SCCE Compliance & Ethics Institute
Trust & Verify: Investigation and Compliance Forensic Tools
September 16, 2014

Presenters:
Martin Wolin, Chief Risk & Compliance Officer, Mercer North & Latin America, Boston, MA
Alan K. Halfenger, Chief Compliance Officer, Bain Capital, LLC, Boston, MA

Agenda
- Background and Introduction
- Approach Overview: Investigations vs. Forensic Tools; Functional Responsibility and Key Stakeholders
- Forensic Tools: Audit and Reviews; Monitoring
- Investigations
- Questions & Answers

Background and Introduction
Firm profiles may be very different, but their approaches and issues are often remarkably similar.

Category: Key Characteristics
- Firm Profile: Size; Geographic Locations; Business Model and Lines of Business; Employee and Client Base; Public vs. Private Company; Culture; Risk Tolerance and Reputation
- Program Profile: Size; Budget; Centralized vs. Decentralized; General vs. Business/Regulatory Specific; Other Control Functions; Third Party Support
- Regulatory Environment: Federal vs. State vs. Local; Non-US Regulations; Regulatory Environment and Enforcement Culture; Civil vs. Criminal; Rate of Change; Litigation Concerns
- CCO Profile: Background and Experience; Mandate and Reporting Lines; and

A firm's commitment to compliance will impact how it approaches the identification and mitigation of potential risks.

Approach Overview: Investigations vs. Forensic Testing
The approach may be similar in each process, but the catalysts, sensitivity and stakes may be much higher for investigations.

Forensic Testing
- Proactive and continuous
- Driven by senior management's commitment to ensuring a sound compliance culture
- Protects the firm by self-identifying bad actors and behaviors and correcting them
- Management reporting and transparency are critical to the process
- Testing is core to any compliance process because it allows the firm to continuously analyze its actual compliance
- Critical under the US Sentencing Guidelines

Investigations
- Reactive and intermittent
- Often driven by external events and forces
- Damage often already done when investigation work commences
- Significant willful-blindness or cover-up risk during the process
- Significant legal, regulatory and reporting risk
- Process often leverages external resources and is conducted under privilege

Approach Overview: Functional Responsibility and Key Stakeholders
Overlapping responsibilities among control groups may at times create redundancy without added value or risk mitigation for the firm. Key control functions often overlap in responsibility; this requires coordination to ensure adequate oversight of risk.
- Business: Business Direction and Oversight
- Legal: Regulatory Advice & Litigation Support
- Audit: Controls and Testing
- Risk Management: Risk Identification and Mitigation

Approach Overview: Functional Responsibility and Key Stakeholders (Continued)
These compliance processes must take into consideration a long list of internal and external stakeholders.

Internal
- Corporate/Senior Management
- Line of Business/Employees
- Control Entities: Legal; Audit; Risk Management

External
- Regulators (Do we self-report?)
- Clients
- Shareholders
- Unintended Third Parties: Congress; Media; Mom and Dad

Forensic Tools: Audit and Reviews. Key Objectives

Strategic Goals
- Provide reliable and timely results so that appropriate action can be taken by the business to address the issues identified.
- Verify compliance with regulatory requirements and other obligations to the satisfaction of regulators, boards and leadership.

Operational Goals
- Continually improve the quality, consistency, efficiency and effectiveness of the program.
- Periodically review the program in light of regulatory developments and incidents to ensure its content stays relevant.
- Apply a risk-based process to ensure resources are directed to our greatest exposures.
- Leverage firm-wide resources to maximize breadth of coverage.
- Utilize more thematic reviews, surveys and certifications in lieu of traditional on-site office reviews.

Forensic Tools: Audit and Review. Plan Development and Factors Considered
Compliance auditing priorities are a function of the varying levels of risk, resources and local program monitoring maturity. Topics and locations to be monitored are selected based on:
- Prior Results & Coverage: Monitoring & Internal Audits
- Investigations & Incidents of Non-Compliance
- Regulatory & Other Environmental Developments
- Compliance Elements Self-Assessments
- Key Initiatives / Market Expansion
- Input from Business and R&C Leaders
- Key operational and compliance risks
These inputs feed the 2014 Auditing Plan.

