Monday, October 22, 2012

Auditing, Monitoring & Investigating- Corporate Compliance Turf Wars



One of the hotter current topics I see right now involves the varied approaches companies are taking to handling auditing, monitoring and investigating, particularly in the area of bribery and corruption.  Internal audit, legal and compliance are all either fighting for (or desperately trying to avoid) responsibility for these functions.
 
The arguments for each function all have merit.  Attorneys can bring attorney-client privilege, which protects the company's position.  Internal audit does, in fact, know how to audit.  Compliance deals with laws and regulations, so its risk assessment and subject matter competence may be better suited to this type of audit than that of financial auditors.

Today’s discussion will focus on a workable temporal/functional  framework.

Auditing

I am a CPA and auditing is a term of art.  Unfortunately, most compliance authors have resembled finger painters more than Michelangelo in applying that art to compliance guidance.  For my purposes, I define audit (in a compliance context) as a systematic testing of controls for the purpose of determining compliance. This testing usually has risk-based and non-risk-based components.  The reason for the non-risk-based component is that you want to gain a comfort level with the effectiveness of controls overall.  The reason for the risk-based component is that you want to satisfy yourself that the controls are operating effectively in environments where there are greater incentives for circumvention or failure.

In the compliance world, I believe that auditing should focus (as much as possible) on current transactions.  It should not be an archeological adventure.  In the perfect world, the audit is much more likely to find a violation of company procedure than a violation of law.  Now, that violation of procedure may inform the parties about the likelihood of a violation of law, but that would likely require further investigation.

An audit, structured in this manner, reduces not only the temperature of attorneys concerned about privilege but also that of compliance people concerned about subject matter expertise.  It would be executed by both internal audit and compliance.  The internal audit work would be at sites chosen by that group based on their risk assessment, likely based more on risks other than violations of the law.  It would be an add-on to their other tests and an efficient way to obtain evidence of general compliance with legal-related controls. In an FCPA context, for randomly selected transactions in the last 6 months they might test:

  •  Approvals over cash payments and T&E items.
  •  Review of and compliance with T&E policies.
  •  Proper background checks on file for consultants and agents.

The important thing to understand here is the audit objective.  The audit objective for these tests is to accumulate evidence of compliance with company policies and procedures.  Because the transactions are randomly chosen, or chosen on the basis of normal Internal Audit risk criteria, one would not expect a higher-than-average likelihood of non-compliance with policy and procedure.

Monitoring

Monitoring is the process of identifying and evaluating “smoke”.   It rests on the belief that it is wiser for a firefighter to scan the horizon for smoke than to randomly search a forest for fire.  How effective monitoring is in locating an actual problem depends on the tool.  Monitoring tools can be very effective if focused on the proper criteria.  They can be ineffective if the criteria are set either too narrow or too broad.  Filters that are too narrow (“filter for transactions which involve a debit to bribery and a credit to cash”) will miss relevant transactions, because nobody books a bribe to an account called bribery.  Filters that are too broad (“filter for all cash transactions outside of the United States”) will produce false positives that waste investigative resources and bury problematic transactions in a pile of irrelevant data.

Effective monitoring has many advantages:
  •  It analyzes all data.  This is different from an audit.  An audit involves the selection of a sample.   That means some transactions are not analyzed at all.  Monitoring applies some level of scrutiny to all transactions.
  •  It focuses proactive resources efficiently on inherently riskier transactions.   This is a much more cost-effective way to search for the needle in the haystack.  In effect, you x-ray the haystack first to see if it might contain a needle.
  •  Investigative follow-up in response to a monitoring finding produces a “Sentry Effect”.  I don’t remember where I first heard this and a Google search produced no results, so I may have made it up.  What I mean by this is the effect achieved on a population when they believe they are being watched, as if by a sentry.  It is a well-known behavioral phenomenon that compliance increases if the subject believes he is being watched.  Read this study on the impact of cameras on physician hand washing.  I saw the same impact when I was a compliance officer.  It was one thing to show up at a field office and ask for evidence of compliance with a policy. It was quite another to show up and ask for specific transactions where we had a concern about compliance with a policy.  More than once I heard a regional VP mutter about “big brother” knowing everything!
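The narrow-versus-broad filter trade-off above, and the point that monitoring scores every transaction rather than a sample, can be made concrete. The following is an added example, not code from the original post or from any product the author used. The ledger, the high-risk country list, the keyword list and the $10,000 approval limit are all assumptions constructed for illustration; a real program would take those criteria from its own risk assessment.

```python
"""Three monitoring filters over one constructed ledger (hypothetical data).

narrow_filter  - the literal "debit to bribery, credit to cash" rule
broad_filter   - "every cash payment outside the United States"
scored_filter  - several weak risk indicators combined into one score
"""
from dataclasses import dataclass

# Assumed for this example only; a real program uses its own risk assessment.
HIGH_RISK_COUNTRIES = {"NG", "ID", "CN"}
SUSPECT_KEYWORDS = ("facilitation", "official", "expedite", "commission")
APPROVAL_THRESHOLD = 10000.0   # assumed single-signature approval limit


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str        # general-ledger account description
    amount: float
    country: str        # country where the payment was made
    payee_type: str     # employee | vendor | agent | government
    approved: bool      # documented approval on file
    description: str


# Constructed sample ledger; none of these are real transactions.
LEDGER = [
    Txn("T1", "Cash", 120.0, "MX", "employee", True, "taxi to airport"),
    Txn("T2", "Cash", 9500.0, "NG", "agent", False, "facilitation fee"),
    Txn("T3", "Consulting fees", 48000.0, "ID", "agent", True, "market study"),
    Txn("T4", "Gifts and entertainment", 2200.0, "CN", "government", False,
        "dinner, ministry officials"),
    Txn("T5", "Cash", 35.0, "CA", "employee", True, "parking"),
]


def narrow_filter(ledger):
    """Too narrow: matches only an account nobody ever uses, so it finds nothing."""
    return [t.txn_id for t in ledger if t.account.lower() == "bribery"]


def broad_filter(ledger, home_country="US"):
    """Too broad: every foreign cash item, including taxis and parking."""
    return [t.txn_id for t in ledger
            if t.account == "Cash" and t.country != home_country]


def score(t):
    """Add up weak indicators; return (score, reasons) so the reviewer sees why."""
    points, reasons = 0, []
    if t.country in HIGH_RISK_COUNTRIES:
        points += 2; reasons.append("high-risk country")
    if t.payee_type in ("agent", "government"):
        points += 2; reasons.append("third-party agent or government payee")
    if not t.approved:
        points += 2; reasons.append("no documented approval")
    desc = t.description.lower()
    if any(k in desc for k in SUSPECT_KEYWORDS):
        points += 2; reasons.append("suspect wording in description")
    if t.account == "Cash" and t.amount >= 1000:
        points += 1; reasons.append("large cash payment")
    if 0.9 * APPROVAL_THRESHOLD <= t.amount < APPROVAL_THRESHOLD:
        points += 1; reasons.append("amount just under approval limit")
    return points, reasons


def scored_filter(ledger, threshold=4):
    """Score every transaction (no sampling) and queue those at or above threshold,
    highest score first, so investigators work the smokiest items first."""
    hits = []
    for t in ledger:
        points, reasons = score(t)
        if points >= threshold:
            hits.append((t.txn_id, points, reasons))
    hits.sort(key=lambda h: (-h[1], h[0]))
    return hits


if __name__ == "__main__":
    print("narrow:", narrow_filter(LEDGER))
    print("broad :", broad_filter(LEDGER))
    for txn_id, points, reasons in scored_filter(LEDGER):
        print(f"scored: {txn_id} score={points} {reasons}")
```

On this ledger the narrow rule returns nothing, the broad rule returns the two taxi-and-parking items alongside the one genuinely suspect cash payment, and the scored filter surfaces the unapproved agent payment just under the approval limit first, the unapproved entertainment of officials second, and the large agent consulting fee as a lower-priority item, each with the reasons an investigator needs to confirm or reject the finding.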

Because the investigation of monitoring findings involves a higher risk of problem detection, I would recommend this be performed by the compliance department with legal on speed dial.  It takes subject matter expertise to either confirm or reject the finding and it takes an appreciation of the legal environment to know when a finding needs:

Investigating

Perhaps I am old school. Then again, perhaps I am a veteran viewer of the adage that “no good deed goes unpunished”.  I simply cannot recount all the instances I have seen where well-intentioned compliance or audit personnel have created a lengthy unprivileged inculpatory record replete with legal opinions expressed by non-lawyers.  My rule of thumb is simple.   If the problematic item you have found has past implications, you should put pencils down and call the attorneys.  Do not engage in the unauthorized practice of law and do not pass go.  Lawyers understand privilege, privacy laws, and disclosure obligations.  They also know when to involve outside counsel.  There are companies that have gone the way of the dinosaur due to the failure of CPAs to understand this.

This is not to say that internal audit or compliance won’t have a role in investigating the issue.  It is just to say that the lawyers should be calling the shots.

Conclusion

I have heard this model described as a temporal/functional approach to compliance.  It takes advantage of the skillsets and insights of each of the disciplines.   It also protects all of the stakeholders in the process of auditing, monitoring and investigating.

Wednesday, October 10, 2012

Corporate Integrity Agreements and DPA/NPAs


Michael Volkov has an excellent article comparing the requirements of Corporate Integrity Agreements (CIAs) and Deferred or Non-Prosecution Agreements (DPAs/NPAs).  Essentially, he notes that CIAs are generally more prescriptive in enumerating compliance obligations than DPAs.

The reasons for this difference primarily lie in the difference between the OIG-HHS and the DOJ.  The OIG-HHS has a long history of industry participation in compliance program guidance and oversight. As such, they have significant opinions about what works and what doesn’t.  This translates into more detail.  The DOJ with DPAs takes a more “hands off” approach.  Essentially, they rely on the company and the monitor to propose and evaluate the remedial compliance infrastructure.

For what it is worth, I think the OIG-HHS approach is more business friendly.  As a former compliance officer who had to live under an agreement, I preferred that my responsibilities be clearly delineated—not subject to the whims of a monitor.  The monitor may or may not have a complete understanding of my industry or what actually works in a company.  The monitor might be trying to sell more consulting work.  Often, the cure is worse than the disease in these matters.  The controls recommended by a monitor or an IRO may not only prevent bribery, they might prevent business!

I have seen this in action.  A large multinational engaged a firm to design their anti-bribery program.  My job was to tailor the program to the largest North American division.  The program was a nightmare.  It was a hodgepodge of redundant and unnecessary controls, no doubt authored by inexperienced staff who had never seen the inside of a company.  Belts hold your pants up just as well as suspenders, but both are not required to avoid embarrassment.

On the other hand, the more time that passes from the signing of the CIA, the less relevant that prescriptive document becomes.  Business models change, processes change, products change, and people change.  Some CIAs are 7 or more years.  They can become irrelevant quickly.  I must say, however, that I have always found the OIG-HHS to be very reasonable in amending the agreement when a requirement no longer makes sense.  The consistent oversight function within the OIG-HHS makes this a workable framework.  

Attorneys often like vague language around obligations. It makes it easier to defend the allegation of a breach.  For my money, however, I like to know what the requirements are.  That makes it easier to budget the cost and less disruptive to the ongoing business.

Monday, October 8, 2012


The Internal Investigation- What Should a GC Consider?



I am not a lawyer and this is not legal advice.  But….In my 30-year career, I have assisted counsel in many investigations.  I have also been a compliance officer for a company that went through internal investigations involving allegations that preceded my tenure.  Lastly, I advised the audit practice and general counsel’s office of a Big 4 firm on the adequacy of many internal investigations performed by audit clients.  I have seen good investigations that have been thorough, efficient and contemplated the concerns of all stakeholders.  I have also seen unmitigated disasters.  Here are some questions you should ask and some of my observations.

Does the nature of the allegation require an independent investigation?

Most internal investigations can and should be led and managed by internal counsel.  The issue may require the use of outside counsel, but it does not usually require an independent committee of the board.  To me, this boils down to a simple analysis.  Is it reasonable that senior management could have directed or disregarded the behavior that would have led to the allegation?   The meaning of “disregarded” will vary depending on the inherent risk of the alleged offense actually occurring.  If the company sells commoditized products to quasi-governmental entities with a high commission in a high-risk location, then the expected rigor of the anti-bribery controls would be high.  Failure to have those controls in place might cause one to believe that management disregarded the risk of a bribe.  On the other hand, if a collusive accounting fraud took place in a division ineligible for a bonus, then this would more likely be a circumvention of controls.  In other words, examine the actual allegation or the allegation inferred from the subpoena or search warrant.  Is it credible that such behavior could occur?  Could senior management have been involved?

What law firm should be hired?

Independent or not?
There are terrific reasons to hire a law firm that knows the company.  They know management, the industry and the issues.  If the investigation needs to be independent, however, I would hire an independent law firm.  It just looks better to stakeholders and there are many good law firms out there.  Attorneys are entrepreneurs, as well.  They will make both of these arguments, depending on who they are trying to sell to!

Relevant experience
I would hire a firm that has three characteristics.  They should have attorneys with experience in your industry.  They should have white collar investigative experience and relationships with the ultimate enforcement body.  Finally, they should have securities attorneys who can contemplate ancillary litigation risk.  All three of these types of attorneys are critical to the success of the project.  That breadth of knowledge rarely, if ever, lies in one person.

It is not enough, however, to have those skill sets in the firm you hire.  They must also play well together in the “firm sandbox”.  I have seen some firms that are more ruthlessly competitive internally than they are externally!  The risk is that they will not bring the appropriate resources to bear on your “bet the company” case.

Personality
The lead investigative attorney should have significant people skills and experience in these matters.  He or she is going to turn your company upside down for a period of months to years.  An internal investigation is distracting and disruptive. It is expensive and can drive a significant wedge between management and the board, divisions and senior management.  The investigation should be performed by an attorney who is empathetic to those issues.

There are law firms (usually comprised of former prosecutors) that view themselves as an extension of the Department of Justice. Their “scorched earth” tactics are, in my experience, less effective at fact gathering than the balanced alternative.  Further, their overreaching conclusions subject the company to horrific ancillary litigation risk.  Reports, if issued, should be carefully worded to convey the reasonable findings of an investigation and not be confused with language one uses in an indictment.   There is probably nothing more important than the final workproduct to all stakeholders.  Therefore, before I hired someone, I would obtain sample:

Reports
These are now widely available on the internet for many attorneys.  If not available, I would ask for a redacted sample.  I would look for a fulsome discussion on the scope and the limitations of the investigation.  Every investigation has scope limitations and the results should be interpreted accordingly.  Pay close attention to the conclusions.  Are they reasonable, given the scope?  Are the conclusions characterized by hyperbole? Did they stay within the original scope or greatly expand? Lastly-- and this is important, do they appear to be more interested in selling a second phase (a remediation phase) as opposed to reporting the results of the investigation?

How do you perform all of this diligence over the weekend after one of your offices has been raided on a Friday afternoon? Sadly, you don’t.  I have spent frantic Saturday mornings on the phone with attorneys (while watching my kids’ ballgames) bemoaning this fact.  The best advice I can give you is to line up an independent “bet-the-company case” attorney in advance.  If you don’t do that, at least have a trusted adviser attorney who can help you navigate the crucial first 96 hours until you can get such counsel in place.

I did not include location on this list.  Investigations are increasingly global and law firms have grown in response to this fact.  I believe that the nature of the allegation may make this an important consideration, but this factor can be lessened due to other law firm relationships and the litigation consultant retained by lead counsel.

Litigation Consultants (Fair warning- at this point, my own self-interest kicks in!)

I think the attorneys you retain should drive this decision, but that doesn’t mean you can’t weigh in.  I generally think the decision boils down to a relatively small universe of firms.

Accounting firms
Big 4 firms have good people, global reach and significant accounting expertise. Because they perform audits, they also have many more conflicts, some they can foresee and some they can’t. They also have positional conflict issues in some circumstances. You should weigh the pros and cons of these constraints on their ability to meet your engagement needs. You should also be aware of “bait and switch” tactics.  Just because the world’s foremost expert on SAB Topic 5 T resides within a firm doesn’t mean that he or she will have any available time for your engagement.  As a matter of fact, given the urgency of these engagements, you should normally assume they will not contribute to your engagement.

Global consulting firms
Global consulting firms have experienced significant growth due to the conflicts that accounting firms have experienced.  This has led to an exodus of former Big 4 professionals who would like to be free of the conflicts an audit practice presents.  In your diligence, you should assess the global presence of the consulting firm.  Lack of in-country experience can be very detrimental to your engagement success.  You should also consider the industry expertise of the firm.

Ultimately, experience and personality play a big part in this decision, as well. Your ultimate goal is a speedy, thorough resolution that is as minimally disruptive as possible.  That doesn’t happen with rookies.

One final thought

This is one of the most challenging processes your company will ever face.  Your management and key people may be at risk-- both from an employment and civil and/or criminal standpoint.  Your senior management and production people will be distracted and resentful.  Profitable divisions and revenue streams may disappear.  Competitors will use this in the marketplace and try and take your people.  Your company may face significant penalties and may be competitively disadvantaged for years.  The decisions you make in the first 96 hours are among the most impactful you will ever make.

Monday, October 1, 2012


The Compliance Officer in the Governance Structure


Where should the compliance officer be in the organization chart?  Should the compliance officer have access to the board of directors?  Should there be a compliance committee on the board or should it be part of the audit committee?

The simple answer is the more important compliance is to your revenue stream, the more likely it is that your compliance officer should have direct access to the CEO.  That is particularly true if there is a high inherent risk (as viewed through the prism of the fraud triangle) of a violation.  If you have a salesman that markets medical devices in a very competitive environment and he is 100% commission-based, you have a high risk of a kickback violation.  It is that simple.  Because the risk of a violation is high, the control structure design must be robust.

I remember years ago working on a health care fraud case at a large hospital in the Northeast.  I needed to interview the Compliance Officer and I literally needed a GPS to find his office.  He was located in a dark corridor, segregated from everyone else.  I finished the interview and told the defense counsel that we had a problem.  The attorney said, “why, what did he say?”  I told the attorney that he didn’t need to say anything.  His location and lack of interaction with the organization spoke louder than words.

On the other end of the spectrum, I worked on an accounting fraud case for an energy company.  The CEO was engaged.  The CEO addressed the VP of internal audit in meetings and made it clear that they had a relationship.  When the meeting was drawing to a conclusion, the CEO recapped the issues and asked for action plans from the key stakeholders.  The attitude of the CEO, the relationship with key management and the organizational respect for controls told me everything I needed to know-  we may have had a mistake, but we probably didn’t have a fraud.

In both of the aforementioned examples, compliance was key to revenue.  One organization disregarded that fact and the other embraced it.  I probably don’t have to tell you how the investigations turned out.

That is not to say that fraud can’t occur in a well-controlled organization.  I have seen it.  I worked on a bank fraud case where an accounts receivable financing arm committed a $300 million loan fraud scheme through manipulation of the aging controls.  It required impressive collusion; at least 15 people were involved.  I used to say you couldn’t find 15 bad people anywhere outside of a University of Florida alumni meeting, but I guess I was wrong!  The organization as a whole, however, avoided prosecution, because it was obvious that this was isolated and collusive, and therefore difficult for any control environment to detect.

As to whether there should be a separate compliance committee or just part of the audit committee charter, I would say the same considerations apply.  You should accept, however, that audit committees have a great deal on their plate.  If you add on compliance, it will be just that-- an add on that does not get the committee’s full attention.