Five Step Process for Transaction and Continuous Controls Monitoring

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

• Business courtesies to foreign officials;
• Payments to brokers or consultants;
• Payments to service intermediaries;
• Payments to vendors in high risk markets;
• Round dollar disbursements;
• Political contributions or charitable donations; and
• Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Lessons from GSK in China – Internal Controls, Auditing and Monitoring

One of the great things about writing your own blog is that sometimes you can get going on a subject and just explore it. While I think I might sometimes get carried away when I delve into a topic, I certainly learn much while doing so. This week appears to be such a situation where in studying and researching the GlaxoSmithKline PLC (GSK); I find that the case has much more to inform the compliance practitioner. So I am going to try and tie together some of the major lessons learned from the GSK Chinese enforcement action for the remainder of the week and present to you how such lessons might assist you in designing, implementing or upgrading a best practices compliance program. Today I want to look at internal controls, auditing and monitoring.

One of the questions that GSK will have to face during the next few years of bribery and corruption investigations is how an allegedly massive bribery and corruption scheme occurred in its Chinese operations? The numbers went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions of the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Internal Controls

Where were the appropriate internal controls? You might think that a company as large as GSK and one that had gone through the ringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA) might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, for the following “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they have to give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.””

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk such the higher risk recognized in China. Within this context, noted internal controls expert Henry Mixon has suggested the following specific controls. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?

Auditing Lessons Learned

Following Mixon’s point 4 above, what can or should be a company’s response if one country’s gifts, travel and entertainment expenses were kept ‘off the books’? This is where internal audit or outside auditors are critical. Hirschler quoted an un-named source for the following, ““You’d look at invoices and expenses, and it would all look legitimate,” said a senior executive at one top accountancy firm. The problem with fraud – if it is good fraud – is it is well hidden, and when there is collusion high up then it is very difficult to detect.”” Jeremy Gordon, director of China Business Services was quoted as saying “There is a disconnect between the global decision makers and the guys running things on the ground. It’s about initially identifying red flags and then searching for specifics.”

There are legitimate reasons to hold medical conferences, such as to make physicians aware of products and the latest advances in medicine, however, this legitimate purpose can easily be corrupted. Hirschler quoted Paul Gillis, author of the China Accounting Blog, for the following “Travel agencies are used like ATMs in China to distribute out illegal payments. Any company that does not have their internal audit department all over travel agency spending is negligent.” Based on this, GSK’s auditors should have looked more closely on marketing expenses and more particularly, the monies spent on travel agencies. Hirschler wrote, “They [un-named auditing experts] say that one red flag was the number of checks being written to travel agencies for sending doctors to medical conferences, although this may have been blurred by the fact that CME accounts for a huge part of drug industry marketing.”

Another issue for auditing is materiality. If GSK’s internal auditors had not been trained that there is no materiality standard under the FCPA, they may have simply skipped past a large number of payments made that were under a company’s governance procedure for elevated review of expenses. Further, if more than one auditor was involved with more than one travel agency, they may not have been able to connect the dots regarding the totality of payments made to one travel agency.

Ongoing Monitoring

A final lesson learned for today is monitoring. As Stephen Martin often says, many compliance practitioners confuse auditing with monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.

Here I want to focus on two types of ongoing monitoring. The first is relationship monitoring, performed by companies such Boston-based Catelas, through software products. It was reported in a Wall Street Journal (WSJ) article, entitled “Glaxo Probes Tactics Used to Market Botox in China”, that internal GSK emails showed the company’s China sales staff were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm which is derived either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment made is outside an established norm, thus creating a red flag that can be tagged for further investigation.

GSK’s failure in these three areas now seems self-evident. However, the company’s foibles can be useful for the compliance practitioner in assessing where their company might be in these same areas. Moreover, as within any anti-corruption enforcement action, you can bet your bottom dollar that the regulators will be assessing best practices going forward based upon some or all of GSK’s miss-steps going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

The Berlin Airlift and Different Approaches to Compliance Issues

As the USA played Germany in the World Cup yesterday, it is perhaps appropriate that we look back at another June 26^th event that involved the US as we celebrate one of the great relief efforts in post-war Europe and the Cold War, the Berlin Airlift. On June 26, 1948, US and British pilots begin delivering food and supplies by airplane to Berlin after the city is isolated by a Soviet Union blockade. Though some in President Truman’s administration called for a direct military response to this aggressive Soviet move, the President was concerned that such a response would trigger another world war. As an alternative, he coordinated a massive airlift operation under the control of General Lucius D. Clay, the American-appointed military governor of Germany. The first planes took off from England and western Germany on June 26, loaded with food, clothing, water, medicine and fuel. By July 15, an average of 2,500 tons of supplies was being flown into the city every day. The massive scale of the airlift made it a huge logistical challenge and at times a great risk, with planes landing at Tempelhof Airport every four minutes, round the clock for the next 15 months. This broke the Soviet blockade.

