Five Step Process for Transaction and Continuous Controls Monitoring

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

• Business courtesies to foreign officials;
• Payments to brokers or consultants;
• Payments to service intermediaries;
• Payments to vendors in high risk markets;
• Round dollar disbursements;
• Political contributions or charitable donations; and
• Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Five Tips for Advancing with Audit Analytics-Part III

 Ed. Note-Joe Oringel, Principal at Visual Risk IQ recently wrote a series of blog posts on advancing your business through the use of data analytics and audit. I asked Joe if I could repost his articles, which he graciously allowed me to do. So today I begin a day 3-day series of blog posts which reprint his post. Today is the final post, Tip 5. 

Tip 5 – Supplement Necessary Skills with Internal or External Resources

This week we have been posting about how to succeed with data analytics in areas such as internal audit and compliance. Monday we introduced the following Body of Knowledge and indicated that each of the skills below are often needed for a data analytics project.

• Project Management
• Data Acquisition and Manipulation
• Statistical techniques
• Visual Reporting techniques
• Communication
• Audit and Compliance Domain expertise
• Change Management and Strategic Thinking

Does this mean that audit teams need a statistician or visual reporting whiz in the department? Not at all. Just as audit teams co-source with supplemental resources, they can also co-source for data analytics. Better still, co-sourcing with internal company resources, in the form of a secondment or guest auditor is often possible. Reach into IT’s Business Intelligence or data warehouse group, and internal audit can find talent with excellent company and data manipulation expertise. Reach into HR or Finance for someone with domain expertise around incentive compensation and team on that important Sales commission audit project.

Will these resources have advanced audit or compliance domain expertise? Probably not, but Tom Brady doesn’t play running back or wide receiver yet he makes those players better by fitting the pieces together. Audit and compliance leaders know what questions we want to answer. It’s the “how” where we sometimes need help. At Visual Risk IQ, I have the very good fortune to work with an incredibly talented team that is deep in database design, data manipulation, programming, and visualization skills. We work together to make sure that our queries are answering the right business questions, and in turn that those answers are being communicated in a way that is precise and easy to understand.

When we have first worked in domains where our experience had been limited (e.g. Health claims in 2008, FCPA / anti-corruption in 2010, or HR in 2013), we relied heavily on domain expertise from our clients’ General Counsel’s office or on consultants to our firm, so we could bring the full expertise needed for a project, given the body of knowledge framework above. This technique has worked consistently for us, and it works for audit and compliance too.

Why are audit analytics so important? First, through the use of audit analytics as a monitoring tool it can lower audit costs by eliminating manual sampling. Second, audit analytics can improve financial governance by increasing the reliability of transactional controls and the effectiveness of anti-corruption controls. Third, they can improve actual operational performance by monitoring key financial processes.

However it may be more simply put in the context of McNulty’s Three Maxims of the three general areas of inquiry the Department Of Justice would assess regarding an enforcement action. First: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

The Visual Risk IQ studies include a case study of both accounts payable and of purchase card spend to determine if there was fraud and misuse of the cards. The key in both of these reviews, involving continuous controls monitoring situations was that of data review. This same type of testing can be utilized in reviewing foreign business partners, including agents, resellers, distributors and joint venture partners. All foreign business partner financial information can be recorded and analyzed. The analysis can be compared against an established norm which is derived from either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment out or remuneration into a foreign business partner is outside an established norm, thus creating a Red Flag, such information can be tagged for further investigation.

Many companies have yet to embrace post FCPA compliance policy audit analytics implementation as a standard part of their compliance program. They have found that it is difficult to test behavioral aspects of a FCPA compliance policy, such as whether an employee will follow a company’s FCPA-based Code of Conduct, other testing can be used to form the basis of a thorough review. For instance, it can be difficult to determine if an employee will adhere to the requirements of the FCPA. However continuous controls monitoring can be used to verify the pre-employment background check performed on an employee; the quality of the FCPA compliance training an employee receives after hire and then to review and record an employee’s annual acknowledgement of FCPA compliance. For a multi-national US company with thousands of employees across the world, the retention and availability of such records is an important component not only of the FCPA compliance program but it will also go a long way to a very positive response to McNulty’s inquiry of “What did you do to stay out of trouble?”

