Monday, October 22, 2012

Auditing, Monitoring & Investigating- Corporate Compliance Turf Wars



One of the hotter current topics I see right now involves the varied approaches companies are taking to handling auditing, monitoring and investigating—particularly in the area of bribery and corruption.  Internal audit, legal and compliance are all either fighting for (or are desperately trying to avoid) responsibility for these functions.
 
The arguments for each function all have merit.   Attorneys could have attorney-client privilege which could protect the rights of the company.  Internal audit does, in fact, know how to—well, audit.  Compliance deals with laws and regulations and therefore their risk assessment and competence may be more suitable for this type of audit than financial auditors. 

Today’s discussion will focus on a workable temporal/functional  framework.

Auditing

I am a CPA and auditing is a term of art.  Unfortunately, most compliance authors have resembled finger painters more than Michelangelo in applying that art to compliance guidance.  For my purposes, I define audit (in a compliance context) as a systematic testing of controls for the purpose of determining compliance. This testing usually has risk based and non-risk based components.  The reason for the non-risk based component is that you want to gain a comfort level with the effectiveness of controls overall.  The reason for the risk-based component is that you want to satisfy yourself that the controls are operating effectively in environments where there are greater incentives for circumvention or failure.

In the compliance world, I believe that auditing should focus (as much as possible) on current transactions.  It should not be an archeological adventure.  In the perfect world, the audit is much more likely to find a violation of company procedure than a violation of law.  Now, that violation of procedure may inform the parties about the likelihood of a violation of law, but that would likely require further investigation.

An audit, structured in this manner, reduces not only the temperature of attorneys concerned about privilege but also that of compliance people concerned about subject matter expertise.  It would be executed by both internal audit and compliance.  The internal audit work would be at sites chosen by that group based on their risk assessment, likely based more on risks other than violations of the law.  It would be an add-on to their other tests and an efficient way to obtain evidence of general compliance with legal-related controls. In an FCPA context, for randomly chosen transactions in the last 6 months they might test:

  •       Approvals over cash payments and T&E items. 
  •       Review and compliance with T&E policies.
  •       Proper background checks on file for consultants and agents.

The important thing to understand here is the audit objective.  The audit objective for these tests is to accumulate evidence of compliance with company policies and procedures.  Because the transactions are randomly chosen, or chosen on the basis of normal Internal Audit risk criteria, one would not expect a higher-than-average likelihood of non-compliance with policy and procedure.

Monitoring

Monitoring is the process of identifying and evaluating “smoke”.   It involves the belief that it would be wiser for a firefighter to scan the horizon for smoke rather than randomly searching a forest for fire.  How effective monitoring is in locating an actual problem depends on the tool.  Monitoring tools can be very effective if focused on the proper criteria.  They can be ineffective if the criteria are set either too narrow or too broad.  Filters that are too narrow (“filter for transactions which involve a debit to bribery and a credit to cash”) will miss relevant transactions.  Filters that are too broad (“filter for all cash transactions outside of the United States”) will produce false positives that waste investigative resources and obfuscate problematic transactions in a pile of irrelevant data.

Effective monitoring has many advantages:
  •            It analyzes all data.  This is different than an audit.  An audit involves the selection of a sample.   That means some transactions are not analyzed at all.  Monitoring applies some level of scrutiny to all transactions.
  •            It focuses proactive resources efficiently on inherently riskier transactions.   This is a much more cost effective way to search for the needle in the haystack.  In effect, you x-ray the haystack first to see if it might contain a needle.
  •          Investigative follow-up in response to a monitoring finding produces a “Sentry Effect”.  I don’t remember where I first heard this and a Google search produced no results, so I may have made it up.  What I mean by this is the effect achieved on a population when they believe they are being watched, as if by a sentry.  It is a well-known behavioral phenomenon that compliance increases if the subject believes he is being watched.  Read this study on the impact of cameras on physician hand washing.  I saw the same impact when I was a compliance officer.  It was one thing to show up at a field office and ask for evidence of compliance with a policy. It was quite another to show up and ask for specific transactions where we had a concern about compliance with a policy.  More than once I heard a regional VP mutter about “big brother” knowing everything!

