Posted on 1 Comment

Speaking and Training on Fraud, Compliance, Ethics, and More…

Welcome to my site. I have spoken and been the keynote speaker for many conferences, including the ABA, ACC, ACFE, IIA, and IMA to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.

“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive 

If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.

I have provided you with some Selected Training Programs (See below) and please peruse my blog posts for some additional topics and ideas. Keep in mind I speak and provide training on most anything related to governance, risk, and compliance, with a focus on fraud and forensics.

I will do my best to get back to you quickly.

Thank you!


Jonathan Pic

Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow

Selected Training Programs

Management Override of Internal Controls

The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls versus other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override and the psychology behind management’s override of controls. You Will Learn How To:

  • Identify red flags of management overriding controls
  • Ascertain an approach to auditing for management override
  • Assess the latest trends and research regarding management override of controls
  • Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.

Operationalizing Compliance – Master Class with Tom Fox, Esquire

The Master Class developed by Tom Fox, provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) and Chief Audit Executive (CAE), Chief Legal Counsel (CLO), to the practitioner who is new to the compliance profession.

If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.

Tom Fox is one of the leading commentators in the compliance space partners with Jonathan T. Marks to bring a unique insight of what many companies have done right and many have done not so well over the years. This professional experience has enabled him to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance, using the questions posed from the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the training include:

  • Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
  • What are the best practices of an effective compliance program;
  • Why internal controls are the compliance practitioners best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • Your ethical requirements as a compliance practitioner;
  • How to document what you have accomplished;
  • Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

Ethics and Governance Training

This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.

Corporate Governance During a Crisis

We also discuss leading practices in crisis management and present several scenarios allow the participant(s) to work though mock crisis scenarios. For example, in your first week at your company, you just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience will play different roles within the company (members of the board, legal department, managers, etc.) to have a discussion, including:

  • What type of crisis plan do you have, if any?
  • What to do and how to formulate a plan of action?
  • Who to call first, how to prioritize tasks, and where to prioritize resources?
  • Who (internal and external players) to get involved and when to get them involved
  • What data is needed when a crisis hits?
  • How to prepare for the media and when to reach out?
  • How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?

Fraud Risk Assessment Process and Guidance

Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and walk through a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion on fraud and considers the potential of fraud as a principle of internal control.

FCPA (Bribery and Corruption): Building a Culture of Compliance

This session covers why compliance is important and the new guidance issues by the DOJ. We also explore current regulatory enforcement trends, whistleblowers Under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, way to thwart an investigation, differences and similarities between the FCPA and the U.K. Bribery Act, successor liability, and provides the participant with a proven 13-Step Action Plan.

Fraud Investigations

Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important, inherent risk and exposures, the types of investigations: internal and independent, board considerations, triaging an allegation, investigative challenges, and keys to running a successful investigation, and why root cause analysis should be considered after completing the investigation.

Third Party Risk Management and Oversight

Third party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to be evolving to meet the business and compliance challenges, which are constantly occurring across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.

Putting the Freud in Fraud: The Mind Behind the White Collar Criminal

To properly fight corporate fraud we need to understand how a fraudster’s normal differs, so executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.

In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.

  • Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
  • Discover what role company culture plays in the commission of fraud.
  • Hear cutting-edge ideas and methods to help detect and deter fraud.

Fraud Overview

This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.

Triaging a Whistleblower Allegation

As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips, which can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, this session discusses Why Investigating allegations or tips are important, why timeliness matters, investigation challenges, and provides the participant with a sample approach.

Skepticism: A Primary Weapon in the Fight Against Fraud

What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see and critically assess all evidence and statements. This session we discuss the role of independent reviewer or inspector, particularly of your own assumptions, whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.

Root Cause Analysis 

The regulators are expecting more today and want to know that your remediation efforts are not treating the symptoms), but rather the root cause(s).

Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organizations compliance program. When able to determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis are thinking critically by asking the right questions (sometimes probing), applying the proper level of skepticism, and when appropriate examining the information (evidence) from multiple perspectives.

This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense”, which provides the audit committee and senior management with a better understanding where the break downs occurred.

