Posted on 1 Comment

Focus on the Bad Actors! DOJ Outlines Key Policy Revisions Re-Focusing on Individual Accountability

American Conference Institute’s 35th International Conference on the Foreign Corrupt Practices Act

“Fighting white-collar crime is a top priority for the Department, and we increased prosecutions in every priority area last year. Thanks to a series of initiatives and policy enhancements, we are making white-collar enforcement more effective and more efficient.”

“Under our revised policy, pursuing individuals responsible for wrongdoing will be a top priority in every corporate investigation.”

On November 29, 2018, keynote speaker Deputy Attorney General Rod Rosenstein outlined the revisions to the DOJ’s policy regarding individual accountability in corporate cases, both civil and criminal.

He emphasized holding “individuals responsible for wrongdoing,” thereby increasing the deterrent effect of prosecutions, an effect that he noted is often lost in corporate-level prosecutions, as well as creating policies that work in “the real world of limited investigative resources.”

Furthermore, Rosenstein noted that the revised policy will offer corporations cooperation credit in civil corporate investigations, stating “the ‘all or nothing’ approach to cooperation introduced a few years ago was counterproductive in civil cases.”


Rosenstein noted that a corporation “must identify all wrongdoing by senior officials, including members of senior management or the board of directors, if it wants to earn any credit for cooperating in a civil case.” He also stated that a corporation can earn maximum cooperation credit, if it identifies “every individual person who was substantially involved in or responsible for the misconduct.

Practice Pointer – This is why it is imperative to triage allegations appropriately and when the situation warrants conduct an Independent Investigation!

Internal Investigation: Directed by management, either with company investigative resources or outside counsel  and consultants.

Independent Investigation: Directed by a committee of  the Board of Directors (e.g., audit committee or special  committee) with independent counsel and consultants.

Rosenstein revealed that prosecutors will also have permission and discretion to negotiate some amount of credit, even where maximum credit is not available to the corporation, providing the possibility for credit where a corporation meaningfully assists the government in its investigation and eliminating, in his words, a “binary choice” that could “delay the resolution of some cases while providing little or no benefit.”

For example: In a civil False Claims Act case, a company might make a voluntary disclosure and provide valuable assistance that justifies some credit even if the company is either unwilling to stipulate about which non-managerial employees are culpable, or eager to resolve the case without conducting a costly investigation to identify every individual who might face civil liability in theory, but in reality would not be sued personally.

Note that Rosenstein made clear that no credit would be available in cases where it is revealed that a corporation concealed misconduct or wrongdoing “by members of senior management or the board of directors.” In addition, he stated that prosecutors will have discretion to “negotiate civil releases for individuals who do not warrant additional investigation in corporate civil settlement agreements” and to “consider an individual’s ability to pay in deciding whether to pursue a civil judgment.”

In summary, Rosenstein’s remarks seem to be a logical and balanced approach to re-instituting the discretion that DOJ prosecutors once had in civil cases so that cases could be resolved more efficiently, while also ensuring a strong deterrent effect.

Criminal Cases

Switching gears, Rosenstein addressed individual accountability in criminal cases. Specifically, he stated that “absent extraordinary circumstances, a corporate resolution should not protect individuals from criminal liability.” As such, the revised policy instructs prosecutors that “any company seeking cooperation credit in criminal cases must identify every individual who was substantially involved in or responsible for the criminal conduct.” However, Rosenstein also emphasized that investigations should not be “delayed merely to collect information about individuals whose involvement was not substantial, and who are not likely to be prosecuted.”

The Top

Rosenstein stated that the new policy would focus on those at the top, including individuals “who play significant roles in setting a company on a course of criminal conduct” or “who authorized” such conduct. Finally, the revised policy eliminates any cooperation credit that a company would otherwise receive if the DOJ finds that a company is not operating in good faith to identify individuals who were substantially involved in or responsible for wrongdoing.

