APRIL 28, 2020
Brad Knight, Managing Director | Risk Advisory Services
Paul Greenspan, Managing Director | Forensic Investigation and Dispute Services
COURSE 2
Evaluating Compliance and Anti-Fraud Programs – A Case Study with BDO’s Forensics Practice
BDO and Our Internal Audit Webinar Series
Polling Question 1
From which time zone are you joining us today?
A. Eastern
B. Central
C. Mountain
D. Pacific
E. Other
Brad Knight, CPA, CRMA
Managing Director | Risk Advisory Services
Brad Knight leads BDO’s Risk Advisory Services in Atlanta and for the Southeast, and offers experience in a variety of industries, including manufacturing, healthcare, supply chain, and technology.
He has been deeply involved in identifying and delivering governance, risk and compliance solutions to clients, including all aspects of SOX implementation and compliance, business process documentation, enterprise risk assessments, internal audit co-sourcing, internal controls assessments, and SOC reporting.
Brad has more than 15 years of experience leading and delivering internal audit, enterprise risk management, governance and compliance engagements to Fortune 500 and middle market companies. Prior to joining BDO, Brad worked at Brambles Ltd. where he oversaw and directed the organization’s global enterprise risk management programs.
404-942-2955 / [email protected]
PROFESSIONAL AFFILIATIONS
American Institute of Certified Public Accountants
Institute of Internal Auditors
EDUCATION
B.S., Accounting, University of Tennessee, Knoxville
M.Acc., University of Tennessee, Knoxville
Paul Greenspan, CFE
Managing Director | Forensic Investigation & Litigation Services
Paul Greenspan assists organizations and their attorneys with the financial, accounting, and regulatory aspects of investigations, business disputes, and compliance challenges. His primary areas of concentration include corporate compliance, fraud investigations, forensic accounting, anti-corruption compliance, damage calculations, expert testimony, and litigation support.
Paul has more than 18 years of forensics experience conducting internal and regulatory investigations of employee misconduct, misappropriation of funds, accounting irregularities, and suspect business practices. He has conducted anti-corruption compliance assessments and investigations in more than a dozen countries around the world. In addition, he has analyzed damages, produced expert reports, and been qualified as an expert witness in a variety of litigation matters, including employment disputes, complex fraud claims, breach of contract, and post-M&A disputes.
404-979-7157 / [email protected]
PROFESSIONAL AFFILIATIONS
Association of Certified Fraud Examiners
Atlanta Bar Association
Atlanta Compliance & Ethics Roundtable, Board Member
EDUCATION
J.D. / M.B.A., University of Florida
B.A., Tulane University
Today’s Learning Objectives
At the conclusion of this course, participants will be able to:
Identify compliance-related considerations emerging from the COVID-19 crisis
Identify relevant regulatory guidance on the effectiveness of compliance programs
Effectively team with compliance functions within their organizations to assess compliance and anti-fraud programs
Conduct insightful conversations with management regarding risks of non-compliance
Polling Question 2
In your organization who is primarily responsible for assessing compliance and fraud risks?
A. Compliance Office
B. Internal Audit
C. General Counsel’s Office
D. Chief Financial Officer
E. Don’t Know / Uncertain
COVID-19 Considerations
COVID-19 Compliance Considerations
Health & Safety
PPE and social distancing for employees
Facility closures and re-openings
Privacy and Cybersecurity
Information about employees’ health status / test results
What info can we ask for? What info can we share?
Increased cyber threats – phishing, ransomware, social engineering
Remote working may increase these risks
COVID-19 Compliance Considerations
Supply Chain
Moving into new product lines
Regulatory approvals, esp. for healthcare-related products
Using new third party intermediaries
Due diligence procedures
Payment procedures
Import / Export Controls
Corruption
COVID-19 Compliance Considerations
Human Resources
Absenteeism
New hires – start dates, validity of offers
Designation and documentation of employees as “essential”
Consult with Legal, as laws vary state to state
Contract Compliance
Are you able to meet your commitments to your customers?
Are your suppliers able to meet their commitments to you?
COVID-19 Compliance Considerations
More Issues
Environmental
Antitrust
Anti-money Laundering
Anti-Corruption and Bribery
Sanctions and Export Controls
Regulatory Reporting Requirements
SEC Filings (for public companies) and Insider Trading
COVID-19 Compliance Considerations
What procedures have you put in place to allow for exceptions to be granted from normal compliance operations?
How are you documenting these exceptions?
How are you staying abreast of rapidly-changing laws and regulations, and incorporating that information into your program?