Posted on

Baker Tilly Poll Shows GDPR Compliance and Privacy Governance Still a Challenge for Most Organizations

CHICAGO–()–A flash poll conducted by Baker Tilly Virchow Krause, LLP (Baker Tilly) indicates that while the number of respondent organizations that believe they are compliant with the General Data Protection Regulation (GDPR) increased more than 20 percent in the eight months following the May 25, 2018 enforcement date, nearly 67 percent of companies responding to the poll are still not compliant. Additional data showed 36 percent of respondents identified information technology (IT) as responsible for data privacy at their organization.

“GDPR is becoming the de facto standard for privacy regulations in the U.S. and across the globe. If an organization is compliant with GDPR, the organization is already approximately 90-95 percent compliant with the California Consumer Privacy Act”

Tweet this

“Privacy governance is relatively immature with organizations only beginning to incorporate it into their strategy,” David Ross, principal and growth leader of Baker Tilly’s privacy and cybersecurity practices, said. “At its core, privacy is a risk-based issue, not an IT or security problem. A sustainable privacy program requires a multi-disciplinary approach that incorporates governance, compliance and risk management disciplines from senior management, finance, IT, security, HR and other functional areas.”

“GDPR is becoming the de facto standard for privacy regulations in the U.S. and across the globe. If an organization is compliant with GDPR, the organization is already approximately 90-95 percent compliant with the California Consumer Privacy Act,” Mike Vanderbilt, director with Baker Tilly’s privacy practice, said. “Working toward a sustainable privacy program enables an organization to pivot and adapt as new regulations unfold.”

Baker Tilly recently held an educational webinar, “The rise of privacy: a risk-based approach to privacy oversight, compliance and management,” providing insight into how organizations can prepare for enforcement, ongoing monitoring and compliance in an evolving privacy regulatory landscape.

The webinar presenters discussed how to:

  1. Identify current and developing privacy regulations and emerging risks that impact oversight
  2. Assess the benefits, challenges and ultimate impacts of an integrated privacy oversight, compliance and risk management program
  3. Optimize a privacy assessment to enhance internal and external stakeholders’ trust and confidence in the organization’s data security and privacy processes and controls

Presentation slides and a recording of the webinar are available at

About Baker Tilly Virchow Krause, LLP (
Baker Tilly Virchow Krause, LLP (Baker Tilly) is a leading advisory, tax and assurance firm whose specialized professionals guide clients through an ever-changing business world, helping them win now and anticipate tomorrow. Headquartered in Chicago, Baker Tilly, and its affiliated entities, have operations in North America, South America, Europe, Asia and Australia. Baker Tilly is an independent member of Baker Tilly International, a worldwide network of independent accounting and business advisory firms in 147 territories, with 33,600 professionals. The combined worldwide revenue of independent member firms is $3.4 billion. Visit or join the conversation on LinkedIn, Facebook and Twitter.

Baker Tilly Virchow Krause, LLP is a member of the Baker Tilly International network, the members of which are separate and independent legal entities. Baker Tilly refers to the global network of accounting firms of Baker Tilly International Limited. Each member firm is a separate legal entity. Baker Tilly International Limited does not provide services to clients.

© Baker Tilly Virchow Krause, LLP

Posted on

How GDPR Could Impact Whistleblowers and the Ethics Hotline


Love it or hate it, from what I have experienced and read, whistleblowers and their “tips” are one of the most, if not the most important sources for uncovering fraud in organizations, which is supported by the Association of Certified Fraud Examiners (ACFE), which I highlight below.  Building from this theme, there have been some developments in 2018 that the general counsels’s office, compliance, and internal audit professionals and the like need to understand and consider.


The Figure below from the ACFE shows that the leading detection methods for fraud are tips, internal audit, and management review. This finding is not surprising, as these have been the three most common means of detecting occupational fraud in every edition of the report since 2010. Collectively, these three detection methods were cited in 68% of the cases in the ACFE’s current study.

Tips were by far the most common means of detection at 40% of cases—more than internal audit (15%) and management review (13%) combined.


On February 21, 2018, Justice Ruth Bader Ginsburg delivered the unanimous opinion of the Court, which held the anti-retaliation provisions of the 2010 Dodd-Frank Wall Street Reform and Consumer Protection Act do not extend to employees who have reported internally but extend only to employees who have reported suspected securities law violations to the Securities and Exchange Commission, which reversed the 9th Circuit decision.