Some Key Takeaways 

  • Yates Memo The DOJ will continue to focus on individual accountability in investigations and prosecutions.  Note:  The Yates Memo puts a particular emphasis on the need to hold high-level officials responsible for misconduct.
  • Cooperation is key especially when there is alleged criminal conduct – Corporations must cooperate if they are seeking credit.
  • Investigations – Corporate investigations must be done with care.
  • Oversight The rule of law is not simply about words written on paper.  After all as Rosenstein remarked, it is the culture of a society and the character of the people who enforce the law determine whether the rule of law endures. 
  • Ignorance will not be tolerated – “Companies that self-report, cooperate, and remediate the harm they caused will be rewarded. Companies that condone or ignore misconduct will pay the price.”

Rosenstein summed up his remarks by stating that corporate enforcement policies should encourage companies to implement improved compliance programs, to cooperate with DOJ investigations, in an effort to resolve cases expeditiously, and to assist in identifying culpable individuals so that they also can be held accountable when appropriate.

Closing Thoughts

I personally think this is another step in the right direction; however, I would like to see more emphasis and incentive placed on the board of directors to do right, after all they are part of “the top“, but I am pleased they were called out twice.  After all, the starting point for setting the tone begins with the corporation’s governing authority; generally, this means the board of directors. 

Having an investigative team that understands governance, risk management, and compliance is more important than ever!

I welcome your thoughts, comments, and opinions.


Jonathan T. Marks

Harvard Law
Greg Paw
Posted on

Robotic Process Automation: Using Technology for Forensic Investigations and Compliance

yogi berra

As My good friend Robert Mainardi says, When presented with any new technique, approach, or methodology, there is always the temptation to jump right in and start using it without developing the proper standards., which taken further could mean, If you don’t know where you are going, you’ll end up someplace else. – Yogi Berra


Moravec’s paradox is the discovery by artificial intelligence and robotics researchers that, contrary to traditional assumptions, high-level reasoning requires very little computation, but low-level sensorimotor skills require enormous computational resources.

What this probably means is that it’s hard to teach machines to do things that are easy for most humans, like walking. but comparatively easy to teach them things that are challenging for most humans, like the game of chess.

So, applying technology, including robotic process automation to repetitive, manually intensive monitoring and testing activities allows the organization’s internal audit, compliance, or investigative team to focus their efforts on intricate or complex issues requiring judgement, like conducting a root cause analysis on a compliance breakdown or even worse, interviewing an alleged fraudster.

Today’s Landscape

Many organizations are facing tremendous pressure to increase their productivity, reduce costs and improve their bottom line. One way to accomplish these outcomes is by implementing technology that appropriately includes robotic automation solutions.

There are many forces driving change and disruption is the new normal.

Using the right technology to combat uncertainty and manage known and unknown risks that can deliver actionable insight, mitigate compliance risk, enable strategic decision-making, and possible reduce cost.


Embracing and leveraging emerging technology, including robotic automation, will continue to play a key part in driving a more efficient and rigorous compliance program and aid in conducting more efficient forensic investigations. For example, technology can be used to enhance continuous auditing or monitoring techniques, which some benefits are listed below.

  • Internal Audit  – Increase auditor business unit knowledge and exposure. Proactive identification of trends and root cause focus. Establish and foster business management relationships Enhance audit product offerings Manage audit workload more effectively and efficiently.
  • Audit Committee – Expansion of risk and audit coverage Standardization of audit results
  • Compliance and Management – Validate compliance with existing policies and procedures. Provide potential methodology for self-assessment
  • External Partners – Potential reduction in external work performed

How it Works

Robotic Process Automation (“RPA”) structures and connects multiple fragmented systems to capture process actions, such as transactions and data manipulation, to trigger responses and communication with other digital systems without changing the current IT landscape. Yes, we even have tools that can pull data from legacy systems without writing code!  This dramatically simplifies workflow with minimal disruption to your existing infrastructure.