I thought about this alternative approach that Truman employed, a supply line rather than a military response, when I read MIT Sloan Management Review article, entitled “What Businesses Can Learn From Sports Analytics”, by Thomas H. Davenport. In his article, Davenport explored how “the use of analytics in the sports world has much to teach managers about alignment, performance improvement and business ecosystems.”

For his article, Davenport “interviewed more than 30 representatives of teams, sports analytics vendors and consultants for a report on the state of the art in sports analytics,” in which he “focused on three different areas of activity, each of which is growing rapidly. In order of decreasing prevalence, they are: team and player performance analytics, sports business analytics, and health and injury prevention analytics.” From this research, he developed five key lessons that almost any business could adopt. However I thought about his points in the context of compliance ecosystems rather than business ecosystems so I will use his article as a starting point to consider what compliance can learn from sports analytics.

1. Align leadership at multiple levels 

Davenport believes “In sports, key decisions — which players to acquire, how much to pay them, and which strategies to adopt for better athletic and business performance — must be made and overseen at multiple levels. As a result, alignment along different management levels is crucial.” Based on his research I believe the message for Chief Compliance Officers (CCOs), compliance practitioners and analytical practitioners is to work together closely and consult frequently.

2. Focus on the human dimension 

Davenport’s key finding about sports teams is that they realize that their players are both their most important and expensive resources and that sports teams focus on the human dimension of performance in a variety of ways. “First, they address individual-level game performance by monitoring points scored, rebounds gathered, batting averages and other increasingly sophisticated measures of both offensive and defensive performance… Second, teams are beginning to assess not just individual performance, but performance in context.” They will also assess a team’s performance “with and without a combination of players.”

However, if companies say they focus on their employees as their most valuable resource, they typically only focus their analytics on “operational or marketing issues and not on the human dimension of performance.” The key insight here is for compliance to focus on more of a team aspect by investigating a group’s compliance performance “with or without a particular person’s presence could be a valuable insight.” This could be expanded to reviewing wider sales teams in a region, country or product/service line.

3. Exploit video and locational data 

In Major League Soccer (MLS), players wear a GPS-based locational device that captures all movements around the field. In the NBA, six cameras in the ceiling of each arena capture all movements of the players and ball. All Major League Baseball (MLB) stadiums have cameras that track every pitch, and many teams also track every hit and fielding play with video cameras. This allows a more complete view of the raw numbers that metrics generates.

While it may not seem readily apparent, this type of approach can also benefit the compliance function. The key is that it looks at raw numbers in a different way. So transaction monitoring could be pared with relationship monitoring or other indicia. Also travel and communications could be considered to show what might be happening in locations that are not readily apparent. The key takeaway is that there is more information available by obtaining more types of data.

4. Work within a broader ecosystem

Davenport found that “Professional sports teams are relatively small businesses, with much of their revenue going toward player salaries, leaving just nominal funds for any data and analytics projects. As a result, teams often need to work within a broader ecosystem of data, software and services providers.” Based on this he believes that a “key in these partnerships is to draw as much as possible from the partner while maintaining key internal capabilities.”

For the compliance professional, you should try to develop relations with key vendors because there are just too many different techniques, types of data and other aspects of analytics to exploit, and even the largest corporation can’t excel on its own. The GRC Pundit, Michael Rasmussen has observed that in GRC there is more than one technology. The same holds true in the compliance space. Jon Rydberg, founder of the Orchid Advisors, has called this the “Compliance Ecosystem Transformation” which he defines as “The coordinated development of compliance activities that transcend your entire supply chain, from suppliers – to manufacturers – to distributors – to retailers.”

5. Support “analytical amateurs”

Finally, Davenport found that “Some professional athletes have begun to analyze their own performance in depth using public or team data and reports. Specifically, a number of soccer and football players have become assiduous reviewers of their video and GPS data, although the most frequent users have been professional baseball players, particularly pitchers.”

For the compliance professional, this translates that they could also benefit from becoming such ‘analytical amateurs”. Moreover, they could work with business unit personnel to could keep track of their own scores on compliance measures and use that information to improve their performance. Analytics-minded salespeople and managers could, for example, use the extensive data from compliance management management systems to assess and improve their performance.

