FCPA Compliance and Ethics Blog

April 15, 2015

Five Step Process for Transaction and Continuous Controls Monitoring

Five Step ProcessMost Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

  • Business courtesies to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 9, 2015

Lee Surrenders and Hanson Wade’s Oil & Gas Supply Chain Compliance Conference

Lee and GrantToday we celebrate one of the most momentous anniversary’s in the history of the United States, for it was on this day in 1865, 150 years ago, that Confederate General Robert E. Lee surrendered his Army of Northern Virginia to Union Commanding General Ulysses S. Grant at Appomattox Courthouse, effectively ending the American Civil War. Fighting continued for several more weeks to come, however with Lee’s surrender the Civil War had, in all intents and purposes, ended.

Lee and his troops were forced to abandon the Confederate capital of Richmond, they were blocked from joining the surviving Confederate force in North Carolina, and were harassed and outrun by Union cavalry, who took 6,000 prisoners at Sayler’s Creek. With desertions mounting daily the Confederates were surrounded with no possibility of escape. On April 9, Lee sent a message to Grant announcing his willingness to surrender and in the afternoon they met at the home of Wilmer McLean and agreed to the terms of surrender.

Although politicians would later change these terms quite dramatically, Grant is said to have told his officers, “The war is over. The Rebels are our countrymen again.”

Later this month, from April 28-30, Hanson Wade is putting on its annual conference in Houston. It is the “Oil and Gas Supply Chain Compliance” conference, now in its 5th year, and once again the list of speakers is simply stunning. It includes the following Chief Compliance Officers (CCOs) and senior compliance folks: Dan Chapman, Cameron; Brian Moffatt, Ethos Energy, Jay Martin, Baker Hughes; Marcel De Chermont, Acteon Group, Jan Farley, Dresser-Rand; John Sardar, Noble Energy and a host of other luminaries in the field of Foreign Corrupt Practices Act (FCPA) compliance. Even if you live outside of Houston, the FCPA compliance talent at this event will rival any other event in the US and for such an event not held in Washington DC or New York City, it is simply outstanding.

Some of the panels and topics for discussion include: Applying Culturally Sensitive Approaches To Deliver A Core Compliance Methodology For A Variety Of Countries And Risks; How to Meaningfully Engage Your Business Operations in Taking Greater Compliance Ownership; Avoid The Risk Of Cavalier Behaviour Across The Supply Chain In The Face Of A Challenging Economic Climate; How To Deliver Cost-Effective, Risk Based, Function Specific Compliance Training; several in-depth presentations on Supply Chain and Third Party due diligence. These are but some of the sessions and there are many other excellent panels, sessions and speakers which I have not mentioned.

Recently the Event’s Chairperson, Dan Chapman, Vice President, Chief Ethics and Compliance Officer for Cameron, talked about some of the issues that will be discussed in this year’s conference. Chapman said, “Supply chain is, in my mind, a critical part of compliance and creating awareness throughout the business as to when and where you should apply compliance principles is a key focus. For me the industry has evolved in recent years, and our organizations tend to now have strong legal teams who understand anti-bribery and corruption legislation. Not only this, they now have the ‘tone from the top’. Where I feel that work needs to be done is practically embedding compliance into operational processes, and becoming a true and valuable partner to the business. With the current state of the oil price, we’re likely set for reduced budgets and increased risk, which makes it more important now than ever to share stories, materials and solutions to effectively mitigate compliance risk while enabling business delivery.”

I will be speaking at the conference on internal controls but I am extremely pleased to be co-leading an in-depth workshop on the third day of the event, with Joe Oringel, guest blogger and Managing Director at VisualRisk IQ. In our workshop, you will learn how to implement a system of data-driven monitoring controls and documents to measure the effectiveness of your compliance program and get you through a Securities and Exchange Commission (SEC) investigation. During our 3 hour session we will go into the weeds on the following:

  • Understanding what internal controls are required under a best practices compliance program;
  • Recognizing what FCPA enforcement actions tell us about internal controls in an anti-corruption compliance program;
  • Getting to grips with what the SEC expects you to have in place;
  • Competently documenting the effectiveness of your internal controls;
  • Understanding best practices and a methodology for the use of data analytics in compliance and ethics organization;
  • Prioritizing business and compliance questions that can be answered with analysis of digital data; and
  • Identifying a learning plan and resources to enhance your team’s data analytics expertise

I hope that you can attend this most excellent FCPA conference with the two-day sessions on April 28 and 29 and the workshop day on April 30. Very few FCPA conferences focus on Supply Chain and the information that you will receive at this one will be first rate. Finally, Hanson Wade has allowed me to offer a 20% discount to readers of my blog. You can obtain it by entering the code TFLaw20 when you register online. For the conference brochure and full details regarding the agenda and registration, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 4, 2015

Five Tips for Advancing with Audit Analytics-Part III

Filed under: Best Practices,Big Data,Data Analytics,Joe Oringel,Visual Risk IQ — tfoxlaw @ 12:01 am

Oringel - new pic Ed. Note-Joe Oringel, Principal at Visual Risk IQ recently wrote a series of blog posts on advancing your business through the use of data analytics and audit. I asked Joe if I could repost his articles, which he graciously allowed me to do. So today I begin a day 3-day series of blog posts which reprint his post. Today is the final post, Tip 5. 

