Compliance Auditing Done Right
SCCE 10th Annual Compliance & Ethics Institute
September 12, 2011
Scott Avelino
Win Swenson
Proprietary Material
Posted to the SCCE Official Site, 2014-09-03
Discussion Topics
• Rationale for Conducting Compliance Audits
• Identifying Risk Areas to Audit
• Determining Audit Scope, Roles and Responsibilities
• Selecting Appropriate Compliance Audit Techniques
• Sample Work Plan Elements
• Documenting and Acting on Results
Core Objectives of an Effective Compliance Program
• Prevent wrongdoing
• Detect occurrence
• Respond appropriately once discovered
Government Expectations
• Federal Sentencing Guidelines
− “The organization shall establish standards and procedures to prevent and detect criminal conduct.”
− “The organization shall take reasonable steps to: (a) ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct; (b) evaluate periodically the effectiveness of its compliance and ethics program; and (c) have a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.”
Government Expectations
• Department of Justice
− “Compliance programs should be designed to detect the particular types of misconduct most likely to occur in a particular corporation's line of business.”
− “Prosecutors should determine whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation's compliance efforts.”
− “The Department encourages … corporate self-policing, including voluntary disclosures to the government of any problems that a corporation discovers on its own.”
Other Practical Business Considerations
• Narrow the gap between policy and practice
• Ensure resources allocated to compliance are making a difference and achieving their intended results
• Provide directors and officers the information they need to discharge their oversight responsibilities
• Discover issues before someone else does
• Position the organization to qualify for maximum credit for identifying, remediating and self-reporting problems
• Demonstrate and reaffirm internal commitment to compliance
Discussion Topics
• Rationale for Conducting Compliance Audits
• Identifying Risk Areas to Audit
• Determining Audit Scope, Roles and Responsibilities

• Known laws or regulations that apply to the business
• Standards addressed in the code of conduct and related policies, or external codes, contracts or voluntary standards to which the company is a signatory
• Compliance topics arising from previous allegations, violations, enforcement actions or settlement agreements
• Line management or employee views of known issues or “near misses” that have arisen in the business
• Areas targeted in industry enforcement or litigation
• Business practice criticisms profiled in the media, shareholder resolutions or legislative activity
Risk Inventory – Sample Taxonomy
Sample Top-Level Compliance Risk Inventory
1.0 Health, safety and security
2.0 Environment
3.0 Fair treatment and equal opportunity
4.0 Respectful and harassment-free workplace
5.0 Privacy and employee confidentiality
6.0 Receiving and giving gifts and entertainment
7.0 Conflicts of interest
8.0 Competition and antitrust
9.0 Trade restrictions, export controls and boycott laws
10.0 Money laundering
11.0 Working with suppliers
12.0 Bribery and corruption
13.0 Dealing with governments
14.0 Community engagement
15.0 External communications
16.0 Political activity
17.0 Accurate data, records, reporting and accounting
18.0 Protecting assets
19.0 Intellectual property and copyright of others
20.0 Insider trading
21.0 Digital systems use and security
Risk Inventory – Sample Taxonomy
Second-Level Risk Inventory
1.0 Competition and Antitrust
  1.1 Price fixing
  1.2 Monopolization
  1.3 Conditioned sales
2.0 Environment
  2.1 Air emissions
  2.2 Water emissions
  2.3 Hazardous waste
3.0 Trade Restrictions
  3.1 Exports to a prohibited country
  3.2 Imports from a sanctioned country
  3.3 Restricted technology transfer to a company facility
Audit This: There Must Be At Least 25% Green Balls and Absolutely No Brown Ones
Substantive Testing
• Determine Statistical Sample Size
• Collect Sample
• Test for Compliance
Substantive Testing – Features
Strengths
• Tangible analysis and specific results.
• Good when there’s something tangible to inspect (e.g., customer files, vendor invoices, bank statements, expense reports, inventory, etc.).
• Can be aided by technology.
Limitations
• Lots of educated guesswork.
• Time and resource intensive.
• Backward looking.
• Wrongdoing can involve conduct that does not necessarily leave a clear paper trail (e.g., kickbacks, fraud).
Process/Controls Testing
• Who filled the pit?
• Did they get communication and training on the requirements?
• Did a supervisor monitor them as they filled the pit?
• Did they have access to brown balls?
• Does somebody else test the pit each time it’s filled?
Process/Controls Testing – Features
Strengths
• Less resource intensive
• Evaluates the quality of controls management relies on to prevent and detect compliance violations – which can be a proxy for predicting the state of compliance today and prospectively
Limitations
• Probative, but not determinative on whether compliance has been achieved
Eliciting Observations / Perceptions
Can apply to both process and substantive testing
• Has anyone ever seen any brown balls being used?
• Does the pit crew feel pressure to cut corners?
• Did the pit crew find the training useful and easy to understand?
• Does the pit crew feel comfortable raising questions and concerns?
Observations / Perceptions – Features
Strengths
• Not resource intensive
• Tells you what people really think
Limitations
• Subjective, open to misinterpretation or misunderstanding
• Not necessarily determinative
Upshot
• Triangulate in light of the risk area being audited
Triangulation points: Process/Controls, Substantive, Perceptions
Discussion Topics
• Rationale for Conducting Compliance Audits
• Identifying Risk Areas to Audit
• Determining Audit Scope, Roles and Responsibilities

