
Speaking and Training on Fraud, Compliance, Ethics, and More…

Welcome to my site. I have spoken at, and been the keynote speaker for, many conferences, including the ABA, ACC, ACFE, IIA, and IMA, to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.

“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive 

If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.

I have provided some Selected Training Programs (see below); please peruse my blog posts for additional topics and ideas. Keep in mind I speak and provide training on almost anything related to governance, risk, and compliance, with a focus on fraud and forensics.

I will do my best to get back to you quickly.

Thank you!

 


Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow

Selected Training Programs

Management Override of Internal Controls

The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls and other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override, and the psychology behind management’s override of controls.

You Will Learn How To:

  • Identify red flags of management overriding controls
  • Ascertain an approach to auditing for management override
  • Assess the latest trends and research regarding management override of controls
  • Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.

Operationalizing Compliance – Master Class with Tom Fox, Esquire

The Master Class, developed by Tom Fox, provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO), Chief Audit Executive (CAE), and Chief Legal Counsel (CLO) to the practitioner who is new to the compliance profession.

If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class, said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.”

Tom Fox, one of the leading commentators in the compliance space, partners with Jonathan T. Marks to bring unique insight into what many companies have done right and what many have done not so well over the years. This professional experience has enabled him to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance Program, and using the questions posed in the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; training; and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the training include:

  • Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
  • What are the best practices of an effective compliance program;
  • Why internal controls are the compliance practitioner’s best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • Your ethical requirements as a compliance practitioner;
  • How to document what you have accomplished;
  • Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship; what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions; and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

Ethics and Governance Training

This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.

Corporate Governance During a Crisis

We also discuss leading practices in crisis management and present several scenarios that allow the participant(s) to work through mock crisis scenarios. For example, in your first week at your company, you just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience will play different roles within the company (members of the board, legal department, managers, etc.) to have a discussion, including:

  • What type of crisis plan do you have, if any?
  • What to do and how to formulate a plan of action?
  • Who to call first, how to prioritize tasks, and where to prioritize resources?
  • Who (internal and external players) to get involved and when to get them involved?
  • What data is needed when a crisis hits?
  • How to prepare for the media and when to reach out?
  • How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?

Fraud Risk Assessment Process and Guidance

Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and walk through a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion on fraud and considers the potential of fraud as a principle of internal control.

FCPA (Bribery and Corruption): Building a Culture of Compliance

This session covers why compliance is important and the new guidance issued by the DOJ. We also explore current regulatory enforcement trends, whistleblowers under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, ways to thwart an investigation, differences and similarities between the FCPA and the U.K. Bribery Act, and successor liability, and we provide the participant with a proven 13-Step Action Plan.

Fraud Investigations

Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important; inherent risk and exposures; the types of investigations (internal and independent); board considerations; triaging an allegation; investigative challenges; keys to running a successful investigation; and why root cause analysis should be considered after completing the investigation.

Third Party Risk Management and Oversight

Third party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to be evolving to meet the business and compliance challenges, which are constantly occurring across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.

Putting the Freud in Fraud: The Mind Behind the White Collar Criminal

To properly fight corporate fraud we need to understand how a fraudster’s normal differs, so executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.

In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.

  • Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
  • Discover what role company culture plays in the commission of fraud.
  • Hear cutting-edge ideas and methods to help detect and deter fraud.

Fraud Overview

This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.

Triaging a Whistleblower Allegation

As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, this session discusses why investigating allegations or tips is important, why timeliness matters, and investigation challenges, and provides the participant with a sample approach.

Skepticism: A Primary Weapon in the Fight Against Fraud

What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see and critically assess all evidence and statements. In this session we discuss the role of independent reviewer or inspector, particularly of your own assumptions, whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.

Root Cause Analysis 

The regulators are expecting more today and want to know that your remediation efforts are not treating the symptom(s), but rather the root cause(s).

Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organization’s compliance program. When able to determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis are thinking critically by asking the right questions (sometimes probing), applying the proper level of skepticism, and when appropriate examining the information (evidence) from multiple perspectives.

This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense”, which provides the audit committee and senior management with a better understanding of where the breakdowns occurred.


New DOJ Guidance Addresses ‘Effectiveness’ of Compliance Programs

Background

The DOJ issued new April 2019 Guidance (“Guidance”, or “2019 Guidance”) detailing how prosecutors will evaluate the effectiveness of corporate programs to prevent fraud and other misconduct, a key consideration in determining the penalties imposed against companies. This is an update to the guidance the DOJ published on February 8, 2017, entitled “Evaluation of Corporate Compliance Programs”.

