What is the Appropriate Deterrent for Compliance Violations – Fines or Jail Time?

Are fines for corporate compliance violations an effective deterrent or are these penalties just being absorbed as a cost of doing business?

At a November 30 U.S. Senate Judiciary hearing (Examining Enforcement of the Foreign Corrupt Practices Act), Senator Arlen Specter (D., Pa.) raised this specific argument. The senator pointed to the U.S. Department of Justice’s current practice of imposing large fines on organizations, yet noted that it does not consistently seek criminal sentences.

During this hearing, Specter related the Siemens case, in which Siemens was found guilty of significant FCPA violations connected to hundreds of millions of dollars in government contracts. According to Specter, “$1.6 billion (in fines) is a lot of money, but not when you take a look at other figures involving Siemens.”

In 2008, Siemens posted $100 billion in revenue and $8 billion in profit. “The only impact on matters of this sort is a jail sentence,” said Specter. “Fines are added to the cost of doing business … and end up being paid by shareholders. No one likes to pay fines – but it does not amount to a whole lot for what is going on here.”

The DOJ has prosecuted about 50 individuals under the FCPA since 2009. However, in most of the high-profile cases involving large corporations, the only penalties have been fines.

Do you agree with Senator Specter? Should we be seeking jail sentences for corporate compliance violations that break federal laws? Is 1.5 percent of revenue a trivial amount that is merely absorbed by shareholders?


Governance, Risk and Compliance Roundup: November 16-30

FEDS DRILL OIL SERVICES WITH FCPA
The FCPA (Foreign Corrupt Practices Act) has snagged another raft of companies between the rock of justice and the hard place of the global oil business. The SEC and Department of Justice (DOJ) have announced a batch of settlements with oil services companies, just in time for quarterly filings. For the Feds, it means high-profile collars; for the companies, at a combined tab of $236.5 million, welcome (if expensive) closure to ongoing scrutiny. Read more at Westlaw Business Currents.

RISK INTELLIGENT PROXY DISCLOSURES:  TRANSPARENCY INTO BOARD-LEVEL RISK OVERSIGHT
Deloitte analyzed risk disclosures in the proxy statements of the 398 S&P 500 companies that filed a proxy between February 28, 2010 and July 1, 2010. This report from Deloitte outlines its findings.

A LITTLE EXTRA ON THE ROAD
Corporate accountants have long known that otherwise law-abiding people commit travel expense fraud. And while new software programs help detect fraud, businesses report that travel fraud has increased in the last few years as the distressed economy put more financial pressure on both employees and employers. Read more at the New York Times.

UK BRIBERY ACT GUIDANCE INDUCES NO ONE
The UK is cracking down on corruption with a new anti-bribery law that will effectively flip the burden of proof from prosecutors to defendants in bribery cases. With something close to a presumption of guilt, companies operating in the UK will need to be able to show that they have taken robust measures to prevent bribery, or face unlimited fines or jail time. The Bribery Act (“the Act”) paves the way for Britain to become a world leader in anti-sleaze by codifying and significantly expanding existing bribery laws throughout the UK. But with the Ministry of Justice’s (MoJ) recent guidance on the Act leaving more questions than answers, businesses and legal advisers are scratching their heads as to how exactly to avoid being caught. Read more at Westlaw Business.

HOW TO ESTABLISH A PROGRESSIVE INTERNAL AUDIT PROGRAM THAT COVERS ALL THE BASES
The internal audit: it’s a necessary part of conducting business that, done right, can at once assess operations, identify areas for improvement, manage risks and help maintain compliance. Now more than ever, audit committees, chief financial officers and other stakeholders need greater assurance that internal controls and risk management procedures are effective and efficient. Read the entire article from Crowe Horwath.

A GUIDE TO BOARD DIVERSITY
Although women and minorities have been seeking seats on corporate boards for many years, progress toward diversity in the boardroom continues to be glacial. More than half of public companies do not have a single minority director, while almost one in three companies lacks a female director, according to the National Association of Corporate Directors. Read more.


COSO 2.0: A PLAYBOOK FOR THE 2012 EDITION

COSO has just announced a project to modernize Internal Control – Integrated Framework. It is welcome news. The original COSO Internal Control – Integrated Framework was published in 1992 after an examination of the causes of the financial failures of the 1980s. It is appropriate that COSO re-examines the basic framework and updates it. Sudden corporate failures and catastrophic losses are continuing unabated.

Since the traditional Thanksgiving football weekend is almost upon us, I’d like to offer a suggested playbook for what I will call COSO 2.0.

