How Vigilant is Vigilant Enough?

Companies need to use technology and testing methodologies to uncover red flags and patterns that could indicate corrupt schemes and transactions. New tools on the horizon will help you search across virtually all of your data and information and even predict problems and vulnerabilities.

Tech Inc., a rapidly growing software company operating in 45 countries, learns that the U.S. Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are investigating payments made by its subsidiaries in Brazil and China for possible violation of the Foreign Corrupt Practices Act (FCPA). Bob, the general counsel for Tech Inc., suspects that the source of the investigation is an employee who anonymously lodged a hotline complaint alleging that the company was 1) paying independent sales agents excessive commissions and 2) providing generous discounts and rebates to some of its channel customers and distributors. The complainant also said he believed the problem extended beyond Brazil and China based on discussions he had with other employees.

While Bob is concerned with the immediate allegations, he's also worried that the numerous acquisitions that fueled Tech's growth has left it vulnerable to corrupt practices, particularly concerning a number of privately held companies acquired in emerging markets. Tech did very little pre-acquisition FCPA due diligence and has been slow to roll out an anticorruption program to the acquired companies.

Compounding Bob's misery is the news from outside counsel that the DOJ and the SEC will scrutinize the acquisition diligence to determine if Tech should be held responsible for any corrupt practices it inherited and will also expect Tech to look beyond Brazil and China and report on the effectiveness of its overall anticorruption compliance program. That, outside counsel told Bob, will require interviews, review of documents and transaction testing at a number of locations selected from an assessment process based on factors such as the volume of direct and indirect government sales, use of third-party intermediaries, country-risk profile, local licensing and other regulatory requirements, prior compliance issues and the absence of compliance procedures and training in place.

This imagined scenario is common for companies operating in or seeking to expand into developing, and frequently risky, markets. (See FraudBasics for more FCPA-related material.) Bob's concerns will ring true with other company counsels, CFEs, compliance professionals and auditors responsible for managing risk and compliance efforts. With funding scarce, these groups are being asked to do more with less, which forces them to strike a balance between adequate procedures to assess, monitor and mitigate risk; conduct fraud investigations; and perform due diligence on acquisition targets and business partners while not breaking the bank. This article discusses how companies can utilize technology and testing methodologies to uncover red flags and patterns that could potentially indicate corrupt schemes and transactions.

ENFORCEMENT TRENDS

If your company conducts business in emerging or risky international markets — or is planning to enter them — you can't be complacent about your FCPA compliance efforts.

In 2010, the DOJ and the SEC nearly doubled the number of FCPA enforcement actions brought over 2009, which had been a record-setting year.¹ Indications from the DOJ are that 2011 was another strong enforcement year.² Furthermore, the U.K. Bribery Act, which became effective July 1, 2011, represents perhaps the most significant change in global anticorruption law since the 2011 U.S. PATRIOT Act.

Companies may seek to reduce their potential exposure to corrupt acts and the resulting legal liabilities and reputational damage by implementing compliance programs designed to address particular geographic, industry and business risks. Such programs will typically include procedures through which you can monitor risk areas and test for potential red flag indicators of improper payments or other corrupt arrangements. These procedures may include email filtering to identify suspicious terms or phrases and spot compliance reviews at higher-risk locations to ensure, for example, that third-party retention and monitoring procedures are being followed.

A sometimes overlooked, yet important and potentially powerful, way to monitor anticorruption compliance is through transactional data testing for potentially improper payments. Great strides have been made in developing tools that can process and analyze large volumes of data, which can identify transactions that may require further review.

A CLOSER LOOK AT TRANSACTIONAL DATA TESTING

The goal of transactional data testing is to identify suspect patterns or anomalies in an organization's data using rules-based filtering technologies. Relevant accounting data is typically pulled from the general ledger, accounts payable, accounts receivable and payroll.