Brian Benczkowski, the head of the Justice Department’s criminal division, said the revised guidance is intended to aid not only prosecutors but also companies, giving them deeper insight into what the government will demand of compliance programs.

The 2019 Guidance contains 12 high-level topics (below) that are grouped to track the Three Core Questions about compliance program effectiveness contained in Section 9-28.800 of the Justice Manual and, candidly, are the key questions the board of directors should be asking. After all, it is expected that the organization’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it (See U.S.S.G. § 8B2.1(b)(2)(A)-(C)).


Three Core Questions

  1. Is the Corporation’s Compliance Program Well Designed?
  2. Is the Corporation’s Compliance Program Being Implemented Effectively?
  3. Does the Corporation’s Compliance Program Work in Practice?

“Any well-designed compliance program entails policies and procedures that give both content and effect to ethical norms and that address and aim to reduce risks identified by the company as part of its risk assessment process,” according to the Guidance. “As a threshold matter, prosecutors should examine whether the company has a code of conduct that sets forth, among other things, the company’s commitment to full compliance with relevant federal laws that is accessible and applicable to all company employees.”

Prosecutors, according to the guidance, “should also assess whether the company has established policies and procedures that incorporate the culture of compliance into its day-to-day operations.”


The High-level Topics

  1. Risk Assessment
  2. Policies and Procedures
  3. Training and Communications
  4. Confidential Reporting Structure and Investigation Process
  5. Third Party Management
  6. Mergers and Acquisitions (M&A)
  7. Commitment by Senior and Middle Management
  8. Autonomy and Resources
  9. Incentives and Disciplinary Measures
  10. Continuous Improvement, Periodic Testing, and Review
  11. Investigation of Misconduct
  12. Analysis and Remediation of Any Underlying Misconduct

The 2019 Guidance has a twelfth topic because it split the 2017 Guidance’s topic of “Confidential Reporting and Investigation” into two separate sections: “Confidential Reporting Structure and Investigation Process” (4) and “Investigation of Misconduct” (11).

Under each of the above topics, the 2019 Guidance sets forth multiple sample questions that prosecutors are likely to ask during an investigation. A few examples are:

  • Risk Assessment: Risk Management Process
    • What methodology has the company used to identify, analyze, and address the particular risks it faced?
  • Training and Communications: Risk Based Training
    • What training have employees in relevant control functions received?
    • Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?
  • Confidential Reporting Structure and Investigation Process: Effectiveness of the Reporting Mechanism
    • Does the company have an anonymous reporting mechanism, and, if not, why not?
    • How is the reporting mechanism publicized to the company’s employees?
    • Has it been used?
    • How has the company assessed the seriousness of the allegations it received?
    • Has the compliance function had full access to reporting and investigative information?
  • Mergers and Acquisitions (M&A): Process Connecting Due Diligence to Implementation
    • What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process?
    • What has been the company’s process for implementing compliance policies and procedures at new entities?
  • Commitment by Senior and Middle Management: Conduct at the Top
    • How have senior leaders, through their words and actions, encouraged or discouraged compliance, including the type of misconduct involved in the investigation?
    • What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
    • How have they modelled proper behavior to subordinates?
    • Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?
    • Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?
  • Continuous Improvement, Periodic Testing, and Review: Internal Audit
    • What is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process?
    • How are audits carried out?
    • What types of audits would have identified issues relevant to the misconduct?
    • Did those audits occur and what were the findings?
    • What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?
    • How have management and the board followed up?
    • How often does internal audit conduct assessments in high-risk areas?
  • Continuous Improvement, Periodic Testing, and Review: Properly Scoped Investigation by Qualified Personnel
    • How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?

Some Other Points of Focus

  • Compliance must adopt a risk-based approach (See Closing Thoughts below).
  • Compliance must have appropriate processes for the submission of complaints, and processes to protect whistleblowers.
  • The word “resource” appears twenty one (21) times in the Guidance, so I am certain that if your organization is not properly resourced that will more likely than not be a problem.
  • Compliance must have independent access to the Board and Audit Committee.
  • Compliance needs to be integrated with other functions like internal audit, and depending on structure, the legal function. See discussion on whether compliance should be a separate function!
  • Compliance must adopt strong third-party controls.
  • Root cause was mentioned nine (9) times in the Guidance! Treating symptoms and not the root cause could at some point result in recidivism, which will more likely than not be problematic!

Closing Thoughts

The 2019 Guidance seeks to understand how the organization approaches compliance and then what worked and what didn’t.  So, one might consider reading both the old and new Guidance to understand how the evaluation of an organization’s compliance programs has changed.