On March 19, 2018,  The Securities and Exchange Commission announced its highest-ever Dodd-Frank whistleblower awards, with two whistleblowers sharing a nearly $50 million award and a third whistleblower receiving more than $33 million.  The previous high was a $30 million award in 2014.  Jane Norberg, Chief of the SEC’s Office of the Whistleblower said, “These awards demonstrate that whistleblowers can provide the SEC with incredibly significant information that enables us to pursue and remedy serious violations that might otherwise go unnoticed.”

On May 25, 2018, the European Union’s General Data Protection Regulation, or GDPR, took effect and will have major implications for organizations with connections to Europe.  I will focus on how GDPR could impact the whistleblower hotline, which we know does in most instances contain sensitive personal data or information.

Overview of GDPR

The GDPR could affect almost every U.S. consumer goods and services company, and plenty of other organizations, that do business in the EU.

GDPR is designed to protect an individual’s right to control the use of his or her personal data and is broadly drafted to apply to a wide range of personal data on any natural person, regardless of his or her nationality.

Under GDPR, personal data includes, but is not limited to, customer data, such as dates of birth, mailing addresses, IP addresses, product purchases, payment information, supplier data, and employee data. Personal data also includes “sensitive data,” such as health information and information on race and sexual orientation.

GDPR requirements for subject access rights are similar to many data privacy directives in place today.  The GDPR has two key additions: the right to be forgotten (or erasure) and the right for an individual to port his or her data to a new vendor or platform.


GDPR does create some uncertainty when it comes to the data collected and recorded in whistleblower or ethics hotlines, which capture allegations of wrongdoing or tips from internal and external sources.

Individuals have new, or expanded rights, including the ability to see information about themselves, find out its source, or demand that it be deleted.

Under Article 15, the data subject or individual has the right to obtain a confirmation if their personal data is being processed, and, if so, have access to the following information:

  • the purpose of processing
  • categories of personal data concerned
  • recipients of the data
  • the envisaged period for which the personal data will be stored or the criteria used to determine that period
  • the existence of the right for rectification (Article 16) or erasure or right to be forgotten (Article 17)
  • the right to lodge a complaint with a supervisory authority, and
  • where the personal data is not collected from the data subject, any information held as to its source.

Personal data included within the whistleblowing process might include –

  • personal data of the whistleblower submitting the report in case it hasn’t been submitted anonymously, and/or
  • personal data of third parties shared by the whistleblower in the report.


How GDPR will be enforced will be interesting. Organizations might be placed in a situation where they will have to consider an individual’s right to privacy vs. the organization’s decision to conduct an investigation.

Furthermore, an allegation raised by a whistleblower that turns out to be baseless, the subject of the claim could ask that their employer delete their record of the case, on the basis that the company no longer needs to hold that data and more likely than not the organization will have to comply.

According to the regulation, organizations can handle an individual’s data even without their consent to comply with a legal obligation, in the public interest, or in pursuit of their own “legitimate interests,” among other instances.

Twenty-eight (28) national agencies will be in charge of enforcement. The EU member states, will probably be most affected by the GDPR:

  • Austria
  • Belgium
  • Bulgaria
  • Croatia
  • Republic of Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • United Kingdom

The regulation allows each country to spell out how the rules will work within its borders on a variety of fronts. The national systems are expected to be similar, but differences are likely, leaving it unclear what organizations can expect.

A further complication is that much of the data handling covered by GDPR relates to staff, whose treatment is subject to separate national requirements.


What penalties organizations should expect for what types of noncompliance and what areas the authorities will focus on is another area of uncertainty.

Organizations that process personal data without consent could be fined as much as 4% of annual revenue, or €20 million ($23.3 million), whichever is higher, but national data-protection agencies can also just scold an organization for lesser violations.


Ears and eyes will be listening and reading the first few enforcement actions to see how the national regulators react to noncompliance.

Visit other relevant thought leadership pieces – Why GDPR Matters, Tipsters Not Trusting the System, and A ticking time bomb? Whistleblowing In Organizations Today.

I welcome your thoughts and comments on this subject.



  • ACFE
  • WSJ
  • FCPA Blog
  • – Why GDPR Matters