Analytics software now enable users to efficiently test 100 percent of data rather than just samples, thereby reducing the risk that relevant transactions will fall outside the testing scope.

Anomaly detection software is typically sourced through "off the shelf" packages, existing services within a company's enterprise resource planning (ERP) application or proprietary tools developed by consulting firms specializing in anticorruption services. You must select technology that's sufficiently powerful to handle data and processing requirements and flexible enough to deal with data sets from multiple systems.

LEVERAGING ADVANCED ANALYTICS IN TRANSACTIONAL ANALYSES

In addition to the standard transactional testing for data anomalies and higher-risk payments, more advanced analytics are emerging as potential game-changers in detecting and deterring fraud and corruption. In development are predictive models that forecast potential violations based on profiles of historical issues, either within or external to the company. Moreover, continuous monitoring solutions that track transactions on a real-time or near real-time basis can alert company personnel to potential issues before they mushroom. Finally, tools that can cull content and meaning out of emails, electronic documents and other unstructured information and tie those findings to transactional data will provide comprehensive yet efficient looks at a company's relevant systems.

You'll need personnel with a thorough understanding of corruption schemes and, specifically, the ability to identify higher-risk payments in accounting data to review transaction results to determine those that should be examined more closely.

Because any such analyses may at some point be subject to government scrutiny, you must carefully consider your approach, process and documentation. Your process should be efficient, repeatable and produce timely, consistent and relevant results. It should include three distinct steps: 1) formulating a testing plan, 2) identifying relevant data and 3) creating a central analytics database.

Formulating a testing plan

Perhaps the most important step in the testing process is developing the initial plan. Although the plan will likely evolve as you learn more about entities, accounts, events, etc., a strong foundation is key to determining what data to collect, schemes to consider, specific tests to run and locations to include. An initial risk assessment will help determine threshold questions concerning the breadth and potential depth of the testing plan. Factors to consider in this assessment include country and industry risk profiles, government sales volume, local regulatory environment, use of sales or logistics intermediaries, high commission rates, historical or current compliance issues and local management experience and independence.

The power and sophistication of analytical tools make it possible to cover a broad range of transactions while keeping the work focused and manageable. For example, you can readily identify payments to off-shore locations and vendor payments in round currency amounts or exceeding certain limits with search queries adjusted to capture a wider or narrower range of transactions as appropriate. Initially, 10 to 15 well-defined tests should yield a representative range of transactions. Once you refine the methodology, you can incorporate it into your company's overall compliance program.

Thoroughly document all steps you take in the development and execution of the plan and the reporting and follow up of results, particularly if you discover a potential violation and you need to explain or defend the process.

Identifying relevant data and data sources

Although this step might seem straightforward, often it's surprisingly complex. Key questions for identifying the right data and sources include:

When you collect the data, it will be important to provide precise and detailed requests that specify the fields of information, the time period, the format the data is to be delivered in — for example, spreadsheet or text files — and the delivery method, such as CD, DVD or online transmission. It is usually better to ask for more rather than less because there are costs and delays associated with each data request. Busy company information technology professionals appreciate precise, reasonable and sufficiently comprehensive requests so you don't have to repeatedly ask them for assistance.

Creating a central analytics database

In most cases, the volume of data retrieved for analysis will exceed spreadsheet limitations. If you set up a central analytics database, you can consolidate, access and test disparate data sources from one location using standard relational database software such as Microsoft®, SQL Server® or Oracle® Database. This will create efficiencies by permitting investigators the flexibility to run tests beyond those contemplated in the original work plan. It's particularly important to save queries and test plans so the same process can be repeated on other business entities within the organization, if necessary.

AVOIDING PITFALLS OF TRANSACTIONAL DATA TESTING

Despite the many benefits of transactional data testing, it's not without its challenges. Listed below are several important potential pitfalls and how to avoid them.