COVID-19 Compliance Considerations
FERC – Federal Energy Regulatory Commission – April 2, 2020
The Chairman today announced that the Commission will exercise appropriate prosecutorial discretion in addressing events that arise during the emergency period. “I’ve said this before, but it bears repeating: The Commission will not second-guess the good faith actions that regulated entities take in the face of this emergency.” Enforcement staff will take the current emergency into account when evaluating compliance programs as part of its analyses under the Penalty Guidelines, or as part of an audit for operations taking place during the emergency. Staff also will take the crisis into account in assessing the timeliness of self-reports, including the self-report credit under the Penalty Guidelines.
COVID-19 Compliance Considerations
Office of Foreign Assets Control (OFAC) – April 20, 2020
OFAC understands that the COVID-19 pandemic can cause technical and resource challenges for organizations. As OFAC has articulated … the agency supports a risk-based approach to sanctions compliance. Accordingly, if a business facing technical and resource challenges caused by the COVID-19 pandemic chooses, as part of its risk-based approach to sanctions compliance, to account for such challenges by temporarily reallocating sanctions compliance resources consistent with that approach, OFAC will evaluate this as a factor in determining the appropriate administrative response to an apparent violation that occurs during this period. OFAC will address these issues on a case-by-case basis.
COVID-19 Compliance Considerations - Fraud
The Fraud Triangle is a model used to explain how a person comes to commit occupational fraud.
COVID-19 Compliance Considerations - Fraud
People are desperate and fearful = Pressure and Rationalization
Government response
Enormous amounts of money
Being rolled out extraordinarily quickly
Variety of new and proposed programs = confusion
Oversight entities
New work environments – working remotely from home – may increase likelihood of fraud schemes
Employees are looking for and using workarounds
Physical separation may lead to lack of communication
Remote working may inhibit normal security protocols that have been carefully built over years
Polling Question 3
Has your organization reviewed its fraud and compliance risk assessments since the emergence of COVID-19?
A. Yes
B. No
C. Unsure / Uncertain
D. N/A
Overview of Regulatory Guidance on Compliance and Anti-Fraud Programs
Overview of Regulatory Guidance
Federal government has made clear that it expects organizations to have robust, risk-based compliance programs
Regulators’ expectations have become more and more explicit
Expectation is built into various aspects of the law and regulations
General thrust of these expectations is consistent across different laws, regulatory guidelines, pronouncements, memos, informal guidance, etc.
U.S. Sentencing Commission – Federal Sentencing Guidelines for Organizations
Built-in incentive for having an effective compliance program – greatly reduced fines
Outlines 7 key criteria for establishing an “effective compliance program” (§8B2.1)
1) Standards and procedures to detect and prevent criminal conduct
2) High-level program oversight
3) Due care regarding individuals with discretionary authority in the program
4) Communications and training to all levels
5) Monitoring, auditing, and evaluation of the program, including employee reporting mechanisms without fear of retaliation
6) Consistent enforcement – incentives and discipline
7) Respond appropriately to detected wrongdoing and prevent similar conduct, including updating the program
Other regulators have developed their own guidance based on this model
Department of Justice - Principles of Federal Prosecution of Business Organizations
Includes a section on Corporate Compliance Programs (USAM 9-28.800):
While the Department recognizes that no compliance program can ever prevent all criminal activity by a corporation's employees, the critical factors in evaluating any program are whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives.
The fundamental questions any prosecutor should ask are: Is the corporation's compliance program well designed? Is the program being applied earnestly and in good faith? Does the corporation's compliance program work?
Department of Health & Human Services – Office of Inspector General
Health Care Provider Compliance Training Slides
50+ pages of suggested ways to measure various elements of a compliance program
Department of Justice – Antitrust Division
Elements of An Effective Compliance Program
Design and comprehensiveness of the program
Culture of compliance within the company
Responsibility for, and resources dedicated to, compliance
Risk assessment techniques
Compliance training and communication to employees
Monitoring and auditing techniques, inc. continuous improvement
Reporting mechanisms
Incentives and discipline
Remediation methods
DOJ and SEC – The FCPA Guide
Released in November 2012 jointly by the DOJ Criminal Division and SEC Enforcement Division
Hallmarks of Effective Compliance Programs
Commitment from Senior Management and a Clearly Articulated Policy Against Corruption
Code of Conduct and Compliance Policies and Procedures
Oversight, Autonomy, and Resources
Risk Assessment (“One-size-fits-all compliance programs are generally ill-conceived and ineffective …”)
Training and Continuing Advice
Incentives and Disciplinary Measures
Third-Party Due Diligence and Payments
Confidential Reporting and Internal Investigation
Continuous Improvement: Periodic Testing and Review
M&A: Pre-Acquisition Due Diligence and Post-Acquisition Integration
DOJ Criminal Division – Evaluation of Corporate Compliance Programs
Released April 2019
Most recent and comprehensive guidance – approximately 20 pages
“This document is meant to assist prosecutors in making informed decisions as to whether, and to what extent, the corporation’s compliance program was effective at the time of the offense, and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate (1) form of any resolution or prosecution; (2) monetary penalty, if any; and (3) compliance obligations contained in any corporate criminal resolution (e.g., monitorship or reporting obligations).”