Tip 5 – Supplement Necessary Skills with Internal or External Resources

This week we have been posting about how to succeed with data analytics in areas such as internal audit and compliance. Monday we introduced the following Body of Knowledge and indicated that each of the skills below are often needed for a data analytics project.

  • Project Management
  • Data Acquisition and Manipulation
  • Statistical techniques
  • Visual Reporting techniques
  • Communication
  • Audit and Compliance Domain expertise
  • Change Management and Strategic Thinking

Does this mean that audit teams need a statistician or visual reporting whiz in the department? Not at all. Just as audit teams co-source with supplemental resources, they can also co-source for data analytics. Better still, co-sourcing with internal company resources, in the form of a secondment or guest auditor is often possible. Reach into IT’s Business Intelligence or data warehouse group, and internal audit can find talent with excellent company and data manipulation expertise. Reach into HR or Finance for someone with domain expertise around incentive compensation and team on that important Sales commission audit project.

Will these resources have advanced audit or compliance domain expertise? Probably not, but Tom Brady doesn’t play running back or wide receiver yet he makes those players better by fitting the pieces together. Audit and compliance leaders know what questions we want to answer. It’s the “how” where we sometimes need help. At Visual Risk IQ, I have the very good fortune to work with an incredibly talented team that is deep in database design, data manipulation, programming, and visualization skills. We work together to make sure that our queries are answering the right business questions, and in turn that those answers are being communicated in a way that is precise and easy to understand.

When we have first worked in domains where our experience had been limited (e.g. Health claims in 2008, FCPA / anti-corruption in 2010, or HR in 2013), we relied heavily on domain expertise from our clients’ General Counsel’s office or on consultants to our firm, so we could bring the full expertise needed for a project, given the body of knowledge framework above. This technique has worked consistently for us, and it works for audit and compliance too.

Why are audit analytics so important? First, through the use of audit analytics as a monitoring tool it can lower audit costs by eliminating manual sampling. Second, audit analytics can improve financial governance by increasing the reliability of transactional controls and the effectiveness of anti-corruption controls. Third, they can improve actual operational performance by monitoring key financial processes.

However it may be more simply put in the context of McNulty’s Three Maxims of the three general areas of inquiry the Department Of Justice would assess regarding an enforcement action. First: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

The Visual Risk IQ studies include a case study of both accounts payable and of purchase card spend to determine if there was fraud and misuse of the cards. The key in both of these reviews, involving continuous controls monitoring situations was that of data review. This same type of testing can be utilized in reviewing foreign business partners, including agents, resellers, distributors and joint venture partners. All foreign business partner financial information can be recorded and analyzed. The analysis can be compared against an established norm which is derived from either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment out or remuneration into a foreign business partner is outside an established norm, thus creating a Red Flag, such information can be tagged for further investigation.

Many companies have yet to embrace post FCPA compliance policy audit analytics implementation as a standard part of their compliance program. They have found that it is difficult to test behavioral aspects of a FCPA compliance policy, such as whether an employee will follow a company’s FCPA-based Code of Conduct, other testing can be used to form the basis of a thorough review. For instance, it can be difficult to determine if an employee will adhere to the requirements of the FCPA. However continuous controls monitoring can be used to verify the pre-employment background check performed on an employee; the quality of the FCPA compliance training an employee receives after hire and then to review and record an employee’s annual acknowledgement of FCPA compliance. For a multi-national US company with thousands of employees across the world, the retention and availability of such records is an important component not only of the FCPA compliance program but it will also go a long way to a very positive response to McNulty’s inquiry of “What did you do to stay out of trouble?”

Good luck in 2015 with your data analytics projects! Please write or call if you’d like to compare ideas on how to excel in data analytics for audit or compliance. We’d be happy to assist in your success!

Joe Oringel is a CPA and CIA with 25 years of experience in internal auditing, fraud detection and forensics. He has over ten years of Big 4 external audit, internal audit, and advisory experience, most recently with PricewaterhouseCoopers. His corporate experience includes information security, internal auditing, and risk and control of large ERP systems for companies in highly regulated industries, including Pharmaceuticals, Utilities, and Financial Services. Partner Kim Jones and Joe founded Visual Risk IQ in 2006 as an advisory firm focused solely on Data Analytics, Visual Reporting, and Continuous Auditing and Monitoring. He can be reached at joe.oringel@visualriskiq.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

 © Joe Oringel 2015

February 3, 2015

Five Tips for Advancing with Audit Analytics-Part II

Filed under: Big Data,Data Analytics,Joe Oringel,Visual Risk IQ — tfoxlaw @ 12:01 am

Oringel - new picEd. Note-Joe Oringel, Principal at Visual Risk IQ recently wrote a series of blog posts on advancing your business through the use of data analytics and audit. I asked Joe if I could repost his articles, which he graciously allowed me to do. So today I begin a day 3-day series of blog posts which reprint his post. Today are Tips 3-4.