RPA works like a virtual employee by replicating keystrokes and performing repetitive tasks that consume employees’ valuable time, and is expanding rapidly to take on even more challenging tasks.


Today, leading practices like my firm Baker Tilly, couple advanced RPA technologies with extensive process subject matter expertise to design and deploy effective RPA solutions that achieve higher rates of success and outcomes related to error and cost reduction.

For an organization, implementing RPA is a journey and requires a shift in mindset to innovate their way of doing business and assimilate the ‘robots’ in their human workforce. This is accomplished by first identifying high volume, repetitive, manual or low-value business processes, and then transforming these manual processes to an automated platform that should provide higher efficiency, better security, and better quality with a rapid ROI.

The automation journey leads to the establishment of a robotic center of excellence that supports adoption and optimizes the robots for future business applications across the organization.


The Forbes Insights Report “Audit 2025” notes that “audit is changing at an unprecedented pace as technology continues to evolve and clients increasingly expect more.” Forensic investigations, and compliance likewise are ripe for evolution as it continues to harness incredible revolutions in high tech.

Baker Tilly can help. Please reach out to me and we can have a confidential discussion.

As always, I welcome your thoughts and comments and remember no topic is undiscussable!



Jonathan T. Marks, CPA, CFE


Robert Mainardi – Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology

What is Robotic Process Automation?,” Institute for Robotic Process Automation.

Posted on

Fraud Risk Management: Some Reasons Why We Fail

I’m often am asked what can be done to make a fraud risk management program better, assuming one exists.  In order to make something better, one must recognize and come to terms with any gaps or weaknesses.

Here a few things to think about when it comes to your fraud risk management program.

  • Have you defined your risk universe (see below)
  • Are you looking for fraud (internal audit and compliance programs)
  • Do you truly understand your culture?
  • Have you reviewed the human factor (i.e. gatekeepers) when it comes to designing internal controls?
  • Are you listening to what your hotline data is telling you and are you learning from other failures or frauds (schemes, trends, etc.)
  • Was there ever an independent review of your governance framework?
  • Are you sure your “Tone or Conduct at the Top” resonates down, through, and across the organization, or is there “Rot at the Top“, meaning bad apples, are creating bad bunches and ultimately there is a bad crop (A-B-C Theory of Bad Behavior)?
  • Do your key stakeholders truly understand the business, its strategy, and objectives?
  • Are you using the meta-model of fraud to conduct your risk assessments?
  • Is your training limited, poor, or non-existent?
  • Are you treating symptoms vs. identifying the probable root cause of compliance failures or incidents of fraud?
  • Have you operationalized your compliance program?

Practice Pointers

  • Listen, really listen to your employees while they are employed and on their way out the door.
  • Understand that fraud comes in many forms. So do its causes.
  • Designing the right fraud risk management program depends
    on a few things including your fraud risk assessment and your control environment.
  • A problem in your control environment should be a full-stop moment.
  • Control environment is defined by the “Tone at [from] the Top”, or now referred to as “Conduct at the Top”. The Control Environment encompasses the culture, ethical values, teamwork, morale, and development of employees.
  • Close or remediate all gaps, if possible.


Fraud risk management should be viewed as an evolution and not a revolution. Learn from prior incidents and frauds.  Use the information garnered from hotline data, surveys, audits, and continuous and on-ongoing monitoring activities to tune or calibrate your programs.

Update the risk assessment as changes happen, not at predefined intervals!

“You ultimately need to understand the risks within the organization, but you also need to understand the risks out side the organization and within the ecosystem the organization operates.” JTM

I welcome your comments and suggestions.


Jonathan T. Marks

Posted on 1 Comment

Fraud and Related Party Transactions

Related party transactions could be a “red flag“, and must be evaluated with the proper skepticism!
Perceived opportunities to commit management fraud include the ability of the fraudster to obfuscate the misbehavior behind complex transactions or related-party structures, which are usually not disclosed.  Remember, as I say, “fraud is not about obstruction – it’s a game of deception, deflection, and distraction!”