https://www.justice.gov/criminal-fraud/page/file/937501/download
DOJ Criminal Division – Evaluation of Corporate Compliance Programs
Guidance is organized in three sections:
I. Is the corporation’s compliance program well designed?
II. Is the corporation’s compliance program being implemented effectively?
III. Does the corporation’s compliance program work in practice?
Includes many questions that prosecutors should ask when evaluating a compliance program…which means you should be asking these same questions! And incorporate them in audit plans.
DOJ Criminal Division – Evaluation of Corporate Compliance Programs
Sample from the Risk Assessment section
DOJ Criminal Division – Evaluation of Corporate Compliance Programs
I. Is the Corporation’s Compliance Program Well Designed?
A. Risk Assessment
B. Policies and Procedures
C. Training and Communications
D. Confidential Reporting Structure and Investigation Process
E. Third Party Management
F. Mergers & Acquisitions
DOJ Criminal Division – Evaluation of Corporate Compliance Programs
II. Is the Corporation’s Compliance Program Being Implemented Effectively?
A. Commitment by Senior and Middle Management
B. Autonomy and Resources
Prosecutors should evaluate whether “internal audit functions [are] conducted at a level sufficient to ensure their independence and accuracy,” as an indicator of whether compliance personnel are in fact empowered and positioned to “effectively detect and prevent misconduct.” JM 9-28.80
C. Incentives and Disciplinary Measures
DOJ Criminal Division – Evaluation of Corporate Compliance Programs
III. Does the Corporation’s Compliance Program Work in Practice?
A. Continuous Improvement, Periodic Testing, and Review
Internal Audit - What is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process? How are audits carried out? What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often does internal audit conduct assessments in high-risk areas?
B. Investigation of Misconduct
C. Analysis and Remediation of Any Underlying Misconduct
Prosecutors will review Internal Audit’s role and performance within the overall compliance program.
Benefits of an Effective Compliance Program
Two weeks ago, the SEC charged a former banker at Goldman Sachs’ UK subsidiary with FCPA violations for paying bribes to government officials in Ghana to help a Goldman client win a power plant contract there.
However, the SEC did not charge Goldman itself because of the bank’s efforts to stop the alleged wrongdoing.
Benefits of an Effective Compliance Program
In Feb. 2019, the former President and former Chief Legal Officer of Cognizant were charged with FCPA violations for allegedly approving the payment of $2m in bribes to Indian government officials related to licenses and permits for constructing a large new facility there.
The company agreed to a cease-and-desist proceeding with the SEC and paid $25m in penalties, disgorgement, and interest, but it also received a declination letter from the DOJ (i.e., the DOJ decided not to prosecute the company).
Benefits of an Effective Compliance Program
From the DOJ declination letter:
Polling Question 4
Has your organization compared its compliance program to the relevant guidance issued by federal regulators and enforcement agencies?
A. Yes
B. No
C. Don’t know
D. “What’s a compliance program?”
Effective Fraud & Compliance Assessments
Managing Fraud Expectations
How important is fraud risk to your organization and stakeholders?
Whose job is it to find fraud?
Can someone within your organization find fraud?
How do you currently prevent and/or detect fraud schemes?
Does your organization currently conduct an evaluation of fraud risks?
Internal Audit’s Role and Responsibility
The Institute of Internal Auditors sets forth certain standards regarding fraud:
IPPF Standard 1210.A2 | Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.
IPPF Standard 2120.A2 | The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.
IPPF Standard 2210.A2 | Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.
Internal Audit’s Role and Responsibility
COSO views the management of fraud risk as the responsibility of “personnel at all levels of the organization – including every level of management, staff and internal.”
Five Fraud Risk Management Principles
Control Environment: The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.
Risk Assessment: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.
Control Activities: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.
Information & Communication: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.
Monitoring Activities: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
COSO Internal Control – Integrated Framework Presentation May 2013 by COSO.org
Fraud Risk Assessment – Common Elements
The organization considers the potential for fraud in assessing risks to the achievement of objectives.