Because the investigation of monitoring findings involves a higher risk of problem detection, I would recommend this be performed by the compliance department with legal on speed dial.  It takes subject matter expertise to either confirm or reject the finding and it takes an appreciation of the legal environment to know when a finding needs:

Investigating

Perhaps I am old school. Then again, perhaps I am a veteran viewer of the adage that “no good deed goes unpunished”.  I simply cannot recount all the instances I have seen where well-intentioned compliance or audit personnel have created a lengthy unprivileged inculpatory record replete with legal opinions expressed by non-lawyers.  My rule of thumb is simple.   If the problematic item you have found has past implications, you should put pencils down and call the attorneys.  Do not engage in the unauthorized practice of law and do not pass go.  Lawyers understand privilege, privacy laws, and disclosure obligations.  They also know when to involve outside counsel.  There are companies that have gone the way of the dinosaur due to failure of CPAs to understand this.

This is not to say that internal audit or compliance won’t have a role in investigating the issue.  It is just to say that the lawyers should be calling the shots.

Conclusion

I have heard this model described as a temporal/functional approach to compliance.  It takes advantage of the skillsets and insights of each of the disciplines.   It also protects all of the stakeholders in the process of auditing, monitoring and investigating.

Wednesday, October 10, 2012

Corporate Integrity Agreements and DPA/NPAs


Michael Volkov has an excellent article comparing the requirements of Corporate Integrity Agreements (CIAs) and Deferred or Non Prosecution Agreements (DPAs).  Essentially, he notes that CIAs are generally more prescriptive in enumerating compliance obligations than DPAs.

The reasons for this difference primarily lie in the difference between the OIG-HHS and the DOJ.  The OIG-HHS has a long history of industry participation in compliance program guidance and oversight. As such, they have significant opinions about what works and what doesn’t.  This translates into more detail.  The DOJ with DPAs takes a more “hands off” approach.  Essentially, they rely on the company and the monitor to propose and evaluate the remedial compliance infrastructure.

For what it is worth, I think the OIG-HHS approach is more business friendly.  As a former compliance officer who had to live under an agreement, I preferred that my responsibilities be clearly delineated—not subject to the whims of a monitor.  The monitor may or may not have a complete understanding of my industry or what actually works in a company.  The monitor might be trying to sell more consulting work.  Often, the cure is worse than the disease in these matters.  The controls recommended by a monitor or an IRO may not only prevent bribery, they might prevent business!

I have seen this in action.  A large multinational engaged a firm to design their anti-bribery program.  My job was to tailor the program to the largest North American division.  The program was a nightmare.  It was a hodge podge of redundant and unnecessary controls no doubt authored by inexperienced staff who had never seen the inside of a company.  Belts hold your pants up just as well as suspenders, but both are not required to avoid embarrassment.

On the other hand, the more time that passes from the signing of the CIA, the less relevant that prescriptive document becomes.  Business models change, processes change, products change, and people change.  Some CIAs are 7 or more years.  They can become irrelevant quickly.  I must say, however, that I have always found the OIG-HHS to be very reasonable in amending the agreement when a requirement no longer makes sense.  The consistent oversight function within the OIG-HHS makes this a workable framework.  

Attorneys often like vague language around obligations. It makes it easier to defend the allegation of a breach.  For my money, however, I like to know what the requirements are.  That makes it easier to budget the cost and less disruptive to the ongoing business.

Monday, October 8, 2012


The Internal Investigation- What Should a GC Consider?



I am not a lawyer and this is not legal advice.  But… In my 30-year career, I have assisted counsel in many investigations.  I have also been a compliance officer for a company that went through internal investigations involving allegations that preceded my tenure.  Lastly, I advised the audit practice and general counsel’s office of a big 4 firm on the adequacy of many internal investigations performed by audit clients.  I have seen good investigations that have been thorough, efficient and contemplated the concerns of all stakeholders.  I have also seen unmitigated disasters.  Here are some questions you should ask and some of my observations.

Does the nature of the allegation require an independent investigation?

Most internal investigations can and should be led and managed by internal counsel.  The issue may require the use of outside counsel, but it does not usually require an independent committee of the board.  To me, this boils down to a simple analysis.  Is it reasonable that senior management could have directed or disregarded the behavior that would have led to the allegation?   The term “disregarded” will vary depending on the inherent risk of the alleged offense actually occurring.  If the company sells commoditized products to quasi-governmental entities with a high commission in a high-risk location, then the expected rigor of the anti-bribery controls would be high.  Failure to have those controls in place might cause one to believe that management disregarded the risk of a bribe.  On the other hand, if a collusive accounting fraud took place in a division ineligible for a bonus then this would more likely be a circumvention of controls.  In other words, examine the actual allegation or the allegation inferred from the subpoena or search warrant.  Is it credible that such behavior could occur?  Could senior management have been involved?

