The Fraud Examiner’s Journey to the Compliance Office
Fraud Conference
TRANSCRIPT
Paul E. Zikmund
Director, Global Ethics & Compliance
Bunge
Agenda
Current Compliance Risk Assessment
Compliance Defined
Role of the Compliance Officer
Skills & Qualifications of the CCO
Hallmark of an Effective Compliance Program
Building Key Partnerships
CFE to CCO
Industry Trends and Analysis
Current Compliance Risk Environment
Laws, Regulations, & Guidance
Sarbanes-Oxley Act
U.S. Federal Sentencing Guidelines
PATRIOT Act—Anti-money laundering
Insurance policies and ratings agencies (Moody’s)
IIA Fraud Risk Practice Guidance
Statement of Audit Standards No. 99
DOJ/SEC FCPA Resource Guide
Dodd-Frank Act
COSO—Internal Controls—Integrated Framework Update
Four Emerging Compliance Risks to Consider in 2014
© 2012 The Corporate Executive Board Company. All Rights Reserved. ADR4006812SYN ADR4006812SYN-CEB
Please note that the CEB program names referenced in this document have changed since the time of publication.
#1. Destructive Microcultures
Company culture (even when it’s very strong) is not a uniform thing. Environments and observed misconduct rates will vary by country and by business unit and companies need to be aware of where their cultural hot spots exist to prioritize compliance and ethics resources.
#2. Tone at the Middle
Most companies are discovering that a tone from the top, a code of conduct, and annual compliance training are not enough to create a strong culture of compliance and ethics. Research indicates that the middle manager disproportionately influences (positively and negatively) the integrity behaviors of individual employees and teams, yet most firms do not effectively foster this tone at the middle.
#3. Third-Party Relationships
In 2013, almost 55% of Chief Audit Executives identified control deficiencies in third-party relationships, perhaps not surprising given the growing ecosystem of third parties to execute core business functions, most specifically contract workers and outsourcing service providers.
#4. Business Resistance
Almost 40% of compliance failures can be attributed to “unintentional noncompliance”: employees committing misconduct because of (1) a lack of awareness or (2) the complex nature of some compliance processes. Many compliance teams have started to measure their level of “alignment” with key business partners as a way of identifying improvement opportunities.
Corruption Perceptions Index Map
ERC National Business Ethics Survey
“Companies are working harder to build strong cultures and implement increasingly sophisticated ethics and compliance programs. The results show that companies are doing a better job of holding workers accountable, imposing discipline for misconduct, and letting it be known publicly that bad behavior will be punished.”
More than one in five workers who reported misconduct said they suffered from retribution as a result of doing so.
The percentage of companies viewed as having “strong” ethics cultures climbed to 66 percent in 2013, compared to 60 percent in the last survey.
ERC National Business Ethics Survey
The percentage of companies providing ethics training rose from 74 percent to 81 percent between 2011 and 2013.
Two-thirds of companies included ethical conduct as a performance measure in employee evaluations, up from 60 percent in 2011.
Employees claimed that members of management are responsible for six of every ten instances of misconduct.
#2. Tone at the Middle: Compliance Only Learns About 17% of Compliance Violations
How Information About Business Misconduct Travels: Analysis of 2012 Reporting Trends from CEB RiskClarity’s Database
If 1,000 employees observe misconduct, then only 602 report what they observe; forty percent of observed misconduct never leaves the workforce.
Of the employees who report: 408 tell their direct manager or supervisor; 209 report to HR, Legal, or other corporate function (outside Compliance); 50 take their reports directly to Compliance.
Managers who receive those reports: about 290 talk to their own direct manager or supervisor; about 213 talk to HR, Legal, or other separate function (outside Compliance); about 123 take their reports directly to Compliance.
Source: Compliance and Ethics Leadership Council of the Corporate Integrity Practice, www.celc.executiveboard.com
#4. Business Resistance: Understanding the Causes of Material Compliance and Ethics Risk Events
Root Causes of Compliance and Ethics Risk Events: Percentage of Events Attributed to Cause, 2011 (n = 58 companies). Chart categories: Process Complexity Leads to Unintentional or Negligent Noncompliance; Lack of Employee Awareness; Poor Regulatory Tracking; Poor (Permissive) Corporate Culture; Employee Self-Interest; Other Root Cause; Operational Burden.