Failure to disclosure should lead to further inquiries!

Due to their nature, related parties should be part of the fraud risk assessment process and considered during an investigation, but are often overlooked!Related party relationships are frequently linked to sham transactions and could occur as follows:

  • Sales activity between two parties, often related by law or industry, where insufficient consideration is given for the sales transaction.
  • Seller provides total financing to transfer consideration.
  • Below FMV transactions.
  • Borrowing or lending on an interest-free basis or at a rate of interest significantly above or below market rates.
  • Exchanging property for similar property in a non-monetary transaction.
  • Loans with no scheduled terms for when or how the funds will be repaid.
  • Loans with interest accruing differently from market rates.
  • Loans to parties lacking the capacity to repay.
  • Loans advanced for valid business purposes and later written off as uncollectible.
  • Non-recourse loans to shareholders.
  • Agreements requiring one party to pay the expenses on the other’s behalf.
  • Business arrangements where the entity pays or receives payments of amounts at other than market .
  • Consulting arrangements with directors, officers, or other members of management.
  • Goods purchased or sent to another party at less than cost.
  • Material receivables or payables from/to related parties such as officers, directors, and other employees.

Here is a research paper for some additional color.

board meeting


Related-party transactions create the potential for a conflict of interest. Conflicts of interest fraud schemes include:

  • Purchase schemes, which involve the over-billing of a company for goods or services by a vendor in which an employee has an undisclosed ownership or financial interest
  • Sales schemes, which involve the underselling of company goods by an employee to a company in which the employee maintains a hidden interest

Some questions to ask management

  • Are periodic comparisons of vendor information with employee information, such as addresses and telephone numbers performed on a regular basis?
  • Are vendors who employ former company employees under increased scrutiny?
  • Does the organization have a reporting procedure for personnel to report their concerns about vendors receiving favored treatment?
  • Are employees required to complete an annual disclosure document that includes business ownership, income, and investment information?
  • Does the organization require vendors to sign an agreement allowing vendor audits?
  • Are vendor audits conducted by someone independent of the purchase, sales, billing, and receiving departments?
  • Are hospitality expenses being appropriately monitored?

Those subject to the 1934 Act

Regulation S-K requires disclosure of any transaction exceeding $120,000 “in which any related person had or will have a direct or indirect or material interest.” A related person is defined as a director or executive officer, a director nominee, a beneficial owner of more than five percent of the company’s voting stock, or an immediate family member or household member (other than a tenant or employee) of any of the aforementioned persons.

Transactions to be disclosed include, but are not limited to, any “financial transaction, arrangement or relationship (including any indebtedness or guarantee of indebtedness) or any series of similar transactions, arrangements or relationships.” The SEC released sample scenarios for such transactions, along with clarifications of terms, in Compliance and Disclosure Interpretations about Item 404 of Regulation S-K after adopting amendments to the rule in 2007.

Item 404 of Regulation S-K also requires disclosure of company policy concerning the “review, approval or ratification” of related-party transactions, including the types of transactions that are covered in the policy, the standards applied, who is responsible for applying the policy, and whether the policy is in writing.Directors should recuse themselves from any discussions or decision-making in regard to a transaction with a related party – this goes for public, private, and not-for-profit concerns.


Related party transactions need to be carefully evaluated. Corruption really cannot exist without a conflict of interest. Each and every corrupt act is driven by an underlying conflict.

Remember, just because someone discloses a related party or a conflict of interest doesn’t necessarily mean its legitimate!  In fact, it could be a way of earning your trust and reducing your level of skepticism!

I welcome your comments, thoughts, and suggestions. A site where no topic is undiscussable!



