evaluating compliance and anti- fraud programs – a case

APRIL 28, 2020

Brad Knight, Managing Director | Risk Advisory ServicesPaul Greenspan, Managing Director | Forensic Investigation and Dispute Services

COURSE 2Evaluating Compliance and Anti-Fraud Programs – A Case Study with BDO’s Forensics Practice

3

BDO and Our Internal Audit Webinar Series

4

Polling Question 1

From which time zone are you joining us today?

A. EasternB. CentralC. MountainD. PacificE. Other

5

Brad Knight, CPA, CRMAManaging Director | Risk Advisory Services

Brad Knight leads BDO’s Risk Advisory Services in Atlanta and for the Southeast, and offers experience in variety of industries including: manufacturing, healthcare, supply chain, and technology.

He has been deeply involved in identifying and delivering governance, risk and compliance solutions to clients, including all aspects of SOX implementation and compliance, business process documentation, enterprise risk assessments, internal audit co-sourcing, internal controls assessments, and SOC reporting.

Brad has more than 15 years of experience leading and delivering internal audit, enterprise risk management, governance and compliance engagements to Fortune 500 and middle market companies. Prior to joining BDO, Brad worked at Brambles Ltd. where he oversaw and directed the organization’s global enterprise risk management programs.

404-942-2955 / [email protected]

PROFESSIONAL AFFILIATIONSAmerican Institute of Certified Public AccountantsInstitute of Internal Auditors

EDUCATION B.S., Accounting, University of Tennessee, KnoxvilleM.Acc., University of Tennessee, Knoxville

6

Paul Greenspan, CFEManaging Director | Forensic Investigation & Litigation Services

Paul Greenspan assists organizations and their attorneys with the financial, accounting, and regulatory aspects of investigations, business disputes, and compliance challenges. His primary areas of concentration include corporate compliance, fraud investigations, forensic accounting, anti-corruption compliance, damage calculations, expert testimony, and litigation support.

Paul has more than 18 years of forensics experience conducting internal and regulatory investigations of employee misconduct, misappropriation of funds, accounting irregularities, and suspect business practices. He has conducted anti-corruption compliance assessments and investigations in more than a dozen countries around the world. In addition, he has analyzed damages, produced expert reports, and been qualified as an expert witness in a variety of litigation matters, including employment disputes, complex fraud claims, breach of contract, and post-M&A disputes.

404-979-7157 / [email protected]

PROFESSIONAL AFFILIATIONSAssociation of Certified Fraud ExaminersAtlanta Bar AssociationAtlanta Compliance & Ethics Roundtable, Board Member

EDUCATION J.D. / M.B.A., University of FloridaB.A., Tulane University

7

Today’s Learning ObjectivesAt the conclusion of this course, participants will be able to:

Identify compliance-related considerations emerging from the COVID-19 crisis

Identify relevant regulatory guidance on the effectiveness of compliance programs

Effectively team with compliance functions within their organizations to assess compliance and anti-fraud programs

Conduct insightful conversations with management regarding risks of non-compliance

8

Polling Question 2

In your organization who is primarily responsible for assessing compliance and fraud risks?

A. Compliance OfficeB. Internal AuditC. General Counsel’s OfficeD. Chief Financial OfficerE. Don’t Know / Uncertain

9

COVID-19 Considerations

10

COVID-19 Compliance Considerations

Health & Safety PPE and social distancing for employees Facility closures and re-openings

Privacy and Cybersecurity Information about employees’ health status / test results What info can we ask for? What info can we share?

Increased cyber threats – phishing, ransomware, social engineering

Remote working may increase these risks

11


Supply Chain

Moving into new product lines

Regulatory approvals, esp. for healthcare-related products

Using new third party intermediaries

Due diligence procedures

Payment procedures

Import / Export Controls

Corruption

12


Human Resources

Absenteeism

New hires – start dates, validity of offers

Designation and documentation of employees as “essential”

Consult with Legal, as laws vary state to state

Contract Compliance Are you able to meet your commitments to your customers? Are your suppliers able to meet their commitments to you?

13


More Issues

Environmental

Antitrust

Anti-money Laundering

Anti-Corruption and Bribery

Sanctions and Export Controls

Regulatory Reporting Requirements

SEC Filings (for public companies) and Insider Trading

14


What procedures have you put in place to allow for exceptions to be granted from normal compliance operations?

How are you documenting these exceptions?

How are you staying abreast of rapidly-changing laws and regulations, and incorporating that information into your program?