GO LONG
COSO Internal Control – Integrated Framework will be 20 years old in 2012, when the new version is published. But COSO 2.0 needs to be aimed at the world of 2025. COSO 1992 has been out of date for at least a decade. Yes, it has been updated with supplementary frameworks, and some of those have been good. Yes, the original COSO contains some fundamental truths that will remain unchanged. But they must be adapted to a world that is changing daily. We need to aim COSO 2.0 at a group of users and stakeholders in a business world and society we can only imagine today. Anything less will make COSO 2.0 irrelevant by the time it is published.

GO WIDE
In a recent workshop on integrated reporting at the Harvard Business School, participants made the case that today’s corporate reporting is irretrievably broken. For example, companies have one framework for reporting on internal control over financial reporting and other frameworks for reporting on non-financial data, even though most reported financial and non-financial data are intertwined.

If COSO 2.0 is to be relevant, it must be capable of meeting the reporting reliability requirements of all aspects of corporate reporting and function well in a world of integrated reporting. The world of GRC professionals is about to get a wider playing field.

AIM HIGH
When COSO 1992 was issued it was the only game in town. It was a breakthrough. That is not true now. A number of general-purpose and highly specialized frameworks exist. COSO 2.0 must either incorporate current best-practice frameworks or decisively improve on them. Two notable frameworks are the OCEG Red Book maturity model and, in another area entirely, the Global Reporting Initiative (GRI) framework; this does not even take into account the numerous offerings from other groups such as ISO. COSO 2.0 must take into account the best of what exists today and either borrow from it or replace it with something better. We don’t need another silo.

USE SPECIAL TEAMS
The COSO team consists primarily of auditors, accountants, academics and financial executives. Special teams are essential for winning. The COSO 2.0 team needs to add some risk specialists (preferably quants), some operating managers, some technology experts and others from the quality, environmental and sustainability movements. COSO 2.0 must be a team effort.

CONSIDER SOME LATERAL THINKING
How can we drive down the cost and bureaucracy of the control paradigm? Consider this analogy. Broken fire extinguishers don’t cause fires. Broken controls don’t cause business failure. Let’s get a better understanding of the real root causes of failure. How can we manage human performance better? By most accounts, humans are the root cause of about 50% of loss events and failures. Let’s stop blaming broken controls and start looking at what we expect from people. What observable skills and behaviors must we expect from managers, executives and boards?

KEEP SCORE
COSO must be able to demonstrate that it is reliable. How many SOX certifications were found to be flawed? A variety of stats suggest the number is at least 10-15%. That’s about the same as Russian roulette. Twice since 1992, COSO has researched the rate of fraudulent financial reporting based on SEC records. That’s like coming to a conclusion on the nation’s health by counting tombstones in the nation’s cemeteries once a decade. Find a way to measure success and failure. Start by analyzing the best record we have ever had of control failures: published disclosures of past SOX deficiencies.

Today we have far more access to information than we had in 1992. We have real-time news feeds of loss events and failures of all types, from oil spills to product recalls to compliance fines and penalties. Failures of all kinds can be tracked every day, not every decade. We need to keep score continuously. It can be done.

PLAY TO WIN
Winning the game means improving business performance. It does not mean improving control performance. COSO 2.0 needs to provide a clear understanding of how we can determine the completeness and appropriateness of business strategies and objectives and provide a basis for creating and assessing key performance indicators at the process level. If business has the right objectives, and is meeting those objectives, we should be able to come to some prima facie conclusions about how the business is managing risk and control.

Here is one performance indicator: Google the phrase “control management”. As a concept it does not seem to exist. COSO 2.0 should be the textbook of control management, in the form of intelligent, cost-effective, evidence-based (not belief-based) control design, and should promote control as a manageable dimension of the business in the same way we manage human resources, marketing or any other business function. Controls exist to achieve business results, not to support a control testing industry. We are in the game to win it.

NO TIME OUTS
If anything, COSO is off to a slow start, and a 2012 projected release date is ambitious. There is a huge amount of work to do and a short time to do it. Every GRC professional, certainly those who are members of the COSO organizations, will need to pitch in with ideas and comments as exposure drafts appear. The need for COSO 2.0 as I envisage it is urgent.

Oh, and by the way, try to keep it short and simple.

I’d love to hear your comments. What would you like to see in COSO 2.0?


Planning for Internal Audit Value

As the recent financial crisis emerged and the ensuing recession developed, there were many cases where it appeared the internal auditing profession was in full retreat. I recall a story from Compliance Week at the height of the financial crisis in which a chief audit executive suggested that auditors get back to good old-fashioned expense account auditing and stop the silliness of enterprise risk management and other exotic audit activities.

From the other perspective, I just read an article in the November issue of Tone at the Top, published by the Institute of Internal Auditors, entitled “What’s Your Definition of Value?” The story addresses the question of how internal audit adds value. It leads me to think about how the focus of most internal audit departments in November is on planning for 2011. Perhaps delivering more value should be incorporated as a goal for the year ahead.