What law firm should be hired?

Independent or not?
There are terrific reasons to hire a law firm that knows the company.  They know management, the industry and the issues.  If the investigation needs to be independent, however, I would hire an independent law firm.  It just looks better to stakeholders and there are many good law firms out there.  Attorneys are entrepreneurs, as well.  They will make both of these arguments, depending on who they are trying to sell to!

Relevant experience
I would hire a firm that has three characteristics.  They should have attorneys with experience in your industry.  They should have white collar investigative experience and relationships with the ultimate enforcement body.  Finally, they should have securities attorneys who can contemplate ancillary litigation risk.  All three of these types of attorneys are critical to the success of the project.  That breadth of knowledge rarely, if ever, lies in one person.

It is not enough, however,  to have those skill sets in the firm you hire.  They must also play well together in the “firm sandbox”.  I have seen some firms that are more ruthlessly competitive internally than they are externally!  The risk is that they will not bring the appropriate resources to bear on your “bet the company” case.

Personality
The lead investigative attorney should have significant people skills and experience in these matters.  He or she is going to turn your company upside down for a period of months to years.  An internal investigation is distracting and disruptive. It is expensive and can drive a significant wedge between management and the board, divisions and senior management.  The investigation should be performed by an attorney who is empathetic to those issues.

There are law firms (usually comprised of former prosecutors) that view themselves as an extension of the Department of Justice. Their “scorched earth” tactics are, in my experience, less effective at fact gathering than the balanced alternative.  Further, their overreaching conclusions subject the company to horrific ancillary litigation risk.  Reports, if issued, should be carefully worded to convey the reasonable findings of an investigation and not be confused with language one uses in an indictment.   There is probably nothing more important than the final work product to all stakeholders.  Therefore, before I hired someone, I would obtain sample:

Reports
These are now widely available on the internet for many attorneys.  If not available, I would ask for a redacted sample.  I would look for a fulsome discussion on the scope and the limitations of the investigation.  Every investigation has scope limitations and the results should be interpreted accordingly.  Pay close attention to the conclusions.  Are they reasonable, given the scope?  Are the conclusions characterized by hyperbole? Did they stay within the original scope or greatly expand? Lastly-- and this is important, do they appear to be more interested in selling a second phase (a remediation phase) as opposed to reporting the results of the investigation?

How do you perform all of this diligence over the weekend after one of your offices has been raided on a Friday afternoon? Sadly, you don’t.  I have spent frantic Saturday mornings on the phone with attorneys (while watching my kids’ ballgames) bemoaning this fact.  The best advice I can give you is to line up an independent “bet-the-company case” attorney in advance.  If you don’t do that, at least have a trusted adviser attorney who can help you navigate the crucial first 96 hours until you can get such counsel in place.

I did not include location on this list.  Investigations are increasingly global and law firms have grown in response to this fact.  I believe that the nature of the allegation may make this an important consideration, but this factor can be lessened due to other law firm relationships and the litigation consultant retained by lead counsel.

Litigation Consultants (Fair warning- at this point, my own self-interest kicks in!)

I think the attorneys you retain should drive this decision, but that doesn’t mean you can’t weigh in.  I generally think the decision boils down to a relatively small universe of firms.

Accounting firms
Big 4 firms have good people, global reach and significant accounting expertise. Because they perform audits, they also have many more conflicts- some they can foresee and some they can’t. They also have positional conflict issues in some circumstances. You should weigh the pros and cons of these constraints on their ability to meet your engagement needs. You should also be aware of “bait and switch” tactics.  Just because the world’s foremost expert on SAB Topic 5 T resides within a firm doesn’t mean that he or she will have any available time for your engagement.  As a matter of fact, given the urgency of these engagements, normally you should assume they will not contribute to your engagement.

Global consulting firms
Global consulting firms have experienced significant growth due to the conflicts that accounting firms have experienced.  This has led to an exodus of former big 4 professionals who would like to be free of the conflicts an audit practice presents.  In your diligence, you should assess the global presence of the consulting firm.  Lack of in-country experience can be very detrimental to your engagement success.  You should also consider the industry expertise of the firm.

