Applying data analytics and periodic monitoring to recent DOJ guidance

On April 30, 2019, the Department of Justice (DOJ) Criminal Division published an updated Evaluation of Corporate Compliance Programs Guidance Document (the guidance) for prosecutors to use in evaluating corporate compliance programs. The guidance, which provides a window into the DOJ’s evolving enforcement expectations, lays out three principal areas prosecutors should explore when faced with evaluating a corporate compliance program in the context of a criminal investigation.

• Is the corporation’s compliance program well-designed?
• Is the program being applied earnestly and in good faith?
• Does the corporation’s compliance program work in practice?

While the application of data analytics and periodic monitoring can provide valuable insights into a range of issues raised by the first two questions, this article will focus on how those charged with implementing and testing compliance programs can incorporate data analytics, and monitoring protocols to evaluate the efficacy of their program.

Does your organization’s compliance program work in practice?

The guidance points to several factors that companies should focus on in order to assess whether a compliance program works in practice, including:

• Continuous improvement, periodic testing and review
• Investigation of suspected misconduct
• Gap analysis and remediation of underlying misconduct

To address each of these factors, organizations can incorporate analytics and periodic monitoring into their suite of forensic protocols. Organizations generate and maintain tremendous amounts of data. The power to harness this data and apply analytical tools and procedures to identify problematic trends, uncover high-risk relationships and detect noneconomic transactions can facilitate the early identification of fraud schemes that require investigation, and assist in the process of remediation—two of the stated goals contained in the guidance.

Below we have outlined a suggested protocol for applying data analytics and periodic monitoring to assist boards, general counsel, compliance professionals and external counsel in mitigating risk, reducing exposure and testing the efficacy of an organization’s compliance programs.

We will explore the concept of monitoring, the use of monitoring as a risk mitigation solution, and discuss program implementation procedures and common hurdles.

What is periodic monitoring?

As depicted in Figure 1 below, a monitoring program integrates data analytics with sound forensic practices to detect the following in a timely fashion: high-risk transactions, undisclosed conflicts of interest, internal control and compliance failures, and potential collusive behaviors.  

Unlike traditional transactional sampling techniques that analyze a small fraction of an available dataset, periodic monitoring examines 100 percent of the population of transactions, leading to substantially greater coverage and a commensurate reduction in risk.

Monitoring systems can be used to identify high-risk operations within a company’s global operations by testing for data inconsistencies, suspicious trends, policy violations and a host of other high-risk attributes. These tests can be performed remotely; and based upon the results, the appropriate internal resources can be routed to those operations posing the greatest exposure. This approach increases efficiency, reduces travel costs and allows companies to focus finite resources on their highest and best use, allowing them to do more with less.

Monitoring provides a risk mitigation solution

The process of proactively testing a compliance program can be inefficient and costly in the absence of a qualified engagement team, and the thoughtful application of forensic tools by skilled experts. As a result of the complex relationships that exist between a company’s operations and its control environment, the investigative process is often iterative. The approach depicted in Figure 2 involves procedures being conducted in successive phases that build on the findings of prior analyses. With limited exception, analytical procedures used to identify anomalous transactions, high-risk relationships and compliance failures (see Figure 1) could be conducted, in whole or in part, using data analytics and monitoring. 

For example, consider the process of performing an entity-level risk assessment across a global organization. Putting aside the more elementary anti-corruption risk factors, such as conducting operations in countries with a known culture of corruption, and the use of agents and other third-party intermediaries, a monitoring solution can identify other attributes possessing high indicia of fraud and/or elevated risk. These would include transactions that:

• Fall outside an expected norm based upon historical patterns
• Possess high-risk characteristics typically associated with fraudulent activity
• Appear to be in contravention of company policy
• Are being accounted for in a manner that is potentially violative of the books and records provision of the Foreign Corrupt Practices Act (FCPA)
• Have higher rates of occurrence in one or more locations when benchmarked across the company or a discrete region
• Appear to be consummated at less than fair value or for no value at all

The application of analytics and monitoring is not limited to uncovering behaviors and transactions implicating anti-corruption statutes, but can also be successfully employed to detect embezzlements, kickbacks, accounting irregularities, and a host of other compliance failures and operational risks. In the following section, we will explore the application of analytics and monitoring.