Good luck in 2015 with your data analytics projects! Please write or call if you’d like to compare ideas on how to excel in data analytics for audit or compliance. We’d be happy to assist in your success!

Joe Oringel is a CPA and CIA with 25 years of experience in internal auditing, fraud detection and forensics. He has over ten years of Big 4 external audit, internal audit, and advisory experience, most recently with PricewaterhouseCoopers. His corporate experience includes information security, internal auditing, and risk and control of large ERP systems for companies in highly regulated industries, including Pharmaceuticals, Utilities, and Financial Services. Partner Kim Jones and Joe founded Visual Risk IQ in 2006 as an advisory firm focused solely on Data Analytics, Visual Reporting, and Continuous Auditing and Monitoring. He can be reached at joe.oringel@visualriskiq.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

 © Joe Oringel 2015

Five Tips for Advancing with Audit Analytics-Part II

Ed. Note-Joe Oringel, Principal at Visual Risk IQ recently wrote a series of blog posts on advancing your business through the use of data analytics and audit. I asked Joe if I could repost his articles, which he graciously allowed me to do. So today I begin a day 3-day series of blog posts which reprint his post. Today are Tips 3-4.

 Tip 3- Understanding Your Data

Tip 3 for advancing with audit and compliance analytics is to “Understand Your Data, and Explore it Fully Before Developing Exception Queries.” One common mistake that we see audit and compliance professionals make with data analytics is that they sometimes dive right into searching for transaction exceptions before exploring their data fully. This limits the effectiveness of their analysis, because they are searching for something specific and can overlook other conditions or anomalies in their data. If you’ve not seen the selective attention (aka Gorilla and Basketball) videos from Daniel Simons, here’s a fun link.

Selective attention on exception queries seems to happen due to the strengths of traditional analytics tools like Microsoft Excel and general purpose tools like CaseWare IDEA or ACL. It is less common with Visual Reporting tools like Tableau and Qlikview, in part because these tools are designed to specifically support data exploration and interaction with click and drill-through capabilities. Visual Reporting capabilities are very effective for data exploration, and some rudimentary visual capabilities can be found in Excel, IDEA, and ACL.

During data analytics brainstorming, we categorize analytics queries as Metric Queries, Outlier Queries, and Exception Queries. When prioritizing queries to be built for client assignments, we make sure that there some of each type of query, so that sufficient data exploration takes place before we jump into exception queries or begin researching exceptions.

Metric queries are those analytics such as “Top 10 Vendors by Vendor Spend” or “Top 10 Vendors by Number of Transactions”, or “Top 10 Dates of the Year for Requisitions (or Purchase Orders).” Simply summarizing number and value of transactions by different dimensions (day of week, week of quarter, or by UserID) can identify anomalies that should be questioned further. On a recent Payroll Wage and Hour project, we found unusual patterns of when people punched in and out much more frequently on some minutes (e.g. 7 or 23 minutes past the hour, vs. 8 or 22 minutes past the hour). This condition called for further inquiry and analysis about whether time rounding was fair and equitable for certain types of workers. This condition is in fact a major compliance risk and should be considered for any employers with a significant number of hourly worker. See Corporate Counsel article for more information.

Outlier queries are comparative analytics like “Largest Invoice to Average Invoice, by Vendor,” “Most Expensive Airfare by Distance,” or “Most Expensive Travel / Entertainment Event per Person vs. Average Event per Person.” These outlier queries are also essential, in that they help identify patterns or relationships that should be investigated further. Digital analysis such as Benford’s Law is a well-known audit example of an Outlier query, but there are many more techniques that can yield insight beyond only Benford’s Law.

Example of exception queries are more traditional Analytics queries such as these listed below:

• List if two (or more) invoices have been paid for the same amount to the same vendor
• List any purchase orders created after their corresponding invoice
• List any Vendors who share a Tax ID Number, Address, or Phone Number with an Employee
• List any Vendors who have had transactions posted after being Terminated or made Inactive

In short, we recommend spending at least an hour and as much as a day or more exploring and analyzing your data, before beginning any Exception Queries. A data exploration checklist follows – any additions or other suggestions to this list are welcome.