 Tip 3- Understanding Your Data

Tip 3 for advancing with audit and compliance analytics is to “Understand Your Data, and Explore it Fully Before Developing Exception Queries.” One common mistake that we see audit and compliance professionals make with data analytics is that they sometimes dive right into searching for transaction exceptions before exploring their data fully. This limits the effectiveness of their analysis, because they are searching for something specific and can overlook other conditions or anomalies in their data. If you’ve not seen the selective attention (aka Gorilla and Basketball) videos from Daniel Simons, here’s a fun link.

Selective attention on exception queries seems to happen due to the strengths of traditional analytics tools like Microsoft Excel and general purpose tools like CaseWare IDEA or ACL. It is less common with Visual Reporting tools like Tableau and Qlikview, in part because these tools are designed to specifically support data exploration and interaction with click and drill-through capabilities. Visual Reporting capabilities are very effective for data exploration, and some rudimentary visual capabilities can be found in Excel, IDEA, and ACL.

During data analytics brainstorming, we categorize analytics queries as Metric Queries, Outlier Queries, and Exception Queries. When prioritizing queries to be built for client assignments, we make sure that there some of each type of query, so that sufficient data exploration takes place before we jump into exception queries or begin researching exceptions.

Metric queries are those analytics such as “Top 10 Vendors by Vendor Spend” or “Top 10 Vendors by Number of Transactions”, or “Top 10 Dates of the Year for Requisitions (or Purchase Orders).” Simply summarizing number and value of transactions by different dimensions (day of week, week of quarter, or by UserID) can identify anomalies that should be questioned further. On a recent Payroll Wage and Hour project, we found unusual patterns of when people punched in and out much more frequently on some minutes (e.g. 7 or 23 minutes past the hour, vs. 8 or 22 minutes past the hour). This condition called for further inquiry and analysis about whether time rounding was fair and equitable for certain types of workers. This condition is in fact a major compliance risk and should be considered for any employers with a significant number of hourly worker. See Corporate Counsel article for more information.

Outlier queries are comparative analytics like “Largest Invoice to Average Invoice, by Vendor,” “Most Expensive Airfare by Distance,” or “Most Expensive Travel / Entertainment Event per Person vs. Average Event per Person.” These outlier queries are also essential, in that they help identify patterns or relationships that should be investigated further. Digital analysis such as Benford’s Law is a well-known audit example of an Outlier query, but there are many more techniques that can yield insight beyond only Benford’s Law.

Example of exception queries are more traditional Analytics queries such as these listed below:

  • List if two (or more) invoices have been paid for the same amount to the same vendor
  • List any purchase orders created after their corresponding invoice
  • List any Vendors who share a Tax ID Number, Address, or Phone Number with an Employee
  • List any Vendors who have had transactions posted after being Terminated or made Inactive

In short, we recommend spending at least an hour and as much as a day or more exploring and analyzing your data, before beginning any Exception Queries. A data exploration checklist follows – any additions or other suggestions to this list are welcome.

  • Sort transactions from oldest to newest and from newest to oldest. Any unusual dates or times? Any gaps in date or time stamps? Why?
  • Sort transactions from largest to smallest and smallest to largest. Any unusual negative values?
  • Stratify by various status codes, reason codes, or transaction types. Are all values consistently completed. Any unusual relationships? What do each of the codes and values represent?
  • Stratify by dollar value ranges. Do 20% of the transactions make up 80% of the value? Should they? The Pareto Principle says yes, but your business may vary.
  • Compute Relative Size Factor (largest to average and largest to second largest), and sort again. Do any of these RSF values cause you to want to drill into specifics? Consider whole numbers and large numbers. Why or why not?

What has been your most significant “aha” moment when exploring your data?

Tip 4 – Considering Outliers

Five tips…#4. Consider metric, outlier, and exception queries

For readers seeing this post as their first of the series, today is actually the fourth of a five-part blog that has been developed in response to Internal Auditor magazine’s lead article titled “The Year Ahead: 2015”. Because so many people make resolutions for the new year, we wanted to help audit and compliance professionals succeed with their resolutions. Especially because we believe there are more than a few whose resolutions include becoming more data-driven in their work through regular use with data analytics.

Yesterday we defined metric, outlier, and exception queries, and provided examples in the context of related potential audit projects around expenses such as Accounts Payable, Travel and Entertainment, or Payroll. To review, metric queries are simply lists of transactions that measure values against various dimensions or strata, such as rank or time series. Top 10 largest or simply transactions by day of week are examples of metric queries. These metric queries are powerful, and can become even more powerful when combined as part of outlier and exception analysis.

One recent Travel and Expense example from our client work was seeing a number of executive assistants in the “Top 10 Travel Spend reports.” Even before we looked at any exception report it became clear that some of the organization’s executives had their assistants complete and submit their personal expense reports, and then approved those reports themselves.

