One of the hotter current topics I see right now involves the varied approaches companies are taking to handling auditing, monitoring and investigating—particularly in the area of bribery and corruption. Internal audit, legal and compliance are all either fighting for (or desperately trying to avoid) responsibility for these functions.
The arguments for each function all have merit. Attorneys could have attorney-client privilege, which could protect the rights of the company. Internal audit does, in fact, know how to—well, audit. Compliance deals with laws and regulations, and therefore their risk assessment and competence may be more suitable for this type of audit than those of financial auditors.
Today’s discussion will focus on a workable temporal/functional framework.
Auditing
I am a CPA, and auditing is a term of art.
Unfortunately, most compliance authors have resembled finger painters more than Michelangelo in applying that art to compliance guidance. For my purposes, I define audit (in a compliance context) as a systematic testing of controls for the purpose of determining compliance. This testing usually has risk-based and non-risk-based components. The reason for the non-risk-based component is that you want to gain a comfort level with the effectiveness of controls overall. The reason for the risk-based component is that you want to satisfy yourself that the controls are operating effectively in environments where there are greater incentives for circumvention or failure.
In the compliance world, I believe that auditing should focus (as much as possible) on current transactions. It should not be an archeological adventure. In the perfect world, the audit is much more likely to find a violation of company procedure than a violation of law. Now, that violation of procedure may inform the parties about the likelihood of a violation of law, but that would likely require further investigation.
An audit structured in this manner lowers the temperature not only of attorneys concerned about privilege but also of compliance people concerned about subject matter expertise. It would be executed by both internal audit and compliance. The internal audit work would be at sites chosen by that group based on their risk assessment, likely based more on risks other than violations of the law.
It would be an add-on to their other tests and an efficient way to obtain evidence of general compliance with legal-related controls. In an FCPA context, for randomly selected transactions in the last 6 months they might test:
- Approvals over cash payments and T&E items.
- Review and compliance with T&E policies.
- Proper background checks on file for consultants and agents.
The important thing to understand here is the audit objective. The audit objective for these tests is to accumulate evidence of compliance with company policies and procedures. Because the transactions are randomly chosen, or chosen on the basis of normal Internal Audit risk criteria, one would not expect a higher-than-average likelihood of non-compliance with policy and procedure.
Monitoring
Monitoring is the process of identifying and evaluating “smoke”. It rests on the belief that it would be wiser for a firefighter to scan the horizon for smoke than to search a forest at random for fire. How effective monitoring is in locating an actual problem depends on the tool. Monitoring tools can be very effective if focused on the proper criteria. They can be ineffective if the criteria are set either too narrow or too broad. Filters that are too narrow (“filter for transactions which involve a debit to bribery and a credit to cash”) will miss relevant transactions. Filters that are too broad (“filter for all cash transactions outside of the United States”) will produce false positives that waste investigative resources and bury problematic transactions in a pile of irrelevant data.
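As an added illustration (not from the original post), the following Python sketch runs the two filters quoted above, plus a criteria-focused one, over a small constructed ledger with hand-labelled risky entries. The field names, thresholds and labels are assumptions made for the example only; they are not a recommended rule set.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    id: int
    account: str             # GL account debited (assumed field)
    amount: float
    country: str             # ISO country of the payee (assumed field)
    payee_type: str          # "employee", "vendor", "agent", "consultant"
    has_background_check: bool
    approved: bool
    risky: bool              # ground-truth label, known only for this constructed sample

# Constructed sample ledger; values are invented for the illustration.
LEDGER = [
    Txn(1, "travel",     120.0,   "US", "employee",   True,  True,  False),
    Txn(2, "consulting", 45000.0, "NG", "agent",      False, True,  True),
    Txn(3, "travel",     9000.0,  "BR", "employee",   True,  False, True),
    Txn(4, "office",     300.0,   "DE", "vendor",     True,  True,  False),
    Txn(5, "consulting", 5000.0,  "GB", "consultant", True,  True,  False),
    Txn(6, "gifts",      2500.0,  "CN", "agent",      True,  True,  True),
    Txn(7, "travel",     80.0,    "FR", "employee",   True,  True,  False),
    Txn(8, "consulting", 70000.0, "US", "agent",      False, True,  True),
]

def filter_narrow(t: Txn) -> bool:
    # Too narrow: nobody books a bribe to an account called "bribery".
    return t.account == "bribery"

def filter_broad(t: Txn) -> bool:
    # Too broad: every non-US payment, regardless of control evidence.
    return t.country != "US"

def filter_focused(t: Txn) -> bool:
    # Criteria tied to the controls the audit section tests:
    # third-party payees without a background check, unapproved spend
    # above an assumed threshold, and gifts routed through agents.
    third_party = t.payee_type in ("agent", "consultant")
    return ((third_party and not t.has_background_check)
            or (not t.approved and t.amount >= 1000.0)
            or (t.account == "gifts" and third_party))

def evaluate(rule, ledger=LEDGER) -> dict:
    """Return how many items a rule flags and how precise/complete it is."""
    flagged = [t for t in ledger if rule(t)]
    hits = sum(1 for t in flagged if t.risky)
    total_risky = sum(1 for t in ledger if t.risky)
    return {
        "flagged": len(flagged),
        "hits": hits,
        "precision": hits / len(flagged) if flagged else 0.0,
        "recall": hits / total_risky if total_risky else 0.0,
    }
```

Running `evaluate` on each rule shows the narrow filter flagging nothing, the broad filter flagging six items to catch three, and the focused filter flagging exactly the four labelled risky entries.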
Effective monitoring has many advantages:
- It analyzes all data. This is different from an audit. An audit involves the selection of a sample. That means some transactions are not analyzed at all. Monitoring applies some level of scrutiny to all transactions.
- It focuses proactive resources efficiently on inherently riskier transactions. This is a much more cost effective way to search for the needle in the haystack. In effect, you x-ray the haystack first to see if it might contain a needle.
- Investigative follow-up in response to a monitoring finding produces a “Sentry Effect”. I don’t remember where I first heard this and a Google search produced no results, so I may have made it up. What I mean by this is the effect achieved on a population when they believe they are being watched, as if by a sentry. It is a well-known behavioral phenomenon that compliance increases if the subject believes he is being watched. Read this study on the impact of cameras on physician hand washing. I saw the same impact when I was a compliance officer. It was one thing to show up at a field office and ask for evidence of compliance with a policy. It was quite another to show up and ask for specific transactions where we had a concern about compliance with a policy. More than once I heard a regional VP mutter about “big brother” knowing everything!
Because the investigation of monitoring findings involves a higher risk of problem detection, I would recommend this be performed by the compliance department with legal on speed dial. It takes subject matter expertise to either confirm or reject the finding, and it takes an appreciation of the legal environment to know when a finding needs:
Investigating
Perhaps I am old school. Then again, perhaps I am a veteran viewer of the adage that “no good deed goes unpunished”. I simply cannot recount all the instances I have seen where well-intentioned compliance or audit personnel have created a lengthy unprivileged inculpatory record replete with legal opinions expressed by non-lawyers. My rule of thumb is simple. If the problematic item you have found has past implications, you should put pencils down and call the attorneys. Do not engage in the unauthorized practice of law and do not pass go. Lawyers understand privilege, privacy laws, and disclosure obligations. They also know when to involve outside counsel. There are companies that have gone the way of the dinosaur due to the failure of CPAs to understand this.
This is not to say that internal audit or compliance won’t have a role in investigating the issue. It is just to say that the lawyers should be calling the shots.
Conclusion
I have heard this model described as a temporal/functional approach to compliance. It takes advantage of the skillsets and insights of each of the disciplines. It also protects all of the stakeholders in the process of auditing, monitoring and investigating.