• BU-specific compliance program elements to prevent and detect violations
− Tests of Design
− Tests of Operating Effectiveness
• Process-specific (e.g., sales, accounts payable) controls to prevent and detect violations
− Tests of Design
− Tests of Operating Effectiveness
• Substantive testing
• Subjective observations, perceptions
GPS Device Co.
Russia BU
  Consumer: North, East, West, South
  Government: Military, Aviation, Automobile, Infrastructure
  Shared Services: Human Resources, Legal, Procurement, Finance
Sample Compliance Program Considerations
• Risk assessment
• Compliance oversight responsibility
• Code, policies and standards
• Due diligence procedures
• Communication and training
• Auditing and monitoring
• Hotline
• Investigations
• Discipline, remediation, etc.
Sample Process-Specific Considerations
• Business Development – Gifts, gratuities and entertainment
• Procurement – Vendors with improper ties
• Payroll – Ghost employees
• Staffing – Visa applications
• Logistics – Shipping and freight forwarding
• Real Estate – Construction permits
Brainstorming Considerations
• Opportunity
• Pressures / Incentives
• Rationalization
Sample Red Flags to Guide Focus
• Parties Involved
− Government officials or their family members
− Entities owned by government officials or their family members
− Entities run by former government officials
− Agents, suppliers or (sub)contractors that have been pre-designated by the customer
− Agents who have multiple contracts / business relationships with the site (e.g., consulting services, warehousing, office rentals, staffing services, etc.)
− Local suppliers contracted through sole-sourced bids
− Third parties with no apparent expertise in the industry
− Apparent lack of qualifications on the part of the agent to perform services
− Use of shell or nominee companies
Sample Red Flags to Guide Focus
• Pricing Terms
− Unusual rebate or discount pricing unrelated to volume pricing or discounts, e.g., prompt payment
− Unusually high costs for goods or services
− The size of the commission paid to the agent in relation to the services performed, and/or the size of any secondary contract paid to an agent in some other capacity (e.g., fees paid for warehousing equipment or renting office space)
Sample Red Flags to Guide Focus
• Payment Methods
− Any unusual means of payment
− Cash transactions
− Many petty cash transactions
− Payment to suppliers or (sub)contractors in advance of their services unless specifically authorized by the agreement and supported by a letter of credit, bank guarantee or surety bond
− Non-monetary terms (e.g., barter / exchange of goods and services)
− Use of financial instruments not requiring a name (e.g., bearer checks)

• Are potential charities screened to ensure that the recipient has no connection to a government or political official (or their agent or immediate family) capable of providing the company with an unfair competitive advantage?
• Are potential charities screened to ensure that the recipient is a legitimate organization and is not sanctioned by the U.S. government?
• Are opinion letters sought from local legal counsel confirming that the donation is lawful under the laws of the country in which the donation is made?
• Are charitable contributions pre-approved before they are made?
• Are records and receipts for charitable contributions kept?
• Review the general ledger for charitable contribution costs.
• Select transactions for review and determine whether:
− Documentation supports the transaction
− Policies and procedures were followed
− Correct cost codes and accounting classifications were applied
− Business purpose and support appears reasonable