Ultimately, experience and personality play a big part in this decision, as well. Your ultimate goal is a speedy, thorough resolution that is as minimally disruptive as possible.  That doesn’t happen with rookies.

One final thought

This is one of the most challenging processes your company will ever face.  Your management and key people may be at risk-- both from an employment and civil and/or criminal standpoint.  Your senior management and production people will be distracted and resentful.  Profitable divisions and revenue streams may disappear.  Competitors will use this in the marketplace and try and take your people.  Your company may face significant penalties and may be competitively disadvantaged for years.  The decisions you make in the first 96 hours are among the most impactful you will ever make.

Monday, October 1, 2012


The Compliance Officer in the Governance Structure


Where should the compliance officer be in the organization chart?  Should the compliance officer have access to the board of directors?  Should there be a compliance committee on the board or should it be part of the audit committee?

The simple answer is the more important compliance is to your revenue stream, the more likely it is that your compliance officer should have direct access to the CEO.  That is particularly true if there is a high inherent risk (as viewed through the prism of the fraud triangle) of a violation.  If you have a salesman that markets medical devices in a very competitive environment and he is 100% commission-based, you have a high risk of a kickback violation.  It is that simple.  Because the risk of a violation is high, the control structure design must be robust.

I remember years ago working on a health care fraud case at a large hospital in the Northeast.  I needed to interview the Compliance Officer and I literally needed a GPS to find his office.  He was located in a dark corridor, segregated from everyone else.  I finished the interview and told the defense counsel that we had a problem.  The attorney said, “why, what did he say?”  I told the attorney that he didn’t need to say anything.  His location and lack of interaction with the organization spoke louder than words.

On the other end of the spectrum, I worked on an accounting fraud case for an energy company.  The CEO was engaged.  The CEO addressed the VP of internal audit in meetings and made it clear that they had a relationship.  When the meeting was drawing to a conclusion, the CEO recapped the issues and asked for action plans from the key stakeholders.  The attitude of the CEO, the relationship with key management and the organizational respect for controls told me everything I needed to know-  we may have had a mistake, but we probably didn’t have a fraud.

In both of the aforementioned examples, compliance was key to revenue.  One organization disregarded that fact and the other embraced it.  I probably don’t have to tell you how the investigations turned out.

That is not to say that fraud can’t occur in a well-controlled organization.  I have seen it.  I worked on a bank fraud case where an accounts receivable financing arm committed a 300 million dollar loan fraud scheme through manipulation of the aging controls.  It required impressive collusion- at least 15 people were involved.  I used to say you couldn’t find 15 bad people anywhere outside of a University of Florida alumni meeting, but I guess I was wrong!  The organization as a whole, however, avoided prosecution, because it was obvious that this was isolated and collusive- therefore difficult for any control environment to detect.

As to whether there should be a separate compliance committee or just part of the audit committee charter, I would say the same considerations apply.  You should accept, however, that audit committees have a great deal on their plate.  If you add on compliance, it will be just that-- an add on that does not get the committee’s full attention.

Tuesday, September 25, 2012

FCPA Due Diligence


Caveat Emptor

Forget the Emmys or that little election in November.  The event that we are all awaiting with bated breath is the DOJ issuance of FCPA guidance.  Noted FCPA expert Michael Volkov is making predictions on what the guidance will contain.  Among the predictions, Michael predicts a kinder, gentler DOJ approach to companies that acquire an FCPA problem as long as the target company is integrated into the acquirer’s compliance program.

So does that mean you can exclude FCPA from your due diligence checklist? As we say in the South, does a chicken have lips? Why do you think a public company’s stock drops when an FCPA investigation is announced?  The direct costs of defense?  Usually a pittance.  The management distraction factor?  Oh, it is bad, but companies adapt.  The looming DPA?  As burdensome and ineffective as a government mandated compliance program may be, it doesn’t account for the drop in value.  What is it then?

Let’s dive into some finance fundamentals.  Value is derived from discounted cash flows.  The higher the discount rate, the lower the value.  What causes the discount rate to rise?  Uncertainty.  The higher the uncertainty that cash flows won’t occur as forecasted, the higher the discount rate.  Uncertainty can stem from government regulation, product obsolescence or competition.  If you have a product that will cure cancer, there is very little uncertainty as to the demand and the lack of competitors.  That will create enormous value with a given cash flow.  The same cash flow applied to a commoditized product will lead to significantly lesser value.

