance in using AI-powered internal controls. To do so, Anthem has implemented an “AI Ambassadors” program, where select employees are trained to help their colleagues understand and navigate the company’s AI-powered systems, fostering greater acceptance and trust.

These examples demonstrate how leading organizations have proactively addressed the ethical challenges of AI deployment through a combination of technical, policy, and organizational approaches. By prioritizing principles like fairness, transparency, privacy, and alignment with corporate values, these companies have made progress in ensuring the responsible and trustworthy use of AI within their organizations, particularly around AI-powered internal controls.

Both compliance and internal audit professionals must recognize the pivotal role that AI can play in enhancing the effectiveness of internal controls. By proactively exploring the incorporation of AI into their control mechanisms, organizations can gain a significant advantage in managing the complexities of modern enterprises and the ever-increasing data landscape. The deliberate integration of AI into internal controls will be a crucial factor in determining the success and resilience of an organization’s overall governance framework.

Integrating artificial intelligence into internal controls represents an opportunity for organizations to strengthen their control environment and make more informed decisions. Compliance professionals can help AI-powered internal controls become a cornerstone of effective corporate governance by addressing data quality, skill development, ethical considerations, and collaboration. I am excited to see how this technology continues to evolve and reshape the way we approach internal control systems and your compliance program.

Join us tomorrow as we examine the role of compliance in keeping AI decisions fair and unbiased.

Categories
Blog

What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled, Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response,”. Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as “research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. It includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred write the answer down below the problem. But do not stop there if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”

Categories
Blog

Internal Reporting and Triaging of Claims

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This system has become even more important after the 2022 announcement of the Monaco Memo. Further, as the 2022 ABB FCPA resolution made clear, self-disclosing to the DOJ is the vital first step for all discounts under the Corporate Enforcement Policy to begin.

This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation.

Internal reporting. The 2020 FCPA Resource Guide, 2nd edition, has as clear and concise a statement about hotlines as any other requirement found in Hallmarks of an Effective Compliance Program. It states:

An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.

The Evaluation reinforced this language with the following found under Reporting and Investigation:

How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

The reason is that a business’s own employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organization of Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also give heed to the implementation of a hotline.

What are some of the best practices for a hotline? Start with the following:

Availability. Your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.

Anonymity. There must be a manner to make reports anonymously if the reporter so desires.

Escalation. You must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.

Follow-up. There must be a sufficient follow up protocol to make sure any reported events receive the warranted attention. There should also be a way to keep the incident reporter informed as to the progress of the matter within your investigative protocol.

Oversight. There should be multiple levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

After your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem.

Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what will be the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including both forensic and human, to complete the investigation.

Marks’ five-stage process for early assessments are as follows:

Stage 1. These consist of allegations that have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact.

Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports.

Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management.

Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team.

Stage 5. These are serious allegations that involve one or more members of the senior management team or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode and could result in the restatement of audited financial statements or added regulatory scrutiny.

Finally, after you ascertain you have an effective reporting mechanism through your hotline and demonstrate you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists, you must present the data it produces.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 14 – Internal Controls

What are internal controls? The best definition I have come across is from Jonathan Marks, partner at BDO, who defined internal controls as:

An internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives. This, along with continuous auditing, continuous monitoring, and training, reasonably assures:

• The achievement of the process objectives linked to the organization’s objectives;

• Operational effectiveness and efficiency;

• Reliable (complete and accurate) books and records (financial reporting);

• Compliance with laws, regulations and policies; and

• The reduction of risk fraud, waste, and abuse, which aids in the decline of process and policy variation, leading to more predictive outcomes.

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, map your existing internal controls to the Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you determine whether adequate internal compliance controls are present in your company. From there, you can move on to see if they are working in practice.

Three key takeaways:

1. Effective internal controls are required under the FCPA

2. Internal controls are a critical part of any best practices compliance program

3. There are four significant controls for the compliance practitioner to implement initially. (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash or currency

Categories
Compliance Into the Weeds

Compliance into the Weeds: COSO Fraud Risk Management Framework

The award-winning, Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully and looking for some hard-hitting insights on sanctions compliance. Look no further than Compliance into the Weeds!

Get ready to dive into the fraud risk management and prevention world with Compliance into the Weeds, hosted by Tom Fox and Matt Kelly. In this episode, they break down the recently released fraud risk framework by COSO and the Association of Certified Fraud Examiners and how it’s necessary for today’s cyber-based fraud and cryptocurrency. They stress the importance of data analytics and internal hotlines to prevent fraud and that all employees need to be trained to detect and prevent fraud in their industry. The hosts also discuss how financial reporting controls may not always detect fraud and how anti-fraud controls are essential. With the rise of new types of fraud like ESG and greenwashing, the hosts recommend the fraud risk report for audit and compliance professionals to stay informed about risks swirling around corporations today. Take advantage of this informative and fascinating podcast. Tune in to Compliance into the Weeds now.

Key Highlights:

·      Fraud Risk Management: COSO Report 2nd Edition

·      Effective Fraud Prevention Training for Employees

·      Importance of Anti-Fraud Controls in Fighting Fraud

·      COSO Fraud Risk Guidance and the Fraud Pentagon

Notable Quotes:

“But when you think about it, we have a lot of external factors, such as the rise of cryptocurrency, which is riddled with fraud and corruption risk. New methods of cyber-based fraud, which didn’t exist, say, 2016, the 2010s before that. Rise of ransomware in particular, which wasn’t quite a big thing back then that it is all over the place now.”

“Most frauds, you the risk management function, you might never catch them. By looking for them, you’ll have to depend on somebody else coming to you from the enterprise, say, I think this person over here is doing something sketchy.”

