Compliance Auditing Done Right - SCCE Official Site · 2014-09-03

Compliance Auditing Done Right
SCCE 10th Annual Compliance & Ethics Institute
September 12, 2011
Scott Avelino
Win Swenson
Proprietary Material

Discussion Topics
• Rationale for Conducting Compliance Audits
• Identifying Risk Areas to Audit
• Determining Audit Scope, Roles and Responsibilities
• Selecting Appropriate Compliance Audit Techniques
• Sample Work Plan Elements
• Documenting and Acting on Results

Section: Rationale for Conducting Compliance Audits

Core Objectives of an Effective Compliance Program
• Prevent wrongdoing
• Detect occurrence
• Respond appropriately once discovered

Government Expectations
• Federal Sentencing Guidelines
− “The organization shall establish standards and procedures to prevent and detect criminal conduct.”
− “The organization shall take reasonable steps to: (a) ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; (b) evaluate periodically the effectiveness of its compliance and ethics program; and (c) have a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”
• Department of Justice
− “Compliance programs should be designed to detect the particular types of misconduct most likely to occur in a particular corporation's line of business.”
− “Prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation's compliance efforts.”
− “The Department encourages … corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own.”

Other Practical Business Considerations
• Narrow the gap between policy and practice
• Ensure resources allocated to compliance are making a difference and achieving their intended results
• Provide directors and officers the information they need to discharge their oversight responsibilities
• Discover issues before someone else does
• Position the organization to qualify for maximum credit for identifying, remediating and self-reporting problems
• Demonstrate and reaffirm internal commitment to compliance

Section: Identifying Risk Areas to Audit

Risk Inventory – Sample Inputs
• Known laws or regulations that apply to the business
• Standards addressed in the code of conduct and related policies, or external codes, contracts or voluntary standards to which the company is a signatory
• Compliance topics arising from previous allegations, violations, enforcement actions or settlement agreements
• Line management or employee views of known issues or “near misses” that have arisen in the business
• Areas targeted in industry enforcement or litigation
• Business practice criticisms profiled in the media, shareholder resolutions or legislative activity

Risk Inventory – Sample Taxonomy

Sample Top-Level Compliance Risk Inventory
1.0 Health, safety and security
2.0 Environment
3.0 Fair treatment and equal opportunity
4.0 Respectful and harassment-free workplace
5.0 Privacy and employee confidentiality
6.0 Receiving and giving gifts and entertainment
7.0 Conflicts of interest
8.0 Competition and antitrust
9.0 Trade restrictions, export controls and boycott laws
10.0 Money laundering
11.0 Working with suppliers
12.0 Bribery and corruption
13.0 Dealing with governments
14.0 Community engagement
15.0 External communications
16.0 Political Activity
17.0 Accurate data, records, reporting and accounting
18.0 Protecting Assets
19.0 Intellectual property and copyright of others
20.0 Insider trading
21.0 Digital systems use and security

Risk Inventory – Sample Taxonomy (continued)

Top-Level Risk Inventory
1.0 Competition and Antitrust
2.0 Environment
3.0 Trade Restrictions

Second-Level Risk Inventory
1.0 Competition and Antitrust
  1.1 Price fixing
  1.2 Monopolization
  1.3 Conditioned sales
2.0 Environment
  2.1 Air emissions
  2.2 Water emissions
  2.3 Hazardous waste
3.0 Trade Restrictions
  3.1 Exports to a prohibited country
  3.2 Imports from a sanctioned country
  3.3 Restricted technology transfer to a company facility

Sample Likelihood Considerations

Sample Likelihood Factors
• Known instances / allegations
• Previous history
• Pervasiveness of the risk across operations
• Complexity of the risk
• Results of employee surveys and focus groups
• Violations by other companies or industry peers
• Industry / competitor litigation trends
• Government enforcement priorities
• Criticisms by the media or NGOs
• Other internal considerations

Rating
• High / Probable (Score = 7 – 9)
• Moderate / Reasonably Possible (Score = 4 – 6)
• Low / Remote (Score = 1 – 3)

Sample Significance Considerations

Sample Rating: High / Material (Score = 7 – 9)
  Sample Financial Impact: > $30,000,000
  Sample Non-Financial Impact:
  • Criminal investigation
  • Major class action litigation
  • Major change to corporate strategy
  • Resignation or dismissal of C-Level executives
  • National media attention
  • Financial restatement

Sample Rating: Moderate / More than Inconsequential (Score = 4 – 6)
  Sample Financial Impact: $10,000,000 to $30,000,000
  Sample Non-Financial Impact:
  • Regulatory intervention / probation
  • Complex litigation
  • Major change to business unit strategy
  • Resignation or dismissal of business unit executives
  • Regional / trade media attention

Sample Rating: Low / Inconsequential (Score = 1 – 3)
  Sample Financial Impact: < $10,000,000
  Sample Non-Financial Impact:
  • Regulatory sanction
  • Isolated litigation
  • Major change to functional strategy
  • Resignation or dismissal of functional executives
  • Ability to meet performance targets threatened

Sample Prioritization Considerations
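The likelihood and significance bands on the two preceding slides become useful once they are applied consistently across the whole risk inventory and the results ranked, which is what the prioritization step does. The following is an added example, not code from the deck or its authors: it encodes the 1–3 / 4–6 / 7–9 bands and the financial-impact thresholds exactly as shown, then ranks inventory items for audit planning. Ranking by the product of likelihood and significance is an assumed heat-map convention (the deck's prioritization slide is not in the transcript), and the scores attached to the sample taxonomy items are constructed.

```python
"""Risk-prioritisation helper for a compliance risk inventory.

Added example (not from the SCCE deck). Bands scores per the slides
(1-3 Low, 4-6 Moderate, 7-9 High), maps financial impact to a band,
and ranks inventory items. The likelihood x significance product is an
assumed convention; the item scores are constructed.
"""
from dataclasses import dataclass
from typing import List

LIKELIHOOD_BANDS = (
    (7, 9, "High / Probable"),
    (4, 6, "Moderate / Reasonably Possible"),
    (1, 3, "Low / Remote"),
)
SIGNIFICANCE_BANDS = (
    (7, 9, "High / Material"),
    (4, 6, "Moderate / More than Inconsequential"),
    (1, 3, "Low / Inconsequential"),
)


def _band(score: int, bands) -> str:
    """Band label for an integer score 1-9; anything else is rejected."""
    if not isinstance(score, int) or isinstance(score, bool) or not 1 <= score <= 9:
        raise ValueError(f"score must be an integer from 1 to 9, got {score!r}")
    for low, high, label in bands:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: bands cover 1-9")


def likelihood_band(score: int) -> str:
    return _band(score, LIKELIHOOD_BANDS)


def significance_band(score: int) -> str:
    return _band(score, SIGNIFICANCE_BANDS)


def financial_impact_band(usd: float) -> str:
    """Significance band from estimated financial impact, per the slide:
    > $30M High, $10M to $30M Moderate, < $10M Low. Assumed: exactly $10M
    and exactly $30M fall in the Moderate band."""
    if usd < 0:
        raise ValueError("impact cannot be negative")
    if usd > 30_000_000:
        return "High / Material"
    if usd >= 10_000_000:
        return "Moderate / More than Inconsequential"
    return "Low / Inconsequential"


@dataclass(frozen=True)
class Risk:
    code: str          # taxonomy code from the deck's sample inventory, e.g. "12.0"
    name: str
    likelihood: int    # 1-9
    significance: int  # 1-9

    def __post_init__(self):
        likelihood_band(self.likelihood)        # validates the range
        significance_band(self.significance)

    @property
    def priority(self) -> int:
        # Assumed heat-map convention: larger product, higher audit priority.
        return self.likelihood * self.significance


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest priority first; ties go to the more significant risk,
    then the more likely one, then taxonomy code order."""
    return sorted(risks, key=lambda r: (-r.priority, -r.significance, -r.likelihood, r.code))


def audit_plan(risks: List[Risk], top_n: int) -> List[str]:
    """Codes of the top_n risks to schedule for audit this cycle."""
    return [r.code for r in prioritise(risks)[:top_n]]


def describe(risk: Risk) -> str:
    return (f"{risk.code} {risk.name}: likelihood {risk.likelihood} "
            f"({likelihood_band(risk.likelihood)}), significance {risk.significance} "
            f"({significance_band(risk.significance)}), priority {risk.priority}")


# Constructed sample: codes and names from the deck's taxonomy, scores invented.
SAMPLE_RISKS = [
    Risk("12.0", "Bribery and corruption", likelihood=8, significance=9),
    Risk("21.0", "Digital systems use and security", likelihood=6, significance=7),
    Risk("8.0", "Competition and antitrust", likelihood=3, significance=8),
    Risk("2.0", "Environment", likelihood=5, significance=4),
    Risk("16.0", "Political Activity", likelihood=2, significance=2),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_RISKS):
        print(describe(r))
    print("Audit plan (top 3):", audit_plan(SAMPLE_RISKS, 3))
```

Keeping the band edges in one table and validating every score at construction time is the point: a risk register that mixes 1–5 and 1–9 scales, or lets a "0" slip through, produces a ranking nobody can defend to the audit committee.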

Section: Determining Audit Scope, Roles and Responsibilities

Scope Considerations
• Corporate
• Business Unit
• Geography
• Business Process
• Job Function
• Agents, JVs, Third Parties

Site Selection Considerations
• Size / Revenue / Materiality
• Local Operating Environment (e.g., TI Corruption Perception Index)
• Management Experience / Turnover
• Prior history, incidents, findings
• Significant cash operations
• Time elapsed since last audit

Roles and Responsibilities
• 3 Lines of Defense
− Business Owners
− Standard Setters
− Assurance Providers
• 2 Key Principles
− Objectivity
− Competence

In Practice
• Business and Functional Self-Auditing
• Compliance Risk SMEs (e.g., human resources, safety)
• Corporate Compliance
• Internal Audit
• External Resources

Section: Selecting Appropriate Compliance Audit Techniques

Audit This: There Must Be At Least 25% Green Balls and Absolutely No Brown Ones

Substantive Testing
• Determine Statistical Sample Size
• Collect Sample
• Test for Compliance

Substantive Testing – Features

Strengths
• Tangible analysis and specific results.
• Good when there’s something tangible to inspect (e.g., customer files, vendor invoices, bank statements, expense reports, inventory, etc.).
• Can be aided by technology.

Limitations
• Lots of educated guesswork.
• Time and resource intensive.
• Backward looking.
• Wrongdoing can involve conduct that does not necessarily leave a clear paper trail (e.g., kickbacks, fraud).

Process/Controls Testing
• Who filled the pit?
• Did they get communication and training on the requirements?
• Did a supervisor monitor them as they filled the pit?
• Did they have access to brown balls?
• Does somebody else test the pit each time it’s filled?

Process/Controls Testing – Features

Strengths
• Less resource intensive
• Evaluates the quality of controls management relies on to prevent and detect compliance violations – which can be a proxy for predicting the state of compliance today and prospectively

Limitations
• Probative, but not determinative on whether compliance has been achieved

Eliciting Observations / Perceptions
(Can apply to both process and substantive testing)
• Has anyone ever seen any brown balls being used?
• Does the pit crew feel pressure to cut corners?
• Did the pit crew find the training useful and easy to understand?
• Does the pit crew feel comfortable raising questions and concerns?

Observations / Perceptions – Features

Strengths
• Not resource intensive
• Tells you what people really think

Limitations
• Subjective, open to misinterpretation or misunderstanding
• Not necessarily determinative

Upshot
• Triangulate in light of the risk area being audited: Process/Controls, Substantive, Perceptions

Section: Sample Work Plan Elements

Audit this: Anticorruption at GPS Device Co.

Organization
Corporate
− Americas: US, Canada, Mexico, Brazil
− Europe: UK, France, Germany, Poland, Russia
− Asia-Pacific: China, Japan, Australia

Profile
• Fastest growing unit in region
• New management team
• Accounting system slow to come online
• Sales to state-owned enterprises
• No prior incidents
• Moderately high score on TI Corruption Index

Testing Considerations
• BU-specific compliance program elements to prevent and detect violations
− Tests of Design
− Tests of Operating Effectiveness
• Process-specific (e.g., sales, accounts payable) controls to prevent and detect violations
− Tests of Design
− Tests of Operating Effectiveness
• Substantive testing
• Subjective observations, perceptions

GPS Device Co. – Russia BU
− Consumer: North, East, West, South
− Government: Military, Aviation, Automobile, Infrastructure
− Shared Services: Human Resources, Legal, Procurement, Finance

Sample Compliance Program Considerations
• Risk assessment
• Compliance oversight responsibility
• Code, policies and standards
• Due diligence procedures
• Communication and training
• Auditing and monitoring
• Hotline
• Investigations
• Discipline, remediation, etc.

Sample Process-Specific Considerations
• Business Development: Gifts, gratuities and entertainment
• Procurement: Vendors with improper ties
• Payroll: Ghost employees
• Staffing: Visa applications
• Logistics: Shipping and freight forwarding
• Real Estate: Construction permits

Brainstorming Considerations
• Opportunity
• Pressures / Incentives
• Rationalization

Sample Red Flags to Guide Focus
• Parties Involved
− Government officials or their family members
− Entities owned by government officials or their family members
− Entities run by former government officials
− Agents, suppliers or (sub)contractors that have been pre-designated by the customer
− Agents who have multiple contracts / business relationships with the site (e.g., consulting services, warehousing, office rentals, staffing services, etc.)
− Local suppliers contracted through sole-sourced bids
− Third parties with no apparent expertise in the industry
− Apparent lack of qualifications on the part of the agent to perform services
− Use of shell or nominee companies

Sample Red Flags to Guide Focus
• Pricing Terms
− Unusual rebate or discount pricing unrelated to volume pricing or discounts, e.g., prompt payment
− Unusually high costs for goods or services
− The size of the commission paid to the agent in relation to the services performed, and/or the size of any secondary contract paid to an agent in some other capacity (e.g., fees paid for warehousing equipment or renting office space)

Sample Red Flags to Guide Focus
• Payment Methods
− Any unusual means of payment
− Cash transactions
− Many petty cash transactions
− Payment to suppliers or (sub)contractors in advance of their services unless specifically authorized by the agreement and supported by a letter of credit, bank guarantee or surety bond
− Non-monetary terms (e.g., barter / exchange of goods and services)
− Use of financial instruments not requiring a name (e.g., bearer checks)

Sample Controls Testing – Charitable Contributions
• Are potential charities screened to ensure that the recipient has no connection to a government or political official (or their agent or immediate family) capable of providing the company with an unfair competitive advantage?
• Are potential charities screened to ensure that the recipient is a legitimate organization and is not sanctioned by the U.S. government?
• Are opinion letters sought from local legal counsel confirming that the donation is lawful under the laws of the country in which the donation is made?
• Are charitable contributions pre-approved before they are made?
• Are records and receipts for charitable contributions kept?

Sample Substantive Testing – Charitable Contributions
• Review the general ledger for charitable contribution costs.
• Select transactions for review and determine whether:
− Documentation supports the transaction
− Policies and procedures were followed
− Correct cost codes and accounting classifications were applied
− Business purpose and support appears reasonable
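The payment-method red flags listed a few slides earlier and the charitable-contribution substantive tests above are both rules an auditor applies transaction by transaction, which makes them a natural candidate for the "aided by technology" kind of substantive testing: run the rules over the ledger extract first, then spend fieldwork time on the entries that trip one. The block below is an added example, not code from the deck or its authors. It encodes those rules as a screen over a constructed batch of ledger entries; the field names, the petty-cash threshold, the expected cost code and every sample payee and amount are assumptions made for the example.

```python
"""Red-flag screen over ledger / accounts-payable entries.

Added example (not from the SCCE deck). Encodes the deck's payment-method
red flags and its charitable-contribution substantive checks as rules and
returns the entries an auditor should pull for review. Field names, the
petty-cash threshold, the cost code and all sample entries are assumed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

PETTY_CASH_THRESHOLD = 2          # assumed: more than 2 petty-cash payments to one payee is "many"
CHARITY_COST_CODE = "6500-CHAR"   # assumed: the correct cost code for charitable contributions
SECURED_INSTRUMENTS = {"letter_of_credit", "bank_guarantee", "surety_bond"}


@dataclass(frozen=True)
class Entry:
    entry_id: str
    payee: str
    amount: float
    method: str                       # wire | cash | petty_cash | bearer_check | barter
    account: str                      # e.g. "charitable_contributions", "consulting_fees"
    in_advance: bool = False          # paid before goods/services were delivered
    advance_authorised: bool = False  # the agreement specifically allows advance payment
    security: Optional[str] = None    # instrument backing the advance, if any
    documented: bool = True           # supporting documentation on file
    preapproved: bool = True          # policy-required pre-approval obtained
    cost_code: str = ""               # cost code / accounting classification applied
    purpose: str = ""                 # stated business purpose


def payment_method_flags(e: Entry, petty_cash_counts: Counter) -> List[str]:
    """Rules from the deck's 'Payment Methods' red-flag slide."""
    flags = []
    if e.method == "cash":
        flags.append("CASH_TRANSACTION")
    if e.method == "petty_cash" and petty_cash_counts[e.payee] > PETTY_CASH_THRESHOLD:
        flags.append("MANY_PETTY_CASH")
    if e.method == "bearer_check":
        flags.append("BEARER_INSTRUMENT")
    if e.method == "barter":
        flags.append("NON_MONETARY_TERMS")
    # Advance payment passes only if the agreement authorises it AND it is
    # backed by a letter of credit, bank guarantee or surety bond.
    if e.in_advance and not (e.advance_authorised and e.security in SECURED_INSTRUMENTS):
        flags.append("UNSECURED_ADVANCE_PAYMENT")
    return flags


def charitable_contribution_flags(e: Entry) -> List[str]:
    """Rules from the deck's substantive tests for charitable contributions."""
    if e.account != "charitable_contributions":
        return []
    flags = []
    if not e.documented:
        flags.append("CHARITY_NO_DOCUMENTATION")
    if not e.preapproved:
        flags.append("CHARITY_NOT_PREAPPROVED")      # policy requires pre-approval
    if e.cost_code != CHARITY_COST_CODE:
        flags.append("CHARITY_WRONG_COST_CODE")
    if not e.purpose.strip():
        flags.append("CHARITY_NO_BUSINESS_PURPOSE")  # reasonableness is still the auditor's call
    return flags


def screen(entries: List[Entry]) -> Dict[str, List[str]]:
    """entry_id -> red flags, for every entry that raised at least one."""
    petty = Counter(e.payee for e in entries if e.method == "petty_cash")
    hits = {}
    for e in entries:
        flags = payment_method_flags(e, petty) + charitable_contribution_flags(e)
        if flags:
            hits[e.entry_id] = flags
    return hits


def select_for_review(entries: List[Entry]) -> List[str]:
    return sorted(screen(entries))


# Constructed sample batch (no real payees or transactions).
SAMPLE_ENTRIES = [
    Entry("GL-001", "Acme Office Supplies", 1200.0, "wire", "supplies", cost_code="6100-SUP", purpose="stationery"),
    Entry("GL-002", "Local Courier", 450.0, "cash", "logistics", cost_code="6200-LOG", purpose="deliveries"),
    Entry("GL-003", "Site Fixer", 90.0, "petty_cash", "misc", cost_code="6900-MISC", purpose="expediting"),
    Entry("GL-004", "Site Fixer", 95.0, "petty_cash", "misc", cost_code="6900-MISC", purpose="expediting"),
    Entry("GL-005", "Site Fixer", 80.0, "petty_cash", "misc", cost_code="6900-MISC", purpose="expediting"),
    Entry("GL-006", "Build Co", 250000.0, "wire", "construction", in_advance=True,
          advance_authorised=True, security="letter_of_credit", cost_code="6300-CON", purpose="mobilisation"),
    Entry("GL-007", "Build Co", 80000.0, "wire", "construction", in_advance=True,
          cost_code="6300-CON", purpose="phase 2 deposit"),
    Entry("GL-008", "Consulting Agent", 30000.0, "bearer_check", "consulting_fees",
          cost_code="6400-CONS", purpose="market entry advice"),
    Entry("GL-009", "Regional Foundation", 15000.0, "wire", "charitable_contributions",
          preapproved=False, cost_code=CHARITY_COST_CODE),
    Entry("GL-010", "Children's Hospital Fund", 5000.0, "wire", "charitable_contributions",
          cost_code=CHARITY_COST_CODE, purpose="annual community giving programme"),
    Entry("GL-011", "Office Admin", 40.0, "petty_cash", "misc", cost_code="6900-MISC", purpose="stamps"),
]

if __name__ == "__main__":
    for entry_id, flags in screen(SAMPLE_ENTRIES).items():
        print(entry_id, ", ".join(flags))
```

A flag is a reason to pull the file, not a finding: GL-007 is only a problem if the agreement really did not authorise the advance, and GL-009 still needs the auditor to judge whether the business purpose, once obtained, is reasonable. The screen earns its keep by making sure those entries are the ones that reach the sample rather than being missed in a random pull.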

Section: Documenting and Acting on Results

Report Elements
• Objectives
• Scope
• Procedures Performed
• Findings
• Root Cause Analyses (including isolated vs. systemic considerations)
• Recommendations / Enhancement Opportunities
− Site-specific
− Company-wide
• Action Plan

Report Distribution Considerations
• Legal
• Compliance
• Internal Audit
• Compliance Steering Committee
• Senior or Line Management
• Audit Committee

Privilege Considerations
• Attorney/Client Privilege
• Work Product Doctrine
• Self-Evaluative Privilege


Q & A

Thank You

Contact Information
Scott Avelino, Compliance Systems Legal Group, (202) [email protected]
Win Swenson, Compliance Systems Legal Group, (617) [email protected]