Outlier queries are those that compare value to other values like a mean or standard deviation. As an example, saying that today is twenty degrees colder than average or the coldest day of winter is more informative than saying that it will be sixteen degrees tomorrow than yesterday. Better still, listing the 10 coldest days together in relation to average and standard deviation is even more informative.

We recommend diving into exception queries only after metric and outlier queries have been prepared, explored and analyzed. It’s common for false positives to be averted through thoughtful review of metric and outlier queries.

How does this compare to your experiences?

Joe Oringel is a CPA and CIA with 25 years of experience in internal auditing, fraud detection and forensics. He has over ten years of Big 4 external audit, internal audit, and advisory experience, most recently with PricewaterhouseCoopers. His corporate experience includes information security, internal auditing, and risk and control of large ERP systems for companies in highly regulated industries, including Pharmaceuticals, Utilities, and Financial Services. Partner Kim Jones and Joe founded Visual Risk IQ in 2006 as an advisory firm focused solely on Data Analytics, Visual Reporting, and Continuous Auditing and Monitoring. He can be reached at joe.oringel@visualriskiq.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

© Joe Oringel 2015

February 2, 2015

Five Tips for Advancing with Audit Analytics, Part I

Filed under: Data Analytics,Joe Oringel,Visual Risk IQ — tfoxlaw @ 12:01 am

Oringel - new picEd. Note-Joe Oringel, Principal at Visual Risk IQ recently wrote a series of blog posts on advancing your business through the use of data analytics and audit. I asked Joe if I could repost his articles, which he graciously allowed me to do. So today I begin a day 3-day series of blog posts which reprint his post. Today are Tips 1-2.

For many people today, Monday January 5, is the first work day of 2015. We compliance and audit professionals are like our many co-workers and friends in that we have new goals and ideas that we expect should set this year apart. We want to grow and develop personally and professionally and have even greater career success. Inside and even outside of our current roles. But how?

Even more than in previous years, 2015 is shaping up as the year that Analytics will be adopted by the audit and compliance profession, at least according to Internal Auditor, the global professional journal for internal auditors. See article titled “The Year Ahead: 2015.”

This article quotes several high profile Chief Audit Executives (CAE’s) on the subject of Analytics. Raytheon’s Larry Harrington, a frequent keynote speaker for the IIA says that “you will see greater use of data analytics to increase audit coverage without increasing costs” and that “internal audit will leverage analytics from other lines of defense,” such as compliance and risk management. Increased use of Analytics will lead to greater value from audit and compliance, as measured by management. But if this was easy, wouldn’t we all be doing it already? How should we overcome obstacles such as finding the right people, training, and budgets (as cited by the CAE’s in this article)

Visual Risk IQ has been helping audit and compliance professionals see and understand their data since 2006. We work with all leading audit-specific tools (e.g. CaseWare IDEA, ACL, and newcomer Analyzer, from Arbutus Software), and also with general purpose analytics and visual reporting tools like SQL, Tableau, Oversight, and more. Importantly, we have completed hundreds of engagements for clients across a wide variety of industries.

These five tips are:
1) Consider skills and experience of the team, not individuals, when planning a data analytics project.
2) Begin with the business objectives in mind, and map from these objectives to available data
3) Understand your data, and explore it fully before developing exception queries
4) Consider outlier, metric, and exception queries
5) Supplement necessary skills with internal or external resources

We’ll be expanding on each of these five tips in blog posts later this week, but here is some information on the first and perhaps most important one.

Tip 1 – Your People 

You should consider skills and experience of the Team, not individuals, when planning a data analytics project.

As part of our consulting projects, and for our inward assessment of our own team members, we use an analytics-focused Body of Knowledge framework that has the following seven key components.

  • Project Management
  • Data Acquisition and Manipulation
  • Statistical techniques
  • Visual Reporting techniques
  • Communication
  • Audit and Compliance Domain expertise
  • Change Management and Strategic Thinking

In our experience, data analytics projects succeed because of project expectations and corresponding competencies of team members in these seven areas. It’s especially important to note that these body of knowledge components are rarely (if ever?) found at a high level within a single individual, and therefore a team approach is needed to accomplish successful an analytics projects. 

People that have greater skills at project management or communication of issues may not have the requisite technical experience when it comes to data acquisition and manipulation, or statistical techniques. Similarly, it is common for stronger data specialists to be weaker on audit or compliance domain expertise.

So when planning an audit analytics project, be sure that you’ve built a team that has each of these key elements in their skill set, and that they have the incentives and team structure to work together and learn from each other’s expertise.

Tip 2-Brainstorming

Yesterday we started a multi-part post on the importance of building audit data analytics capabilities, together with some “how-to” tips. Our first tip was how this is actually as much of a people challenge as a technical undertaking. One particular “secret” is that a combination of skills are needed to accomplish these analytics projects, and we see many departments make the mistake of assigning a single individual to carry out a project, without sufficient assistance or at least oversight from colleagues that have complementary skills.