According to the article, internal auditors bring value to senior management, governing bodies, and other organizational stakeholders, “primarily through their insight into the organization; the objectivity with which they view the organization’s culture, system of internal control, and risks; and the assurance they provide that policies and procedures are being followed, that the organization is complying with laws and regulations, and that the internal controls in place are adequate to mitigate risks.”

Fair enough, but in many cases, internal auditors failed to detect or report the risks that caused their companies to fail or exposed them to massive losses. Adding value in auditing, as in every other discipline, requires planning and execution. It starts with doing the right thing and doing things right.

One criticism I have experienced with internal audit is its lack of relevance to the business. Relevance means doing the right thing. Doing the right thing means internal auditors must focus their resources on the economic value of the business, the business model, and the operating and strategic risks to both. Too often audit resources are focused on an accounting perspective and transaction streams.

The financial failures we have seen were not accounting failures; they were risk management failures at the heart of the business. Most were not on the radar of the internal auditors. (If they were, then internal auditors have some explaining to do.)

Doing things right does not just mean conducting audits. What executives and directors need is reliable information, not audit reports, and they are not the same thing. Doing things right means creating and communicating information on the status of risks and controls as they relate to the performance of the business and compliance with laws and regulations.

What are the major risks? What are the emerging risks? What strategies are in place to manage the risks? What are the known control issues, and how are they impacting business performance? What incidents and events are we experiencing, and what are they telling us about risk management practices?

Internal auditors need to unlock their working papers and share this information, not just their conclusions about control effectiveness. Internal auditors are key players in the world of governance, risk and compliance. They have unrealized potential that we can’t afford to waste.


Governance, Risk and Compliance Roundup: November 1 – 15

There has been plenty of compliance news over the past two weeks, with stories on the proposed SEC whistleblower rules and on increased FCPA enforcement actions. Here is a recap of these stories and other news that made headlines.

SEC RELEASES PROPOSED RULES FOR WHISTLEBLOWER PROTECTION
On November 3, the SEC published a 181-page document outlining the proposed rules for the whistleblower protection mandated under the Dodd-Frank Act. The document sets out principles whereby employees are asked to use their internal compliance procedures first, before going to the SEC. It has created significant debate and concern about how these new bounties will incent employee behavior.

FEDERAL BRIBERY INVESTIGATIONS SPARK SHAREHOLDER LAWSUITS
Increased enforcement of the Foreign Corrupt Practices Act is leading to a sharp rise in related shareholder lawsuits against public companies, a Reuters Legal analysis of Westlaw data shows. Over the past four years, the Justice Department has filed 95 enforcement actions for alleged violations of the FCPA, which bars U.S. public companies from bribing foreign officials or executives at companies owned by foreign governments – compared to 23 such actions in the prior four years. More than 240 federal criminal or civil investigations related to potential FCPA violations are currently underway, government reports indicate.  Read more on Westlaw News and Insight.

FCPA SETTLEMENT DAY: DOJ GUIDANCE ON THE BEST PRACTICES OF A CORPORATE COMPLIANCE PROGRAM
An article on Corporate Compliance Insights highlights that recently resolved enforcement actions have given the FCPA compliance practitioner significant insight into current DOJ thinking on what constitutes a best practice for FCPA compliance programs. Read more…

CORPORATE GOVERNANCE WATCH: BOARD GOVERNANCE IS GETTING A MAKEOVER
This Westlaw Business article highlights how board governance is getting a makeover as companies work to get ahead of Dodd-Frank-driven changes. Proxy season is not quite here, but change is already in the air and filtering into corporate bylaws as corporations review and amend them. Dodd-Frank, the SEC’s expanded corporate governance and executive compensation disclosures, and various court rulings are setting up 2010 annual meetings to be – for good or for ill – a very interesting proxy season.

SPURRED BY DODD-FRANK, PLAINTIFFS’ BAR DIGS FOR WHISTLEBLOWERS
A newly expanded whistleblower program in the Dodd-Frank law has opened a fertile business opportunity for plaintiffs’ lawyers and sparked a feverish multimedia marketing effort aimed at people in a position to report financial skullduggery to the SEC. Read the Westlaw Business article ...


Governance, Risk and Compliance Round-up: October 2010

As a regular feature on the Inside-GRC blog, we will be providing a weekly summary of interesting topics related to governance, risk, and compliance. To start things off, I have provided a few topics that caught my eye as I reviewed some of the most important stories from the month of October. In case you missed them, I have provided an abstract of each story and a link below. Please check back weekly to find out what’s new in GRC. Enjoy.