That brings us to our FCPA conundrum.  Do you think that sales people or management will be required to pay bribes to generate sales for the cure for cancer?  Not likely.  On the other hand, if you have a commoditized product with multiple competitors, all the participants might be tempted to engage in corruption. 

The reason you perform due diligence, irrespective of any DOJ enforcement forbearance, is you want to know if that revenue stream you are purchasing is at risk!  If it is, then you will either reduce your price or walk away from the deal.

Wednesday, September 19, 2012


The Perfect Storm- FCPA (Part II)



Last week, we began a discussion on the application of the whistleblower provision of Dodd-Frank to FCPA violations.  Based on an analysis of the False Claims Act (FCA) amendments in 1986, and the related strengthening of whistleblower provisions, we concluded that enforcement actions will rise dramatically.

The questions today are:
  1. What is the inherent risk of an FCPA violation vs. an FCA violation?
  2. How effective are the relative control environments in their ability to mitigate the risks of violation? 
  3. Is the risk of a whistleblower action greater for violations under the FCPA than the FCA?


The inherent risk of the violation

I am a CPA.  It is ingrained in our DNA that the strength of the control environment needs to be directly proportional to the inherent risk of a violation.  Let’s examine the inherent risk of an FCA violation vs. an FCPA violation.

The submission of a false claim under the FCA usually requires either the intentional or reckless perversion of the claims submission process.  (I say usually because there are other false claims scenarios, such as reverse false claims, or bootstrapping anti-kickback theories.)  The claims submission process usually involves a fairly discrete pool of centrally located individuals with no apparent financial motive to submit a false claim.  In other words, medical coders or accounting personnel are usually not incentivized to overbill the government.  Therefore, the occurrence usually results from improper direction or training.  The false claim typically results in some level of incremental revenue which would benefit senior management or the company, but not necessarily the individual.  This also means the violation typically requires some level of intentional or inadvertent collusion.

An FCPA violation typically occurs when in-country management or the sales function makes, directly or indirectly, a payment to a foreign official in order to obtain business in that country.  Both in-country management and the sales function typically directly benefit from the activity.  Often, the result is not an increase in revenue, but a binary outcome of an all or nothing impact on revenue.  Further, there are often pressures from less scrupulous competitors that can literally leave the perpetrator with the feeling he “has no choice”.

If you view this within the prism of the Fraud Triangle, for a FCPA violation vs. an FCA violation:
  •         The individual motivation is usually higher for the FCPA violation.  (Variably compensated perpetrators.)
  •           The opportunity is greater for the FCPA violation (decentralized operations, less need for collusion).
  •      The rationalization is easier. (My competitors are doing this, what options do I have?  I won’t get the business if I don’t do this.)

In my opinion, this is not a close call.  The inherent risk of an FCPA violation is much greater than the inherent risk of an FCA violation.

The control environment

For the FCA, there are a variety of tried and true controls that can be applied to the claims submission process.  Further, there is a body of standards that apply to the contents of the claim.  Is this cost allowable under the FAR?  Is this medical claim accurately coded?  One can develop training courses designed to ensure qualified people participate in the process.  There are certifications that evidence competency.  Sampling procedures can facilitate a relatively cost-effective audit.

For the FCPA violation, unless the perpetrator debited bribe and credited cash, it is not so easy.  The bribe can be quantitatively immaterial and, therefore, off the radar screen for traditional internal and external audits.  As a matter of fact, I am not aware of a single circumstance where an external audit has detected an FCPA violation.  In the case of Siemens, an external auditor discovered a 5 million dollar cash transfer, which Siemens disposed of in a one day investigation.  Did that result in a modification or even a delay to the auditor’s report?  No.  If you were to include FCPA violations in the scope of a financial audit, the audit would become cost prohibitive.

A payment that violates the FCPA is typically disguised as an “ordinary course of business” transaction.  If properly disguised, it can be very difficult to detect with traditional audit techniques.  One must invest significant time and effort to determine if payments to third parties exceed the fair market value of the services they rendered.  Often, this can be outside the typical professional knowledge of a CPA.  (For example, reviewing a civil engineer’s bill regarding services rendered for a potential building site.)  This is particularly true when the auditor is not familiar with rates and business arrangements in the country in question.