In our data analytics consulting practice, we use a Body of Knowledge framework to identify needed skills for a particular project, and then match at least one “expert” with an “apprentice” that is looking to add to these same skills. Together our teams bring excellent qualifications in each of these domains, but it’s rare that they all arrive in the form of a single consultant. That framework was published here yesterday.

Today’s tip is to “Begin with the business objectives in mind, and map from these objectives to available digital data.” Too often, we see compliance and audit teams request data and begin to interrogate it before understanding the data fully or taking steps to validate control totals and/or data completeness. A related mistake is to exhaustively test a single data file without considering supplemental data sources that may yield greater insight or answer related business questions.

A recent example of why to begin with business questions was a Payroll project that we completed for a retail client. Our team was tasked with searching for “off-the-clock” work. If we had focused only on available data files, we could have answered questions about meal breaks, rest breaks, and overtime but perhaps missed other hours worked but not paid. By focusing on the business question first, we identified badge data and cash register data to identify if employees were in the store and ringing sales, yet were off the clock at the time of badge swipes or point-of-sale,

As such, the first step in any data analytics project is brainstorming. You can think of it as part of project planning. During this step, teams should identify the business questions that they want to answer with their analytics efforts, and cross-reference these business questions against available reports and digital data. If existing report(s) fully answer a business question, then a new query may not needed. But if a report does not currently exist, then analytics should be considered and understanding data sources becomes a key next step. During brainstorming, it is very important to understand the number and complexity and number of data sources that will be needed, and to focus only on a small enough number of business objectives so that the number of data sources does not get overwhelming. It is better to have a series of “small win” analytics efforts, than a larger, less successful project.

Joe Oringel is a CPA and CIA with 25 years of experience in internal auditing, fraud detection and forensics. He has over ten years of Big 4 external audit, internal audit, and advisory experience, most recently with PricewaterhouseCoopers. His corporate experience includes information security, internal auditing, and risk and control of large ERP systems for companies in highly regulated industries, including Pharmaceuticals, Utilities, and Financial Services. Partner Kim Jones and Joe founded Visual Risk IQ in 2006 as an advisory firm focused solely on Data Analytics, Visual Reporting, and Continuous Auditing and Monitoring. He can be reached at joe.oringel@visualriskiq.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.

 

© Joe Oringel 2015

January 9, 2013

Marks of Excellence – the Lakers 33 Game Winning Streak and FCPA Compliance Tools

Sorry Bill Simmons, but today we celebrate one of the great modern day records of any American sports franchise. On this day 41 years ago, the Milwaukee Bucks beat the Los Angeles Lakers to end the Lakers 33 game winning streak. This is the longest winning streak of any professional American sports team. 1971-72 was the greatest season in Laker history with the team winning the then record of 69 games for the season, topped off with a National Basketball Association (NBA) championship, after a 4-1 romp over the New York Knicks in the finals. By any measure, the Lakers achieved true greatness in that season.

One of the more interesting areas of Foreign Corrupt Practices Act (FCPA) compliance work is its evolving nature (although some might say more frustrating). However, as compliance work and compliance programs mature the tools, products and services available to help companies better manage the business of compliance continues to evolve as well. Several articles recently caught my attention and, in particular, one product caught my eye. Two of the articles appeared in the Financial Times (FT) and spoke to the advance in the sophisticated nature of compliance tools available. The final article was in the New York Times (NYT) and focused on a systemic failure by the US Air Force in the implementation of a computer upgrade that spoke to the difficulties a compliance practitioner can face in implementing a new compliance regime or engaging in a system upgrade.

The first FT article was by Jennifer Thompson, entitled “Rogues revealed by bad language”. In this article Thompson reported on research by Ernst & Young on information they received from the US Federal Bureau of Investigation (FBI). Thompson reported that “Phrases such “as “nobody will find out”, “cover up” and “off the books” are among those most likely to litter the in-boxes of corporate rogues, according to fraud investigators deploying increasingly popular linguistic software.” Moreover, “Expressions such as “special fees” and “friendly payments” abound for those embroiled in bribery cases, while rogue employees feeling the heat are likeliest to write that they “want no part of this” as well as the somewhat misguided “don’t leave a trail”.”

The technology angle is that there is software available which performs linguistic analysis that “initially protects employee anonymity, can flag uncharacteristic changes in tone and language in electronic conversations and can be tailored for particular types of employees, such as traders.” Further, Thompson noted that the “use of technology is set to grow as compliance departments police sprawling organisations to avert potentially costly mistakes.”

The second FT article was by Richard Waters, entitled “Counter-terrorism tools used to spot fraud”. In this article Waters detailed how “JPMorgan Chase has turned to technology used for countering terrorism to spot fraud risk among its own employees and to tackle problems such as deciding how much to charge when selling property behind troubled mortgages. The technology involves crunching vast amounts of data to identify hard-to-detect patterns in markets or individual behaviour that could reveal risks or openings to make money.” While the article focused on the use of the software to spot fraudsters, I believe that such techniques could well be brought in to help in the fight against corruption and bribery.

