
Slush Funds and the Juniper Networks FCPA Settlement


After what appears to be a 73-month investigation, as part of an internal administrative order, Juniper Networks, Inc. – NYSE: JNPR (“Juniper”, or “the Company”) will pay $11.7 million as part of a settlement with the Securities and Exchange Commission (“SEC”). However, in an 8-K filed on February 9, 2018, Juniper disclosed that the Department of Justice (“DOJ”) had completed its investigation and, citing Juniper’s cooperation, decided to take no further action against the company – no criminal charges. Apparently the DOJ had sent the letter closing its investigation in the fourth quarter of 2017.

The SEC settlement is broken down as follows: a $6.5 million civil penalty; $4 million in disgorgement, representing the amount of profit the company made as a result of the conduct; and about $1.2 million in interest.

What Happened?

From 2008 to 2013, sales employees in Russia agreed to increase discounts on sales made by third-party partners, according to the settlement. The discounts were funneled into off-book funds, referred to as “common funds” (in the fraud space called “slush funds”), which were directed partially by Company sales representatives and used to pay for customer trips, including travel for foreign officials to various locations where there were no Juniper facilities or industry conferences related to Juniper’s business – the trips had little to no business purpose.

The trips “were predominantly leisure in nature and had little to no educational or business purpose.” That would include trips to places where there were no Juniper facilities, nor any industry conferences related to Juniper’s line of work.

During a similar period, sales employees at the Company’s Chinese subsidiaries paid for excessive travel and entertainment of customers, including foreign officials. Certain local marketing employees falsified trip agendas to understate the amount of entertainment offered on the trips. These sales employees submitted the falsified and misleading trip agendas to Juniper’s Legal Department to obtain event approval, apparently subsequent to the event taking place and without adequate review.

Juniper learned of the “common funds,” which were against corporate policy, in late 2009. However, diverting funds and using them to pay travel expenses continued through 2013. 

Deeper Into the Weeds

The conduct by the Company’s Russian and Chinese subsidiaries violated the FCPA’s internal controls and record-keeping provisions.

The crux of this matter is Juniper’s overseas subsidiaries, which appear to have exploited weak oversight of accounting policy and overridden weak internal controls to create off-book “common fund” accounts, or slush funds, used to pay bribes.

The SEC’s order states the bribery happened from 2008 to 2013. Juniper’s subsidiary in Russia, JNN Development Corp., worked with local partners in that country to increase discounts those partners would supposedly offer to customers — except, of course, those discounts never actually reached Juniper’s customers.  Instead, the local partners diverted that money into a slush fund to cover travel and marketing expenses for customers, including foreign government officials. Those customers received free trips which, to use the SEC’s words, “were predominantly leisure in nature and had little to no educational or business purpose.” That would include trips to places where there were no Juniper facilities, nor any industry conferences related to Juniper’s line of work.

At least some of these trips were directed by JNN executives, which is not surprising. More disturbing is that Company executives allegedly knew about this behavior as early as 2009 and told JNN to stop — but the funneling of monies into the “common funds” and the improper trips continued into 2013.

Meanwhile, from 2009 through 2013, roughly the same four years, sales employees at Juniper’s Chinese subsidiaries were busy falsifying trip and meeting agendas for customer events in an attempt to conceal the real value of entertainment involved on the trips. Apparently, falsified agendas were submitted to Juniper’s legal department for approval. Against Juniper’s travel policies, the legal department approved numerous trips without adequate review and after the events had taken place.


Key Best Practices

Fraud detection and prevention is not a hobby. Ensure you have the proper skills on your team!

  • Check your allegation triage process and escalation protocols.
  • Analyze your governance framework and ensure business practices and ethics are key components of the framework.
  • Conduct risk-based ethics and compliance training.
  • Revisit your risk assessment continuously, not at prescribed periods. Remember: achieving strategy equals risk management plus effective internal controls!
  • Russia and China are inherently high-risk countries and markets for bribery.
  • Ensure fraud controls are properly designed to deter, detect, or prevent unethical behavior or, worse, fraud.
  • Discounts and rebates have historically been a source of consternation for many organizations. Ensure procedures are designed to test both the design and the effectiveness of the controls surrounding any discount or rebate program.
  • Monitor customer sales activities for suspicious activity: follow the money!
  • Revisit your policies and procedures and determine whether they address pertinent issues, such as what constitutes acceptable behavior by employees. Ensure your internal audit plan is truly risk-based.
  • Assess the skills of internal audit. If there is a deficiency in skills related to fraud and the FCPA, strongly consider augmenting your internal audit team with outside professionals who can “tuck in” and provide those skills.
  • Review your third-party risk management program.
  • Have your compliance program reviewed, at a minimum every three (3) years, by outside independent professionals to ensure that it is not stale.

Board Members

  • Seek to understand communication protocols and the escalation process.
  • Review the allegation log frequently, but no less than every 60 days, to ensure investigations are being done timely. Question investigations that have stopped or have lingered on beyond 60 days.
  • Ensure the board (audit committee) is being briefed timely on all serious matters by the chief audit executive and chief compliance officer.
  • Question the discipline applied to the bad actors and whether the risk assessment, compliance and ethics training, and monitoring protocols need to be modified.
  • Challenge your Chief Compliance Officer to provide evidence of the existence of a strong ethics and compliance program.

In the Juniper matter, there is no mention of what, if any, discipline was applied to those who ignored the “cease and desist”. Internal audit is also not mentioned, which seems odd.

Cooperation and Remediation

According to the SEC, Juniper cooperated by disclosing facts in a timely way and “voluntarily produced and translated documents” to the agency during the investigation.  They also “provided the [SEC] staff presentations regarding its investigation.”

As part of its remedial action, Juniper instituted a compliance preview and required pre-approval of non-standard discounts. It also now requires pre-approval for third-party gifts, travel, and entertainment, channel partner marketing expenses, and some operating expenses in high-risk markets. 

Closing

Governance, risk, and compliance are no joke – get in the game! 

Having an appropriate compliance structure that collaborates and works in harmony with internal audit and the legal function is a must to ensure risks are handled appropriately.

I welcome your thoughts and comments!

Best!


Jonathan T. Marks, CPA, CFE


Attribution:  SEC, DOJ, Stanford, WSJ


Niki A. den Nieuwenboer will be kicking off the 2020 IIA Philly Fraud Symposium sponsored by Baker Tilly – Mark your calendars for March 20th!


We just confirmed our first awesome speaker Niki A. den Nieuwenboer, Assistant Professor of Organizational Behavior and Business Ethics at The University of Kansas School of Business.


You all should know that leadership matters in fostering ethical conduct at work. However, the focus is often on top level managers and their “tone at the top.” The role of middle managers has remained somewhat of a mystery until now.

Niki den Nieuwenboer will lead a robust and enlightening discussion on her recent study that examined a case where middle managers, in response to upper management pressures, coerced front-line employees to deceive upper management about their performance.

She plans on spotlighting the creative role that middle managers played in finding ways to cheat, and discuss implications for ethics management and fraud prevention.

Stay tuned for more announcements about the symposium line-up and registration information as we round out the day!


Best!


Jonathan T. Marks, CPA, CFE


Jonathan T. Marks, Baker Tilly Partner, is Speaking Today at the First Chair Event in Chicago on Triaging Whistleblower Allegations


As the use of whistleblower programs continues to grow, many organizations find themselves struggling to manage burgeoning caseloads. As a result, serious fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips that contain allegations of ethical breaches can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, the most effective approaches often resemble the medical triage programs that hospitals and first responders use to allocate limited resources during emergencies, or a crisis situation. Here are some useful guidelines for designing and implementing a fraud triage system.

The Growing Use of Whistleblower Programs

Despite extensive fraud detection measures, closer management scrutiny, and increasingly sophisticated technology, the most common fraud detection method is still the simplest: somebody notices something suspicious and decides to speak up. According to the Association of Certified Fraud Examiners’ (ACFE) 2018 Report to the Nations on Occupational Fraud and Abuse, 40.0% of the cases reported in their study were uncovered as the result of tips (usually from an employee, supplier, or customer) – more than internal audit (15%) and management review (13%) combined. The ACFE study also demonstrates that dedicated reporting hotlines are particularly effective. In organizations where such hotlines were in place, 46.0% of the cases reported were uncovered through tips, compared with only 30.0% of the cases in organizations without hotlines. These results are consistent with patterns that have been recorded in the ACFE’s biennial survey since its inception 20 years ago. On a broader scale, as a matter of best practice, the COSO Internal Control–Integrated Framework, along with various other enterprise risk management (ERM) frameworks and guidance from the Institute of Internal Auditors (IIA), also emphasizes the importance of establishing and maintaining effective whistleblower programs.

In addition to their demonstrated effectiveness, whistleblower programs have also been promoted through recent regulatory actions. For example, one section of the Dodd-Frank Wall Street Reform and Consumer Protection Act directs the Securities and Exchange Commission to make monetary awards to individuals who voluntarily provide information leading to successful enforcement actions that result in monetary sanctions over $1 million. A few years earlier, the Sarbanes-Oxley Act of 2002 required the audit committees of publicly traded companies to establish procedures to enable employees to submit confidential, anonymous information regarding fraudulent financial reporting activities. Dodd-Frank and Sarbanes-Oxley are only two examples out of a broad range of laws that encourage – and often mandate – whistleblower programs. A 2013 study by the Congressional Research Service found no fewer than 40 federal whistleblower and anti-retaliation laws designed to protect employees who report misconduct. Eleven of those 40 laws were enacted after 1999. On February 21, 2018, the U.S. Supreme Court issued an opinion in Digital Realty Trust, Inc. v. Somers, a long-anticipated case that clarifies who is protected as a “whistleblower” under the Dodd-Frank Act’s anti-retaliation provisions. Because of how the opinion defines a “whistleblower” under Dodd-Frank, individuals now have a clear incentive to report all sorts of observations to the SEC before reporting those observations through their company’s internal reporting infrastructure. Under Dodd-Frank, an individual is now only protected from retaliation if he or she has reported a potential violation to the SEC before he or she separates from the company. Such laws not only make whistleblower programs more common, they also make the timely resolution of tips even more critical, as we are about to explain.

There is momentum today to correct Dodd-Frank.

On July 9, 2019, the U.S. House of Representatives passed H.R. 2515, also known as the Whistleblower Protection Reform Act of 2019 (“WPRA”). The WPRA is designed to address a gap in the whistleblower protections afforded under the Dodd-Frank Consumer Protection and Wall Street Reform Act of 2010 (“Dodd-Frank”), as interpreted by the Supreme Court in Digital Realty Tr., Inc. v. Somers, 138 S. Ct. 767 (2018). Specifically, the Supreme Court in Digital Realty Trust ruled that the anti-retaliation provision of Dodd-Frank does not extend to protect employees who only make reports concerning violations of securities laws internally, as opposed to individuals who made a report to the U.S. Securities and Exchange Commission (“SEC”). The WPRA is designed to amend Dodd-Frank to ensure the statute’s protections extend to individuals who make internal reports of securities violations.

Responding to Tips – Why Timeliness Matters

Dodd-Frank, Sarbanes-Oxley, and the various regulatory structures that were established to implement them are helping to mold a corporate environment where undervalued and underappreciated compliance professionals and in-house counsel are incentivized to “blow the whistle.” Such incentives can be helpful in creating a self-regulating environment, but they also make it essential that corporations establish a timely and effective process for remediating complaints. For example, to carry out its mandate under Dodd-Frank, the SEC established a separate Office of the Whistleblower, which has paid out more than $160 million to 46 whistleblowers in connection with 37 covered actions, as well as in connection with several related actions, since it was founded in 2011. Three of the ten largest whistleblower awards were made by the SEC during FY 2017.

Under this program, there are exceptions if at least 120 days have passed either since the auditor (excluding external auditors who obtained the information during the audit of an issuer) or accountant properly disclosed the information internally (to their supervisor or to another person in the organization who is responsible for remedying the violation, i.e., the audit committee, chief legal officer, chief compliance officer, or their equivalents), or since they obtained the information under circumstances indicating that the entity’s officers already knew of the information. Then they can report the lapse directly to the SEC and be eligible for a sizable whistleblower award – from 10 percent to 30 percent of any fines or sanctions that are collected. The program’s website prominently features headlines such as “SEC Issues $17 Million Whistleblower Award” and “SEC Awards More Than $5 Million to Whistleblower,” to cite only two of many recent examples. Since the program’s inception, the SEC has ordered wrongdoers in enforcement matters involving whistleblower information to pay over $975 million in total monetary sanctions, including more than $671 million in disgorgement of ill-gotten gains and interest, the majority of which has been, or is scheduled to be, returned to harmed investors.

With incentives like that, it should be no surprise that whistleblower complaints are on the rise. Yet in most cases, such awards would not have been available if the companies involved had resolved the initial fraud complaints within 120 days. Unfortunately, our experience indicates that, while many companies invest in tips hotlines and similar whistleblower programs, a large portion of them fail to invest adequately in an allegation review process for promptly evaluating, prioritizing, and responding to the whistleblowers’ tips in a systematic, repeatable, and defensible manner. As the number of tips grows and investigators’ caseloads expand, complaints end up sitting in a queue waiting to be investigated, while the company remains vulnerable to the risks the tipsters were warning about, and the SEC timeline is running.

A 2018 study of customers of the compliance software company NAVEX Global found that case closure times had risen to 44 days; according to their 2019 study, the figure has dropped to 40 days. This metric is important given that, under certain agency whistleblower provisions, an organization will have limited time to complete an internal investigation.

Moreover, when the various categories of fraud are compared, cases involving suspected accounting, auditing, and financial reporting fraud took the longest to resolve by far – 55 days! In other words, the average case closure time for cases of suspected financial fraud was almost halfway to the 120-day deadline – the point at which employees are incentivized to report the case directly to the SEC and expose the company to additional, sizable sanctions.

Hidden and Direct Costs of Delayed Response

Even setting aside potential SEC sanctions, delays in investigating whistleblower tips are costly in other ways. Delayed responses to tips can cause employees and other potential sources to lose confidence in the hotline or other whistleblower program, undermining the effectiveness of the compliance and ethics program and adding further complexity to the risk management effort. Most companies expend considerable time, effort, and resources in creating compliance and ethics programs. Failing to establish a system for dealing with allegations or tips in a timely manner can mean those expenditures are probably wasted. There are also direct costs associated with delays in handling tips. The losses resulting from a fraud scheme are directly related to how long the scheme goes on. The ACFE’s 2018 Report to the Nations found that the median loss for frauds that were uncovered in six months or less was $30,000. But at the other end of the scale, schemes lasting more than five years caused a median loss of $715,000. Simply put, the longer perpetrators are able to continue, the more financial harm they are able to cause. Clearly, the absence of an effective program for handling whistleblower complaints promptly and effectively can have a significant and direct financial impact – in addition to the regulatory, employee relations, and reputational risks such a shortcoming entails.

A Triage Approach

While there is no single, one-size-fits-all method for following up on whistleblower complaints, the most effective approaches are similar in many ways to medical triage programs, such as those implemented by hospitals and first responders during emergencies to help medical professionals prioritize the treatment of patients. In medical triage, those with serious, life-threatening injuries are treated ahead of those whose conditions are less severe. In the same way, a fraud triage program helps risk, audit, and fraud professionals prioritize the investigation of tips and whistleblower complaints. Those that indicate serious, material risks are addressed differently and more aggressively than those that reflect mere misunderstandings, minor errors, personal grievances, or false tips, all of which could tie up investigators unnecessarily. Under a fraud triage program, the same principles apply. Hotline tips or complaints that do not indicate fraudulent behavior can be delegated to human resources, IT, or other line or support functions that are capable of handling them more efficiently. Meanwhile, complaints that involve suspected fraud, but which are less significant in terms of financial losses, control failures or other risks, may be set aside temporarily while larger, more material cases receive immediate attention.

Proper Staging of the Allegation – the Critical First Step

A swift and thorough triage process leads directly to a more appropriate and timely response. The specifics of that response will vary, of course, depending on the nature and severity of the case, but the fundamental elements of the treatment include forming the right team to investigate, understanding root causes, and providing timely disclosure to all constituencies. Before such a response can be planned and executed, however, the tip or allegation must be evaluated or “staged” based on a consistent set of criteria. Navigant’s fraud governance framework identifies five such stages:

Stage 1

Stage 1 allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact. These may include employee-to-employee disputes, isolated cases of small-scale employee theft, and the normal policy complaints, misunderstandings, and personal disagreements that are often raised through a whistleblower program. In most cases, these complaints are best handled by human resources or management personnel.

Note: Human Resources and management should be trained on proper investigation protocols, including the escalation process. A basic level of review should be performed and documented to corroborate that no further investigation is warranted. This review and documentation could be performed by a branch or office manager. For an employee who is the target of such a complaint, management should consider placing such employee on a temporary legal hold which triggers the retention of email and other documents until the risk of retaliatory litigation has passed.

Stage 2

These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports. If the allegation is substantiated, then the result of the remediation process is a change to a business process or business rule, followed by an enhancement of the company’s preventive or detective internal controls. Because they indicate a deficiency in internal controls, such allegations are escalated to the internal audit function in order to obtain a deeper understanding of the control environment. Internal audit should evaluate what controls are currently in place, and determine where the breakdown in internal controls occurred. It is also important to assess if the allegations are signs of a bigger problem or if they could have an impact on financial reporting. If financial reporting is affected, sensitivity testing must be performed to calculate the low case, medium case, and worst case financial impact. Internal audit’s review also might identify multiple violations. Again, the employees affected should be put into a legal hold, which triggers the retention of email and other documents until the risk of litigation passes. In some cases, employee termination may be warranted.

Stage 3

These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management. Such cases require the same level of investigation as Stage 2 cases, along with an internal investigation that usually is conducted under the direction of the general counsel, involving compliance and internal audit as well. In some instances, the investigation might need to be performed independently by a function or person who is not directly involved in the control environment.

Stage 4

These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team. Such cases are generally addressed through an internal investigation, usually under the direction of outside counsel operating under privilege. The investigation often involves the use of independent, outside experts as well.

Stage 5

These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny. In such instances, the board generally should engage outside counsel and forensic investigation experts to initiate a privileged and confidential fact-based investigation. The external auditors may also be involved and a disclosure to the SEC may be required.

It’s important to note that, in both Stage 4 and Stage 5, engaging outside experts is generally necessary. Other critical elements of the Stage 4 and Stage 5 responses include having a qualified and experienced investigation team, along with a time-phased work plan that minimizes disruptions to the organization’s day-to-day business as much as possible. The investigators will begin with fact-finding interviews to help them evaluate who else to interview and when. The investigators will also help the company identify a list of custodians who will be interviewed to understand where their data was being saved (for example, on email servers, mobile phones or other devices, flash drives, cloud servers, and network folders). Generally, a large-scale data collection effort will then ensue in order to search and preserve all potentially relevant information. The goal is to determine who knew what and when, and how high up the chain the knowledge went. The investigation will also assess whether the audited financial statements can be relied upon, so that counsel and board members can determine what disclosure requirements might apply. In addition, where internal control issues are noted, outside counsel can also recommend new or enhanced policies, procedures, and controls, and assist in putting them in place.

Ownership, Responsibility and Follow-Up

Obviously, the triage staging system described here is not the only plausible methodology an organization can use for evaluating allegations of wrongdoing and planning appropriate responses. Other thought leaders in the field have proposed evaluating tips according to various other criteria such as the severity of the allegation, the specificity of the information it contains, and similar factors. Ultimately, whatever triage process and framework is chosen, it will need to be customized to reflect the company’s particular situation and its particular industry. In many instances, boards may choose to combine elements from several approaches.

Regardless of the specific criteria upon which the system is based, the importance of maintaining written policies and procedures cannot be overstated. Moreover, in all cases it is important that the responsibility for developing, implementing, and maintaining the triage response system be clearly defined. The assignment of this responsibility will vary as well, depending on the size and nature of the organization, its governance structure, the volume of whistleblower complaints and other factors. It could fall to internal audit, the corporate general counsel, a board committee, a designee of the CFO, or some other person or group – but in all cases it’s essential to have a designated individual or business function that is responsible for initially capturing complaints and performing the triage of the allegation(s).

Once the framework is set and data is being collected, it’s also important to step back and periodically assess what the data is saying. For example, if the complaint hotline is bombarded with a high frequency of inconsequential complaints related to minor personnel disputes, uniform violations, or employees complaining about having to work a holiday, then it may be time to provide additional training on how the complaint hotline is to be used. An increase in sexual harassment complaints or complaints related to substandard working conditions could provide an early warning, a leading indicator of a potential class action lawsuit. Similarly, an increasing number of reports of low-dollar employee theft is usually a sign of a larger cultural problem. Evaluating the data and trends captured in your complaint system can help you make decisions that could prevent the next “big event.” In that sense, an effective, well-designed, and consistently executed fraud triage effort can pay even bigger dividends that go beyond the direct benefit of helping you evaluate and prioritize tips and complaints more efficiently.

Lastly, as facts come to light, there might be a need to escalate the allegation. If an investigation starts with human resources or internal audit, they should be trained on what to do if the matter intensifies!


Matters that generally require escalation include, but are not limited to:

  • Violation of law – antitrust and competition, anti-bribery and corruption, employment discrimination and harassment, fraud against third parties by employees
  • Accounting, books and records – public financial reporting, internal financial reporting and disclosure, insider trading, SOx, Dodd-Frank
  • Environmental, health, safety
  • Any employee theft, misappropriation, or fraud against the organization in excess of $$$$$$$
  • Code of Conduct Violations of the Executive Leadership team
  • Misconduct by Legal, Ethics and Compliance employees – failing to investigate or stopping an investigation
  • Third party frauds against, or thefts from, the organization

Care should be taken; consultation with legal counsel and compliance is a wise move, unless they are, or appear to be, involved, in which case go directly to the Board of Directors.

Board members: I would seek to understand the escalation process, and I would review the allegation log to ensure investigations are being done timely, you are being briefed on all serious matters, proper discipline has been applied, and internal controls are installed or enhanced to try to prevent and detect possible future bad or “carryover” behavior!

I welcome your comments and suggestions.

Jonathan T. Marks

Attribution:

  • Buckley
  • NAVEX
  • ACFE
  • SEC


This material is protected by Copyright Laws and may not be reproduced in any form without my express written permission.


The Compliance e-Book is Released

This e-book is intended as a guide for Chief Compliance Officers (CCOs) and those responsible for developing and implementing compliance policies and procedures for an organization. Compliance, when done properly and embraced fully, should be seen as a necessary business process.

It is our vision that companies have more than a best-in-class compliance program going forward.

The time is now for companies to take the next step up to make compliance a part of the business process of the organization. This would not only allow companies to meet the Department of Justice’s requirement that compliance programs be more fully operationalized, but it is our firm belief that a more effective compliance program will make the company’s internal controls operate more efficiently and enable it to operate more profitably. With the increased efficiencies for compliance offered by data analytics and AI, a robust compliance program can demonstrate internal commercial inefficiencies which can be remediated for greater return from assets.

Get the e-book by clicking here!

Best, Jonathan T. Marks & Tom Fox

More thought leadership coming soon!

Posted on

e-Book Compliance Program Game Plan

Now, For Tomorrow!

This e-book is intended as a guide for Chief Compliance Officers (CCOs) and those responsible for developing and implementing compliance policies and procedures for an organization. Compliance, when done properly and embraced fully, should be seen as a necessary business process. It is our vision that companies have more than a best-in-class compliance program going forward.

The time is now for companies to take the next step up to make compliance a part of the business process of the organization. This would not only allow companies to meet the Department of Justice’s requirement that compliance programs be more fully operationalized, but it is our firm belief that a more effective compliance program will make the company’s internal controls operate more efficiently and enable it to operate more profitably. With the increased efficiencies for compliance offered by data analytics and AI, a robust compliance program can demonstrate internal commercial inefficiencies which can be remediated for greater return from assets.

Get the e-book by clicking here!

Best,

Jonathan T. Marks & Tom Fox


Keep alert for additional thought leadership coming soon!

Posted on

Spotting an Ethical Meltdown!

When there is an allegation of fraud that turns into a reality, everyone usually asks the question, “Why wasn’t the alleged fraud caught sooner?”

Maybe because one profile of a fraudster includes a salesperson mentality cloaked in a “false sense of integrity,” intended to lower your level of skepticism so that you are deceived, deflected, or directed away from the fraudster and from the concealed evidence that could ultimately prove a fraud has occurred.

So how can you increase your odds of detecting an ethical meltdown, or worse, a fraud?

Let me try to lay it out for you.

Background

The word “ethics” is derived from the Greek word ethos (character), and from the Latin word mores (customs). In essence, it is what you do or don’t do when no one is watching.

It’s always clear what’s right or ethical in a perfect world, but we don’t live in a perfect world! In the real world, situations are often murky.

Someone’s wrong can be your right, which means your right will definitely, at some point, be someone else’s wrong. Most of the time the “right” choice can be subjective.

At some point, senior leadership and employees will have to make tricky ethical decisions, and often those decisions are impacted by ethical conflicts, which are influenced by pressure or some other factor(s). Recognizing these conflicts and the red flags can help deter a situationally ethical senior leader or employee from crossing over the line.


Some common ethical conflicts include the following –

Truth vs. loyalty – Honesty or integrity vs. commitment, responsibility, or promise-keeping.

Justice vs. mercy – Fairness, equity, and even-handed application of a principle or rule conflict with compassion or empathy.

One vs. many – When the needs of an individual person or group conflict with the needs of a larger group or society as a whole.

Short-term vs. long-term – Now vs. then conflicts arise when immediate needs or desires run counter to future goals or needs.

Red Flags

  • Pressure to maintain sales, budgets, etc.
  • Behavior that uses fear and silence
  • Leaders with a big or unconstrained ego/personality or hubris (infallibility and superiority)
  • Conflicts of interest that are overlooked or unaddressed
  • An attitude that goodness in some areas atones for evil in others

Here are some linguistic red flags that I find helpful too*:

  • “Well, Maybe just once…”
  • “No one will ever know…”
  • “It sounds too good to be true…”
  • “Everyone does it…”
  • “Shred that document…”
  • “We can hide it…”
  • “No one will get hurt…”
  • “What’s in it for me…”
  • “This will destroy the competition…”
  • “We did not have this conversation…”

Board of Directors Role in Helping Thwart an Ethical Meltdown

  • Bolster your corporate governance framework by having it reviewed by an outside party;
  • Ensure the communication from senior leadership is appropriate and pure (not filtered);
  • Have a strong working relationship with the CEO and work together to develop strong ongoing monitoring protocols;
  • Go out into the field and talk to mid-level managers – listen for a murmur;
  • Be sure the written policies are more than the bare minimum of compliance – require more than just the minimum;
  • Listen to dissenters carefully;
  • Understand that Tone and Conduct from the Top is not just the CEO’s responsibility – it is also the Board of Directors’; and,
  • Reward people who speak up and help minimize damage or even save the organization.

Closing Thoughts

Everyone in the organization is responsible for ethics and sustaining a culture of compliance!

Be cognizant of the common ethical conflicts and deal with them timely and appropriately.

Don’t ignore any red flag.

I welcome your thoughts, opinions, and suggestions.

Best!


Jonathan T. Marks, CPA, CFE

*Tip – consider these when doing an email search during an investigation.
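As an added example (not code from the original post), here is a small Python triage routine that applies the phrase list above to e-mail bodies, the kind of keyword pass the tip describes; the mailbox contents are constructed samples, and the phrases are normalised (lower case, no punctuation, ellipses dropped) so wording split across lines or oddly punctuated still matches.

```python
import re
from typing import Dict, List

# The post's linguistic red flags, normalised to match the output of normalize().
RED_FLAG_PHRASES = [
    "well maybe just once",
    "no one will ever know",
    "it sounds too good to be true",
    "everyone does it",
    "shred that document",
    "we can hide it",
    "no one will get hurt",
    "whats in it for me",
    "this will destroy the competition",
    "we did not have this conversation",
]


def normalize(text: str) -> str:
    """Lower-case, drop apostrophes, turn other punctuation and line breaks
    into single spaces so that "What's" == "whats" and wrapped lines still match."""
    text = re.sub(r"['’]", "", text.lower())
    text = re.sub(r"[^a-z0-9\s]", " ", text)
    return " ".join(text.split())


def find_red_flags(body: str) -> List[str]:
    """Return the red-flag phrases present in one message body, in list order."""
    padded = f" {normalize(body)} "  # padding gives whole-phrase matches at the edges
    return [p for p in RED_FLAG_PHRASES if f" {p} " in padded]


def triage(mailbox: Dict[str, str]) -> Dict[str, List[str]]:
    """Map message id -> phrases hit, keeping only messages with at least one hit."""
    hits = {mid: find_red_flags(body) for mid, body in mailbox.items()}
    return {mid: h for mid, h in hits.items() if h}


# Constructed sample messages for the demo (not real mail).
SAMPLE_MAILBOX = {
    "msg-001": "Quarterly numbers attached. Please review before Friday.",
    "msg-002": "Per our call: SHRED that document before the auditors arrive.\nNo one will ever know.",
    "msg-003": "Re: the rebate scheme - we did not have this\nconversation, understood?",
    "msg-004": "Honestly, what's in it for me if I sign off on this?",
}

if __name__ == "__main__":
    for mid, hits in triage(SAMPLE_MAILBOX).items():
        print(mid, hits)
```

Hits are a starting point for reviewer reading, not a finding; innocent mail uses some of these phrases too.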

Posted on

PHorensically Speaking: Cost of Data Breach and New COSO Guidance On Cyber, Risk Appetite Statements, Compliance, and Boards Management of Strategic Risks

The Cost of Data Breach Report (“Report”) found that the average total cost of a data breach, the average cost for each lost or stolen record (per capita cost), and the average size of data breaches have all increased beyond the 2017 report averages:

  • The average total cost rose from $3.62 to $3.86 million, an increase of 6.4 percent
  • The average cost for each lost record rose from $141 to $148, an increase of 4.8 percent
  • The average size of the data breaches in this research increased by 2.2 percent

The Report also highlights the relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences.

  • The mean time to identify (MTTI) was 197 days
  • The mean time to contain (MTTC) was 69 days
  • Companies that contained a breach in less than 30 days saved over $1 million vs. those that took more than 30 days to resolve

  • USD 3.92 million – Average total cost of a data breach
  • United States – Most expensive country: USD 8.19 million
  • Healthcare – Most expensive industry: USD 6.45 million
  • 25,575 records – Average size of a data breach

Data breaches can cause devastating financial losses and affect an organization’s reputation for years. From lost business to regulatory fines and remediation costs, data breaches have far reaching consequences.

The annual Cost of a Data Breach Report, conducted by the Ponemon Institute and sponsored by IBM Security, analyzes data breach costs reported by 507 organizations across 16 geographies and 17 industries.

You should read the report to discover all the factors that influence the cost of a data breach and which security measures can help organizations reduce the financial impact.

Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) is developing guidance for companies on how to manage cybersecurity and other risks.

The COSO guidance is intended to give companies more detailed instructions on how to apply the 5 interrelated components of COSO’s risk-management framework, broken down into 20 principles (which include board-level oversight of risk management), to information security; specifically, how companies can apply the principles of enterprise risk management (ERM) to protect against cyberattacks.

Other COSO guidance expected soon should cover how to better craft risk-appetite statements; how to better manage risk and compliance across an enterprise; and guidance for board directors on managing strategic risks (the kind that arise when companies expand, launch new products or change pricing models).

Compliance

COSO’s guidance on compliance is being drafted in partnership with the Society of Corporate Compliance and Ethics (“SCCE”). More to come…

I welcome your thoughts and comments!

Best,

Jonathan T. Marks

Attribution:

IBM, Ponemon, WSJ, COSO