Compliance Creates Alliance: Internal Compliance Program
- Nicholas McGee
- 10 years ago
By G.C.Y. Gillessen and M.E. Farrell[1]

The New World

Throughout the world there is a great variety of trade laws and regulations, and every company that takes its business abroad is confronted with them. For example, a Dutch company doing business in the United States (U.S.) and in Turkey will have to take into consideration U.S., Dutch, European Union (EU) and Turkish trade laws and regulations. However, for many companies and their compliance officers it can be a daunting task to become and remain compliant with all the laws and regulations that affect their businesses. For example, in recent years, multiple companies and individuals have been heavily penalized because they were not compliant with all the trade laws and regulations that affected their organization. The penalties they endured ranged from fines and imprisonment of the involved employees to mandatory compliance audits and denied export privileges.[2]

The biggest challenge that came up in these cases was that being in-control is more than simply meeting the obligations in regards to trade compliance. Companies have to be proactive in implementing changes in regulatory requirements and have to ensure that the measures they take to be compliant are embedded in the day-to-day business operations of their organization. Only by staying ahead of regulatory changes and embedding them in the day-to-day business operations can a company ensure it remains trade compliant and operates confidently in a globalized business environment. Hence, the purpose of being in-control in the area of trade compliance is more than just meeting legal requirements; it creates trust, and keeps you in business.[3]

Step One: The Know-How

The first step in becoming trade compliant is, of course, obtaining and understanding all the information about the various trade laws and regulations that affect your company.
In the above example, the Dutch company should gain a thorough understanding of the U.S. International Traffic in Arms Regulations[4] and Export Administration Regulations[5]; EU Export Control Regime[6]; Dutch Strategic Goods Regulation[7]; and Turkish Export Regime, because all these laws and regulations are involved when it does business in the U.S. and Turkey.[8] Hence, obtaining and understanding these trade compliance laws and regulations is the first step in becoming trade compliant.

Step Two: The Do-How

Only when a company knows how trade compliance laws and regulations affect its business can it take the measures to ensure that it remains compliant with them. The next step then is to embed the measures that have to be taken in order to be compliant in the company's organization in such a way that they become an integral part of the day-to-day business operations. As figure 1 below makes clear, setting up trade compliance requires a significant investment, while improving it to take advantage of the opportunities trade compliance can bring to an organization requires a decreasing amount of resources. Therefore, it is important to translate the know-how into do-how, because this will ultimately lead to fewer costs and better value from your compliance function. Simply put, investing in trade compliance keeps you in-control and out of trouble.

Figure 1. The investment of trade compliance

It is this translation from know-how into do-how that proves to be the most challenging for companies. The main question is: How does one put being and staying trade compliant into practice? Trade compliance is inextricably bound up with a company's internal control framework. After all, a company is not in-control if an important part of the company policy is not guaranteed in its systems. However, the accompanying ambition level and managing methods can differ per company. Nonetheless, an efficient Internal Compliance Program (ICP) will transform reactivity into proactivity, create an effective and secure working environment and promote a stronger, more commercially viable business proposition while also creating an auditable environment supporting compliance with regard to dual use and military environments.

Such an ICP identifies the relationship between the organizational risks and the internal control measures in the area of trade compliance laws and regulations. This framework or management system should be supported by the right processes and procedures as well as by the necessary awareness, capabilities, attitudes and mindset amongst management and staff members. Nonetheless, there is no off-the-shelf solution that encompasses all the specific requirements and needs that individual companies have. After all, companies differ in the countries they do business in, which means that differing combinations of trade laws and regulations will affect different companies, and companies also differ in the products they produce and export, meaning that trade laws and regulations will have a different effect on companies depending on the product they export.

However, FCC has created a framework ICP, based on its experience with the Committee of Sponsoring Organizations of the Treadway Commission (COSO), Export Compliance Management System (ECMS) guidelines and additional guidelines and frameworks, that can be used as a starting ground for building a tailored ICP. Annex A shows how FCC's ICP compares to other ECMSs and guidelines for developing an ICP.