Lack of employee awareness and process complexity are among the top three most frequently cited causes of material compliance and ethics risk events.
More than 7 in 10 material compliance risk events result from either a failure to create clear compliance expectations or a prioritization of self over company.
Unintentional risk events are generally caused by a lack of clear employee expectations.
Intentional risk events stem from employees, as an individual or as a group.
Only 6% of material compliance risk events result from a failure to track new (or changing) regulations.
Did You Know? In the past three years, companies experienced a median of 20 material compliance and ethics risk events.
Figure 2: Average Cost of Fines and Settlements for a Single Violation (in millions of US dollars, 2011 and 2012). Categories shown: FCPA Violations; Securities Violations; Money Laundering/Bank Secrecy Act Violation; Fraud; Data Privacy or Information Security Violation; Discrimination; Health and Safety Violations.
Source: CEB analysis
Health and safety violations have an average cost of $2,132 per incident.
Ernst & Young 12th Global Fraud Survey
Increasing risk of bribery and corruption
Nearly half of the organizations surveyed had been victimized by a significant fraud within the prior year
Managing third-party risk is high priority
M&A poses significant risk to companies
Employees committed 85% of the worst frauds
Continued need to build stronger control environment (policies, training, stronger Code of Conduct, stronger compliance programs)
Fraud Is Pervasive—2014 ACFE Survey
Estimated $3.7 trillion in fraud losses
85% of all frauds involve asset misappropriation schemes
Median loss = $145,000 per incident
Average scheme = 18 months before detection
Over 40% of all fraud is discovered through tips and complaints
Corruption & billing schemes present the greatest risk
Anti-fraud controls = reduced occurrences & losses
Highest risks = banking, government, & manufacturing
It takes time and effort to recover the money stolen by perpetrators, and many organizations are never able to fully do so.
Cost of Organizational Dishonesty
Reputation degradation
Lower employee morale
Loss of sales
Increased absenteeism
Loss of assets
Disruption to operations
Cost of investigations
Lower job satisfaction
Higher employee turnover
Health consequences
Lack of trust
Backlash to controls
Source: MIT Sloan Management Review
What Is Ethics & Compliance?
Compliance Defined
What Is Corporate Compliance?
“Designed to prevent unlawful conduct and to promote conformity with externally imposed regulations, provide a second component of background for organizational ethics.”
The internal programs and policy decisions made by a company in order to meet the standards set by government laws and regulations.
A corporate compliance program is generally defined as a formal program specifying an organization’s policies, procedures, and actions within a process to help prevent and detect violations of laws and regulations.
Means conforming to a rule, such as a specification, policy, standard, or law.
Compliance Mission
The mission of Bunge’s Global Ethics and Compliance (GEC) is to serve the best interests of the Company, its employees, customers, and stockholders by promoting an organizational culture committed to integrity, ethical conduct, and compliance with the law. GEC will support Bunge’s achievement of financial, operational, and strategic objectives by incorporating compliance and ethics in daily business practices and by setting standards, policies, and procedures that contribute to responsible practices and the integrity of Bunge’s products and services.
What Is Organizational Ethics?
Organizational ethics is the ethics of an organization, and it is how an organization ethically responds to an internal or external stimulus.
Organizational ethics express the values of an organization to its employees and/or other entities irrespective of governmental and/or regulatory laws.
Ethics are the principles and values an individual uses to govern his activities and decisions. In an organization, a code of ethics is a set of principles that guide the organization in its programs, policies, and decisions for the business.
Organizational ethics is a broad concept that includes not only culture and trust, but also processes, outcomes, and character, and denotes “a way of acting, not a code of principles.”
Food for Thought
Nancy is a supervisor at LBT Corporation. She manages LBT’s human resources function for a division of the organization.
LBT conducts annual ethics and compliance certification training during which employees log into a portal and answer questions after viewing the training. The course takes approximately 30–45 minutes to complete.