“Fraud is having a moment. And fraud risk is on the forefront of many people’s minds from many different areas.”

“We need to do better at finding ways to assess and understand your fraud risk and then implementing new controls as necessary to push that risk down to acceptable levels.”

Resources

Matt 

LinkedIn

Blog Post in Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Everything Compliance

Episode 111 – The Duty of Oversight Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. Everything Compliance has been honored by W3 as the top talk show in podcasting. In this episode, we have the quintet of Jay Rosen, Karen Woody, Jonathan Marks, Tom Fox, and Matt Kelly, who review the recent Delaware Court of Chancery decision creating a duty of oversight for corporate officers. We conclude with our fan-fav Shout Outs and Rants section.

1. Matt Kelly sets the stage for our discussion and poses a question about what it all means for CCOs going forward. He rants to the State of Texas Legislature for creating a ‘Gold Card’ for physicians who have over 90% of all requested procedures covered by insurance. (1:30)

2. Jonathan Marks looks at the case from the internal audit and corporate governance perspectives. He rants about the Pentagon’s failure to shoot down a Chinese spy balloon.

3. Tom Fox shouts out to Hindenburg Research and all other short sellers who help uncover fraud, waste, and abuse.

4. Karen Woody looks at the case from a legal perspective and unpacks the court’s legal reasoning. Woody shouts to Amtrak and asks us to ‘ride the train more often.’ (11:08)

5. Jay Rosen reviews the changes wrought for CCOs over the past year, from CCO certification to the Delaware court decision. He shouts out to his twin daughters on their 15th birthday. (41:13)

The members of Everything Compliance are:

•       Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com

•       Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu

•       Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com

•       Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com

•       Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Everything Compliance - Shout Outs and Rants

Everything Compliance – Episode 111, Shout Outs and Rants

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows with our fan-fav Shout Outs and Rants section.

1. Matt Kelly shouts out to the State of Texas Legislature for creating a ‘Gold Card’ for physicians who have over 90% of all requested procedures covered by insurance.

2. Jonathan Marks rants about the Pentagon’s failure to shoot down a Chinese spy balloon.

3. Tom Fox shouts out to Hindenburg Research and all other short sellers who help uncover fraud, waste, and abuse.

4. Karen Woody shouts out to Amtrak and asks us all to ‘ride the train more often.’

5. Jay Rosen shouts out his twin daughters on their 15th birthday.

Categories
31 Days to More Effective Compliance Programs

Day 8 – Internal Controls and Compliance

What are internal controls? The best definition I have come across is from Jonathan Marks, who defined internal controls as:
Internal control is an action or process of interlocking activities designed to support the policies and procedures detailing the specific preventative, detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes or objectives(s). This, along with continuous auditing, continuous monitoring, and training, reasonably assures: 

  • The achievement of the process objectives linked to the organization’s objectives;
  • Operational effectiveness and efficiency;
  • Reliable (complete and accurate) books and records (financial reporting);
  • Compliance with laws, regulations, and policies; and 
  • The reduction of risk fraud, waste, and abuse, which,
  • Aids in the decline of process and policy variation, leading to more predictive outcomes.

The DOJ and SEC, in the 2020 FCPA Resource Guide, stated:
Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. They include various components, such as a controlled environment that covers the tone set by the organi­zation regarding integrity and ethics, risk assessments, and con­trol activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring. … The design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services, how the products or services get to market, the nature of its workforce; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.

This was supplemented in the 2020 Update with a pair of pointed questions: whether a company has made a significant investigation into its internal controls and whether they have been tested, then remediated based upon the testing?

The bottom line is that internal controls are just good financial controls. The internal controls that detail requirements for third-party representatives in the compliance context will help detect fraud, which could lead to bribery and corruption. As an exercise, map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where gaps may exist. This will help you to determine whether adequate compliance internal controls are present in your company. From there, you can move to see if they are working in practice.

Three key takeaways:

  1. Effective internal controls are required under the FCPA
  2. Internal controls are a critical part of any best practices compliance program
  3. There are four significant controls for the compliance practitioner to implement initially. (a) Delegation of authority (DOA); (b) Maintenance of the vendor master file; (c) Contracts with third parties; and (d) Movement of cash/currency.
Categories
Role of the Board of Compliance

Episode 02: Marchand (Blue Bell Ice Cream) with Tom Fox and Jonathan Marks

Understanding risk means understanding your business.

Tom Fox and Jonathan Marks discuss the Blue Bell Ice Cream case, what went wrong, the lessons that compliance officers and board members can learn and apply, suggest how to improve your business’s governance, and how to be wary of red flags.

▶️ Marchand (Blue Bell Ice Cream) with Tom Fox and Jonathan Marks

Key points discussed in the episode:

✔Tom Fox lays out the facts of the Blue Bell Ice Cream case.

✔Jonathan Marks emphasizes the importance of enterprise-wide risk management and identifying key risks by deeply understanding your business.

✔Members of boards and committees should be carefully considered, must be conscious of the laws and regulations, and proactively ask questions to ensure safe products and services.

✔Jonathan Marks shares his opinions on the court verdict on Blue Bell’s CEO Paul Kruse’s responsibility for the listeria outbreak.

✔ Jonathan Marks highlights the gravity of disclosing red flags earlier so they can be corrected, preventing further damage, and continuing enterprise risk management programs, taking the shame out of it.

✔Tom Fox presents what the Delaware Supreme Court said about the case.

✔When safety issues arise, assess the situation quickly and communicate it among those responsible. Be prepared and have a crisis management plan in place if there isn’t any. 

✔Risk drives compliance. Ensure the board is informed. Risk assessment is the foundation of any compliance program.

—————————————————————————-

Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.