Compliance Auditing Done Right
SCCE 10th Annual Compliance & Ethics Institute
September 12, 2011
Scott Avelino
Win Swenson
Proprietary Material
Discussion Topics
• Rationale for Conducting Compliance Audits
• Identifying Risk Areas to Audit
• Determining Audit Scope, Roles and Responsibilities
• Selecting Appropriate Compliance Audit Techniques
• Sample Work Plan Elements
• Documenting and Acting on Results
Core Objectives of an Effective Compliance Program
• Prevent wrongdoing
• Detect occurrence
• Respond appropriately once discovered
Government Expectations
• Federal Sentencing Guidelines
− “The organization shall establish standards and procedures to prevent and detect criminal conduct.”
− “The organization shall take reasonable steps to: (a) ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; (b) evaluate periodically the effectiveness of its compliance and ethics program; and (c) have a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”
Government Expectations
• Department of Justice
− “Compliance programs should be designed to detect the particular types of misconduct most likely to occur in a particular corporation's line of business.”
− “Prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation's compliance efforts.”
− “The Department encourages … corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own.”
Other Practical Business Considerations
• Narrow the gap between policy and practice
• Ensure resources allocated to compliance are making a difference and achieving their intended results
• Provide directors and officers the information they need to discharge their oversight responsibilities
• Discover issues before someone else does
• Position the organization to qualify for maximum credit for identifying, remediating and self-reporting problems
• Demonstrate and reaffirm internal commitment to compliance
Risk Inventory – Sample Inputs
• Known laws or regulations that apply to the business
• Standards addressed in the code of conduct and related policies, or external codes, contracts or voluntary standards to which the company is a signatory
• Compliance topics arising from previous allegations, violations, enforcement actions or settlement agreements
• Line management or employee views of known issues or “near misses” that have arisen in the business
• Areas targeted in industry enforcement or litigation
• Business practice criticisms profiled in the media, shareholder resolutions or legislative activity
Risk Inventory – Sample Taxonomy
Sample Top-Level Compliance Risk Inventory
1.0 Health, safety and security
2.0 Environment
3.0 Fair treatment and equal opportunity
4.0 Respectful and harassment-free workplace
5.0 Privacy and employee confidentiality
6.0 Receiving and giving gifts and entertainment
7.0 Conflicts of interest
8.0 Competition and antitrust
9.0 Trade restrictions, export controls and boycott laws
10.0 Money laundering
11.0 Working with suppliers
12.0 Bribery and corruption
13.0 Dealing with governments
14.0 Community engagement
15.0 External communications
16.0 Political Activity
17.0 Accurate data, records, reporting and accounting
18.0 Protecting Assets
19.0 Intellectual property and copyright of others
20.0 Insider trading
21.0 Digital systems use and security
Risk Inventory – Sample Taxonomy
Top-Level Risk Inventory
1.0 Competition and Antitrust
2.0 Environment
3.0 Trade Restrictions
Second-Level Risk Inventory
1.0 Competition and Antitrust
− 1.1 Price fixing
− 1.2 Monopolization
− 1.3 Conditioned sales
2.0 Environment
− 2.1 Air emissions
− 2.2 Water emissions
− 2.3 Hazardous waste
3.0 Trade Restrictions
− 3.1 Exports to a prohibited country
− 3.2 Imports from a sanctioned country
− 3.3 Restricted technology transfer to a company facility
Sample Likelihood Considerations
Sample Likelihood Factors
• Known instances / allegations
• Previous history
• Pervasiveness of the risk across operations
• Complexity of the risk
• Results of employee surveys and focus groups