• Sort transactions from oldest to newest and from newest to oldest. Any unusual dates or times? Any gaps in date or time stamps? Why?
• Sort transactions from largest to smallest and smallest to largest. Any unusual negative values?
• Stratify by various status codes, reason codes, or transaction types. Are all values consistently completed. Any unusual relationships? What do each of the codes and values represent?
• Stratify by dollar value ranges. Do 20% of the transactions make up 80% of the value? Should they? The Pareto Principle says yes, but your business may vary.
• Compute Relative Size Factor (largest to average and largest to second largest), and sort again. Do any of these RSF values cause you to want to drill into specifics? Consider whole numbers and large numbers. Why or why not?

What has been your most significant “aha” moment when exploring your data?

Tip 4 – Considering Outliers

Five tips…#4. Consider metric, outlier, and exception queries

For readers seeing this post as their first of the series, today is actually the fourth of a five-part blog that has been developed in response to Internal Auditor magazine’s lead article titled “The Year Ahead: 2015”. Because so many people make resolutions for the new year, we wanted to help audit and compliance professionals succeed with their resolutions. Especially because we believe there are more than a few whose resolutions include becoming more data-driven in their work through regular use with data analytics.

Yesterday we defined metric, outlier, and exception queries, and provided examples in the context of related potential audit projects around expenses such as Accounts Payable, Travel and Entertainment, or Payroll. To review, metric queries are simply lists of transactions that measure values against various dimensions or strata, such as rank or time series. Top 10 largest or simply transactions by day of week are examples of metric queries. These metric queries are powerful, and can become even more powerful when combined as part of outlier and exception analysis.

One recent Travel and Expense example from our client work was seeing a number of executive assistants in the “Top 10 Travel Spend reports.” Even before we looked at any exception report it became clear that some of the organization’s executives had their assistants complete and submit their personal expense reports, and then approved those reports themselves.

Outlier queries are those that compare value to other values like a mean or standard deviation. As an example, saying that today is twenty degrees colder than average or the coldest day of winter is more informative than saying that it will be sixteen degrees tomorrow than yesterday. Better still, listing the 10 coldest days together in relation to average and standard deviation is even more informative.

We recommend diving into exception queries only after metric and outlier queries have been prepared, explored and analyzed. It’s common for false positives to be averted through thoughtful review of metric and outlier queries.

How does this compare to your experiences?

Joe Oringel is a CPA and CIA with 25 years of experience in internal auditing, fraud detection and forensics. He has over ten years of Big 4 external audit, internal audit, and advisory experience, most recently with PricewaterhouseCoopers. His corporate experience includes information security, internal auditing, and risk and control of large ERP systems for companies in highly regulated industries, including Pharmaceuticals, Utilities, and Financial Services. Partner Kim Jones and Joe founded Visual Risk IQ in 2006 as an advisory firm focused solely on Data Analytics, Visual Reporting, and Continuous Auditing and Monitoring. He can be reached at joe.oringel@visualriskiq.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

© Joe Oringel 2015

How to Introduce Change into Your FCPA Compliance Program (Without Blowing It Up)

Thucydides or Herodotus; Herodotus or Thucydides. Which is your favorite? I admit to vacillating between the two. Thucydides wrote about the end of the Athenian dynasty from the Peloponnesian War and the debacle of the Sicilian Invasion. Herodotus wrote about the beginnings of the Golden Age of the Greek City State through the defeat of the Persian Invasion of Greece. Slogging through both is never easy but it is far and away worth the effort. One of the things that both of these ancient authors wrote about was massive change.

I recently read a book review of a couple of new volumes which looked at these authors and thought about the changes wrought when implementing or enhancing a Foreign Corrupt Practices Act (FCPA) compliance program. In making a large change, most compliance practitioners think of bringing it all to a company in one fell swoop. This is usually based on a Board of Directors or senior management directive to ‘get it done’. Sometimes this can simply be overwhelming to the compliance practitioner or information overload to the troops in the field, particularly those outside the US. However, a recent article in the MIT Sloan Management Review, entitled “How to Change an Organization Without Blowing It Up”, suggests that a different approach might be appropriate. In this article, author Karen Golden-Biddle writes that there is a middle ground between wholesale change and tentative pilot projects which could allow an organization to operate more effectively.