You should have your organization’s compliance program evaluated. Why? Prosecutors must evaluate if the organization has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.

If you are going to do so, you might want to first make sure your risk profile is up to date, as well as your fraud or misconduct risk assessment! Why? The section within the Guidance on “Risk Assessment” was moved to be first of the 12 topics addressed in the 2019 Updated Guidance (Note: It was the fifth topic addressed in the 2017 Evaluation Guidance), and just maybe the DOJ is sending a subliminal message here, which some of us have already picked up: the risk assessment drives the compliance program!

By the way, if you’re already a client, don’t worry. We have been doing all of this for some time, and this is not a best practice guide! This doesn’t mean the writing should be ignored; I use it as a tool to help me think through compliance programs strategically and evaluate risk. Boards and senior management should use the guidance for the same.

I welcome your comments.

Best!


Jonathan T. Marks, CPA, CFE

Attribution
DOJ

 


FCPA Settlement – Petrobras Board Involved

The Department of Justice (DOJ) said in a release, “Executives at the highest levels of Petrobras — including members of its executive board and board of directors — facilitated the payment of hundreds of millions of dollars in bribes to Brazilian politicians and political parties and then cooked the books to conceal the bribe payments from investors and regulators.”

Background

On September 26, 2018, Petróleo Brasileiro S.A. (“Petrobras” or the “Company”), the Brazilian majority state-owned oil and gas company, settled Foreign Corrupt Practices Act (“FCPA”) charges with the U.S. Department of Justice (the “DOJ”) and the Securities and Exchange Commission (the “SEC”) for a total of $1.78 billion. Petrobras has American Depositary Shares (“ADSs”) registered with the SEC and traded on the New York Stock Exchange and is therefore subject to the FCPA as an “issuer.”

Petrobras entered into a non-prosecution agreement (“NPA”) with the DOJ that included a criminal penalty of $853.2 million for knowingly and willfully failing to keep accurate books and records and implement appropriate internal financial and accounting controls by “facilitating payments to politicians and political parties in Brazil.” Under the NPA, Petrobras will pay 10 percent, or $85.32 million, of the criminal penalty to the DOJ and another 10 percent to the SEC. Petrobras will pay the remaining 80 percent of the criminal penalty, or $682.56 million, to authorities in Brazil.

The Company did not receive voluntary disclosure credit because it did not voluntarily and timely disclose to the Fraud Section and the Office the conduct described in the Statement of Facts.

Petrobras no longer employs or is affiliated with any of the individuals known to the Company to be implicated in the conduct at issue.

Summary of Remedial Measures

Petrobras engaged in extensive remedial measures, including:

  • replacing the Board of Directors and the Executive Board (the Company’s high-level managers) and implementing governance reforms, such as expanding the scope of decisions requiring Board of Director approval;
  • elevating and revamping the Company’s compliance function, including creating and staffing the Division of Governance and Compliance (“DGC”), and mandating that the Officer of DGC cannot be terminated without the affirmative vote of a Board member representing minority shareholders;
  • limiting individual decision-making authority by implementing a “four eyes” approval policy (now I know the DOJ reads my thought leadership) that requires a second review by supervisors from different reporting lines for substantive decisions;
  • creating new corporate investment policies and procedures, including a new Approval Authority Matrix, mandatory collective decision-making, and participation of the Division of DGC in investment committees;
  • enhancing the Company’s policies and procedures related to confidential reporting and investigations, including restructuring the Office of the Ombudsman, implementing a confidential reporting hotline, and enhancing the procedures related to the Company’s Internal Commissions of Inquiry;
  • updating policies and procedures related to compliance;
  • implementing measures to ensure the Company’s operations are insulated from improper political interference, including new hiring and promotion procedures, a comprehensive government relations policy, and uniquely protecting the Officer of DGC within the organization;
  • enhancing anti-corruption training by requiring all employees to complete compliance training, providing specialized training to employees engaged in the procurement of goods and services, and providing anti-corruption training to the Board of Directors and Executive Board;
  • creating an Ethics Committee responsible for guiding, disseminating, and promoting compliance with ethical principles and conduct obligations;
  • creating a committee within the Company’s compliance function to discipline employees and ensure that discipline is meted out consistently;
  • disciplining employees known to have violated Company policies and procedures, including suspending employees, removing their managerial functions, and terminating their employment; and
  • enhancing controls related to procurement and contracting, including centralizing the procurement function, segregating procurement duties, and implementing a risk-based integrity due diligence program for prospective contractors.

Closing

From the “Realm of the Obvious”, why was there no monitor installed?

Thoughts and comments are appreciated.

Jonathan T. Marks