In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.
This is Part 1 of a 5-Part Series:
- Capture <- THIS POST
- Filter (future post)
- Plan & Assign (future post)
- Investigate (future post)
- Resolve (future post)
Establishing a clearly defined investigations process helps management quickly respond to allegations of wrongdoing and actual violations in a rational, rather than ad hoc or crisis manner. In other disciplines such as software development, we know that a reactionary response to “bugs” can cost five times more versus a planned response. A recent conversation with a chief compliance officer at a large industrial manufacturer suggests that this rule is applicable to internal control and compliance. He noted, “After we organized our approach to investigations, our costs dropped dramatically – unfortunately, it wasn’t for lack of investigations. As investigations volume went up, our annual costs actually went down 15%.” Multinational organizations will find even more efficiencies as cross-border investigations tend to be even more ad hoc and fragmented. The good news is that it takes relatively little time to define a robust internal investigations process. The same executive above noted, “It took about 200 hours of internal staff time and about 100 hours of external help to nail down our process. In the end, we saved at least that much time in our first investigation.” While a specific internal investigations process may comprise five or fifty steps, the following key phases should be present and clearly defined:
- Capture
- Filter
- Plan & Assign
- Investigate
- Resolve
This is the precursor to an internal investigation. It is helpful to have a “big funnel” to channel information to a team charged with filtering and vetting this information. The funnel should comprise a number of “push” and “pull” structures.
Push structures include:
- Hotline/Helpline is one of the obvious mechanisms to allow the workforce and other stakeholders to report (confidentially or anonymously) allegations of misconduct. The helpline can also provide input as high volume of questions about a particular subject may indicate confusion about expected conduct and, in turn, increase the risk of actual misconduct.
- Employee performance assessments provide an opportunity for management to encourage employees to openly discuss any issues that they observe. Of course, it is unlikely that employees will open up about issues related to the manager asking the questions, but this can lend to the discussion about other issues.
- Control violations that are automatically triggered based on threshold conditions can raise “yellow flags” that misconduct may have occurred. Management will most likely have to use human judgment to determine if these violations are actually issue of interest.
- Confidential employee surveys provide a literal “ask and answer” mechanism to get responses from the workforce about specific issues.
- Exit interviews provide an opportunity to find out what is really happening in a department. People tend to be extremely honest as they are walking out the door.
- Surveillance including video, audio and physical (e.g., RFID tags) monitoring many be necessary for high risk locations and/or transactions.
- Audits and assessments include all of the proactive evaluation of controls and other information on a periodic and ongoing basis.
In the next few entries, I will delve into each of the other steps.
0 comments:
Post a Comment