The author believes that “Too often, conventional approaches to organizational transformation resemble the Big Bang theory.” Further, that this “Big Bang transformation attempts often fail, fostering employee discontent and producing mediocre solutions with little lasting impact.” To overcome this she believes that “organizations can seed transformation by collectively uncovering “everyday disconnects” — the disparities between our expectations about how work is carried out and how it actually is. The discovery of such disconnects encourages people to think about how the work might be done differently.”

She suggests that there are three techniques for discovering these disconnects and turning them into a way to “seed transformation from the bottom up.” These three techniques are (1) Work Discovery; (2) Better Practices; and (3) Test Training. I will look at all three and discuss how a compliance practitioner can bring them to bear to help move a compliance program forward.

I.                   Work Discovery – Examine Firsthand the Work Where It Is Actually Conducted

The author states that “instead of assuming that you know if the work process will be successful as it is designed, you should examine it firsthand, “as it is actually conducted.”” This will allow a company to “turn the (inevitable) surprises you uncover into assets.” She advises that senior management needs to actually see how the organization works to understand not only the expectations that they have set but also to uncover disconnects in the process. She cautions that this is not the same as a pilot project but rather should be viewed as part of a larger exploration of how a system might become the best that it can be. Put another way, the initial “design and rollout was always connected with the larger possibility, even though the possibility was in the process of becoming defined.”

For the compliance practitioner, this examination ‘in the field’ allows you to find the  disconnect in the proposed compliance program or changes to facilitate the reconsideration of expectations in the program or understanding of how the program is designed to be conducted, but further allows you to  entertain new possibilities  of how to make the program work better. Compliance professionals can talk through the proposed changes to generate insights and possibilities for change and help company employees understand what the program changes will be and how the compliance program will work in their day-to-day operations.

II.                Better Practices – Instead of Adopting the Best Practices of Others, Screen Your Work Through Those Best Practices in Order to Generate New Ideas

Often times, particularly in the compliance arena, companies will simply review and determine the best compliance practices and then adopt them into their organization. This approach was certainly not suggested by the recently released Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance, where it stated “When it comes to compliance there is no one-size-fits-all program.” This sentiment was echoed by Golden-Biddle when she recommended that a company should not simply adopt another organization’s best practices, but instead should screen the way work gets done in your company and use those other’s best practices in order to generate new ideas. “In other words, use best practices to generate even better practices.”

However other companies’ best practices can be more effectively used as a discovery technique, enabling people to go beyond replication and discover new methods for meaningful change. The author opines that by studying other companies’ best practices as a discovery technique this will allow employees to compare their expectations of how a new system or program will work as it is currently constituted with what might be offered by the best practice. Further, “this discovery tool imports the unfamiliar in the form of others’ best practices and pairs them with the familiar. Exploring this pairing enables people to move beyond their expectations and tease out new possibilities that are suggested by best practices elsewhere. Overlaying your current practices with someone else’s best practices in this way generates better practices — better than best because they are relevant in highly specific ways to your organization’s work.”

Ways that a compliance practitioner might do this is to ask the following questions. First, what would you do differently as a result of the new compliance practice and what might you wish to incorporate into the company’s compliance practices? Next, is there anything in the new compliance policy that was not included that you believe should have been or are there any issues in the new policy which you did not know how to address when using the new policy?

III.             Test Training – Use Training to Experiment With Emergent Possibilities for the Way Work Will Be Done

This part may be the most intriguing and useful as the author advocates that you can use training to develop new possibilities so that “Instead of locking down standard operating procedures during training, experiment with other, potentially better possibilities for changing the way the work will get done.” Training typically comes at the end of a policy/program revamp or enhancement. However, the use of the phrase “test training” means something different than the usual corporate training. She says that it allows a company to uncover the “disconnects between people’s expectations for how proposed solutions might operate and the actual experience of the solution in experimental settings such as training or trials. This enables people to see and come to understand what they don’t know about the solution as well as to continue to shape it for implementation, often in significant ways.”

