As an independent corporate monitor, I am, among other things, obligated to assess the effectiveness of the corporate compliance programs of the organizations I monitor. Interviews of company personnel have proven to be one of the most reliable and effective tools in making this assessment. While many of the people interviewed are chosen randomly from the company’s employee roster, others are specifically selected due to their position, role or risk profile.
Under the United States Sentencing Guidelines, organizations are expected to take reasonable steps to (1) “ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct” and; (2) “evaluate periodically the effectiveness of the organization’s compliance and ethics program”. Interviews similar to the ones I conduct as a monitor, if incorporated into a company’s annual compliance work-plan, can help companies meet these expectations, among others.
The lines of questioning in such interviews should be comprehensive and cover all of the areas relevant to the functioning of the corporate compliance program. In the interview template that I use as a monitor, I have an exhaustive list of potential questions covering my areas of inquiry. The questions that are actually asked are determined largely as each interview proceeds. Though those questions will vary, there are some “universal” questions that I have found to be particularly helpful. Following are six of those questions:
1. What are the compliance- and/or ethics-related challenges you face most frequently in your current role?
This question provides information on several important aspects of a compliance program. First, it may highlight risks that the compliance officer was unaware of or didn’t fully appreciate (risk assessment). Second, it assesses how well employees are able to apply corporate policies in the context of their role (policy comprehension/retention and training effectiveness). Third, it reiterates and reinforces the employee’s understanding of risks and policies specific to them (training). Interviewees frequently struggle with this question initially and the interviewer may need to provide an obvious example of such a challenge to help the interviewee get started (i.e. gift policy, etc).
2. How can the company’s compliance policies be improved and/or better applied, communicated and enforced?
Compliance policies should be accessible to all employees, well communicated, and easy to understand and apply. Responses to this question can provide valuable end-user feedback in this regard. The additional area of “enforcement” may provide some insight into an organization’s ethical tone and employee perceptions about fairness and equality. A quality compliance program will assure that all violators are treated fairly, but equally. If employees perceive that management or others are “above the law,” the compliance program loses credibility.
3. How can employees report concerns, issues, or potential violations of laws, regulations and/or the code of conduct and/or compliance policies?
§8B2.1(5) (C) of the USSGs requires that an organization have and publicize a system whereby employees can anonymously or confidentially report or seek guidance about potential or actual criminal conduct without fear of retaliation. Responses to this question can help a compliance officer assess the effectiveness of their hotline or other reporting system publication efforts. It may also help the compliance officer assess employees’ knowledge of the organization’s policy regarding employee complaints (i.e. first report to supervisor, etc.) and any training that was conducted regarding such a policy. This question can also be used to explore employees’ perceptions about the credibility of the organization’s non-retaliation policy.
4. Are you aware of anyone who has not complied with or is not complying with the company’s code of conduct and/or compliance policies?
This question is directly associated with the compliance officer’s “monitoring” efforts to detect potential criminal conduct as per §8B2.1(5) (A) of the USSGs. It can also test compliance by managers and supervisors with internal policies requiring that any complaints from employees concerning compliance or ethics violations be reported to the compliance officer.
5. What should happen to someone who violates the company’s code of conduct and/or compliance policies?
This is a modified “behavioral analysis” question. The purpose of the question is to assess the ethical tone of both the individual and the organization. Generally speaking, the appropriate response should be that those who violate the company’s code of conduct or compliance policies should be fired and, if their actions broke the law, criminally prosecuted. While employees may vary in the severity of the punishments they believe appropriate, a pattern of responses that overly minimizes punishments may be indicative of an ethical tone that is not consistent with the company’s expectations or desires.
6. If you were to be promoted or leave the organization and someone took over your role who lacked the same level of integrity that you do, how could that person violate a policy or break the law and not be detected?
This is one of my “black hat” interview questions. Nobody understands the intricacies of a person’s role better than the person who performs that role – particularly if they have performed that role day after day for some length of time. This question challenges the employee to think about compliance policies and internal controls from the perspective of someone seeking to violate or circumvent them.
To elicit effective responses often requires the interviewer to enable the interviewee to disassociate himself/herself from their role. Responses to this question may help the compliance officer understand and assess the effectiveness of internal controls in preventing and detecting compliance violations.
 United States Sentencing Guidelines §8B2.1(5) (A and B)
About the Author
John “The Fraud Guy” Hanson is the founder and executive director of Artifice Forensic Financial Services LLC. He has over 20 years of fraud investigations, forensic accounting, and corporate compliance/ethics and audit experience. John has applied his extensive experience in these areas across a wide array of areas and industries, frequently assisting counsel, government agencies and companies with internal corporate investigations and other sensitive matters arising from alleged fraud or misconduct.