Nancy, in her efforts to help her overworked staff, sends the following email message: “Hello Everyone, there are 20 questions at the end of the training. In order to save the team some time I’ve included the answers below. Feel free to jump ahead and finish the certification much quicker than normal.”
What, if anything, should happen to Nancy?
Role of the Chief Compliance Officer
Roles & Responsibilities
Develop corporate compliance strategy
Conduct compliance risk assessments
Develop and periodically review appropriate compliance policies and procedures
Coordinate proactive measures to identify gaps in compliance with company policies and procedures
Conduct compliance training and awareness programs
Oversee the organization’s code of business conduct
Communicate results to executive leadership, audit committee, and other relevant parties
Roles & Responsibilities
Respond to alleged violations of rules, regulations, policies, procedures, and standards of conduct by evaluating or recommending the initiation of investigative procedures
Ensure proper reporting of violations or potential violations to duly authorized enforcement agencies as appropriate and/or required
Monitor and, as necessary, coordinate the compliance activities of other departments to remain abreast of the status of all compliance activities and to identify trends
What You Need to Know
Skills and Qualifications of the Chief Compliance Officer
Skills & Qualifications
Knowledge of relevant laws and regulations
Ability to collaborate with multiple functions and executive leadership
Excellent verbal & written communication skills
Critical thinking skills
Managerial courage
Strong networking skills
Good public speaker
Excellent credibility and strong brand
Forward thinking
Enjoys ethics
Hallmarks of an Effective Compliance Program
RUNNING A SUCCESSFUL PROGRAM
Federal Sentencing Guidelines
Oversight
Standards & Procedures
Auditing & Monitoring
Education & Training
Reporting
Response & Investigation
Enforcement & Discipline
Filip Memo
Nature & seriousness of the offense
Pervasiveness of wrongdoing
History of offenses
Timely & voluntary disclosure
Pre-existing compliance programs
Remedial actions
Collateral consequences
Adequacy of prosecution of individuals
Adequacy of remedies
2010 FSGO Amendments
CCO has direct access to the Board or Audit Committee
The compliance program discovered the offense
The organization promptly reported the offense
No member of the compliance program was involved in the misconduct
Organizations should continuously reassess their compliance programs
Pfizer FCPA Settlement
Delegation of compliance responsibilities to a high-level compliance officer
Appoint head of compliance for each business unit
Establish an Executive Compliance Committee
Establish a group to handle investigations, anti-corruption, and mergers and acquisition compliance
Risk-based annual reviews
Anti-corruption, risk-based, third-party due diligence
Compliance training & awareness programs
Annual compliance/FCPA certificates from senior managers
Elements of an Effective Program
Element 1: Commitment from Senior Management
Element 2: Code of Conduct & Compliance Policies
Element 3: Oversight, Autonomy, & Resources
Element 4: Risk Assessment
Element 5: Training, Awareness, & Continued Advice
Element 6: Incentives & Disciplinary Measures
Element 7: Third-Party Due Diligence
Element 8: Confidential Reporting & Investigation
Element 9: Periodic Testing & Review
Element 10: Mergers & Acquisitions Due Diligence
Commitment from Senior Management
Tone at the top
Active board and audit committee
Tone in the middle
More than a paper program
Senior manager assigned to oversee compliance
Clearly defined values and standards
Communicated in unambiguous terms
Disseminated throughout the organization
Compliance Policies/Code of Conduct
New-hire policy
Code of conduct—code of ethics—employee handbook
IT/Internet ethics policy
Method of communication
Frequency of communication
Ease of access/centralized
Communicated to third parties
Frequency of certification
Required percentage of acknowledgement
Oversight, Autonomy, & Resources
Assigned to a senior-level person—CCO/CECO
Access to executive leadership—seat at the table
Reputation within the organization
Adequate staffing—proportionate to the size of the organization
Adequate resources—technology, portal, budget, etc.
Access to external consultants, lawyers, investigators, etc.