This type of testing would allow the compliance practitioner to obtain insights from those in the field on not only what does not work but also what might work better. Consider training on a third party management program. You would usually walk the designated training group through all of the steps your policy would entail. But those in the training test group might suggest new, other or different information that might be relevant to evaluate a third party in the context of compliance. But also such “test training” provides an opportunity to find out what is not being discovered through the third party investigation process and provide the opportunity to suggest a new solution.

Golden-Biddle ends her article with five points that she believes Discovery Techniques can bring to an organization. They are:

1. Achieve the benefits of transformation without risking wholesale disruption of operations.
2. Build a culture of continuous improvement that is embraced by leadership and employees throughout the organization.
3. Avoid the often exorbitant costs of Big Bang transformation associated with wholesale replacement of employees.
4. Leverage existing employee knowledge and experience for transformation.
5. Cultivate collective, not just individual, capacity in surfacing disconnects and generating new insights and ideas that seed transformation.

To her list I would add one more but I might put it as Number 1 on the list. It is that you bring your employees into the process. By listening to them and incorporating their ideas on what works and what does work, they not only become invested in the final compliance product but they feel like you care about what they think. That may be the biggest reason to take up some of Golden-Biddle’s Discovery Techniques.

If you want to look at how change blew things up, pick up a copy of Herodotus or Thucydides and settle down for a long winter’s read.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Quadrophenia and Four Compliance Issues

This past weekend I saw the remaining members of The Who perform in their Quadrophenia Tour. While I had seen Roger Daltry perform the rock opera Tommy, I had never seen Pete Townsend in concert. To say I was blown away would be putting it mildly, especially as Quadrophenia does not even make it into my top three favorite Who albums, which are, in descending order, Who’s Next, Tommy and Live at Leeds. While Roger Daltry’s voice was not as strong as it was during his Tommy tour, not doubt due to the longer duration of this tour, it was still a great performance and it was worth it to see Pete Townsend. He can still rock. Also they ended the show with three songs from Who’s Next, which alone was worth the price of admission.

The story generally revolves around four themes based upon the four personalities of the members of the band; Daltry, Townsend, Keith Moon and John Entwhistle. However, it was also a play on (for those of you old enough to remember) quadrophonic sound. According to Pete Townsend, “”The whole conception of Quadrophenia was geared to quadraphonic, but in a creative sort of way. I mean I wanted themes to sort of emerge from corners. So you start to get the sense of the fourness being literally speaker for speaker.” So inspired by ‘fourness’ today, I will review four issues that have, or will, impact the compliance practitioner.

I.                   EU and Data Privacy

In an article in the Financial Times (FT), entitled “EU refuses to bend on tough data privacy law”, reporter James Fontanella-Khan wrote that Viviane Reding, the EU Commissioner for Justice, said that she will continue to fight any US attempts to water down its proposed data protection and privacy law, “which would force global technology companies to obey European standards across the globe.” Further, “Exempting non-EU countries from our data protection regulations is not on the table. It would mean applying a double standard.” Fontanella-Khan said that “US tech companies argue that it would be unfair for them to be subject to EU laws that are too stringent and could result in expensive administrative burdens and hefty fines for errant companies.” Can you think of any US laws that non-US companies have to comply with?

Issues for the compliance practitioner? There could be a myriad, from internal investigations, to sharing data with US regulators to ongoing monitoring and auditing. While it is currently US technology companies which are leading the fight against these new tough standards, non-tech companies could do well to assess how these changes may well impact them.

II.                Will DOJ Open FCPA Investigation Against EADS?

Perhaps not fully appreciating the irony in reporting the EADS story in the same issue as the above EU data privacy story, the FT also had an article by Carola Hoyos, entitled “FBI probe of EADS unit claims”, who reported that the Federal Bureau of Investigation (FBI) has interviewed “a witness and taken possession of documents in connection with allegations” that a British subsidiary of the European aerospace entity EADS, named GPT Special Management Systems, bribed Saudi Arabian military officials, in connection with business dealings. Hoyos reported that GPT “made ₤11.5 of unexplained payments – some via the US – to bank accounts in the Cayman Islands.”