• Violations by other companies or industry peers
• Industry / competitor litigation trends
• Government enforcement priorities
• Criticisms by the media or NGOs
• Other internal considerations
Rating
• High / Probable (Score = 7 – 9)
• Moderate / Reasonably Possible (Score = 4 – 6)
• Low / Remote (Score = 1 – 3)
Sample Significance Considerations
Sample Rating: High / Material (Score = 7-9)
− Sample Financial Impact: > $30,000,000
− Sample Non-Financial Impact: Criminal investigation; Major class action litigation; Major change to corporate strategy; Resignation or dismissal of C-Level executives; National media attention; Financial restatement
Sample Rating: Moderate / More than Inconsequential (Score = 4-6)
− Sample Financial Impact: $10,000,000 – $30,000,000
− Sample Non-Financial Impact: Regulatory intervention / probation; Complex litigation; Major change to business unit strategy; Resignation or dismissal of business unit executives; Regional / trade media attention
Sample Rating: Low / Inconsequential (Score = 1-3)
− Sample Financial Impact: < $10,000,000
− Sample Non-Financial Impact: Regulatory sanction; Isolated litigation; Major change to functional strategy; Resignation or dismissal of functional executives; Ability to meet performance targets threatened
Sample Prioritization Considerations
Scope Considerations
• Corporate
• Business Unit
• Geography
• Business Process
• Job Function
• Agents, JVs, Third Parties
Site Selection Considerations
• Size / Revenue / Materiality
• Local Operating Environment (e.g., TI Corruption Perception Index)
• Management Experience / Turnover
• Prior history, incidents, findings
• Significant cash operations
• Time elapsed since last audit
Roles and Responsibilities
• 3 Lines of Defense
− Business Owners
− Standard Setters
− Assurance Providers
• 2 Key Principles
− Objectivity
− Competence
In Practice
• Business and Functional Self-Auditing
• Compliance Risk SMEs (e.g., human resources, safety)
• Corporate Compliance
• Internal Audit
• External Resources
Audit This: There Must Be At Least 25% Green Balls and Absolutely No Brown Ones
Substantive Testing
• Determine Statistical Sample Size
• Collect Sample
• Test for Compliance
Substantive Testing - Features
Strengths
• Tangible analysis and specific results.
• Good when there’s something tangible to inspect (e.g., customer files, vendor invoices, bank statements, expense reports, inventory, etc.).
• Can be aided by technology.
Limitations
• Lots of educated guesswork.
• Time and resource intensive.
• Backward looking.
• Wrongdoing can involve conduct that does not necessarily leave a clear paper trail (e.g., kickbacks, fraud).
Process/Controls Testing
• Who filled the pit?
• Did they get communication and training on the requirements?
• Did a supervisor monitor them as they filled the pit?
• Did they have access to brown balls?
• Does somebody else test the pit each time it’s filled?
Process/Controls Testing – Features
Strengths
• Less resource intensive
• Evaluates the quality of controls management relies on to prevent and detect compliance violations – which can be a proxy for predicting the state of compliance today and prospectively
Limitations
• Probative, but not determinative on whether compliance has been achieved
Eliciting Observations / Perceptions
Can apply to both process and substantive testing
• Has anyone ever seen any brown balls being used?
• Does the pit crew feel pressure to cut corners?
• Did the pit crew find the training useful and easy to understand?
• Does the pit crew feel comfortable raising questions and concerns?
Observations / Perceptions – Features
Strengths
• Not resource intensive
• Tells you what people really think
Limitations
• Subjective, open to misinterpretation or misunderstanding
• Not necessarily determinative
Upshot
• Triangulate in light of the risk area being audited
− Process/Controls
− Substantive
− Perceptions
Audit this: Anticorruption at GPS Device Co.