15


FERC – Federal Energy Regulatory Commission – April 2, 2020

The Chairman today announced that the Commission will exercise appropriate prosecutorial discretion in addressing events that arise during the emergency period. “I’ve said this before, but it bears repeating: The Commission will not second-guess the good faith actions that regulated entities take in the face of this emergency.” Enforcement staff will take the current emergency into account when evaluating compliance programs as part of its analyses under the Penalty Guidelines, or as part of an audit for operations taking place during the emergency. Staff also will take the crisis into account in assessing the timeliness of self-reports, including the self-report credit under the Penalty Guidelines.

16


Office of Foreign Assets Control (OFAC) – April 20, 2020

OFAC understands that the COVID-19 pandemic can cause technical and resource challenges for organizations. As OFAC has articulated … the agency supports a risk-based approach to sanctions compliance. Accordingly, if a business facing technical and resource challenges caused by the COVID-19 pandemic chooses, as part of its risk-based approach to sanctions compliance, to account for such challenges by temporarily reallocating sanctions compliance resources consistent with that approach, OFAC will evaluate this as a factor in determining the appropriate administrative response to an apparent violation that occurs during this period. OFAC will address these issues on a case-by-case basis.

17

COVID-19 Compliance Considerations - Fraud

The Fraud Triangle is a model used to explain how a person comes to commit occupational fraud.

18

COVID-19 Compliance Considerations - Fraud

People are desperate and fearful = Pressure and Rationalization Government response Enormous amounts of money Being rolled out extraordinarily quickly Variety of new and proposed programs = confusion Oversight entities

New work environments – working remotely from home – may increase likelihood of fraud schemes Employees are looking for and using workarounds Physical separation may lead to lack of communication Remote working may inhibit normal security protocols that have

been carefully built over years

19

Polling Question 3

Has your organization reviewed its fraud and compliance risk assessments since the emergence of COVID-19?

A. YesB. NoC. Unsure / UncertainD. N/A

20

Overview of Regulatory Guidance on Compliance and Anti-Fraud Programs

21

Overview of Regulatory Guidance

Federal government has made clear that it expects organizations to have robust, risk-based compliance programs

Regulators’ expectations have become more and more explicit

Expectation is built into various aspects of the law and regulations

General thrust of these expectations is consistent across different laws, regulatory guidelines, pronouncements, memos, informal guidance, etc.

22

U.S. Sentencing Commission -Federal Sentencing Guidelines for Organizations

Built-in incentive for having a effective compliance program - greatly reduced fines Outlines 7 key criteria for establishing an “effective compliance program” (§8B2.1)

1) Standards and procedures to detect and prevent criminal conduct2) High-level program oversight3) Due care regarding individuals with discretionary authority in the program4) Communications and training to all levels5) Monitoring, auditing, and evaluation of the program, including employee

reporting mechanisms without fear of retaliation6) Consistent enforcement - incentives and discipline7) Respond appropriately to detected wrongdoing and prevent similar

conduct, including updating the program Other regulators have developed their own guidance based on this model

23

Department of Justice - Principles of Federal Prosecution of Business Organizations

Includes a section on Corporate Compliance Programs (USAM 9-28.800):While the Department recognizes that no compliance program can ever prevent all criminal activity by a corporation's employees, the critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives.

The fundamental questions any prosecutor should ask are: Is the corporation's compliance program well designed? Is the program being applied earnestly and in good faith? Does the corporation's compliance program work?

24

Department of Health & Human Services – Office of Inspector General

Health Care Provider Compliance Training Slides

25

Department of Health & Human Services – Office of Inspector General50+ pages of suggested ways to measure various elements of a compliance program

26

Department of Justice – Antitrust Division

27

Department of Justice – Antitrust DivisionElements of An Effective Compliance Program

Design and comprehensiveness of the program Culture of compliance within the company Responsibility for, and resources dedicated to, compliance Risk assessment techniques Compliance training and communication to employees Monitoring and auditing techniques, inc. continuous

improvement Reporting mechanisms Incentives and discipline Remediation methods

28

DOJ and SEC – The FCPA Guide

Released in November 2012 jointly by the DOJ Criminal Division and SEC Enforcement Division

29

DOJ and SEC – The FCPA GuideHallmarks of Effective Compliance Programs

Commitment from Senior Management and a Clearly Articulated Policy Against Corruption

Code of Conduct and Compliance Policies and Procedures Oversight, Autonomy, and Resources Risk Assessment (“One-size-fits-all compliance programs are generally

ill-conceived and ineffective …”) Training and Continuing Advice Incentives and Disciplinary Measures Third-Party Due Diligence and Payments Confidential Reporting and Internal Investigation Continuous Improvement: Periodic Testing and Review M&A: Pre-Acquisition Due Diligence and Post-Acquisition Integration