Jonathan T. Marks, CPA, CFE

Steve Albrecht
Joe Vona
Posted on

Board Member Composition: Participants, Passengers, and Prisoners?

I have spoken with many board members and attended many meetings over the years, and I am amazed at how many members literally are not engaged, which reminded that one of the traits of an effective leader, or Pilot, is being a good team builder. But how can you build a good team if you don’t understand the players?  I’m not speaking about understanding their skills, I am speaking about understanding their level of engagement.  That amorphous concept most ignore.

Board’s Role

First, let’s start with the role of the board.  As the organization’s ultimate decision-making body, the board of directors plays two critical roles: overseeing management on behalf of shareholders and other constituencies; and advising management, albeit with limited involvement in everyday company operationsnose in, hands off! The board should not attempt to run the operations of the organization; it should oversee how management runs the company.

Boards that routinely infringe upon management duties and responsibilities risk upsetting a structure that is intended to help both of them.

In contrast, members of management are full-time employees whose main responsibility is to operate the organization. 

So, what should board members be doing at a minimum?

Devote the time necessary to do the job. Being asked to serve as a director is, of course, an honor, but, unlike awards for good citizenship, it requires a continuing commitment of time. No one should undertake a directorship unless he or she is confident of having sufficient time to do the best job possible. Thus, directors should do their best to attend all board and committee meetings.

Directors should also fully prepare for board or committee meetings. Adequate preparation involves study, reflection, and formulation of any questions concerning the reports, proposals, or other documents to be considered at the meeting. Conscientious directors must also be prepared for unanticipated demands on their time and be willing to set aside other pursuits to deal with emergency situations if and as they arise. If a director has a poor attendance record at board and/or committee meetings, the same will be reported.

Be an active participant. Each director should actively participate in the board’s work and resolve all relevant questions before voting on an issue. Questions should generally be asked as they occur to directors rather than postponed until the meeting. By resolving as many matters as possible beforehand, directors can avoid clogging the flow of the meeting and allow their colleagues to concentrate on the matters of greatest importance.

On the other hand, if directors genuinely feel that an issue has not been resolved to their satisfaction, they should not hesitate to press the point with their colleagues and insist on a satisfactory answer.

Honor the office. Directors must always be conscious of the fact that they have been chosen for a position of special trust and confidence. Serving on a board of directors is a cooperative, collegial endeavor in which the ultimate goal is to advance the collective interest. Individual ego and interests must therefore be subordinated to the interests of the board, the shareholders, and, ultimately, the interests of all stakeholders in the corporation. Accordingly, while responsible directors should approach all matters with an open mind and be receptive to the opinions and ideas of others, in the end they must rely on their own sense of what is fair, equitable, and in the best interests of the corporation.

On-going training:  Board member training is often overlooked – board members simply don’t know what they don’t know! Training helps ensure at a minimum that members are current on leading board practices and understand emerging issues, which could enhance overall board member decision-making by helping calibrate a board members degree of skepticism when evaluating the reasonableness of the answers received to the questions we ask.

Applying the right amount of skepticism: Serving as a director requires professionalism, which includes applying the right amount of skepticism – trust can and often is a professional hazard, so verify.

Always insist that you receive complete, accurate, and timely information.  Understand at a minimum who prepared it, who reviewed it, what data was used and why, and when was it prepared. 

Board Engagement

So what is a best composition of a board?  I’m not that smart to answer; however, I do believe that knowing your board is essential to effectively govern.

Below is an tool (list of categories) that I hope you find useful in determining your level of board engagement as you work towards building an exemplary board.


Participant (High) : This board member is , sometimes called “Engaged”, and devotes the necessary time to do the job. He or she wants to learn about the business, the space they operate, senior leadership, their shareholders and stakeholders, always comes prepared, is enthusiastic, cooperative, collegial and fully engaged with the process and offers their opinion on strategy, risk, and other topics with the ultimate goal of being advancing the collective interest.