Another area where technology has come into play to help compliance programs is in due diligence. Most compliance practitioners are aware of the various levels of due diligence, that being Levels I, II and III. One difficult question has been how does a company perform in-country native language source business information investigations, without paying someone to put ‘boots on the ground’ and then have to pay for a translation, sort of due diligence Level I (a). I was recently introduced to a software tool by Arachnys Information Services Ltd (Arachnys) and I can tell you that it does some really cool stuff and can certainly help to fill a gap. Arachnys software can run your designated search terms in local media, such as newspapers or other sources, and not simply through a Google search database. It can then translate the local source for you and deliver the results to your computer. This software allows a compliance practitioner to perform in-country computer based due diligence at a level that I had not previously seen available. And as I said, it is really cool.

The final article was by Randall Stross, entitled “Billion-Dollar Flop: Air Force Stumbles on Software Plan”. In this article Stross discussed the failure by the Air Force to install and implement ‘off-the-shelf software’ which was originally budgeted at $628MM. In November of last year, the Air Force “canceled a six-year-old modernization effort that had eaten up more than $1 billion. When the Air Force realized that it would cost another $1 billion just to achieve one-quarter of the capabilities originally planned –  and that even then the system would not be fully ready before 2020 – it decided to decamp.” While there were numerous reasons given for the failure, the main reason attributed was that there was not “a single accountable leader” who “has the authority and willingness to exercise the authority to enforce all necessary changes to the business required for successful fielding of the software.”

The failure of the Air Force’s attempt to modernize its software speaks to one of the issues present when implementing or scaling up a compliance regime. First, do not start with the ‘Big Bang’ approach and try to do everything at once. There is usually more success by scaling implementation or enhancement down into manageable chunks. Next is the point raised above, that being that there must be a leader who not only has the authority but the willingness to exercise the authority to make the changes. Additionally, coupled with this type of leader, is the need for local buy-in which is important, as is empowering small groups to make the necessary decisions.

So today we celebrate the greatness of the Lakers and their phenomenal season of ‘71-72. In the compliance world, best practices are evolving but so are the tools which you can implement into your compliance program. The mining of data has many uses. Some companies such as Catelas Inc. can look at the relationships of persons and parties involved. Other software, such as that available through VisualRisk IQ, can mine the data and come up with financial or data points for further investigation. On the due diligence front, Arachnys software can help fill in holes for your in-country native source business information searches. Lastly, do not fall into the trap of the US Air Force; manage not only the expectations but the entire compliance process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

October 23, 2012

Money, Money, Money: Use of Big Data in Your Compliance Program

What is No. 2 on the biggest selling rock and roll album of all-time list? It’s Pink Floyd’s Dark Side of the Moon. In addition to learning that there is no “dark side” to the Moon as it is all dark really; my favorite cut off the album was the song Money. I was thinking about that song and how it might have some relevance to the Foreign Corrupt Practices Act (FCPA) or Bribery Act, in a rock and roll sort of way, when I came across an article in the October issue of the Harvard Business Review, entitled “Big Data: The Management Revolution” by authors Andrew McAfee and Erik Brynjolfsson. The authors’ basic premise is that by exploiting vast new flows of information, a company can improve its performance. However, to do so there must be a corresponding change in the company’s decision-making culture. In business today, many companies are concerned about having not the new thing but the new, new thing. In the FCPA world we might call that evolving best practices as it is another way to phrase many of the emerging business techniques and strategies that can have application to the FCPA compliance practitioner.

What is Big Data?

The authors differentiate ‘Big Data’ from other analytics through three key facets. First is the sheer volume of data that is now available to companies. The authors note that “more data comes across the internet every second than were stored in the entire internet twenty years ago.” The second difference is in velocity with the abundance of real-time or “nearly real-time information”. The authors believe that the “speed of data creation is even more important than the volume.” The final difference is in the form of the data; it is not simply numbers from structured databases but “big data takes the form of messages, updates and images posted to social networks, readings from sensors; GPS signals from cell phones, and more.”

A New Culture of Decision Making

While noting that the technical challenges in capturing or storing ‘Big Data’ can be formidable, the authors believe that the managerial challenges can be even greater. When data is scarce, expensive to obtain or not available in digital forms, the authors posit that “it makes sense to let well placed people make decisions, which they do on the basis of experience they’ve built up and patterns and relationships that that they’ve observed and internalized”, in other words “intuition.” The authors believe that when ‘Big Data’ is involved the Highest Paid Persons Opinion (HiPPO) must “be muted.”

There must be a shift in thinking by the decision makers. The authors believe that two key questions should be “What does the data show?” and then follow up with some more specific questions such as “Where did the data come from? “What kinds of analysis were conducted?” and “How confident are we in the results?” However, as important as these questions might be the bigger challenge by any decision maker using ‘Big Data’ is that they “can allow themselves to be overruled by the data”. The authors believe that nothing speaks louder to employees than “seeing a senior executive concede when data has disproved a hunch.”