I found Davenport’s article to be quite thought provoking. For just as President Truman was able to come up with a different approach for a situation that could have led to World War III or at the very least a completely communist dominated unified Berlin, there are different ways to look at problems and find solutions. Using the analytical approach that has become so prevalent in the sports world may lead you to new and different thinking in the compliance arena.This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Use Planes, Trains and Automobiles to get to Compliance Week 2013

To say I am excited would be putting it mildly. Yes that most premier of compliance related conferences is on the short horizon; Compliance Week 2013 is nearly upon us. It will be from May 20-22 at the Mayflower Hotel in Washington DC. As usual, Matt Kelly and his outstanding team have put together a first rate program for the General Counsel (GC), compliance practitioner (in-house or outside counsel), FCPA Bar/FCPA Inc. or even Mike Volkov’s good friends, the FCPA Paparazzi. If there is one national compliance conference that you can attend each year, for my money, this is the event.

As Matt Kelly has said, the theme of Compliance Week 2013 is “Seeing All the Data” and is designed as “a testament to how vital it is that compliance executives have visibility into all the information and operations at their enterprises. That could be anything from tracking all your third parties, or monitoring all the data your business collects about customers, or seeing all the regulatory risks you face as you build a risk-management program.” This theme is certainly appropriate as I believe that 2013 will be the year that the use of data in transaction;  third party; relationship and all other forms of ongoing monitoring will make any compliance program more robust. There are several sessions where these topics will be explored, including the following: Continuous Transaction Monitoring That Works, the Kroll Benchmarking Report, Mapping Data on Information Governance, Automating Third Party Risk, and Financial Reporting. This plethora of sessions speaks to the emergence of technology as a tool to support compliance.

Another key theme of Compliance Week 2013 is leadership. The first day of the conference is the subject of leadership. The first keynote speaker on Day One is Ed Breen, the chairman and former Chief Executive Officer (CEO) of Tyco International Ltd, who had to pick up the tatters of that company in 2002, as his predecessor went off to prison, and then rebuild the entire operation. The second keynote speaker on Day One is retired Major General Lewis MacKenzie, former head of U.N. peacekeeping forces in Yugoslavia, Central America, Middle East and Vietnam. Some of the sessions on Day One regarding leadership will focus on the practical; how to position the compliance department as an asset rather than an obstacle; how to craft a Code of Conduct that fits your business and culture; how to do business in India, Latin America, and elsewhere.

For the FCPA consigliori amongst you, I will once again be leading a conversation on the most recent Foreign Corrupt Practices Act (FCPA) developments. With the recent Parker Drilling Company and Ralph Lauren Corporation resolutions and the various individuals who have been indicted or have pled out, it promises to be an interesting and informative time for anyone interested in all things FCPA. If it turns out that after my session you are still craving more insight about effective compliance with the FCPA there will be a session entitled “FCPA Guidance, Right From the Source”. This session will address any lingering questions you may have about the FCPA guidance published last fall by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). The panel will include the top FCPA enforcers from both the DOJ and SEC, who will offer their latest thinking on anti-bribery enforcement and answer questions from the audience about best practices and putting agency guidance to good use.

If your compliance challenges reach beyond the FCPA, there will be sessions which deal with broader compliance themes. In the area of export control, one conversation will have regulators who will discuss issues related to sponsoring a foreign-born worker here in the United States; some of the implications of the export control reform effort on investigations and prosecutions; and the absolute requirement to know your customer. There will also be a session which showcases the Boeing Co.’s approach to trade compliance, from monitoring regulatory changes to developing processes that simplify compliance and examples of how the Boeing program was implemented in its business units.

If internal controls are more to your taste or needs, then check out the panel discussion regarding FMC Corp. You will hear from the company’s internal control team that implemented an automated system to collect and monitor financial data: the software they used; the controls they streamlined; the high-level components of internal controls they did not automate, and the results so far. More focused on training? One session will discuss how to align business and compliance objectives with training, how to ensure you get the data you need to demonstrate progress, and what tools you can use to deliver training to a diverse workforce cost effectively. If you want to move beyond training and into embedding compliance into your company’s DNA, check out this session “Beyond Training: Articulating & Embedding Company Values”. This session will discuss how organizations with the most ethical rigor want to embed their cultural values in everything they do, so employees know how to conduct themselves in any circumstance, not just in moments of obvious crisis.

So whether it’s by plane, train or automobile, I hope that you can get to Compliance Week 2013. To help you do so, I have been authorized to offer a discount to readers of my blog. For registration and information, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013