Positive Passenger (Medium-High): This board member might be new and lack confidence to immerse themselves in the process; has a tendency to sit back and listen; wants to chime in, but doesn’t always.  Positive Passengers in my experience do often become Participants.

Passenger (Medium): This board member is physically present, but that’s all. They are just along for the ride.  They have no intention of disrupting any meetings, but neither will they  engage or play an active role in governing.

Negative Passenger (Medium-Low): This board member is capable of delivering, however, is either too busy to engage, doesn’t believe in the overall strategy, or has other issues that are not readily apparent or that are being addressed.

Protester or Disruptor (Low)These board members don’t want to be there for a variety of reasons and will let everyone know about it! They often disagree with everything, and generally go out of her way to make the experience as unpleasant as possible for everyone. Chances are, they think they know everything and can do it better, when in actuality they don’t and can’t.

stuck in a box

When it comes to Prisoners (below) , you could classify them as having high, medium or low engagement.

Prisoner: Similar to the Passenger, these board members resigned to being there but, are tired or like the Protester, feel trapped and are just waiting for their term to expire or want to escape. Unlike the Protester, however, they are not confrontational.  These board members can be high-risk when it comes to making decisions that require good or sound judgment, because they might just not care.

Positive Prisoner: These board members feel trapped, but aware and prepared to exit once they feel they have fulfilled their obligations. They are motivated at times, somewhat focused and do display confidence – in essence they are partially engaged, but may not care about the long-term strategy because they know they know they won’t be there.

Negative Prisoner:  These board members feel trapped and have gotten themselves in a place where they don’t want to be, but lack of motivation to exit.  You don’t get much from them as they are usually not engaged, but they are generally not disruptive. You’re stuck with them!


As the Pilot you should also be cognizant of some issues that might negatively impact or disrupt board dynamics.  Here are the more pervasive ones I have experienced –

  • Directors that overstep their boundaries of their oversight role – again nose in, hands off;
  • Directors that don’t challenge senior leadership enough or appropriately; and
  • Directors skills that have deteriorated for some reason or another, including age.

Exemplary Boards

board trust
Virtuous Cycle

What distinguishes exemplary boards is when the members are a mostly engaged and self-aware.  In addition, there is a virtuous cycle of Respect, Trust, and Candor, or what I have coined as the “RTC Factor“.  A successful board usually has chemistry that can’t be quantified and could possibly included a mix of passengers, participants, and prisoners.  Knowing your RTC Factor in my opinion increases the chairperson’s odds of being an effective leader, which could be the difference between achieving the objectives or not.

Exemplary Boards get into a virtuous cycle, discussed above, in which one good quality builds on another. Team members develop mutual respect; because they respect one another, they develop trust; because they trust one another, they share difficult information; because they all have the same, reasonably complete information, they can challenge one another’s conclusions coherently; because a spirited give-and-take becomes the norm, they learn to adjust their own interpretations in response to intelligent questions.

A virtuous cycle of respect, trust, and candor can be broken at any point. One of the most common breaks occurs when the CEO doesn’t trust the board enough to share information. 

To be clear, respect and trust don’t imply endless affability or absence of disagreement. Rather, they imply bonds among board members that are strong enough to withstand clashing viewpoints and challenging questions.


As a Pilot or leader, you must know your board members and keep them engaged and try to enhance the dynamic!

Sometimes board turnover is good. It brings new voices and hopefully new perspectives.

If you’re a board member and reading this, be honest with yourself and keep in mind the risks of not being engaged.

I welcome your thoughts and opinions and remember that no subject as undiscussable!


Jonathan T. Marks, CPA, CFF, CFE

Attribution and Trademarks:
HBR and Jeffrey Sonnenfeld
Pilots, Participants, Passengers, and Prisoners or the 4 P Evaluation Method are Trademarks of Jonathan T. Marks and may not be used without express written permission.