Involve stakeholders
Brainstorm and identify potential fraud schemes
Disregard the control environment
Use a risk-based approach – likelihood and impact
Consider emerging risks
Document a thorough risk assessment
Fraud Risk Management Process
Establish a fraud risk management policy as part of organizational governance
Perform a comprehensive fraud risk assessment
Select, develop and deploy preventative and detective fraud control activities
Establish a fraud reporting process and coordinated approach to investigation and corrective action
Monitor the fraud risk management process, report results and improve the process
5 Questions Every Organization Should Be Asking
1) Does the organization have a fraud response plan in place that outlines key policies and investigation methodologies?
2) Who carries out fraud investigations within the organization?
3) Who is tasked with identifying where fraud risk is present, and does it audit controls in these areas? (risk management, internal audit, other)
4) When fraud has occurred, is an investigation performed to understand how the controls failed and how they can be improved? Who is tasked with performing this investigation?
5) Who is tasked to investigate fraud, and, do they possess the proper skill sets to carry out such investigations?
Compliance Risk Assessments
Specifically identifies regulatory compliance and legal risks
Laws and regulations with which the organization is required to comply in all jurisdictions where it conducts business
Critical organization policies
Should be linked with enterprise and internal audit risk processes
Interrelationships exist between enterprise, internal audit and compliance risk assessments
Linkage helps an organization understand the full range of its risk exposure
Assessments should be comprehensive, customizable and allow for both objective and subjective evaluation of risks
Compliance Risk Assessments
Effective compliance risk assessments capture elements of the organization’s mitigation strategies
Assess both inherent and residual compliance risk, similar to ERM processes
Assessing the Reporting Structure
The question of what is the “right” reporting structure for Compliance has been hotly debated over the years
Separate Chief Compliance Officer vs. secondary role for GC (or someone else)?
Report to Legal? Report to CEO/CFO? Report directly to Board?
No “correct” answer – any can be successful
Trend is toward separate Compliance function
Keys: Who has responsibility and accountability for the compliance program? Independence, Access, Influence, and Resources
Common Pitfalls in Fraud and Compliance Programs
Assumed communication amongst teams charged with managing risk in the organization
Lack of a Risk Assurance Map
Lean organizational structures or overwhelmed assurance and compliance functions unable to take a strategic view of the organization’s risks
Assessments should be comprehensive, customizable, and allow for both objective and subjective evaluation of risks
Lack of customized training (using a one-size fits all approach)
Tone at the Top and fear of speaking up
Polling Question 5
Has your organization conducted a risk assurance mapping exercise to centralize risk identification and assessment?
A. Yes
B. No
C. Unsure / Uncertain
D. N/A
Today’s Case Study
Case Study - Background
Company Background
Publicly traded, global organization conducting business in 60+ countries
Increasing competitive pressures and declining margins
Pressure to meet forecasts and externally communicated targets
Increasing levels of regulation across the globe
Relevant Facts
Compliance function was a lone individual within the General Counsel’s office
GDPR, FCPA, Sanctions, and other regulations overwhelmed resources
ERM & Internal Audit were not integrated with Compliance function
Fraud and Compliance Risk Assessments had not been conducted
Hotline calls directed to General Counsel’s office for vetting and assignment of resources, if deemed necessary
Case Study – What Happened?
One business unit improperly accelerated revenues and deferred expenses at period-ends to meet its financial targets.
A call to the hotline had gone ignored due to personal relationship(s)
The ERM function was not properly championed and enabled and could not obtain information sufficient to identify this as a risk
Incomplete enterprise risk assessments, inadequate communication of compliance risks, and nonperformance of fraud risk assessments meant Internal Audit was focused on the wrong risks and areas of the business
The Compliance function was overwhelmed with monitoring efforts and unable to adequately review KPIs and self-assessments for indicators
Management exerted significant pressure on line workers and middle management that resulted in these actions being rationalized to achieve:
The business’s financial targets
Individual targets relating to annual incentive plans
Continued employment
Case Study – What Should Have Happened?
1. The business should have placed more emphasis on proactive identification of compliance and fraud risks.
2. The business’s assurance and compliance functions should have been better aligned and communicating.
If the above had occurred, the business may have prevented occurrence of the fraud by implementing the following:
Hotline calls: Increased communication between Counsel and Internal Audit could have raised an issue, or calls could have been redirected to Internal Audit for follow up.
A risk assurance map could have been completed by ERM, Internal Audit, and Compliance to reflect the vulnerabilities within the organization.
Executive Management could have adequately supported Internal Audit and ERM in their efforts to review information and identify important risks.
Compliance and Fraud Risk Assessments could have been conducted.
Polling Question 6
Would you like to subscribe to Risk Advisory Services and Internal Audit Webinar Series updates (these may include webinar invitations, news, thought leadership articles, etc.)?
A. Yes
B. No
Concluding thoughts
Coming Soon