Developing an Integrated Anti-Fraud, Compliance, and Ethics Program


Developing an Integrated Anti-Fraud, Compliance, and Ethics Program
Monitoring, Assessing, and Remediating the Program
2018 Association of Certified Fraud Examiners, Inc.

Discussion Questions
1. How does your organization monitor its compliance and ethics program?
2. What formal metrics, if any, do you use to assess the program's effectiveness?
3. How often is the program audited?
4. Who is responsible for evaluating the effectiveness of the compliance and ethics program? Who is responsible for correcting any noted deficiencies?

Introduction
"The organization shall take reasonable steps ... to evaluate periodically the effectiveness of the organization's compliance and ethics program."
Sentencing Guidelines

Why Do Compliance and Ethics Programs Fail?
- The code sits on the shelf.
- The program ignores the company's true culture.
- The program focuses on should-nots, rather than shoulds.
- Management sets a poor example.
- Management focuses exclusively on financial performance.
- Performance incentives do not align with ethics and integrity objectives.
- Hiring and promotion practices do not screen for ethics.
- The CECO does not have a seat at the table.
- The helpline is not trusted.
- The program does not address third-party risks.
- There is widespread fear of retaliation.

Why Do Compliance and Ethics Programs Fail?
- Lack of employee awareness
- Insufficient resources
- Failure to consider cultural differences
- Failure to consider the generation gap
- Lack of clear, accessible policies
- Competing priorities and initiatives
- Insufficient monitoring
- Inconsistent enforcement and corrective actions

Monitoring Versus Assessment
- Monitoring
  - Continuous
  - Ongoing
  - Often automated
  - Used to identify program breaches and issues in real time
- Assessment
  - Structured
  - Periodic
  - Used to evaluate the effectiveness of the overall program or a component thereof

Program Monitoring
- The program should have monitoring activities integrated into each component at the outset.
- The goal is to identify variances from expected outcomes (i.e., "red flags") that merit further investigation.
- Consider assigning monitoring procedures to operations staff and management: Make them the first line of defense.
- Use automated controls and technology tools where appropriate.

Assessing Program Effectiveness
- Goal: to gauge the overall functioning of the program and to identify gaps in risk mitigation strategies
- Assessment should examine program:
  - As a whole
  - By risk
  - By location and division
  - By component
  - By impact on company's ethical culture

What Is an Effective Program?
- Before assessing the program, management must define an effective program.
- Considerations:
  - Stated program goals
  - Results of prior program assessments
  - Key financial and reputational risks
  - Regulatory and legal requirements
  - Sentencing Guidelines elements
  - Board of directors' and shareholders' expectations

Challenges in Assessing the Program
- Lack of time or resources
- Geographically dispersed or culturally diverse operations
- Uncertainty about how best to conduct the assessment
- Lack of employee participation or honesty
- Organizational silos and internal competition
- Concern that data would be used adversely in litigation
- Concern about negative results
- Lack of commitment from the organization to respond to results
- Difficulty keeping assessment current

Who Conducts the Assessment?
- Internal assessment:
  - Internal audit
  - Compliance and ethics function
- Independent third-party assessment

How Often Should the Program Be Assessed?
- As often as is meaningful and useful
- Typically annually:
  - Might need more frequent assessments for certain components
- When changes affect company's risk profile or program components

Ways to Assess Program Effectiveness
- Program audit:
  - Independent review of whole program, component, or function
  - Different from monitoring, but some overlap
- Considerations:
  - Risk assessment
  - Requirements under Sentencing Guidelines, SOX, and other regulations
  - Code and policies
  - Results of prior audits and investigations
  - Tips received

Ways to Assess Program Effectiveness
- Program metrics:
  - Helpline data
  - Investigation data
  - Violations
  - Retaliation reports
  - Code and policy attestations
  - Dismissals for violations
  - Education and training data
  - Legal actions
  - Trends in employee requests for ethical guidance
  - HR statistics
  - Product or service quality metrics
  - Program net cost
  - Third-party feedback

Ways to Assess Program Effectiveness
- Program metrics (interpret using):
  - Risk assessments
  - Standards and procedures to mitigate risks
  - Executive communications
  - Responses to issues found
  - Regulatory developments
  - Results of internal and external audits
  - Industry benchmarking data
  - Published guidance and best practices

Ways to Assess Program Effectiveness
- Employee surveys
- Employee interviews and focus groups
- Exit interviews
- Peer review

Reporting the Assessment Results
- To the board and management:
  - Actionable
  - Useful for decision making
  - Quickly digestible
  - Detailed enough to provide thorough insight into risks and effectiveness of program components

Reporting the Assessment Results
- To others:
  - Managers and supervisors throughout the organization
  - Business-unit ethics leaders
  - All employees (especially survey results)
  - Government and regulators
  - Outside organizations (e.g., compliance and ethics groups, industry groups)

Remediating Uncovered Issues
- Management
  - Reassess the risk in the area where the issue occurred.
  - Examine how and why it happened.
  - Determine how to prevent it from reoccurring.
  - Ensure that the remediation efforts are effective in correcting the identified issue.
- Compliance and ethics team
  - Work with those responsible for the deficiencies to identify and implement program modifications.
- Internal auditors
  - Help strengthen any control deficiencies.

Updating or Modifying the Program
- Have there been changes in any of the following since the last revision?
  - Internal policies
  - Organizational structure
  - Key management positions
  - Information technology
  - Laws, regulations, or guidelines
  - Industry or economic conditions
- Are there any new best practices that management should incorporate into the program?

Conclusion: DOJ Criteria
- Is directors' and senior managers' support for compliance:
  - Strong?
  - Explicit?
  - Visible?
- Does the compliance function have adequate:
  - Stature?
  - Funding?
  - Resources?
- Are the company's compliance policies:
  - Clear?
  - In writing?
  - Easily understood?
  - Translated?
  - Effectively communicated to all employees?
  - Easy to find?
  - Reviewed and kept up to date?

Conclusion: DOJ Criteria
- Do employees receive compliance training that:
  - Is repeated?
  - Informs them what to do or with whom to consult when issues arise?
- Does the company even-handedly:
  - Incentivize good behavior?
  - Discipline bad behavior?
- When dealing with third parties, does the company:
  - Make known that it is serious about compliance?
  - Take action if a third party is noncompliant?

Conclusion: Top Ten Ways to Demonstrate Company Commitment to Ethics
1. Strong ethical leadership
2. Promoting an ethical culture
3. Useful code of conduct
4. Effective ethics AND compliance training
5. Rewards and sanctions

Conclusion: Top Ten Ways to Demonstrate Company Commitment to Ethics
6. Robust anonymous reporting and helpline
7. Documented investigative process
8. Effective and tested internal controls
9. Transparency and cooperation
10. Periodic independent assessments