Auditing

This section of the blog will examine various forms of COI-related auditing, whether conducted by external or internal audit personnel, members of a C&E function or others.

This is a test

In Testing Compliance (published on the Harvard corporate governance web site, with the full paper available at SSRN), Brandon L. Garrett, Professor of Law at Duke Law School, and Gregory Mitchell, Professor of Law at the University of Virginia School of Law, note that “what makes the compliance enterprise deeply uncertain and problematic is that the information generated by compliance efforts is simultaneously useful and dangerous. However, documenting problematic behaviors creates a record that may be used against the corporation in future administrative, criminal or civil proceedings, or may become the subject of a media exposé. Officers and directors, and the in-house compliance team, may sincerely hope compliance programs are effective, but they may quite rationally avoid testing that hope. The end result will often be rational ignorance with respect to the effectiveness of corporate compliance programs. This dynamic—the hope that greater attention to compliance will reap benefits drives more resources toward compliance efforts, yet fears about what examining the effects of those efforts might reveal hinders validation of compliance programs—creates a ‘compliance trap’ that can ensnare corporations and regulators alike.” The authors “explore ways out of this trap.”

Among other things:

– They argue for government policies to promote more information sharing by companies about what works and what doesn’t in terms of C&E. While there is already some such sharing via compliance conferences and through various professional organizations, there is clearly room for improvement here.

– They also note, based on compliance information published by Fortune 100 companies, that if such companies “are measuring the effectiveness of their compliance programs, they are not sharing it. It is also possible that what we see is what we get: active educational efforts focused on employee training and assessments of that training using employee surveys and reactive compliance efforts relying on whistleblower reporting and investigation of those reports. The public record reveals few active efforts to detect and remedy weaknesses within internal compliance systems.” I agree that sharing of this kind could be a powerful force in promoting strong C&E.

– They propose instituting a “legal mandate that organizations regularly test their compliance systems for effectiveness. But to incentivize companies to put in place strong compliance programs and audit those programs rigorously, the mandated reports should not increase their litigation exposure.” I think implementing legislation to help companies avoid the “compliance trap” in this way would be very beneficial, though getting to such a safe place would – in my view – be a lengthy and difficult journey.

– They note: “Companies need to proactively test whether their employees, when given the chance to misbehave, really do. Such testing need not involve comprehensive data collection or expensive analytics, although firms increasingly use such tools, and consultants may market AI approaches to compliance. Rather, experiments, relying on blind performance testing of randomly sampled employees, can quite inexpensively measure whether employees comply in realistic work situations.” I note (as do the authors) that some of this already happens but think there needs to be more of it. However, one must be careful to avoid the perception that employees are being treated as the subject of experiments.

Finally, there is much more to this piece and I encourage you to read it in its entirety.

 

An important real-world conflict of interest experiment

In today’s NY Times, Michael Greenstone, an economics professor at MIT, writes about a study on auditor COIs that he – together with Esther Duflo of M.I.T. and Rohini Pande and Nicholas Ryan, both of Harvard – recently published. The study was conducted in Gujarat, India, where industrial plants with high pollution risks are required “to hire and pay auditors to check air and water pollution levels three times annually and then submit a yearly report to” a governmental body. In the study, for a randomly selected set of companies, but not for a control group, “auditors were paid a fixed fee from a central pool of money, a subset of the audits was chosen to have its findings re-examined, and auditors received payments for accurate reports, judged by comparisons with the re-examinations. The control group continued under the status quo system in which auditors were chosen and paid by the plants they were auditing.”

The results of this real-world experiment  powerfully demonstrate the impact on the ethicality of conduct that financial incentives can have – even on the judgment of individuals who, by virtue of their professional norms, are supposed to be resistant to COIs.  That is: “While many of the plants violated the pollution standards, few of the auditors in the control group reported these violations. In the case of particulate matter, an especially harmful air pollutant, auditors reported that only 7 percent of industrial plants violated the pollution standard. In reality, 59 percent of plants exceeded it.” However, “[t]he rules changes [in the experiment] caused the auditors to report more truthfully. In the restructured market, auditors were 80 percent less likely to falsely report a pollution reading as in compliance, and their reported pollution readings were 50 to 70 percent higher than when they were working in the status quo system. This difference was as large even when comparing reports of auditors working simultaneously under the two systems. Finally, and most important, the plants that were required to use the new auditing system significantly reduced their emissions of air and water pollution, relative to the plants operating in the status quo system. Presumably, this was because the plants’ operators understood that the regulators were receiving more accurate information and would follow up on it.”

Three comments on this important study.

First, while most directly relevant to auditors, these results can, I believe, be broadly applicable to COIs generally.  That is, if professionals who are trained to rise above COIs fare this poorly, one can only imagine the impact of COIs on the rest of us.

Second, the more important compliance and ethics program efforts become to society, the greater the need for not just C&E auditing but other forms of checking – such as monitoring, as was discussed in a piece in Corporate Compliance Insights. But monitoring (as a general matter) is even less independent than is auditing, so this recent study underscores the considerable challenges for making forms of checking beyond auditing effective.

Third, research to determine “what works” is vitally important for the C&E field to mature and realize its full promise, and real-world studies such as this one can be particularly valuable in that regard. Interestingly, another article in today’s NY Times describes how in the UK there is now a government-run effort (headed by a “Behavioral Insights Team”) to use research to determine what works with respect to various public policies, including some compliance-related ones. I hope that the US and other countries will follow the UK’s lead here.

Finally, here is a prior post on auditor COIs.

