Attention-grabbing regulatory traps, such as the Foreign Corrupt Practices Act, which has been highlighted in the media as a result of the Justice Department’s recently released guidelines, Sarbanes-Oxley, and the Dodd-Frank legislation, provide plenty of reasons for businesses to be concerned. Outside the U.S., similar regulations like the UK Anti-Bribery, J-SOX, and the Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Act add complexity for global operations and concerns for organizations based all around the world. Management must be aware of the red flags indicating possible violations at an early stage so that a strong focus can be placed on potentially high-risk targets for regulatory enforcement. It only takes one violation to trigger a government investigation that can lead to considerable fines and a reputation-damaging stream of bad publicity.
The most important components of any effective compliance program are 1) a risk-based assessment process for defining the borders of application of global regulations within the organization, 2) development of a consistent process to identify potential violations within those borders, and 3) continuous monitoring that will enable a company to stay informed of such red flags on an ongoing and real-time basis.
Identifying Cracks in the System
While no system is completely foolproof, there are ways to achieve reasonable assurance that your company is checking all the necessary boxes when it comes to global compliance. At the top of the must-have list is a risk-based assessment that accumulates compliance risks in a central location and allows for evaluation of those based on line-of-business and geography in order to clarify where mitigation efforts will achieve the highest levels of assurance. Once key compliance risks are identified and isolated within the organization, a workflow-enabled tracking system for potential red flags becomes a necessity. By marking suspicious transactions in a manner that spotlights potential issues while prohibiting any manipulation of underlying detail, management can operate with full transparency into compliance at a transactional level.
By using a monitoring system like this, a complete audit trail is maintained during the identification and investigation process, allowing a company to respond quickly and take immediate action to address potential violations. This system of checks and documentation is critical later on when your organization is required to demonstrate that it has a solid compliance program in place. It also significantly reduces the manual workload required to perform tests that aren’t scheduled on a continuous basis.
But with so many corners of an organization to put under the microscope with respect to each regulation, where to start?
First, focus on the highest risk areas using an approach that includes data analytics to identify areas that require further analysis. Using the FCPA as an example, here is how a company could begin to investigate for potential issues:
-Payments made to high-risk vendors
-Payments to foreign government contractors
-One-time use of vendors/consultants
Instead of spending excessive time and money on manual reviews, which if performed too far apart, could allow for a buildup of potential violations, companies need to make compliance activities efficient, cost-effective, and sustainable.
Through use of audit and risk analytic techniques, organizations are able to make potential violations visible as soon as they arise, allowing management to focus attention on the right areas and follow-up with action when necessary.
This approach is much more effective than others, such as anonymous whistleblower hotlines or frequently updated written policies, which rarely garner significant attention. Active monitoring of data is much more likely to ensure compliance with FCPA, Sarbanes-Oxley, and other government mandates.
While Enterprise Resource Planning and other business systems can prevent fraud and flag exceptions, they typically don’t do a sufficient job of snaring the problematic data. ERPs aren’t built to efficiently analyze and monitor transactions intended to mask illegal or unethical activity. When dealing with complex business arrangements, the ability to analyze data across multiple systems – including ERPs – is difficult because of poor integration.
Specialized audit and risk analytic technology examines every piece of data instead of just a sample, and then flags potential problems that must be scrutinized. By running this independently from other business systems, the analytics can correlate the varying data sets and identify indicators of non-compliance in the data.
Over time, companies that adopt this approach will be better equipped to handle flare-ups, ultimately leading to fewer compliance-related uncertainties. Given the government’s vigilant approach to monitoring for violations – whether it is FCPA, Sarbanes-Oxley, or other legislation – it’s wise to take the steps necessary to keeping your company’s name out of the headlines.
Top 3 Components to Effective Compliance Programs:
1. Risk-based assessment process
2. Consistency with regard to method used to identify potential violations
3. Continuous monitoring
Steps to Getting Started:
1. Focus on the highest risk areas using an approach that includes data analytics
2. Define top-priority “red flags” for your organization
3. Obtain the data necessary to address the red flags
4. Run analyses
5. Make adjustments where needed
6. Automate the process
Dan Zitting, Vice President, Product Management & Design at ACL, is responsible for product management, design, and user experience for ACL’s industry-leading software products. Dan’s previous experience has been in the audit, risk and assurance industry. After working for several years at Ernst & Young, he co-founded the CPA firm Linford & Company LLP, which provides audit services to global clientele. While running his own practice, he developed a web-based software for auditors to meet his team’s needs. As demand for this software increased, he founded Workpapers.com which was acquired by ACL in late 2011.
Dan is dedicated to the advancement of productivity enhancing technology for the audit profession and is a three-time winner of the CPA Practice Advisor Magazine’s 40 under 40 and Readers’ Choice awards. Dan is a Certified Public Accountant, Certified Information System Auditor and Certified Information Technology Professional. He holds a Bachelor of Science from Colorado State University and a Master of Science from the University of Notre Dame.