In summary, the adequacy of controls to detect a typical FCPA violation is much less than a typical FCA violation.  They primarily boil down to serendipity and whistleblowers.  Now about the whistleblower…

Is the risk of a whistleblower enforcement action greater for violations under the FCPA than the FCA?

First of all, I should disclose a bias that I have.  I believe any whistleblower provision with a monetary reward creates an incentive for the whistleblower to circumvent existing internal compliance controls.  Calling an internal hotline or emailing the compliance officer may get you a pat on the back.  On the other hand, going straight to the government could net you millions.  Do you see my point?

This has always been a problem under the qui tam provision of the FCA, but not an insurmountable one.  According to a study by the Ethics Resource Center, 84% of eventual whistleblowers attempted to use internal channels before going to the government.  (Now, to be fair, we don’t know how many just notified supervisors instead of calling a hotline or alerting the General Counsel or the Compliance Officer.)

This dynamic has been turned on its head under the Dodd-Frank whistleblower provision that applies to the FCPA.  In a recent case a judge concluded that the would-be whistleblower “did not fit within Dodd-Frank’s definition of a whistleblower”.  The logic was frightening.  Because the whistleblower had reported the matter internally rather than straight to the SEC, the suit was dismissed.  As a compliance professional, this is the worst nightmare.  Not only does a potential whistleblower have the monetary incentive to avoid internal reporting, according to this judge, he now must avoid internal channels to preserve his status.

Conclusion

I believe we are on the crest of an enforcement wave in the area of FCPA that will dwarf all previous corporate enforcement initiatives.  The enforcement will occur irrespective of who wins the election.  There will be SEC and DOJ task forces that teach all offices how to investigate these matters.  Future budgets will contain line items specifically focused on these matters.  It has been said "fraud has no fans."  It is also true that politicians do not like the outsourcing of revenues and jobs that inevitably occur with foreign operations. You ignore FCPA risk at your peril.  




Thursday, September 13, 2012


The Perfect Storm- FCPA


The Perfect Storm was a movie depicting the 1991 confluence of unusual meteorological events that caused a storm resulting in damages of over 200 million dollars and the loss of 13 lives.  Although I wouldn’t expect much loss of life resulting from applying the whistleblower provisions of Dodd-Frank to the Foreign Corrupt Practices Act (FCPA), 200 million dollars will be a pittance.  Book it.

I believe this based on what happened to the False Claims Act (FCA) enforcement environment after passage of the 1986 act which strengthened the whistleblower protections, among other things.  Look at the growth curve:




As you can see, the growth curve was exponential before leveling off in 1997 through today (although the last couple of years have seen another  jump).

Although the number of cases leveled off after 1998, the dollar value of settlements has skyrocketed.


Wouldn't you like to have invested in that income stream?  Well, I have some news for you.  If you are a shareholder, you have a chance to invest again right now, just like in 1987.  The only problem is the government is buying this stock.  You are shorting it.


This average dollar per settlement increase is largely due to a shift from relatively small health care providers to large pharma/med device companies.  One could infer, however, that it is also due to an increase in the sophistication of the government, relators and relator attorneys.  Oh, I forgot to mention relator attorneys.

Do a Google search on FCPA violations.  What is the first item that appears?






You see, back in 1987, when the qui tam provisions of the FCA were enhanced, Al Gore was in the Senate and the internet had not yet become a part of our lives.  This lack of access of potential whistleblowers to qui tam attorneys created an elongated “ramp up” in cases.  As you can see, this is no longer a barrier to growth.

If I haven’t worried you already, let me go further.  FCA violations typically occur primarily in two industries- government contractors and health care.  That is a fairly discrete and small pool of potential violators.  As a matter of fact, while health care and defense contractors only comprise 13% of the S&P 500 (by market cap) the revenues associated with foreign operations are over 46% of the S&P 500 revenues.  I know market cap and revenues are a little apples and oranges, but directionally the pool of potential violators is much bigger.

I haven’t yet touched on a comparison of the inherent risk of a violation between FCA and FCPA.  Nor have I addressed the relative strength of control environments designed to address those risks.  Nor have I touched on the risk that a violation will not be detected.  All of these are factors articulated in the principles of corporate prosecution articulated by the DOJ in this link.

That fun will be for another day.  I will give you a hint though.  The perfect storm is about to become a perfect tsunami.