Five Management Challenges

The authors write that there are five “particularly important areas” in the effective management of change when it comes to ‘Big Data’.

  1. Leadership. ‘Big Data’ does not erase the need for leadership’s vision and insight. However companies will succeed using ‘Big Data’ because leadership teams “set clear goals, define what success looks like, and ask the right questions.” The authors believe that the companies who lead the way in the use of ‘Big Data’ will be those who use these time honed techniques while changing the way they make decisions.
  2. Talent Management. While data scientists and other similar professionals skilled at working with large amounts of numbers will be important; the authors believe that “cleaning and organizing” the data so that a decision can be made will be equally important. They note that such skills are not currently taught in universities so that company personnel will need to develop the ability in “crossing the gap between correlation and causation.”
  3. Technology. The authors recognize that at the end of the day it is people who will analyze the data but that technology is “always a necessary component of a ‘Big Data’ strategy.” They also believe that the tools available to handle ‘Big Data’ are out there in the marketplace but there is still a skill set required that most IT departments do not have, which is to “integrate all the relevant internal and external sources of data.”
  4. Decision Making. Here the authors believe the key is that company personnel who understand the problem must be brought together with the right data and that these same personnel must have “problem solving techniques that can effectively exploit” the ‘Big Data’. This requires a company leadership which puts “information and the relevant decision making rights in the same location”. The authors termed it as the “not invented here syndrome” and that employees must work throughout the decision making calculus.
  5. Company Culture. In addition to moving away from the HiPPO syndrome noted above, executives must stop claiming that they are using data and analytics to make decisions when they are simply spicing up their reports “with lots of data that supported decisions they have already made”. The authors believe that the first question that a company should ask is not “What do we think?” but “What do we know?” Such an inquiry will allow businesses to gravitate away from making decisions based on “hunches and instinct” to those based upon the data.

What about the application of ‘Big Data’ to FCPA and Bribery Act compliance? I think this article shows the power of not only data analytics but also continuous monitoring. In their article the authors end by stating “Data-driven decisions tend to be better decisions.” The same is true in compliance. Whether you use a software tool, such as Catelas software to pull down large amounts of information and make decisions based upon this data or design a protocol to continually monitor segments of your information through the guys at Visual Risk IQ, cutting edge technology is available to assist the compliance practitioner. But with all data, the key is how to use it and I believe that compliance practitioners who can review large amounts of information from their own internal company and analyze it quickly and efficiently will be able to better protect their companies and keep them in compliance. This will inevitably lead to more complete and better decisions and companies will be able to respond more quickly to compliance challenges as they arise.

And Pink Floyd? Just remember, Money, Money, Money…or listen to the You Tube version by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

February 24, 2012

Innovation and Compliance

Can compliance be innovative? Or can innovation inform your compliance program? Can some of the techniques and strategies of the world’s most innovative companies be brought to bear in the field of anti-corruption and anti-bribery?

I thought about those questions, and perhaps some others, while reading the March issue of Fast Company, with a cover title of “The World’s 50 Most Innovative Companies”. In his column, “From the Editor”, Robert Safian wrote about the “The Lessons of Innovation.” He said in reviewing the Top 50 most innovative company, he drew eight key themes. As I read these I thought about them and their relationship to compliance. So with a tip of the hat to Mr. Safian, here is my compliance spin on his eight key themes of corporate innovation.

1.      Compliance should be a strategy, not a tactic. Starbucks recognized that profit alone is a “fairly shallow aspiration, and it’s not enduring.” Most people want to do business with companies which do not engage in bribery and corruption. Indeed the UK Bribery Act enshrines this in its Six Principles of an Adequate Procedures by stating that a company should only conduct business with other ethical companies.

2.      Big companies need to be as nimble as small companies. Safian notes that the top four companies: Apple, Google, Facebook and Amazon.com all continue to “drive the agenda across the global economy.” This should also be true of your compliance program. You need to use the tools available to you to update your risk assessment if you move into new business lines, products or geographical areas. Similarly if one of your competitors comes under anti-corruption scrutiny, you should review any similar practices that your company might have, such as its sales model or vendors in the Supply Chain.

3.      Technology is disruptive in unexpected places. Here Safian gives the example of LegalZoom, which is “challenging the definition of a law practice” by providing useful legal forms and documents to consumers. In the compliance arena, the number of technological innovations is as broad as it is deep. Companies like Catelas and VisualRisk IQ have developed software products which can allow review and assessment of a large number of data points or other quantitative data. You can even get apps for smartphones which allow submission of expense requests directly to your compliance department.

4.      Compliance is a competitive advantage. Apple has never been publicly reported as going through a Foreign Corrupt Practices Act (FCPA) investigation. What is their stock price today and is it still undervalued? Even when it recently received negative publicity regarding its manufacturing facilities in China, it responded quickly and brought in an outside monitor to assess and report. Apple also annually assesses its third party vendors and makes that report public. Do you think that keeps vendors on their collective toes? You bet it does.