Forensic Tools: Audit and Review. Risk-Based Location Selection Criteria
- Presence of regulated activity
- Presence of new activity: acquisitions; new products/services
- Litigation history: number of reports to counsel; total annual litigation spend
- Time since last review
- Number of hotline calls
- Prior compliance monitoring review and Internal Audit scores
- Number of detected compliance violations
- Number of detected privacy incidents
- Management gut feel

Forensic Tools: Audit and Review. Risk-Based Topic Criteria
- Periodic office reviews include some combination of remote and on-site file reviews, colleague interviews, facility reviews and integrity checks on self-monitoring.
- Risk areas to be reviewed are generally divided into core (e.g., applying to many locations and businesses) and non-core (e.g., applying to select locations, topics and/or businesses).
- Topics for a specific review are chosen based on the risk profile of the business and location, with core program elements supplemented by reviews of higher-risk areas.
- Office reviews are supplemented with thematic reviews, surveys and certifications.
- To increase coverage, we work to embed as much compliance auditing as possible into locally owned risk/quality frameworks.

Forensic Tools: Audit and Review. Reporting and Remediation
- Findings and action plans from global reviews are collected.
- Results are scored and reported to management, boards and select risk committees at the conclusion of each review, using a defined scoring methodology.
- Required actions and recommendations are provided to management following each review and tracked by Compliance to completion.
- Wrap-up sessions and training are provided to local colleagues in conjunction with the majority of on-site reviews.
- Quarterly reporting is provided to senior leadership outlining key findings for certain policies.

Forensic Tools: Audit and Review. Collaboration with Partners

Internal Audit (IA)
- Discussions were held with Internal Audit to ensure no major overlap in monitoring activities.
- Results are shared between Compliance and IA throughout the year.
- Compliance and IA verify remediation of one another's material findings when possible.

The Business
- In some countries, many issues that would traditionally have been covered under a compliance auditing program are reviewed as part of the risk frameworks that are in place in the larger markets and that are being developed across the region.
- Ownership, review and reporting of risks by the businesses, coupled with support and oversight by Compliance, has been an effective approach.
- Honor business requests to develop auditing regimes for higher-risk areas.
- Compliance leverages business subject matter experts to participate in certain reviews.

Forensic Tools: Monitoring. Monitoring Overview
A firm's Monitoring Program is part of a group of key risk mitigants deployed by the Compliance Department, which include:
- Monitoring Program (focus areas: Monitoring; Ongoing Testing; Surveillance; Communication Reviews)
- Tone at the Top / Culture
- Management Reporting of Key Data
- Management Reporting of Raw Data
- E&R Focused Reviews
- Ongoing Advice and Involvement
- Policies and Procedures
- Firm-wide Training

Monitoring areas:
1. Electronic Communications Review: Trading Desk; Sales & Marketing; General Employee
2. Employee Monitoring: Monthly Reporting; Social Media Monitoring; Conflicts of Interest; Operational
3. Data Loss Prevention/Process: Data Removal; Data Upload and Viruses; Access Controls; Data Security/Hacking
4. Business Monitoring and Trading Surveillance: Key Interactions; Business Trade Surveillance; Portfolio Management; Ethical Walls

Forensic Tools: Monitoring. Monitoring Culture
Different firm cultural norms will balance employee rights and privacy against firm risk when addressing e-mail monitoring and data security. Four points on the spectrum:

Blind Faith
- Small and unregistered firms (real estate, venture, single PE fund)
- Infrequent ad hoc reviews
- Limited review scope
- No automation/technology
- Unlimited access to websites and personal mobile devices

Light Touch
- Registered HF, PE and multi-strategy firms
- Generally ad hoc reviews
- Limited review scope, focused on higher-risk areas
- Minimal automation/technology
- Broad access to websites and personal mobile devices

