
Saturday, February 09, 2008

Resolve: Part of Internal Investigations for Control and Compliance Violations (5 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 5 of a 5-Part Series:

  1. Capture
  2. Filter
  3. Plan & Assign
  4. Investigate
  5. Resolve <- THIS POST

Resolve

Once the investigation is complete, the organization must address allegations with all appropriate constituencies. Allegations that are not substantiated should be closed with communications to the individuals who raised the issue and to those who were investigated. When allegations are substantiated, the organization must take consistent action and ultimately resolve the issue including:

  • Restitution to make harmed parties whole;
  • Discipline to appropriately warn, demote or even terminate involved parties;
  • Disclosure, as appropriate, to the government, customers, suppliers, regulators, shareholders, lenders, employees, insurers and ratings agencies; and
  • Remediation to fix any weakness in the system or improve the system to better prevent, detect and respond to similar issues in the future.

In fact, even when issues are not substantiated, there may be opportunities to improve the system.

Data, Documentation & Discovery

As part of the investigations process, an organization needs a protocol for issuing a “preservation notice” that instructs the workforce to suspend any routine data destruction activities and to proactively preserve information related to the investigation. As important are the actual procedures that ensure the preservation notice can be put into effect. Make sure that all backup and data protection processes, including rotation, expiry and overwrite schedules, will not destroy critical information once a preservation notice is sent out. This is especially important for automated procedures, which keep running on their schedule unless someone explicitly suspends them.
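The automated-procedure point deserves a concrete shape. The following is an added example, not code from the original post: a Python retention purge that consults a preservation-notice (legal hold) registry before deleting any expired backup set. The registry format, the custodian and path-glob matching rules, and all backup sets and holds shown are constructed for the example and are assumptions, not anything the post describes.

```python
"""Retention purge that honours preservation notices (legal holds).

Added example. Assumptions (hypothetical): holds live in a small JSON
registry, each naming custodians and path globs; backup sets are described
as records with a custodian, a path and a creation date. All sample data
below is constructed for this illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import fnmatch
import json

RETENTION_DAYS = 90


@dataclass(frozen=True)
class Hold:
    hold_id: str
    issued: datetime
    custodians: frozenset
    path_globs: tuple
    released: bool = False


@dataclass(frozen=True)
class BackupSet:
    name: str
    custodian: str
    path: str
    created: datetime


# Constructed registry: one active hold, one that has been released.
HOLD_REGISTRY_JSON = json.dumps([
    {"id": "LH-2008-01", "issued": "2008-01-15", "custodians": ["jdoe"],
     "paths": ["/backups/finance/*"]},
    {"id": "LH-2007-07", "issued": "2007-07-02", "custodians": [],
     "paths": ["/backups/hr/*"], "released": True},
])

# Constructed backup inventory.
SAMPLE_SETS = [
    BackupSet("finance-2007-10", "accounting", "/backups/finance/2007-10.tar",
              datetime(2007, 10, 1)),
    BackupSet("jdoe-mail-2007-09", "jdoe", "/backups/mail/jdoe-2007-09.tar",
              datetime(2007, 9, 30)),
    BackupSet("hr-2007-09", "hr", "/backups/hr/2007-09.tar",
              datetime(2007, 9, 15)),
    BackupSet("eng-2008-01", "eng", "/backups/eng/2008-01.tar",
              datetime(2008, 1, 20)),
]

NOW = datetime(2008, 2, 9)


def load_holds(raw_json: str) -> list:
    """Parse the registry. A malformed record raises, which must abort the purge."""
    holds = []
    for h in json.loads(raw_json):
        holds.append(Hold(
            hold_id=h["id"],
            issued=datetime.fromisoformat(h["issued"]),
            custodians=frozenset(h["custodians"]),
            path_globs=tuple(h["paths"]),
            released=h.get("released", False),
        ))
    return holds


def holds_covering(item: BackupSet, holds: list) -> list:
    """IDs of active holds that cover this set, by custodian or by path glob."""
    covering = []
    for h in holds:
        if h.released:
            continue
        by_custodian = item.custodian in h.custodians
        by_path = any(fnmatch.fnmatch(item.path, g) for g in h.path_globs)
        if by_custodian or by_path:
            covering.append(h.hold_id)
    return covering


def plan_purge(sets: list, holds: list, now: datetime,
               retention_days: int = RETENTION_DAYS):
    """Return (names safe to delete, {name: hold ids} retained by a hold).

    Sets still inside the retention window are left alone either way.
    """
    cutoff = now - timedelta(days=retention_days)
    to_delete, retained = [], {}
    for s in sets:
        if s.created > cutoff:
            continue
        ids = holds_covering(s, holds)
        if ids:
            retained[s.name] = ids
        else:
            to_delete.append(s.name)
    return to_delete, retained


if __name__ == "__main__":
    deletable, kept = plan_purge(SAMPLE_SETS, load_holds(HOLD_REGISTRY_JSON), NOW)
    print("delete:", deletable)
    print("retained by hold:", kept)
```

The point of the structure is that the hold check sits inside the purge job rather than in a separate procedure someone has to remember to run, and that the job fails closed: if the registry cannot be parsed, `load_holds` raises and nothing is deleted.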

New changes to the Federal Rules of Civil Procedure (FRCP) note the importance of “electronically stored information” and how this information should be handled and shared during an investigation. To the extent that an internal investigation becomes relevant to the government or some third party, the company must be prepared to provide details about where data is stored and how it is created, managed, archived, destroyed, etc. Keep a close watch on this evolving area.

Global Considerations

If all of this is not daunting enough, consider the increased complexity presented by cross-border investigations. Key issues include:

  • Data Protection. Rules governing how personal information must be handled differ all around the world. For example, the European Union’s Directive on Data Protection restricts the transfer of personal data to non-EU nations that do not meet the European “adequacy” test for privacy protection, and the United States is the most notable of those nations. As such, information gathered in the EU before or during an investigation may or may not be allowed to be transmitted to a U.S. location for analysis or follow-up. At least two of the major hotline companies have established protocols for overcoming this obstacle.
  • Evidence Collection Protocols and Witness Rights. In some jurisdictions, management and internal investigators are restricted from collecting information stored on company property once it is in the hands of an employee. One internal investigator noted, “We are not allowed to pull data from our laptops in France, even though the company owns the laptop and we have technical access to the drives.”
  • Cultural Differences. The most obvious and significant challenge is less technical and more cultural. Local customs may lead employees and witnesses to share more, or more typically less, information with investigators. Deep cultural roots of loyalty to one’s boss or the company may lead individuals to be less cooperative when questioned. In some cultures, the notion of “telling on neighbors” may reduce the effectiveness of hotlines. In a recent discussion, the chief compliance and ethics officer of the largest Korean steel company presented an approach whereby individuals were awarded $50,000 for reporting issues that were later substantiated. This, he said, was essential to breaking through the cultural preference for deference to supervisors and senior executives.

One way to deal with these global considerations is to identify, in advance, a local firm to assist with future investigations. Having a memorandum of understanding in place rarely involves any financial commitment but does require some time to identify and vet local firms.

Investigate: Part of Internal Investigations for Control and Compliance Violations (4 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 4 of a 5-Part Series:

  1. Capture
  2. Filter
  3. Plan & Assign
  4. Investigate <- THIS POST
  5. Resolve (future post)

Investigate

At this point, the right people are in place to conduct the investigation using predefined protocols given the tier to which it was assigned. Regardless of which tier, some common questions must be answered:

  • What happened / is happening?
  • Who is involved? How many are involved? How senior are they?
  • For how long has this been going on?
  • What was the motive?
  • What other activities are under this person’s purview? What is their span of control?
  • Has anything similar happened with this person in the past? Anything at all?
  • Why did they do it?
  • Was it carelessness? Was it a mistake in judgment?
  • Was it a lack of training or clarity in policy, procedures or controls?
  • Was it pernicious?
  • Were there “perverse incentives” in place that led this person to commit these acts?
  • What else could be affected?
  • How much harm was caused? Who was hurt?

To answer these questions, the investigations team should follow predefined protocols for gathering evidence including interviews, surveillance and other methods. Try to conduct all interviews in person so that nonverbal cues can be analyzed. Review all relevant documentation prior to the interview so that you can corroborate what you already believe to be factual as well as direct questions to fill in gaps. At the beginning of the interview it is important to provide appropriate warnings:

  • Upjohn Warning. An employee should be told at the beginning of every interview that the interviewer is representing the company’s interests and not theirs, and that the information being obtained is to provide legal advice to the company. The employee should be told that the interview is covered by attorney-client privilege and that the company, not the employee, may decide either to keep the information confidential and privileged or to waive this privilege in the future. Although there is no ethical obligation to advise the employee to obtain an attorney, it is an increasingly common practice to make this suggestion at the beginning of the interview. While Upjohn is specific to interviews directed by counsel, this protocol is helpful for non-legal interviews as well. In some ways, it is common courtesy to let employees know that the intention behind the questions is to serve the company and not to serve them.

  • Zar Warning. To the extent that internal investigations are part of, or contemplated to be part of, a government investigation or government disclosure, employees should be informed that information obtained in the interview may be turned over or filed with the government. This is important because any false statements provided as part of an interview that is ultimately filed or disclosed to the government could result in obstruction charges. Some argue that this warning may actually cause more obstruction, or at least less cooperation as discussion about potential felonies can quickly chill a conversation.

As the investigation progresses, it will often take twists and turns. An issue may transform into a different or even multiple issues. At one global technology firm, the chief internal investigator found that, “Last year, two allegations about financial misconduct ended up being little more than lovers’ quarrels. While these are still important issues, they were nothing like what was initially reported.” The opposite can happen as well. Sometimes more minor allegations about a single issue may transform into more pervasive misconduct. At any point during the investigation the team may consider changing the tier and thus approach to the investigation. Always think about whether it needs to be escalated and self-reported to regulators.

It is important to not make premature predictions until the investigation has concluded as they provide nothing more than interesting (or more likely uninteresting) gossip. Reserve and report final judgment once the investigation has concluded.

Know When to Stop

The art of the investigation is knowing when to stop. Knowing when the issue has been thoroughly investigated. Knowing when there are no credible loose ends. Be aware that outside consultants and counsel, through no perniciousness of their own, have an incentive to pursue every last possibility. However, at some point you have to stop digging. Instead of asking “Is it possible?” begin asking “is it probable?”

Thursday, November 08, 2007

Plan & Assign: Part of Internal Investigations for Control and Compliance Violations (3 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 3 of a 5-Part Series:

  1. Capture
  2. Filter
  3. Plan & Assign <- THIS POST
  4. Investigate (future post)
  5. Resolve (future post)

Plan & Assign

Based on the alleged and/or confirmed facts, circumstances, nature and seriousness of the issue, the team should assign the issue to the appropriate investigations “work stream” or “tier,” as some organizations call it. Using a tiered system ensures that issues of similar nature and seriousness are handled in a similar way. In addition, it allows the organization to allocate scarce capital – both human and financial – to investigations.

When assigning issues to a tier and team, an organization should consider:

  • Nature and seriousness of the issue;
  • Skills and experience required to obtain and analyze facts (legal, accounting, technology, forensic and other industry expertise);
  • Independence from the issue at hand (e.g., to not assign a financial investigation to a team that includes staff from the office of the CFO); and
  • Availability of resources.

I know this last item sounds obvious, but a timely follow-up and investigation is important especially for serious issues that may involve the government.

While an organization may choose to have fewer or additional tiers, at least four will be helpful:

Tier 1: Critical Issues. This tier is reserved for “sink the company” issues that are material to either the financial or reputational health of the organization – or issues that involve senior executives. These investigations are directed by the board and involve significant outside assistance to ensure objectivity. Privilege is a must at this level. For public companies, the involvement of the external auditor may be required or at least advised.

Tier 2: Significant Issues. These issues are serious and material to the organization but do not involve allegations of wrongdoing by senior management. As such, senior management directs these investigations with special care and under privilege.

Tier 3: Serious Issues. Most organizations have issues that they, to a certain degree, expect and prepare for, such as a significant theft. Systems have been designed and special investigative staffs have been trained to address these issues.

Tier 4: Operational Issues. These issues, often HR related, warrant the attention of management, but may not require privilege or professional investigators. They are often delegated to management, but could escalate at any phase. Some of these issues are resolved without the need for investigative resources.

Within each of these tiers, it is important to define who does what. Critical roles include:

  • Leadership for day-to-day management of the investigation;
  • An individual charged with communication about the status of the investigation with stakeholders such as the source of the allegation, the media, and most importantly the government; and
  • Staff and outside consultants who will obtain and analyze the facts.

As a final note, it is wise to limit knowledge that a particular investigation is being conducted. The risk of evidence tampering and destruction increases when it is broadly known that an issue is under investigation.

Filtering Issues: Part of Internal Investigations for Control and Compliance Violations (2 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 2 of a 5-Part Series:

  1. Capture
  2. Filter <- THIS POST
  3. Plan & Assign (future post)
  4. Investigate (future post)
  5. Resolve (future post)

Establishing a clearly defined investigations process helps management quickly respond to allegations of wrongdoing and actual violations in a rational, rather than ad hoc or crisis, manner. In other disciplines such as software development, we know that a reactionary response to “bugs” can cost five times more than a planned response. While a specific internal investigations process may comprise five or fifty steps, the following key phases should be present and clearly defined:
  1. Capture
  2. Filter
  3. Plan & Assign
  4. Investigate
  5. Resolve
Filter
Once information about potential violations is captured, it must be filtered so that the investigations team can focus on what matters most. The goal of filtering is to discard allegations that are not specific and credible; and appropriately act on those that are. It is critical that the individuals charged with this determination are both competent and independent. Some issues may require a level of technical analysis to make this determination. It is wise to have these individuals available in the early stages of filtering. Key questions to answer include:
• How was the issue discovered?
• By whom?
• Is it specific and credible?

If there is not sufficient information captured about a violation, it will be extremely difficult to determine if it is specific and credible. As such, while it is not absolutely necessary, it is helpful if reporters and sources of allegations are able to be contacted for follow-up and clarification. It is also important to discern whether the source has a motive to lodge a frivolous allegation.

Even at this early stage, the team should attempt to determine if the issue should be handled under privilege. Every step not taken under privilege can introduce more risk to the organization as untrained individuals may capture facts and testimony that have no chance of being privileged later on. On the other hand, every issue cannot and should not be vetted and investigated under privilege. For some issues, privilege is simply overkill and, according to one enforcement official, “The obsessive compulsive assertion of privilege is one of the things I look for when I try to determine if an organization is sincere about its need to maintain privilege. It is statistically impossible that everything should require privilege and, thus, I treat organizations that have an ‘everything is privileged’ culture with increased skepticism.”

Another important consideration here is that, even as early as the filter stage, the clock begins to tick. Simply read the Federal Sentencing Guidelines for Organizations, the McNulty Memo and the often overlooked 21(a) Report of Investigation of Seaboard to understand the importance of a spry internal response to serious allegations. A quick response and, if appropriate, disclosure to the government is the only way that the organization can be spared the damage caused by the blunt tools available to the government should they become involved in a matter.

Wednesday, November 07, 2007

Capturing Issues: Part of Internal Investigations for Control and Compliance Violations (1 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 1 of a 5-Part Series:

  1. Capture <- THIS POST
  2. Filter (future post)
  3. Plan & Assign (future post)
  4. Investigate (future post)
  5. Resolve (future post)

Establishing a clearly defined investigations process helps management quickly respond to allegations of wrongdoing and actual violations in a rational, rather than ad hoc or crisis, manner. In other disciplines such as software development, we know that a reactionary response to “bugs” can cost five times more than a planned response. A recent conversation with a chief compliance officer at a large industrial manufacturer suggests that this rule is applicable to internal control and compliance. He noted, “After we organized our approach to investigations, our costs dropped dramatically – unfortunately, it wasn’t for lack of investigations. As investigations volume went up, our annual costs actually went down 15%.” Multinational organizations will find even more efficiencies as cross-border investigations tend to be even more ad hoc and fragmented. The good news is that it takes relatively little time to define a robust internal investigations process. The same executive noted, “It took about 200 hours of internal staff time and about 100 hours of external help to nail down our process. In the end, we saved at least that much time in our first investigation.” While a specific internal investigations process may comprise five or fifty steps, the following key phases should be present and clearly defined:
  1. Capture
  2. Filter
  3. Plan & Assign
  4. Investigate
  5. Resolve
Capture
This is the precursor to an internal investigation. It is helpful to have a “big funnel” to channel information to a team charged with filtering and vetting this information. The funnel should comprise a number of “push” and “pull” structures.

Push structures include:
  • Hotline/Helpline is one of the obvious mechanisms to allow the workforce and other stakeholders to report (confidentially or anonymously) allegations of misconduct. The helpline can also provide input as high volume of questions about a particular subject may indicate confusion about expected conduct and, in turn, increase the risk of actual misconduct.
  • Employee performance assessments provide an opportunity for management to encourage employees to openly discuss any issues that they observe. Of course, it is unlikely that employees will open up about issues related to the manager asking the questions, but this can lead to discussion about other issues.
  • Control violations that are automatically triggered based on threshold conditions can raise “yellow flags” that misconduct may have occurred. Management will most likely have to use human judgment to determine if these violations are actually issues of interest.
Pull structures include:
  • Confidential employee surveys provide a literal “ask and answer” mechanism to get responses from the workforce about specific issues.
  • Exit interviews provide an opportunity to find out what is really happening in a department. People tend to be extremely honest as they are walking out the door.
  • Surveillance including video, audio and physical (e.g., RFID tags) monitoring may be necessary for high risk locations and/or transactions.
  • Audits and assessments include all of the proactive evaluation of controls and other information on a periodic and ongoing basis.
In addition, management should pay attention to all of the “chatter” in the organization – the formal and informal conversations that take place verbally and via email. Sophisticated email filtering technologies can look for interesting phrases such as, “Do we really want to do this?” or “I don’t feel comfortable putting that in writing.” All of these techniques need to be balanced with the potential of creating a tattletale, gadfly or Big Brother culture which will result in decreased workforce productivity.
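As an added example of the phrase-based filtering just described (not code from the original post or from any product it alludes to), here is a small Python scanner run over a handful of constructed messages. The phrase list and its categories are assumptions chosen for the example, and the messages are made up. One edge case a practitioner hits immediately is handled: a reply that merely quotes a flagged sentence must not be flagged again, so quoted lines are dropped before matching.

```python
"""Phrase-based scan of internal 'chatter' for escalation to the filter team.

Added example; the phrase list, categories and messages are constructed.
Quoted reply lines (starting with '>') are ignored so that a reply to a
flagged message is not itself reported as a new hit.
"""
import re
from dataclasses import dataclass

# Hypothetical watch list: (phrase, category). Real lists are tuned locally.
PHRASES = [
    ("do we really want to do this", "second-thoughts"),
    ("don't feel comfortable putting that in writing", "avoid-paper-trail"),
    ("keep this off email", "avoid-paper-trail"),
    ("delete this after reading", "destruction"),
]


def _phrase_pattern(phrase: str) -> re.Pattern:
    """Whole-word match tolerant of line breaks and repeated spaces."""
    words = [re.escape(w) for w in phrase.split()]
    return re.compile(r"\b" + r"\s+".join(words) + r"\b")


PATTERNS = [(_phrase_pattern(p), p, cat) for p, cat in PHRASES]


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    body: str


def normalise(body: str) -> str:
    """Lower-case, fold curly quotes to ASCII and drop quoted reply lines."""
    folded = body.lower().replace("\u2019", "'").replace("\u2018", "'")
    kept = [ln for ln in folded.splitlines() if not ln.lstrip().startswith(">")]
    return "\n".join(kept)


def scan_message(msg: Message) -> list:
    """Return [(phrase, category), ...] for every watch phrase found."""
    text = normalise(msg.body)
    return [(phrase, cat) for pat, phrase, cat in PATTERNS if pat.search(text)]


def scan_mailbox(messages: list) -> dict:
    """Map message id -> sorted set of categories, for flagged messages only."""
    flagged = {}
    for m in messages:
        hits = scan_message(m)
        if hits:
            flagged[m.msg_id] = sorted({cat for _, cat in hits})
    return flagged


# Constructed sample traffic.
SAMPLE_MESSAGES = [
    Message("m1", "alice", "Do we REALLY want to do this?\nThe numbers don't add up."),
    Message("m2", "bob", "> Do we really want to do this?\nYes, approved by finance."),
    Message("m3", "carol", "I don\u2019t feel comfortable putting that in writing. Call me."),
    Message("m4", "dave", "Lunch Friday?"),
]


if __name__ == "__main__":
    for msg_id, cats in scan_mailbox(SAMPLE_MESSAGES).items():
        print(msg_id, cats)
```

The output of a scanner like this is a lead for the filter team, not a finding; the post's own caveat about a Big Brother culture applies, and the categories exist so that a reviewer can triage a hit without reading the phrase list.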

In the next few entries, I will delve into each of the other steps.

Monday, September 24, 2007

Consider Outcomes before Benchmarking Internal Controls

When it comes to financial controls, it’s not about ROI. Effective benchmarking depends on clear outcome expectations.

Following my recent presentation at a conference of financial executives, a member of the audience asked “What is the typical cost of a program for internal control over financial reporting processes?” He continued, “Is there a way to benchmark these costs?”

Good question, and one that certainly can and should be asked about the full range of compliance and internal control processes across the enterprise.

We have a great guide on our site called the OCEG Metrics and Measurement Guide (MMG) which provides a ton of good information on how to measure an internal control and/or compliance program of any type. That said, there are some important things to remember.

Benchmarking. An often-uttered word. One that indicates we are serious executives. That we are doing what it takes to optimize our programs. But how does it really work and what does it really do for us?

The concept of benchmarking is great, but before we can benchmark we need to define the outcomes that we hope to deliver. By way of example, when evaluating call center metrics, the starting point is understanding customer satisfaction (or some similar indicator). Without this top-level indicator of the outcome we hope to generate, it is impossible to evaluate other indicators such as cost. In a vacuum, spending $100 to resolve a customer problem is superior to spending $200 to resolve the same customer problem. However, the “vacuum” does not exist. If the $200 resolution delivers 95% satisfaction and the $100 resolution delivers 50% satisfaction, most executives would choose the former.

So what does that mean for us? As financial professionals, we must define the outcomes that we hope to achieve through our internal control programs, as well as indicators of success. Only then can we even begin to benchmark our costs, cycle times and other program attributes in a meaningful way. To engage in a benchmarking effort without taking the time to first establish clear outcome expectations is putting the cart before the horse – the time and resources spent will be wasted.

While every organization is unique and therefore pursues unique objectives, most organizations strive to achieve growth, profitability, total shareholder return, and key value drivers such as workforce productivity, quality, customer loyalty, and innovation. In the same way, each of our programs for internal financial control will be unique and should strive to achieve unique objectives, but every program should deliver on these universal objectives:
  • Promote business conduct in-line with business objectives
  • Prevent noncompliance and weaknesses
  • Prepare the organization to deal with noncompliance and weaknesses when (not if) they occur
  • Protect the organization from negative consequences
  • Detect noncompliance and weaknesses earlier rather than later
  • Respond to noncompliance and weaknesses more quickly rather than slowly
  • Improve the program so that similar noncompliance and weaknesses are not repeatedly encountered
  • Reduce losses due to noncompliance including fines, penalties and investigation costs
  • Enhance the culture so that, even in the absence of controls, the workforce is inclined to do business within defined boundaries of conduct

Now, undoubtedly, I will get a few emails (mostly from consultants) noting that the benefits of implementing a strong program of internal controls go beyond the outcomes listed above. Fine. Shareholders will be thrilled if our programs deliver more. But at the end of the day, if we cannot demonstrate that our programs deliver on the universal outcomes above, we need to get new day jobs.

Once we have a firm understanding of whether, and the degree to which, our programs are achieving top-level outcomes, we can discuss whether we have optimized the outlay of financial and human capital. In addition, we can thoughtfully analyze whether process improvement (e.g., reducing the cycle time to discover noncompliance of a particular type) is worth the investment.

Saturday, September 22, 2007

Benchmarking: Are We Winning the Race or Just Keeping Pace?

Marathon runners say, “Plan the race, and race the plan.” You need to know what your objectives are and what obstacles you must overcome to develop the right plan of attack. How have others tackled the course? How many hills are there? How fast are your competitors? Is your goal to win, to set a new record or merely to cross the finish line with a personal best time? Only when you answer these questions and more can you determine how to set your speed and decide which runners to pass or pace yourself against.

It all comes down to objectives and obstacles – knowing what they are and how to achieve the first while avoiding the latter. The same applies to the race we are in every day – the one where we seek to meet our company’s objectives, while the obstacles are too many to mention. Just like the runner, we have to stay on track, but for us the boundaries of the course are compliance requirements and standards of conduct that are not always clear. In this race, it is increasingly difficult to judge our own performance or determine where we stand in the field of competition.

There is a lot of talk about the importance of benchmarking – comparing our performance to that of others or against established standards. Critics complain that benchmarking is often poorly done – comparing data that is calculated only because it is easy to collect and not because it measures anything meaningful, or using data that is not truly comparable.

These criticisms are valid. How should we define what to measure and benchmark? How do we know that terms in a benchmarking survey mean the same thing to different respondents? Results have little value if the metrics do not help us evaluate and improve our actions. This happens if survey respondents interpret questions differently or do not organize their information in ways that allow for true comparison.

These problems can be largely avoided, reducing the cost and enhancing the value of benchmarking, when participants use a business process framework that establishes a common vocabulary and standards of performance. Benchmarking can be very valuable when everyone is interpreting the questions the same way and answering with information that is maintained in the same format and language.

Just like the runner, we need to evaluate our own performance and be aware of how our competitors and peers are doing if we want to achieve our goals. Not every company strives for record-setting results every time out of the box. Sometimes our objective is as simple as improving slightly over last year’s performance. In either case, keeping our eye on the field and being able to evaluate what is going on around us is essential to success.

Thursday, September 20, 2007

Beware of the Big Stick Carried by the Government

Beware of the big stick carried by the government. It’s called the False Claims Act, and contract and environmental managers have long known that they can’t just sign the myriad of required certifications to the government without risk of organizational and personal prosecution. You can’t just cross your fingers and hold your breath, hoping no one notices if your certified statement isn’t true. In many instances, the penalty for admitting a compliance failure or weakness up front may be small, but the cost of filing a false statement or false claim (a false statement tied to a government payment) can be huge. Now, Chief Compliance Officers and other GRC executives are learning it the hard way.

The complaint filed this week against Christi Sulzbach, who was the Associate General Counsel and Corporate Integrity Program Director at Tenet Healthcare Corporation (Tenet) makes that point loud and clear. Sulzbach is alleged to have signed and provided to the Government declarations that falsely stated that to the best of her knowledge and belief, Tenet was in material compliance with all federal program legal requirements, despite her allegedly having received legal opinions to the contrary. The government also alleges that these false declarations allowed Tenet to bill Medicare for millions of dollars in claims that it was not legally entitled to receive.

It’s just a signature on a standard required clause, right? WRONG. It’s a signature that now is exposing Ms. Sulzbach to hundreds of millions of dollars of potential liability PERSONALLY, even after Tenet has settled with the government for more than $920 million.

I used to jokingly call the Chief Compliance Officer job the “designated scapegoat,” but cases like this one highlight the importance of taking the job seriously. Understand what government contract laws and regulations apply to you and your organization. Use a consistent approach to manage compliance. Don’t sign things that put your personal reputation, assets and possibly even freedom on the line – unless you have undertaken the necessary investigations to know that what you are saying is true. Don’t assume that no one checks. Don’t step into the line of the swing of that big stick.

Friday, August 24, 2007

GRC - More than Three Letters

To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC – processes that help an organization drive toward objectives while staying within boundaries – consider the following areas:

Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management; staying qualified to do business; shareholder / stakeholder relations; setting and evaluating performance against enterprise objectives; vetting strategy; evaluating executive performance; risk oversight; etc.

Strategy. Processes typically executed by the chief executive officer, “c-suite” as a whole and strategy professionals including: setting strategy; designing balanced scorecards; managing corporate performance; merger and acquisition activity; etc.

Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (strategic risk; financial risk; operational risk; compliance risk, etc.); buying insurance; etc.

Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including: managing internal audits; facilitating external audits; executing financial reporting; evaluating internal controls (e.g., internal controls over financial reporting (ICFR), internal controls over other risks); conducting investigations; etc.

Legal. Processes typically executed by the general counsel and legal staff including: defining legal strategy; investigations; litigation; assisting with due diligence for mergers and acquisitions; ensuring legal compliance (see next point); etc.

Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance professionals and other legal staff including compliance in areas such as: employment; environmental; government contracts; global trade; anti-fraud; anti-corruption; information privacy and security; sales practices (antitrust issues); advertising and marketing; product quality and manufacturing; etc.

Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including: automating controls; managing electronic records; facilitating internal and external reporting; delivering electronic filings; securing information; ensuring privacy; etc.

Ethics & Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including: managing the code of conduct; developing ethical leaders; promoting adopted principles and values; crafting public communications and reports; understanding socio-political-economic context; aligning incentives and human behavior; etc.

Quality Management. Processes typically executed by quality professionals throughout the organization such as: integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes; conducting root cause analysis and process improvement projects; etc.

Human Capital & Culture. Processes typically executed by human resource professionals and organizational design and development professionals including: enhancing workforce capabilities; appraising individual and team performance; developing culture of performance, integrity, openness and accountability; etc.

Each of those areas plays a key role in helping an organization drive principled performance. And all of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.

When I talk about "integrated GRC," I do not mean that all of these processes and functions should be consolidated. Rather, management should take a step back and consider what they all have in common. Where practical, management should adopt a common language and approach to the meta-process that they all share.

Wednesday, August 15, 2007

IT for GRC vs. GRC for IT

Yesterday, I met with one of the leading thinkers in the GRC space, Lee Dittmar, a principal at Deloitte Consulting. Our conversation covered a number of topics -- however, we spent most of our time discussing IT for GRC and how it is related to, but different from, GRC for IT.

GRC for IT
There are a number of governance, risk, compliance and internal control (GRC) issues related to information technology (IT). These are well-known:

  • IT governance
  • IT controls (general computing controls, access controls, master data controls, etc.)
  • data privacy
  • data security
  • document retention / records management
  • electronic data management
  • disaster recovery and business continuity
  • etc.

These are primarily IT issues that have significant governance, risk management, compliance and internal control implications.

IT for GRC
There are a number of enterprise processes that aim to help keep the organization on track and operating within defined "boundaries" of conduct. Boundaries may be either mandated (laws, rules, regulations) or voluntary (corporate values, contractual obligations, internal policies).

IT for GRC is about enabling all of these processes.

This distinction will be further analyzed and elaborated by the OCEG Technology Council over the next few months.

Friday, August 03, 2007

Antitrust Compliance

On a recent webcast, I spoke with Michael Horowitz, a commissioner with the United States Sentencing Commission (USSC) and Eric Morehead, the assistant general counsel at the USSC. The topic of discussion was antitrust.

The entire webcast can be found at OCEG.

As always, it was an interesting session where Mr. Horowitz outlined the key dimensions of criminal antitrust (essentially price fixing) and contrasted these issues with civil antitrust issues (such as monopolistic behavior).

A real gem came at the end of the session during the audience Q&A. One participant asked how organizations should structure their compliance training to address antitrust issues. Specifically, they wanted to know where to "draw the line" when it comes to who should be trained.

Mr. Horowitz provided some very insightful advice. While it would be unusual for, say, an executive assistant to engage in product pricing or negotiating activities, they should still be trained, because these are the individuals who book travel and arrange meetings for the people who DO engage in pricing and negotiating activities. In fact, executive assistants are often called as witnesses in antitrust cases.

Mr. Morehead provided some excellent details about how antitrust is addressed in the U.S. Federal Sentencing Guidelines and some statistics about prosecution. A summary follows:

  • Base Offense Level is 12
  • Non-Competitive bidding increases the offense level
  • The “Volume of Commerce” also can adjust the Offense Level upward from 2 to 16 levels
  • Special instructions for fines – individuals to pay a fine equal to one to five percent of the “volume of commerce”, but never less than $20,000.
  • Special instructions for sentencing organizations

Volume of Commerce

  • The “volume of commerce done by” the defendant in “goods or services that were affected by the violation”
  • Cumulative amount that can cover multiple counts or conspiracies
  • Amount is the commerce affected by the conspiracy

2005 Amendments

  • Base Offense Level was increased from 10 to 12.
  • Volume of Commerce Table was enhanced – range went from $400,000 - $100,000,000 to $1,000,000 - $1,500,000,000.
  • The adjustments for volume of commerce also increased from a prior maximum of 7 levels to a new maximum of 16 levels, reflecting a new maximum enhancement for volume of commerce.
  • These changes reflected the Antitrust Division’s experience of uncovering larger dollar conspiracies and also fostered greater proportionality between antitrust sentencing guidelines and fraud offense guidelines.

Individual Sentences

              FY 2003       FY 2006
  Mean        7.2 Months    8.2 Months
  Median      4 Months      9 Months
  Number      12 Cases      12 Cases

Organizational Sentences

              FY 2003       FY 2006
  Mean        $6.2 MM       $46.5 MM
  Median      $2.7 MM       $1.1 MM
  Number      10 Cases      15 Cases

Source: 2003 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission; 2006 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission

== slm ==