Although there is no known open US Department of Justice (DOJ) investigation open into the EADS matter at this point, Hoyos noted that it was the DOJ which led the effort to investigate and eventually fine the UK company BAE, the amount of $400MM after the British government ordered the Serious Fraud Office (SFO) inquiry into allegations of BAE bribery for sales of equipment into Saudi Arabia “citing economic and diplomatic interests”. The FBI interviews occurred even though the SFO is currently investigating the matter. Hoyos also reported that EADS “maintained that its own investigations into the matter had yielded no evidence of wrongdoing.”

III.             Think Before You Hit That Send Button

In a post in his blog, the D&O Diary, entitled “Damning E-mails: Can We Talk?”, author Kevin LaCroix wrote that “revelations this past week arguably represent some type of high-water mark, as a cluster of serious allegations were accompanied by a trove of embarrassing excerpts from emails and instant messages. While the latest disclosures provide yet another reminder of the dangers associated with ill-considered use of modern electronic communications technology, they also raise questions about the use that regulators and claimants are attempting to make of the communications.” He was talking about the Commodities Futures Trading Commission’s press releases announcing RBS’s settlement this past week of charges of alleged Libor manipulation drew heavily on excerpts from the bank’s internal electronic communications. While noting that “emails do sometimes in fact evidence wrongdoing” the problem with them “is that when seemingly damning email excerpts are blasted into the media, it is very difficult to appreciate the larger context within which the excerpts fit.”

As much as he has distaste for the selective use of emails in this manner by regulators, LaCroix believes that they can provide a teachable moment. He writes that “a useful exercise to try to adopt is to pause and ask yourself, before hitting “send”, how the message would look if it were to fall into the hands of a hostile and aggressive adversary who was looking for ways to try to make you or your company look bad. Were this simple test to be more widely implemented, we would certainly see a marked reduction in, for example, running email jokes about the French maid’s outfit. My final thought is this – we all know that many electronic messages are written in haste and sometimes with insufficient care. With full awareness of this attribute of electronic communications, we should hesitate to jump to too many conclusions about the seemingly damaging inferences that could be drawn from email or instant message excerpts. But we should also learn from the inferences that regulators and claimants are trying to draw and try to take that into account in our own communications.” I could not have put it better myself.

IV.              Trust Your Gut and Raise Your Hand

There have recently been a plethora of articles about ‘big data’ and how it can help in the monitoring of a Foreign Corrupt Practices Act (FCPA) compliance program. I have been one of the folks to write and talk about it. However, in an article in the New York Times (NYT), entitled “Sure, Big Data is Great. But So Is Intuition”, reporter Steve Lohr wrote that while he thinks that big data is a powerful tool and an unstoppable tread it “might be a time for reflection, questions and qualms about this technology.” This is because, like all mathematical models, big data is “a simplification.” He quotes Thomas Davenport for the following. “A major part of managing Big Data projects, he says, is asking the right questions: How do you define the problem? What data do you need? Where does it come from? What are the assumptions behind the model that the data is fed into? How is the model different from reality?”

So the underlying basis for analyzing big data may actually be “too simple minded, rather than too smart.” All of this leads back to intuition. I would add that if the hair on the back of your neck stands up, your gut tells you something is wrong or something does not smell right, it probably isn’t right. The implications for the compliance practitioner? I would like to propose that the largest is in the area of training. What I try and tell non-compliance practitioners when I put on training is that if you see, smell or sense one of the above, just raise your hand. You do not have to know the ins and outs of the FCPA or know the answer but I do ask that you raise your hand and get the issue to a person who does have the expertise to analyze the issue.

If you have the chance to see The Who on their Quadrophenia Tour, all I can say is to drop whatever you are doing and go see it. I do not know if it will be your last chance to see Pete Townsend but when he winds up for one of those trademark windmill slams down the guitar strings, just close your eyes and listen. It is pure bliss and a quad of sensations for the ages.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013