Program implementation and exception management

A monitoring program produces the most significant benefits in organizations that approach the process in a structured manner. The following five-step process should be considered when implementing a monitoring program:

1. First, there has to be a clear vision of the program’s goals. Is the organization solely looking to test for compliance with company policy, or is there a broader ambition of improving management oversight by detecting and eliminating accounting irregularities, as well as potentially fraudulent behaviors and transactions?  These goals will dictate the types of analytical tests performed.
   
2. Second, there must be a consensus on which data sources will be monitored, including the enterprise resource planning (ERP) system, payroll, employee expense systems and system logs.
   
3. Third, it requires a keen insight into the underlying data that will be mined.
4. Fourth, there needs to be a workflow process in place covering the range of actions and responsibilities, including the assignment and management of exceptions. In the absence of timely follow-up, the benefits of a monitoring system will be substantially diluted.
   
5. Lastly, there must be experienced forensic professionals involved in designing the front-end analytical tests that drive the output to limit the false positives that are inherent in this process.

Once the monitoring system is generating exceptions, a process for managing and risk ranking the exceptions needs to be in place. Without the ability to triage results, the team responsible for following up on perceived high-risk matters will find itself focusing its time on false positives and other issues that are without merit, leading to a waste of time and valuable resources. One method for prioritizing exceptions requiring further analysis is depicted in Figure 3. Utilizing this approach, those transactions that fail the greatest number of analytics (and therefore, possess the highest number of discrete risk attributes) represent those that rate the highest priority for follow-up and should be the first to be assigned to a compliance and/or investigative professional for in-depth analysis and resolution. 

Conclusion

In addition to achieving the broad goals of an effective risk management program, monitoring is a cost-effective way for companies to evaluate the efficacy of their processes associated with devising, implementing and testing their system of internal controls. Other value-added benefits include:

• Early detection of behaviors and transactions that violate anti-corruption statutes translates into reduced losses as well as significant reductions in both the number of books and records violations, and the amount of potential disgorgement of tainted gross profits.
• Finite internal resources are focused on operations that pose a heightened risk of theft of assets by insiders, accounting irregularities and exposure stemming from corruption risk. This allows the internal watchdog functions to operate effectively without expanding headcounts.
• Timely detection of control weakness and noncompliance with policies provide the company with the option of implementing the required remediation on a schedule set internally rather than at the directive of regulators.
• Newly enhanced controls instituted to mitigate identified control weaknesses stemming from previously conducted analyses can be monitored to determine their effectiveness.
• While awaiting integration, recent acquisitions can be monitored to determine their level of compliance with policies and controls instituted by the acquiring company in order to minimize fraud risks and exposure resulting from noncompliance.
• Findings of policy violations, high-risk transactions and control weakness by location can be benchmarked across the company or a particular region.
• The qualitative nature of the data being captured can be analyzed and augmented to ensure the data necessary to monitor conditions and perform necessary tests is available for testing.

The costs associated with delayed detection, and in some cases, a complete lack of detection, are substantial. In addition, the observed trends in the sphere of forensic investigations are quite troubling. There are a growing sophistication and aggressiveness of the schemes being perpetrated, a rise in the prevalence of conspiratorial relationships inside companies, and a mounting awareness among those perpetrating frauds of the investigatory protocols being employed by forensic experts. Each of these conditions poses unique challenges that require thoughtful and reasoned responses that must continue to evolve. The use of data analytics and periodic monitoring can assist compliance professionals in adhering to the guidance put forth by the DOJ by mitigating risk, reducing regulatory exposure and measuring the efficacy of compliance programs. In addition, in an environment of downsizing, these tools will help compliance departments accomplish more with reduced resources. The unfortunate truth is that you cannot stop fraud from occurring; however, you can implement solutions to detect prohibited behaviors and fraudulent transactions quickly, shut them down in their infancy, and implement additional controls to further enhance existing systems.