Applying data analytics and periodic monitoring to recent DOJ guidance

This article was originally published on June 18, 2019 and has been updated.

In September 2024, the Department of Justice (DOJ) Criminal Division published an updated Evaluation of Corporate Compliance Programs Guidance Document (the guidance) for prosecutors to use in evaluating corporate compliance programs. The guidance, which provides a window into the DOJ’s evolving enforcement expectations, lays out three principal areas prosecutors should explore when faced with evaluating a corporate compliance program in the context of a criminal investigation.

• Is the corporation’s compliance program well-designed?
• Is the program being applied earnestly and in good faith? In other words, is the program adequately resourced and empowered to function effectively?
• Does the corporation’s compliance program work in practice?

Coinciding with this update, the DOJ launched a three-year pilot program regarding incentives and clawbacks of executive compensation. This program requires companies entering into deferred prosecution agreements or other criminal resolutions to incentivize compliance and have mechanisms to claw back executive compensation in the event compliance is not effective.

With this renewed and enhanced scrutiny on compliance programs, including personal financial impact to executives, organizations are more focused than ever on the efficacy of their compliance program. This article will focus on how those charged with implementing and testing compliance programs can incorporate data analytics and monitoring protocols to evaluate the efficacy of their program.

Does your organization’s compliance program work in practice?

The guidance points to several factors that companies should focus on to assess whether a compliance program works in practice, including:

• Continuous improvement, periodic testing and review
• Investigation of suspected misconduct
• Gap analysis and remediation of underlying misconduct

To address each of these factors, organizations can incorporate analytics and periodic monitoring into their suite of forensic protocols. Organizations generate and maintain tremendous amounts of data. The power to harness this data and apply analytical tools and procedures to identify problematic trends, uncover high-risk relationships and detect noneconomic transactions can facilitate the early identification of fraud schemes that require investigation, and assist in the process of remediation—two of the stated goals contained in the guidance.

Below we have outlined a suggested protocol for applying forensic data analytics and periodic monitoring to assist boards, general counsel, compliance professionals and external counsel in mitigating risk, reducing exposure and testing the efficacy of an organization’s compliance programs.

We will explore the concept of monitoring, the use of monitoring as a risk mitigation solution, and discuss program implementation procedures and common hurdles.

What is periodic monitoring?

As depicted in Figure 1 below, a monitoring program integrates data analytics with sound forensic practices to detect the following in a timely fashion: high-risk transactions, undisclosed conflicts of interest, internal control and compliance failures, and potential collusive behaviors.

Unlike traditional transactional sampling techniques that analyze a small fraction of an available dataset, periodic monitoring examines 100 percent of the population of transactions, leading to substantially greater coverage and a commensurate reduction in risk.

Monitoring systems can be used to identify high-risk operations within a company’s global operations by testing for data inconsistencies, suspicious trends, policy violations and a host of other high-risk attributes. These tests can be performed remotely; and based upon the results, the appropriate internal resources can be routed to those operations posing the greatest exposure. This approach increases efficiency, reduces travel costs and allows companies to focus finite resources on their highest and best use, allowing them to do more with less.

Monitoring provides a risk mitigation solution

The process of proactively testing a compliance program can be inefficient and costly in the absence of a qualified engagement team, and the thoughtful application of forensic tools by skilled professionals. As a result of the complex relationships that exist between a company’s operations and its control environment, the investigative process is often iterative. The approach depicted in Figure 2 involves procedures being conducted in successive phases that build on the findings of prior analyses. With limited exception, analytical procedures used to identify anomalous transactions, high-risk relationships and compliance failures (see Figure 1) could be conducted, in whole or in part, using forensic data analytics and monitoring.

For example, consider the process of performing an entity-level risk assessment across a global organization. Putting aside the more elementary anti-corruption risk factors, such as conducting operations in countries with a known culture of corruption, and the use of agents and other third-party intermediaries, a monitoring solution can identify other attributes possessing high indicia of fraud and/or elevated risk. These would include transactions that:

• Fall outside an expected norm based upon historical patterns
• Possess high-risk characteristics typically associated with fraudulent activity
• Appear to be in contravention of company policy
• Are being accounted for in a manner that is potentially violative of the books and records provision of the Foreign Corrupt Practices Act (FCPA)
• Have higher rates of occurrence in one or more locations when benchmarked across the company or a discrete region
• Appear to be consummated at less than fair value or for no value at all

The application of forensic data analytics and monitoring is not limited to uncovering behaviors and transactions implicating anti-corruption statutes, but can also be successfully employed to detect embezzlements, kickbacks, accounting irregularities, and a host of other compliance failures and operational risks. In the following section, we will explore the application of forensic data analytics and monitoring.

Program implementation and exception management

A monitoring program produces the most significant benefits in organizations that approach the process in a structured manner. The following five-step process should be considered when implementing a monitoring program:

1. First, there must be a clear vision of the program’s goals. Is the organization solely looking to test for compliance with company policy, or is there a broader ambition of improving management oversight by detecting and eliminating accounting irregularities, as well as potentially fraudulent behaviors and transactions?  These goals will dictate the types of analytical tests performed.
2. Second, there must be a consensus on which data sources will be monitored, including the enterprise resource planning (ERP) system, payroll, employee expense systems and system logs.
3. Third, it requires a keen insight into the underlying data that will be mined.
4. Fourth, there must be a workflow process in place covering the range of actions and responsibilities, including the assignment and management of exceptions. In the absence of timely follow-up, the benefits of a monitoring system will be substantially diluted.
5. Lastly, there must be experienced forensic professionals involved in designing the front-end analytical tests that drive the output to limit the false positives that are inherent in this process.

Once the monitoring system is generating exceptions, a process for managing and risk ranking the exceptions needs to be in place. Without the ability to triage results, the team responsible for following up on perceived high-risk matters will find itself focusing its time on false positives and other issues that are without merit, leading to a waste of time and valuable resources. One method for prioritizing exceptions requiring further analysis is depicted in Figure 3. Utilizing this approach, those transactions that fail the greatest number of analytics (and therefore, possess the highest number of discrete risk attributes) represent those that rate the highest priority for follow-up and should be the first to be assigned to a compliance and/or investigative professional for in-depth analysis and resolution.