30

DOJ Criminal Division –Evaluation of Corporate Compliance Programs

31


Released April 2019

Most recent and comprehensive guidance – approximately 20 pages

“This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”

https://www.justice.gov/criminal-fraud/page/file/937501/download

32


Guidance is organized in three sections:

I. Is the corporation’s compliance program well designed?

II. Is the corporation’s compliance program being implemented effectively?

III. Does the corporation’s compliance program work in practice?

Includes many questions that prosecutors should ask when evaluating a compliance program…which means you should be asking these same questions! And incorporate them in audit plans.

33


Sample from the Risk Assessment section

34


I. Is the Corporation’s Compliance Program Well Designed?

A. Risk Assessment

B. Policies and Procedures

C. Training and Communications

D. Confidential Reporting Structure and Investigation Process

E. Third Party Management

F. Mergers & Acquisitions

35


II. Is the Corporation’s Compliance Program Being Implemented Effectively?

A. Commitment by Senior and Middle Management

B. Autonomy and Resources

Prosecutors should evaluate whether “internal auditfunctions [are] conducted at a level sufficient to ensure their independence and accuracy,” as an indicator of whether compliance personnel are in fact empowered and positioned to “effectively detect and prevent misconduct.” JM 9-28.80

C. Incentives and Disciplinary Measures

36


III. Does the Corporation’s Compliance Program Work in Practice?A. Continuous Improvement, Periodic Testing, and Review

Internal Audit - What is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process? How are audits carried out? What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often does internal audit conduct assessments in high-risk areas?

B. Investigation of MisconductC. Analysis and Remediation of Any Underlying Misconduct

Prosecutors will review Internal Audit’s role and performance within the overall compliance program.

37

Benefits of an Effective Compliance Program

Two weeks ago, the SEC charged a former banker at Goldman Sachs’ UK subsidiary with FCPA violations for paying bribes to government officials in Ghana to help a Goldman client win a power plant contract there.

However, the SEC did not charge Goldman itself because of the bank’s efforts to stop the alleged wrongdoing.

38


39


In Feb. 2019, the former President and former Chief Legal Officer of Cognizant were charged with FCPA violations for allegedly approving the payment of $2m in bribes to Indian government officials related to licenses and permits for construction a large new facility there.

The company agreed to a cease-and-desist proceeding with the SEC and paid $25m in penalties, disgorgement, and interest, but it also received a declination letter from the DOJ (i.e., the DOJ decided not prosecute the company.)

40


From the DOJ declination letter:

41

Polling Question 4

Has your organization compared its compliance program to the relevant guidance issued by federal regulators and enforcement agencies?

A. YesB. NoC. Don’t knowD. “What’s a compliance program?”

42

Effective Fraud & Compliance Assessments

43

Managing Fraud Expectations

How important is fraud risk to your organization and stakeholders?

Whose job is it to find fraud?

Can someone within your organization find fraud?

How do you currently prevent and/or detect fraud schemes?

Does your organization currently conduct an evaluation of fraud risks?

44

Internal Audit’s Role and ResponsibilityThe Institute of Internal Auditors sets forth certain standards regarding fraud:

IPPF Standard 1210.A2 | Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

IPPF Standard 2120.A2 | The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

IPPF Standard 2210.A2 | Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

45

Internal Audit’s Role and ResponsibilityCOSO views the management of fraud risk as the responsibility of “personnel at all levels of the organization – including every level of management, staff and internal.”

Five Fraud Risk Management Principles

Control Environment

Risk Assessment

Control Activities

Information & Communication

Monitoring Activities

The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

The organization selects, develops, and deploys preventive and detective fraud control activities or mitigate the risk of fraud events occurring or not being detected in a timely manner.

The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

COSO Internal Control – Integrated Framework Presentation May 2013 by COSO.org

46

Fraud Risk Assessment – Common Elements

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Involve stakeholders Brainstorm and identify potential fraud schemes Disregard the control environment Use a risk based approach – likelihood and impact Consider emerging risks Document a thorough risk assessment

47

Fraud Risk Management Process

Establish a fraud risk management policy as part of organizational

governance

Perform a comprehensive

fraud risk assessment

Select, develop and deploy

preventative and detective fraud

control activities

Establish a fraud reporting

process and coordinated approach to

investigation and corrective action

Monitor the fraud risk

management process, report

results and improve the

process

48

5 Questions Every Organization Should Be Asking

1) Does the organization have a fraud response plan in place that outlines key policies and investigation methodologies?