UNLOCKING THE VALUE OF INTERNAL AUDIT
Ernst & Young commissioned Forbes Insights to conduct a global survey about the evolving role of internal audit. Only 44% of respondents believe that internal audit is helping their organization achieve its business objectives. And fewer — 37% — say they involve internal audit in key business decisions and strategy. Read the full report at http://bit.ly/baNVGI

PRINCIPLES FOR ENHANCING CORPORATE GOVERNANCE
If you have not yet had the opportunity to do so, I would recommend reading the Basel Committee on Banking’s recently published document related to corporate governance. Although written to address the fundamental deficiencies in bank corporate governance that became apparent during the financial crisis, this report contains sound advice for any organization related to governance and risk management. Read the full report at http://www.bis.org/publ/bcbs176.htm

REGULATORY INTELLIGENCE: BOMBARDMENT OF REGULATIONS UPON ORGANIZATIONS
Michael Rasmussen provides a good article on his October 27 Corporate Integrity blog that discusses the current challenges with managing the volume of current and new regulations. Read the entire blog post at http://eepurl.com/bqKjn

2010 INTERNATIONAL AUDIT COMMITTEE MEMBER SURVEY
On October 12, KPMG’s Audit Committee Institute released the results of the 2010 International Audit Committee Member Survey, in which nearly 1,200 audit committee members from 34 countries identify their top concerns and share their views on a host of financial reporting issues and oversight challenges. There are some interesting findings in this report, including that 72% of respondents reported that there is currently no risk committee at the board level. Read the entire report at http://bit.ly/d7GFph

GLOBAL FRAUD REPORT – ECONOMIST INTELLIGENCE UNIT SURVEY RESULTS
This year’s annual Global Fraud Survey, commissioned by Kroll and carried out by the Economist Intelligence Unit, polled more than 800 senior executives worldwide from a broad range of industries and functions in July and August 2010. Fraud is alive and well in most corporations, with almost 90% of survey respondents reporting that they had been victims of fraud. Read the full report at http://bit.ly/bKWgNq

TRANSPARENCY INTERNATIONAL PUBLISHES CORRUPTION PERCEPTIONS INDEX 2010
With governments committing huge sums to tackle the world’s most pressing problems, from the instability of financial markets to climate change and poverty, corruption remains an obstacle to achieving much-needed progress. The 2010 Corruption Perceptions Index shows that nearly three quarters of the 178 countries in the index score below five on a scale from 10 (highly clean) to 0 (highly corrupt). Read the results at: http://bit.ly/bWjkMV


The New GRC Profession – The Whistleblower?

Reuters reported Wednesday on the GlaxoSmithKline PLC settlement, in which Glaxo agreed to pay $750 million to settle a U.S. government investigation of manufacturing deficiencies. The investigation was initiated by a suit from a former employee, who is now entitled to $96 million under the federal whistleblower law. The incentive created by this settlement, together with the new whistleblower provisions of Dodd-Frank, raises the question: “Are employees now more empowered and incented to be whistleblowers – in effect, independent auditors and freelance compliance monitors reporting corporate wrongdoing?”

I recognize that the concept of whistleblower payouts and protection is not new, and that much of the current activity falls under the 1986 amendments to the federal False Claims Act and Section 806 of SOX. I also want to be clear that I do believe, in concept, that providing whistleblower protection is a good thing. What I do find interesting, however, is the pervasiveness of whistleblowing and the impact that whistleblowers have on organizations.

According to the recently published Fulbright & Jaworski Litigation Trends Survey, 22 percent of organizations have been subject to an allegation by a whistleblower in the past three years. Of those, 86 percent of claims initiated an internal investigation, 42 percent resulted in a regulatory investigation and 46 percent ended up in a third-party proceeding.

Statistics from the DOJ are equally interesting. According to a November 2009 press release, the Justice Department recovered $2.4 billion in false claims cases in fiscal year 2009 and more than $24 billion since 1986. Furthermore, a majority of these claims were filed under qui tam provisions. With the passage of Dodd-Frank, these numbers are expected only to climb higher.

The Dodd-Frank Act requires the SEC and the CFTC to pay between 10 and 30 percent of any award received by the government to whistleblowers who voluntarily provide original information about a violation of securities or commodities laws (including the FCPA) that leads to a government recovery with monetary sanctions exceeding $1,000,000.

News of $96 million payouts, along with the liberal provisions of Dodd-Frank, will incent some employees to take on this new, lucrative, self-appointed role of whistleblower. The corresponding challenge for internal audit, risk management, and compliance professionals is how to work proactively with these employees so that fraud and violations are reported early, when the law incents them instead to wait for these problems to get big (over $1,000,000) and then report them to the SEC.

Until the law changes or refined legislative guidance is passed, consider the whistleblower to be the newest, and potentially the most influential, role in the stable of governance, risk, and compliance professionals.