5.      Use of social media makes compliance better. My former speaking cohort, Stephen Martin, then General Counsel for Corpedia, often spoke about Code of Conduct 3.0, which is a web-based interactive tool which helps guide employees through a Code in an interesting and stimulating manner. The same is true of training. You no longer need to simply have a video conference to deliver compliance training around the world. Companies like Click4Compliance have interactive, web-based solutions that you can utilize. I noted above about the smartphone app which allows employees from around the world to submit expense requests to the compliance department and receive an instant response back from an assigned compliance team member.

6. Data is power. If you don’t document it, you can’t measure it. If you don’t measure it, you can’t assess it. If you don’t assess it, you can’t improve it. That is how an engineer tends to look at things. In the compliance world, if you don’t document it, it never existed (Cue drum roll for: document, document and document). Both are true. You have to document things to prove that you actually did them. But if you do not have data, you cannot determine if your compliance program is successful or improve it.

7.      Money is flowing. Here, Safian does not mean necessarily that more funding is available. However, in the compliance world what I believe that this means is forces, other than legal compliance, for example: the US Department of Justice (DOJ) or the UK Serious Fraud Office (SFO) enforcements are beginning to drive compliance. Insurance companies have developed insurance coverage for FCPA investigations; D&O insurers are requiring companies to have a compliance program to cover directors and officers sued in shareholder derivative actions based upon admitted FCPA violations; and perhaps most interestingly, banks and other financial institutions are reviewing anti-corruption compliance programs to determine if they meet minimum best practices and then writing maintenance of these programs into their loan covenants.

8.      Copycats are history. Saflan notes that emerging market entrepreneurs aren’t just following the successes of others, they are creating new, distinct models”. In the compliance arena I believe that ‘out-of-the-box’ solutions are no longer best practices. Companies need to assess their specific compliance risks and then design programs to specifically manage those compliance risks. If your company uses a sales model of agents, one type of compliance management strategy may need to be employed. However, if your company is a manufacturing company, which sells through distributors, another compliance management strategy may be required. Do not simply purchase a compliance program off the shelf. Either design it to fit the needs (and realities) of your business model or work with an expert who can do so.

The innovation angle is not one that is usually in the front of the line at compliance conferences or in thinking through compliance programs. But if you listen to Lanny Breuer, Chuck DuRoss or any other DOJ speaker, they continually talk about evolving best practices in anti-corruption compliance. Any reader of Deferred Prosecution Agreements (DPAs) over the past 18 months is well aware of the changes in focus that the DOJ has in these documents. Certainly, many of the compliance techniques are driven by the compliance challenges in the individual companies. But if your company has engaged in mergers and acquisitions, why would it not follow the ‘enhanced’ compliance guidance found in the Johnson & Johnson DPA and train all high risk employees within 12 months of acquisition and perform a full compliance audit, within 18 months of acquisition? So my conclusion is that innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

April 14, 2011

FCPA Compliance: Documentation Is a Key

Paul McNulty, former United States Deputy Attorney General has provided perspective that there are three general areas of inquiry the Department of Justice (DOJ) would assess regarding an enforcement action. First: “What did you do to stay out of trouble? Second: “What did you do when you found out?” and Third: “What remedial action did you take?” He also discusses that as a key component, a company must document its overall compliance efforts.

Former federal prosecutor Stephen Martin, currently the General Counsel of Corpedia, discusses the key component of documentation when he and I speak across the country on current compliance best practices in our World-Check sponsored Foreign Corrupt Practices Act (FCPA) events. To respond to any of these inquiries a company must document what it does for its compliance efforts. However, more than simply the ability to document the results of your company’s compliance efforts is the ability of a company to quickly and efficiently respond to a prosecutor’s request for information in a timely manner.

We recently wrote about the proactive use of the results of your compliance program, as advocated by William Athanas in his article “Demonstrating “Systemic Success” in FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government Investigations . . . Before They Begin.” From this article I derived three key take a ways; which are document, document and then document. If your compliance program does not document its successes there is simply no evidence that it has succeeded. In addition to providing to your company support to put forward to the DOJ, it is the only manner in which to gage the overall effectiveness of your compliance program. Put another way, if you don’t document it, you cannot measure it and if you cannot measure it, you cannot refine it.

One of the mechanisms to help both in your documentation and delivery of this documentation is audit analytics. ACL Services, in a White Paper entitled “Don’t Get Bitten by the FCPA”, advocated the use of audit analytics to assist in creating and accessing the necessary documentation to enable your company to continue to compare and update its compliance program and provides a readily assessable written record to present to any DOJ official.

Another company, Visual Risk IQ, has a software product which performs continuous controls monitoring involving the monitoring of data. This system will enable your company to not only record and analyze a large amount of financial information but will allow you to readily document whether any payments are outside of any established norm. This established norm can be derived from against a businesses’ own standard or an accepted industry standard. Therefore if a payment, distribution or other financial payment, or remuneration into a foreign business partner is outside an established norm, thus creating a Red Flag, such information can be tagged for further investigation and such record is documented and readily accessible.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Blog at WordPress.com.