Approved charter (independent & objective function)
Not a paper program
Risk Assessment
Documented process
Tailored to meet the organization’s unique risk profile
Considers business lines, products, services, geographic locations, customer base, and distribution channels
Involves relevant personnel
Performed on a routine basis
Development of heat map
Shared and tracked with functions and business units
Training & Awareness Programs
Variety of training programs
Frequency of training sessions
How is training conducted
Special training for new policies and policy changes
Is training tracked and monitored for attendance, completion, and effectiveness
Who conducts the training
Incentives & Disciplinary Measures
Appropriate and clear disciplinary actions
Applied reliably and promptly
Publicized internally for deterrent effect
Fraud, misconduct, or policy violations result in swift and appropriate consequences
Not just a paper program
Review basis for disciplinary action taken by the organization
From the boardroom to the supply room
Incentivize compliant behavior
Celebrate success
Third-Party Due Diligence
Defined as “reasonable inquiry” and not absolute certainty
Not necessarily an investigation or detailed fact finding
Companies are advised to maintain a standard practice or written policy
Important to define an escalation process when red flags are uncovered during the due diligence
Companies should use logic and rational thinking when evaluating third parties and be able to defend their position
Due diligence is not the same for everyone. The approach may vary depending upon the type of company
Include third parties, transactions, & relationships
Confidential Reporting & Investigation
Efficient, reliable, and properly funded investigation process
Internal mechanism to report concerns
Effectively assigned for prompt follow-up
Investigated by objective, independent, and competent personnel
Assignment of proper management oversight
Results shared internally with appropriate personnel
Investigations conducted in line with company policies and within legal and regulatory guidelines
Concerns are tracked and periodically reported to the audit committee/senior management
Periodic Testing and Review
Continuous improvement
Business is constantly changing
Acquire companies
Launch new products
Open new offices
Change of senior leadership
Industry sweeps—monitor and respond
Continuous monitoring
Active internal audit function
M&A Pre-/Post-Acquisition Due Diligence
Background checks (reputation, litigation)
Social media review
Criminal/civil history
Interviews & intelligence gathering
Analysis of financial records
Assessment of anti-fraud/compliance programs and controls
Assessment of physical security risks
Organized and consistent risk-based program
Bunge’s Compliance Programs, Policies, & Controls
CCO Mission; Global Fraud & Misconduct Policy; Global Investigation Protocols; Allegations Matrix; GEC Investigation Guidelines
CCO Mission
Defines the purpose of ethics and compliance & the areas of responsibility
Global Fraud & Misconduct Policy
Governs receipt, retention, and treatment of complaints
Global Investigation Protocols
Defines the general principles for the conduct of investigations by Legal/Compliance & Internal Audit
Allegations Matrix
Prioritizes allegations in three separate levels (A, B, C)
Assigns a specific person or function the authority to investigate
GEC Investigative Guidelines
Serves as a guide and reference to enroll investigative procedures and processes during the collection of facts and evidence in matters where illegal, unethical, or otherwise improper acts are alleged
Building Key Partnerships
KEYS TO ENSURE PROGRAM SUSTAINABILITY & EFFECTIVENESS
Key Stakeholders around the Ethics & Compliance Programs & Controls: Internal/External Auditors; Human Resources/Legal/IT; Senior Management; External Agencies; Board & Audit Committee; Middle Management & Employees
Pathway to Compliance Role
CFE to CCO
Recommendations
Know your company
Where does compliance fit in your organization?
Understand the regulations
Forward thinking and innovative
Understanding and managing risk
Review your internal policies and procedures
Build a campaign for compliance
Highlight risk
Avoid “the voice of no”—be an enabler
Recommendations
Develop a compliance charter
Embrace visibility
Build key partnerships and relationships
Generate excitement
Revise the hotline
Rewrite the code of conduct
Conduct training and awareness
Crisis drives change
Deliver perfection
Continuous improvement
Know Yourself
Outgoing
Strong communicator
Managerial courage
Embrace crisis and continuous change
Open to criticism and being judged by hindsight
Like to travel
Overcome pitfalls, roadblocks, and resistance
Willing to build the brand
Knowledgeable, continuous learner
Good educator