Compliance Illustration by ShutterstockEffective Monitoring of Compliance Programs: A Guide for Practitioners
Periodic monitoring is crucial for corporate counsel to ensure that their companies' compliance programs continue to align with changing business profiles, geographic footprints, channels to market and clients served.
January 13, 2020 at 01:30 PM
6 minute read
Periodic monitoring is crucial for corporate counsel to ensure that their companies' compliance programs continue to align with changing business profiles, geographic footprints, channels to market and clients served. In fact, the U.S. Department of Justice (DOJ) emphasized the importance of periodic testing and ensuring that compliance programs "work in practice" in its 2019 guidance document evaluation of corporate compliance programs. Despite this mandate to companies, enforcement agencies have neither outlined criteria for best-in-class compliance monitoring systems nor provided practical guidance as to how practitioners should test their effectiveness.
In this article, we will outline an approach for the design of a compliance monitoring system aimed at detecting compliance violations and identifying trends, outliers and red flags. It is important to keep in mind that what works for one company may not work for another—practitioners should read this article with an eye toward what is feasible within their companies.
Strategy. A company's compliance monitoring system should be tailored to the company's objectives for its compliance program and consistent with its corporate culture. Some highly regulated companies, for example, may prioritize having a compliance program that prevents all violations whereas a values-driven organization that is subject to less regulatory oversight might prioritize having a compliance program that is culturally embedded in the company.
Framework. Companies should determine the level at which monitoring should occur (e.g., by country, region or business line) and the cadence in which it should occur (e.g., monthly or quarterly). Practitioners can then prioritize the countries, regions, legal or financial reporting entities, or business lines that should be monitored. Perhaps most importantly, companies should determine who should receive monitoring reports, and who will be responsible for analysis and follow-up.
Measuring Risk. In measuring risks, companies must first determine what the appropriate baseline metrics should be. What is the basis for comparison? How are anomalies identified? Baseline metrics may include projected, estimated, or planned spend, against which deviations can be measured. This will differ from company to company, but some suggestions include:
- Compliance-sensitive payments: Compliance-sensitive payments are A/P transactions that create an opportunity for potentially improper payments. Changes or trends in compliance sensitive payments can highlight increased risk. For example, an increase in payments approved after-the-fact in a certain location may indicate potentially improper conduct or, at the very least, a need for training. To monitor, companies could identify and flag high-risk accounts within their ERP or accounting systems. Most accounting or ERP systems can generate reports on the flagged accounts which can be compared against projected budgets and previous reports to identify trends over time.
- Compliance-sensitive spend: Compliance-sensitive spend refers to non-A/P company spend for gifts, entertainment, or travel involving government officials or commercial clients. For example, an increase in external entertainment spend in a company's local office contemporaneous with major deals or tenders could signal the improper use of perks to influence decisions. Like compliance-sensitive payments, companies could earmark compliance-sensitive spend in their financial systems with the goal of generating and analyzing reports on a periodic basis.
- High-risk third parties: Companies should determine which of its third parties present a higher risk to the company—e.g., those that are likely to interact with government officials or major commercial clients. This type of data is often valuable in identifying areas where spend could be reduced. To monitor, companies can track the number and location of high-risk third parties engaged, third parties involved in investigations or audits and actual spend compared to projected budgets.
- New market entry: Companies are particularly vulnerable to inappropriate requests when they expand into new territories or channels to market. Projected timelines, key milestones, and projected budgets are useful baselines to compare against the actual time and spend associated with entering the market. Delays in permits, unexpected problems with partners, or poor financial performance may put pressure on local teams to take shortcuts in violation of violate company policies.
- Investigations: Trends in investigations can reveal gaps in how the company's policies are communicated and understood. The number of allegations by country or business line, the functional role of reporters, type of allegations, time before allegations were reported, and disciplinary actions imposed are important data points for comparison. Increased investigations in a particular country, for example, could indicate a need for targeted training, a change in management communications, or enhanced discipline for violations.
- Training: When compared with trends in investigations, data on the company's training program can offer insights into whether management is appropriately communicating or demonstrating its commitment to compliance and the effectiveness of such communications. Companies can monitor the frequency of the trainings, subject matter and format of training sessions, average time to completion, and test scores to determine whether there is a need for targeted training in specific geographies or on specific topics.
Monitoring Risk. Once companies have determined what criteria to measure and where such data resides, it is crucial to take the time to evaluate the sufficiency, completeness and reliability of the data that exists. Are there gaps or differences in the same data between different systems? Can the data be aggregated in a uniform way? For important criteria not captured by existing systems, companies could consider implementing interim, manual stop-gaps.
While there are several advanced, data analytics-driven products on the market for monitoring, it is important to remember that developing a compliance monitoring system is an iterative process and will take time. The best compliance monitoring systems are ones that accurately and consistently identify the types of risks specific to their companies, and the ability to identify risks depends on the quality of data available and the nature of the compliance program that the company has in place.
Vera Powell is senior counsel global compliance at Uber in San Francisco. She is responsible for managing a wide variety of anti-corruption compliance topics, including enhancing the company's risk-based third-party risk assessment and due diligence process and devising a compliance monitoring system.
Alice Hsieh is a senior associate in the international department at Miller & Chevalier where her practice focuses on corporate anti-bribery compliance. She advises companies in matters related to the U.S. Foreign Corrupt Practices Act (FCPA) and related international corruption laws, business and human rights, and other areas of corporate responsibility.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
A Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute read
Three Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
- 1Legal Advocates in Uproar Upon Release of Footage Showing CO's Beat Black Inmate Before His Death
- 2Longtime Baker & Hostetler Partner, Former White House Counsel David Rivkin Dies at 68
- 3Court System Seeks Public Comment on E-Filing for Annual Report
- 4Foreign-Company Lobbyists Would Need to Register Under Proposed DOJ Regulation
- 5'Fancy Dress': ERISA Claim Accuses Plan Administrator and Cigna Affiliates of Co-Pay Maximizer Scheme
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