Trust and Verify
- Larger registered HF, PE and multi-strategy firms
- Ongoing routine reviews plus limited/necessary ad hoc reviews
- Broad review scope with deep dives into higher-risk areas
- Effective use of automation/technology
- Selected websites and personal mobile devices blocked

Police State
- Investment banks, mutual funds, broker/dealers
- Ongoing routine and ad hoc reviews
- Very broad review scope with deep dives into most areas
- High degree of automation/technology
- General policy to block websites and personal mobile devices

The two ends of the spectrum:
- Blind Faith end: high degree of employee freedom & privacy; low cost; limited oversight & disciplinary process; smaller, less complex firms
- Police State end: limited employee freedom & privacy; high cost; formal oversight & disciplinary process; larger, more complex firms
The "Successful Range" lies between the two ends. The Bain surveillance program has moved along this spectrum in two respects: (1) monitoring exiting employees and (2) increased standardization and management reporting.

Forensic Tools: Monitoring. Monitoring Process
Below is the routine Monitoring process, developed with the goal of providing a consistent and controlled approach across reviews.
1. Business or Employee Activity
2. Monitoring Activity (Monitoring Team)
3. Reporting and Exception Generation (Monitoring Team). Business reporting is generally raw data. Pitfall: "Needle in a haystack."
4. Preliminary Research (Monitoring Team). Pitfall: "Digging too many holes."
5. Additional Research and Follow-Up (Business Unit Compliance Officer). Pitfall: "Secret police culture."
6. Final Analysis, Recommendations and Conclusions (CCO)
7. Escalation, Follow-Up and Corrective Actions (Business Unit Management and CCO)

The Monitoring team produces business reporting to provide a holistic view of business activities, and monitoring and analysis to issue-spot potential breaches of law, policies and procedures. Tracking and follow-up are central to this process.

Forensic Tools: Monitoring. Issue Identification and Escalation
- Policies should include guidelines for escalation and resolution that perpetuate fair and consistent treatment when identifying issues.
- Record keeping should include potential issues, timely issue resolution and supporting documentation.
- Reporting may be necessary to various parties: Regulators; Auditors / External Auditors; Shareholders; Clients.
- While identification, remediation and disclosure represent best practices, some firms fear the reputation risk that can result. Find it now vs. find it later!

Forensic Tools: Monitoring. Issues and Pitfalls
How much and what type of monitoring is done is driven by several key factors:
- Budget and staffing
- Risk and exposure
- Culture of Compliance / employee trust
- Impact of missing an issue
- False sense of security
- Availability of necessary data
Monitoring without meaningful and timely follow-up is a significant problem. Lack of adequate management reporting can also cause significant issues.

Investigations: Catalysts
While forensic testing seeks to prevent violations of law and policy, investigations start with a specific concern that a breach may have already occurred. Where do the concerns start?
- Management Oversight and Business Controls
- Self-Assessment Process
- Risk Management
- Forensic Testing: Audit and Reviews; Monitoring
- Regulatory Inquiry or Examination
- Internal or External Audit
- Customer Complaint
- Whistleblower Hotline and Employee Reporting
The firm's response and process is defined by the type and nature of the potential issue.

Investigations: Process and Key Issues
While the process is typically consistent with an audit or compliance review, the confidentiality and discipline must be stricter. There are several key process questions that must be addressed:
- Is there a standard playbook or approach?
- Who should conduct the investigation? Internal vs. external; internal conflicts; costs; firm knowledge
- Does it need to be privileged?
- Do we have the right skills to conduct the investigation? Forensic accounting; forensic IT specialist
- Who is in the know? Who could be involved?

Investigations: Issue Resolution
OK, so we know what happened; now what do we do about it?

Corrective Actions
- Specific actions: employee and supervisor issues; address client issues/compensation; revise process issues
- General actions: strategic solutions and systems/controls; broader testing (are there similar problems elsewhere?); related functions

Reporting
- Do the regulators require disclosure?
- Does law enforcement need to be notified?
- Do clients need to be informed?

Things to consider
- Could corrective actions be considered an admission of guilt by the regulators?
- Can this be used as evidence in a plaintiff's suit?

Q & A