By Nina Gross and Jeff Harfenist
Nina Gross leads BDO’s Global Forensics practice in Washington, D.C., having 30 years of forensic accounting, investigation and consulting experience working with multinational organizations and their counsel. Ms. Gross has significant experience assisting clients in responding to sensitive investigative matters, as well as advising organizations on compliance, due diligence and anticorruption programs designed to deter and prevent the recurrence of fraud.
Jeff Harfenist leads BDO's Global Forensics Southwest practice and has more than 25 years of forensic accounting experience. He conducts fraud-related investigations involving numerous issues, including alleged violations of national anti-corruption laws (including the FCPA and U.K. Bribery Act), embezzlements, kickbacks, Ponzi schemes, diversion of assets, and financial reporting fraud. He also advises organizations on compliance, due diligence and anticorruption programs for the prevention of fraud.
The U.S. Department of Justice (DOJ) recently released a list of factors that prosecutors should consider when evaluating compliance programs in the context of determining whether to bring criminal charges against, or negotiate agreements with, an offending corporation. The factors, included in the document “Evaluation of Corporate Compliance Programs,” consist of 119 questions across 11 topic areas:
• Analysis and remediation of underlying misconduct
• Senior and middle management
• Autonomy and resources
• Policies and procedures
• Risk assessment
• Training and communications
• Confidential reporting and investigation
• Incentives and disciplinary measures
• Continuous improvement, periodic testing and review
• Third-party management
• Mergers and acquisitions
Much of what the DOJ looks for in a compliance program is apparent from this listing of factors—including performing compliance risk assessments; designing appropriate policies and procedures, ongoing data analytics and other monitoring processes for signs of violations; remediating identified weaknesses; performing due diligence; and conducting thorough investigations.
However, there are two closely related themes that run through all 11 categories and their detailed questions—the integration of compliance into key aspects of an organization’s activities and the effective communication of all compliance-related matters. In other words, the involvement of compliance personnel and compliance activities in other company functions, together with effective compliance communications, is at the core of a successful compliance program.
In this article, we will examine the five most important elements of integration and communication emphasized by the DOJ.
Compliance should play an important role in an organization’s strategic and operational decision-making. Too often, compliance is an afterthought, considered only after a company’s strategic direction has already been decided. Just as enterprise risk management is best conducted in a strategy-setting context, compliance risk assessments should be driven by, and integrated into, strategic decision-making. A key characteristic of compliance risk assessment and risk management is the proactive identification of compliance issues, which can only occur if compliance is involved early and at the highest levels.
In its recent guidance, the DOJ indicates that compliance should have the opportunity to engage in meaningful conversations with the board of directors and external auditors without senior management present. This enables compliance to freely communicate any concerns with current strategic or operational decisions that have compliance ramifications or issues that senior management is not properly addressing.
Once an organization’s compliance risks are identified, it is essential that compliance personnel remain involved throughout the preparation and rollout of all related policies and procedures. To do so, compliance should work closely with the individual business units affected by the policies and procedures being developed. By working together, these groups can develop sound and practical policies and procedures that can best address an organization’s compliance risks.
In the guidance, the DOJ devotes five questions to training. Compliance should have significant involvement in both the delivery and the development of training. The training content should be customized based on the company’s compliance risk assessment, as well as the specific policies and procedures developed to address each compliance risk.
Compliance personnel should also work closely with business units to identify which individuals should receive training. If a separate training and development function exists, compliance should involve them in determining the best methods and duration of training, based on the audience and the nature of the content to be delivered.
The compliance group should provide input into the processes used for screening new vendors and other third parties prior to engagement. Too often, companies learn the hard way that many third parties that become involved in corrupt or fraudulent activity had previously exhibited signs of misconduct—behavior that could, and should, have been identified before entering into the relationship. Not all vendor and third-party due diligence processes are alike. Compliance can play a vital role in customizing the due diligence process based on the compliance risks associated with each relationship.
Due diligence is important not only for vendors, but also for merger and acquisition targets. The DOJ makes two important points in this regard. The first question asks who was involved in reviewing the acquired and merged entities, with the implication that compliance should participate. The second question is even more pointed: “How has the compliance function been integrated into the merger, acquisition, and integration process” of the entities involved in the transaction? The role for compliance extends well past the due diligence phase. Post-merger and post-acquisition integration of compliance programs is key to preventing future issues involving the merged business unit(s).
The DOJ’s guidance asks who was involved in analyzing identified misconduct and developing the remediation steps in response. While compliance may or may not be directly involved in the investigation, the team should play a role in analyzing the misconduct and developing the remediation plan. The DOJ guidance explicitly indicates an expectation that compliance should have “full access to reporting and investigative information.”
Analysis of the misconduct should consider whether:
• The design of preventive and detective compliance controls was flawed;
• The operation of the controls broke down, due either to the natural erosion of controls that often occurs over time or to insufficient care by the individuals carrying out their control-related responsibilities; or
• An intentional override or circumvention of compliance-related controls took place.
The answers to these questions usually determine how individual policies and procedures need to be modified to guard against similar future misconduct.
How an organization handles its communications following misconduct is equally critical. While companies have differing communication styles and opinions, it is vital that they implement a thoughtfully crafted organization-wide communication plan that informs everyone that the misconduct has been identified and the individuals involved have been disciplined. This sends a valuable message that:
• Compliance and ethics are important to senior management and the board;
• Breaches will not be tolerated; and
• Whistle-blower calls and other tips are taken seriously and thoroughly investigated (if applicable).
Most noncompliance events result in the identification of weaknesses in the design and/or operation of compliance-related controls. However, remediation must go beyond simply rewriting policies and procedures, and involve additional training led by the compliance team. This training may include educating staff on existing policies and procedures that had not been properly followed.
It can be easy to get lost in the details of the 119 questions in the DOJ’s corporate compliance guidance document; nevertheless, the guidance stresses some key factors for compliance professionals, boards and other stakeholders to focus on. Companies can develop solid compliance programs by integrating compliance into other relevant organizational activities and by developing thoughtful compliance-related communication systems in advance. With the ever-increasing range of risks in today’s competitive environment, it is important to plug the compliance team in early and keep it plugged in daily.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.