2) Who carries out fraud investigations within the organization?

3) Who is tasked with identifying where fraud risk is present, and does it audit controls in these areas? (risk management, internal audit, other)

4) When fraud has occurred, is an investigation performed to understand how the controls failed and how they can be improved? Who is tasked with performing this investigation?

5) Who is tasked to investigate fraud, and, do they possess the proper skill sets to carry out such investigations?

49

Compliance Risk Assessments

Specifically identifies regulatory compliance and legal risks Laws and regulations with which the organization is required to comply in

all jurisdictions where it conducts business Critical organization policies

Should be linked with enterprise and internal audit risk processes Interrelationships exist between enterprise, internal audit and

compliance risk assessments Linkage helps an organization understand the full range of its risk

exposure

Assessments should be comprehensive, customizable and allow for both objective and subjective evaluation of risks

50

Compliance Risk Assessments

Effective compliance risk assessments capture elements of the organization’s mitigation strategies

Assess both inherent and residual compliance risk, similar to ERM processes

51

Assessing the Reporting Structure

The question of what is the “right” reporting structure for Compliance has been hotly debated over the years

Separate Chief Compliance Officer vs. secondary role for GC (or someone else)?

Report to Legal? Report to CEO/CFO? Report directly to Board? No “correct” answer – any can be successful Trend is toward separate Compliance function Keys: Who has responsibility and accountability for the compliance

program? Independence, Access, Influence, and Resources

52

Common Pitfalls in Fraud and Compliance Programs

Assumed communication amongst teams charged with managing risk in the organization

Lack of a Risk Assurance Map Lean organizational structures or overwhelmed assurance and

compliance functions unable to take a strategic view of the organization’s risks

Assessments should be comprehensive, customizable, and allow for both objective and subjective evaluation of risks

Lack of customized training (using a one-size fits all approach) Tone at the Top and fear of speaking up

53

Polling Question 5

Has your organization conducted a risk assurance mapping exercise to centralize risk identification and assessment?

A. YesB. NoC. Unsure / UncertainD. N/A

54

Today’s Case Study

55

Case Study - BackgroundCompany Background Publicly traded, global organization conducting business in 60+ countries Increasing competitive pressures and declining margins Pressure to meet forecasts and externally communicated targets Increasing levels of regulation across the globe

Relevant Facts Compliance function was a lone individual within the General Counsel’s office GDPR, FCPA, Sanctions, and other regulations overwhelmed resources ERM & Internal Audit were not integrated with Compliance function Fraud and Compliance Risk Assessments had not been conducted Hotline calls directed to General Counsel’s office for vetting and assignment of

resources, if deemed necessary

56

Case Study – What Happened?One business unit improperly accelerated revenues and deferred expenses at period-ends to meet its financial targets. A call to the hotline had gone ignored due to personal relationship(s)

The ERM function was not properly championed and enabled and could not obtain information sufficient to identify this as a risk

Incomplete enterprise risk assessments, inadequate communication of compliance risks, and nonperformance of fraud risk assessments meant Internal Audit was focused on the wrong risks and areas of the business

The Compliance function was overwhelmed with monitoring efforts and unable to adequately review KPIs and self-assessments for indicators

Management exerted significant pressure on line workers and middle management that resulted in these actions being rationalized to achieve:

The business’s financial targets

Individual targets relating to annual incentive plans

Continued employment

57

Case Study – What Should Have Happened?1. The business should have placed more emphasis on proactive

identification of compliance and fraud risks.2. The business’s assurance and compliance functions should have been

better aligned and communicating.

If the above had occurred, the business may have prevented occurrence of the fraud by implementing the following: Hotline calls: Increased communication between Counsel and Internal Audit could have

raised an issue, or calls could have been redirected to Internal Audit for follow up.

A risk assurance map could have been completed by ERM, Internal Audit, and Compliance to reflect the vulnerabilities within the organization.

Executive Management could have adequately supported Internal Audit and ERM in their efforts to review information and identify important risks.

Compliance and Fraud Risk Assessments could have been conducted.

58

Polling Question 6

Would you like to subscribe to Risk Advisory Services and Internal Audit Webinar Series updates (these may include webinar invitations, news, thought leadership articles, etc.)

A. YesB. No

59

Concluding thoughts

60

Questions

Brad [email protected]

404-942-2955

Paul [email protected]

404-979-7157

61

Coming Soon

62

Coming Soon

63

Coming Soon

evaluating compliance and anti- fraud programs – a case

Documents