 

Auditing for Conflicts of Interest

Does your company’s C&E audit plan sufficiently address COIs?  Most companies presumably have some COI-related auditing, but far fewer deal with this important C&E area in a systematic way.

As with other C&E-related areas, COI-directed audits tend to fall largely into a “substance” bucket and a “process” one.

The former includes (but is by no means limited to) certain measures that are necessary for all companies – such as examining T&E records of corporate officers and other key individuals. It should also include auditing based on industry-related COI laws and regulations (e.g., in health care/life science, government contracting or financial services), as well as cross-industry areas of legal risk (such as FCPA).

Of course, for companies with a risk of organizational conflicts there is a host of audit measures one might take. Perhaps less obviously, where companies face significant risks of causing third-party COIs, that too should be audited.

The latter type of audit measures (for process) would look at COI-related:

– Risk assessment processes. Are they well designed? Are they being followed? Is the information from the process being fully used to inform other aspects of the C&E program?

– Policies and communications. Are the standards clear? Is there a training and communications plan around COIs? What is employee understanding of applicable standards?

– Procedures around disclosure, review and management. As with other audit areas, this part of the effort would look at both design and operation — and also focus on the sufficiency of documentation.

– Accountabilities.  This includes both administrative accountability and discipline for violations (including the culpable failure by managers to prevent and detect violations by others).

Finally,   political and charitable contributions should, for some companies, be reviewed, not only for COIs but also the related issues of moral hazard or bias.

 

Conflict of interest review processes

As prior posts have discussed, reviews of disclosed employee conflicts of interest pose a number of challenges. Disclosures may not truly mitigate conflicts.  Indeed, they may actually cause more wrongful COI-based conduct to occur than would be the case absent a disclosure.

Still, very few business organizations opt for a true “zero tolerance” approach to all COIs.  And for those that don’t, COI review processes are necessary for determining when a COI should be permitted to exist and under what conditions.

At a minimum, COI reviews should be conducted by an independent person or body.   Independence for these purposes means more than COI-free in the traditional sense.  It should also encompass the behavioral ethics concept of “motivated blindness,”  i.e., a reviewer should not be someone who may – due to the relationships involved – be inclined to approve a conflict-laden relationship or transaction.

For this reason, companies may wish to have COI reviews conducted by a C&E committee.  One obvious benefit to this approach is that there is “safety in numbers.” Another is that the committee will have or develop expertise (born of experience) in evaluating conflicts, which behavioral ethics research shows can be useful.    Offering less C&E protection – but still more than having COI reviews made by a line supervisor – is tasking a staff function, such as legal or HR,  for this job.

Of course, some companies do permit supervisors to approve COIs.  If this approach is adopted, companies should still seek to have a reasonable degree of rigor in the process by:

– requiring that any approvals be in writing and sought before engaging in a conflict-based transaction;

– providing and publicizing avenues for supervisors to ask questions of the C&E function when performing COI reviews; and

– including the issue of COI reviews in supervisor training – or, if this is impractical, providing written guidance (e.g., FAQs)  regarding such reviews.

Finally, companies should check on the supervisors’  actions in reviewing or approving COIs, such as through audits.

Other People’s Conflicts

Samuel Johnson once famously said of some unfortunate soul, “He is not only dull himself, he is the cause of dullness in others,” and in this posting we’ll examine how companies can avoid the misfortune that sometimes comes from causing conflicts of interests in others.

To start, a brief bit of COI history.

Several years ago an advertising agency lost a highly lucrative account with Wal-Mart and – according to some press accounts at the time – part of the reason for the loss was the agency’s entertaining of a Wal-Mart executive in ways that allegedly caused her to violate that company’s code of conduct. Although the agency presumably violated no law, its loss of future revenue could be seen to be as costly as some of the largest criminal fines in history.

The case led many companies to add to their codes of conduct a requirement that in providing gifts, entertainment or travel to employees of third parties one must not cause those employees to violate their respective employers’ codes. But is such a provision by itself enough to mitigate risks of this kind?

For any given business organization, addressing this issue should, of course, be driven by an assessment of relevant risk. However, for all organizations it may be useful to consider the range of available C&E measures that can be taken here, and “work backwards” to determine if their respective risks warrant implementing the measure in question.

First, there is the language of the code itself. While at first blush a mandate that employees must not cause a violation seems strong, a preferable approach may be to specify that employees must ensure that they do not cause a violation. The latter sort of requirement (particularly if reinforced the right ways) suggests a higher and more meaningful burden on the employees who deal with third parties.

Second, companies can establish a practice of periodically collecting customers’ and other relevant third parties’ codes and disseminating gifts and entertainment language to at-risk employees and their respective managers. Even if it is not possible to do this for all third parties, the effort can be useful if codes for major customers are obtained.

Third, COI training can emphasize the importance of identifying and following relevant third-party standards. Fourth, companies can deploy “just-in-time” communications to at-risk employees around these issues.

Fifth, for organizations with relatively high risks in this area, managers can be required to monitor for compliance with third-party codes. Sixth, auditors might be tasked with including third-party standards in their audits.

Finally, note that this post deals with the topic of other people’s conflicts only at a very high level. There are many other aspects to this area. Indeed, the whole field of corruption by definition involves “causing conflicts in others,” and many of the largest criminal fines in history (specifically in the FCPA and health care fraud-and-abuse areas) have been precisely about that. The point of this post is to suggest that even without significant corruption risks, all organizations should consider whether they do enough to avoid creating third-party COIs.