Corporate
− Americas: US, Canada, Mexico, Brazil
− Europe: UK, France, Germany, Poland, Russia
− Asia-Pacific: China, Japan, Australia
Profile
• Fastest growing unit in region
• New management team
• Accounting system slow to come online
• Sales to state-owned enterprises
• No prior incidents
• Moderately high score on TI Corruption Index
Testing Considerations
• BU-specific compliance program elements to prevent and detect violations
− Tests of Design
− Tests of Operating Effectiveness
• Process-specific (e.g., sales, accounts payable) controls to prevent and detect violations
− Tests of Design
− Tests of Operating Effectiveness
• Substantive testing
• Subjective observations, perceptions
GPS Device Co. – Russia BU
− Consumer: North, East, West, South
− Government: Military, Aviation, Automobile, Infrastructure
− Shared Services: Human Resources, Legal, Procurement, Finance
Sample Compliance Program Considerations
• Risk assessment
• Compliance oversight responsibility
• Code, policies and standards
• Due diligence procedures
• Communication and training
• Auditing and monitoring
• Hotline
• Investigations
• Discipline, remediation, etc.
Sample Process-Specific Considerations
• Business Development: Gifts, gratuities and entertainment
• Procurement: Vendors with improper ties
• Payroll: Ghost employees
• Staffing: Visa applications
• Logistics: Shipping and freight forwarding
• Real Estate: Construction permits
Brainstorming Considerations
• Opportunity
• Pressures / Incentives
• Rationalization
Sample Red Flags to Guide Focus
• Parties Involved
− Government officials or their family members
− Entities owned by government officials or their family members
− Entities run by former government officials
− Agents, suppliers or (sub)contractors that have been pre-designated by the customer
− Agents who have multiple contracts / business relationships with the site (e.g., consulting services, warehousing, office rentals, staffing services, etc.)
− Local suppliers contracted through sole-sourced bids
− Third parties with no apparent expertise in the industry
− Apparent lack of qualifications on the part of the agent to perform services
− Use of shell or nominee companies
Sample Red Flags to Guide Focus
• Pricing Terms
− Unusual rebate or discount pricing unrelated to volume pricing or discounts, e.g., prompt payment
− Unusually high costs for goods or services
− The size of the commission paid to the agent in relation to the services performed, and/or the size of any secondary contract paid to an agent in some other capacity (e.g., fees paid for warehousing equipment or renting office space)
Sample Red Flags to Guide Focus
• Payment Methods
− Any unusual means of payment
− Cash transactions
− Many petty cash transactions
− Payment to suppliers or (sub)contractors in advance of their services unless specifically authorized by the agreement and supported by a letter of credit, bank guarantee or surety bond
− Non-monetary terms (e.g., barter / exchange of goods and services)
− Use of financial instruments not requiring a name (e.g., bearer checks)
Sample Controls Testing – Charitable Contributions
• Are potential charities screened to ensure that the recipient has no connection to a government or political official (or their agent or immediate family) capable of providing the company with an unfair competitive advantage?
• Are potential charities screened to ensure that the recipient is a legitimate organization and is not sanctioned by the U.S. government?
• Are opinion letters sought from local legal counsel confirming that the donation is lawful under the laws of the country in which the donation is made?
• Are charitable contributions pre-approved before they are made?
• Are records and receipts for charitable contributions kept?
Sample Substantive Testing – Charitable Contributions
• Review the general ledger for charitable contribution costs.
• Select transactions for review and determine whether:
− Documentation supports the transaction
− Policies and procedures were followed
− Correct cost codes and accounting classifications were applied
− Business purpose and support appears reasonable
Report Elements
• Objectives
• Scope
• Procedures Performed
• Findings
• Root Cause Analyses (including isolated vs. systemic considerations)
• Recommendations / Enhancement Opportunities
− Site-specific
− Company-wide
• Action Plan
Report Distribution Considerations
• Legal
• Compliance
• Internal Audit
• Compliance Steering Committee
• Senior or Line Management
• Audit Committee
Privilege Considerations
• Attorney/Client Privilege
• Work Product Doctrine
• Self-Evaluative Privilege
Q & A
Thank You
Contact Information
Scott Avelino, Compliance Systems Legal Group, (202) [email protected]
Win Swenson, Compliance Systems Legal Group, (617) [email protected]