Disparate data systems

Accounting systems and ERP of large, multinational corporations are complex and frequently decentralized. If you take the time initially to understand how the data is organized across business units, countries and/or functions, you will significantly save time particularly when you're presented with multiple and duplicated sources of information, numerous and inconsistent data formats and no standard means of access.

Also, companies acquired by the subject company often will maintain their systems for lengthy periods of time because system integrations are costly and time consuming. It's imperative that you know exactly where and in what system the relevant data resides.

Archived versus live data

Many companies archive historical information to save space and money and to increase performance. Depending on the company's size, the volume of data kept "live" may vary, which frequently requires restoring and retrieving archived data. Common complications include difficulties in accessing tapes from off-site locations, improper or unclear indexing and data saved in a read-only application, which requires the same user interface as a company's live data. Accessing the user interface for data-testing purposes may slow the live system's operation (leading to business interruptions) or require the implementation of a mirror environment. (This is a duplicative server environment hosting the data that's separate from, but mirrors the components of, the original system.) If you understand your storage environment, how the data was archived and any restrictions on retrieval you will shorten your retrieval time and reduce costs.

Homegrown systems

Many organizations — particularly those with subsidiaries in smaller countries — may use homegrown or local accounting systems. While accounting data is typically "rolled up" to a centralized database for consolidation purposes, that data is usually provided in a summary format that lacks the transaction details necessary for effective data analytics.

Local systems also may not be designed to support the recording of transaction details or provide the data in an appropriate format for testing. Identifying such limitations at an early stage in the investigation will help ensure that valuable time is directed towards collecting data that will be immediately usable.

Cross-border considerations

Increasingly, companies are venturing into markets such as China, India, Russia, Brazil and Mexico that present significant corruption risks, according to Transparency International's "2010 Corruption Perception Index." They may need to use new or little-known partners, suppliers and agents to help drive sales, develop sites for factories or business centers or handle logistics and regulatory matters. Because intermediary relationships are common sources of bribery concerns, monitor transactions with these parties in risky environments to help identify potentially suspicious payments requiring further review, including large commission or success payments, payments made in advance of services rendered or one-time payments.

Also consider data privacy laws when obtaining transactional data. Although accounting data doesn't typically fall within the privacy definitions used in many countries, certain accounts (e.g., payroll) may contain personally identifiable information for which cross-border transfer restrictions may apply. Other data transfer laws — in particular China's state and trade secret laws — will impact the timing of collections and execution of data testing plans. In some instances, it may be necessary to conduct the transactional testing, as well as other aspects of the investigation such as email and document reviews, entirely in the local country. Such issues will require expert legal analysis because the penalties for violations can be quite severe.

CASTING A WIDER NET

Companies and their advisors often struggle with the magnitude and complexity of data systems when determining how to best test for compliance with anticorruption laws or respond to regulatory inquiries. As companies continue to seek business opportunities in emerging and risky markets, and as aggressive enforcement of global anticorruption laws continues unabated, the need to develop effective and cost-efficient testing solutions takes on a greater urgency. The good news is that companies can achieve this goal through structured and logical approaches to system assessment, data extraction and transaction testing using powerful and increasingly sophisticated technology tools to reduce time, cost and personnel requirements.

Edward A. Rial, J.D., is a principal and leader of the Foreign Corrupt Practices Act Consulting practice with Deloitte Financial Advisory Services LLP. erial@deloitte.com

Daniel Krittman is a director in the Analytic and Forensic Technology practice and the Data Analytics National Leader with Deloitte Financial Advisory Services LLP. dkrittman@deloitte.com

Anthony DeSantis, CFE, is a principal in the Analytic and Forensic Technology practice with Deloitte Financial Advisory Services LLP. andesantis@deloitte.com

¹"2010 Year-End FCPA Update," Gibson Dunn, Jan. 3, 2011.

²Assistant Attorney General Lanny A. Breuer, The American Conference Institute's 24th National Conference on the Foreign Corrupt Practices Act (FCPA), Nov. 16, 2010.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.