[1] We thank Alexander P. Bosch for his contributions to this article.
[2] Recent examples of companies and individuals that are penalized can be found at the websites of the U.S. State Department/Directorate of Defense Trade Controls, the U.S. Department of Commerce/Bureau of Industry and Security, and Anna Wetter, Enforcing European Union Law on Exports of Dual-Use Goods, Stockholm International Peace Research Institute, 2009 (accessed on January 30, 2014).
[3] Michael E. Farrell, Welcome to Full Circle Compliance, Full Circle Compliance, December 19, 2013 (accessed on January 30, 2014).
[4] U.S. Department of State/Directorate of Defense Trade Controls, International Traffic in Arms Regulations (ITAR), U.S. Department of State/Directorate of Defense Trade Controls, February 11, 2014 (accessed on February 11, 2014).
[5] U.S. Department of Commerce/Bureau of Industry and Security, Export Administration Regulation Downloadable Files, U.S. Department of Commerce/Bureau of Industry and Security, February 10, 2014 (accessed on February 11, 2014).
[6] European Commission, Dual-Use Controls, European Commission, February 7, 2014 (accessed on February 11, 2014).
[7] Government of the Netherlands, Export Controls of Strategic Goods, Government of the Netherlands (accessed on February 11, 2014).
[8] Republic of Turkey Ministry of Economy, Export, Republic of Turkey Ministry of Economy, 2012 (accessed on February 11, 2014).
FCC's ICP framework allows for the incorporation of a client's specific requirements and needs, which depend on the trade laws and regulations that affect its business and the products, services, and technologies that it exports.[9] Therefore, this framework is ideally suited to be a building ground for tailor-made ICPs for different companies, in different industries, producing and exporting different products, services, and technologies.

The starting point of FCC's ICP is the five components of COSO: control environment; risk assessment; control activities; information and communication; and monitoring. The reason for this is that the COSO framework can be adapted to different situations and companies.[10] This allows for a flexibility that is lacking in other internal control frameworks. Below, each component is explained further.

Control Environment

Trade Compliance is more than just being compliant. It creates safety and comfort.

The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including a compliance risk management philosophy and risk appetite, integrity and ethical values, and the environment in which the organization operates. Moreover, this is supported by a well-organized compliance function. Its role has shifted from that of a mere scorekeeper to that of a real organization partner who at the same time monitors the various trade compliance components.[11]

Risk Assessment

The purpose of a risk assessment is to identify and analyze the risks involved in achieving a company's objectives. A company's objectives in the area of trade compliance are derived from specific laws and regulations, as well as standard agreements and licenses.[12] The management of an organization should clearly establish what these objectives are, because only then can it be determined what the risks are to fulfilling these objectives. Any effective ICP should incorporate the assessment and analysis of potential risks, and consider their likelihood and impact on the fulfillment of a company's objectives. Moreover, the risk assessment should serve as a basis for determining how the risks should be managed and how the ICP could be made more effective.[13]

Control Activities

Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Control activities are represented by detailed, physical process documentation as well as a wealth of knowledge gained related to the importance and workings of the organization's business processes (logistics, warehousing, production, Research & Development (R&D), etc.). Possible control activities are: screening, classification, and training.[14]

Information and Communication

Relevant information must be identified, captured, and communicated in a form and timeframe that enables people to carry out their responsibilities in a compliant manner. In order to do so, organizations have turned, for example, to the Transglobal Secure Collaboration Program (TSCP) or cloud computing.

[9] Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, COSO, 2004 (accessed on January 30, 2014).
[10] Ibid., 2.
TSCP provides collaboration in a common business language across the Defense and Aerospace Industry and examines areas such as identity management, certification and accreditation, privacy, information security, physical security and encryption. This way information can be effectively captured and communicated.[15] In addition, cloud computing provides companies with an opportunity to spread relevant information quickly throughout their operations, but it also presents difficulties, because cloud computing can be difficult to monitor and secure.

The need to resort to means to effectively identify, capture, and communicate changes in laws and regulations becomes even more relevant when changes in laws and regulations occur in quick succession, such as in the current U.S. Export Control Reform Initiative (ECRI). ECRI changes the U.S. Export Control system quickly and in a very significant way. Therefore, companies must identify the changes it brings at the earliest possibility, determine their effects on their business operations as quickly as possible, and communicate them clearly and coherently throughout the company so that all employees are able to perform their responsibilities in a compliant manner. Furthermore, effective communication also occurs in a broader sense, flowing down, across, and up the organization.[16]

Monitoring

Compliance begins at the top and starts at the bottom.

The entirety of an ICP is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. You get what you measure.[17]

Figure 2. COSO Internal Control Framework

The cube shown in figure 2 makes clear that the five COSO components are only the beginning of setting up an ICP. In addition, a wide variety of other factors have to be taken into account in the establishment of an ICP, because they too play a dynamic role in becoming and remaining trade compliant. Incorporating the interdependency between the components of the COSO model, the applicable laws and regulations and the company's organization is key in establishing an effective ICP, because it incorporates different views and ways of dealing with being compliant. Hence, an ICP is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and will influence another.

FCC has determined ten elements that provide guidance in setting up an effective ICP. Below, the ten elements on the top axis will be further elaborated upon, as they require additional explanation.

Management Commitment: The single most important aspect of an effective ICP is senior Management Commitment. A strong and unquestioned commitment of senior management is essential to a successful ICP and should include: communicating the commitment; active involvement of senior management; providing and assigning resources to develop and implement the system; and evaluating the functioning of the system. In other words, senior management must effectively communicate its strong and unyielding commitment to export compliance to all employees in a written policy statement that is clear. Moreover, management must provide sufficient resources (time, money and quality export compliance personnel) to develop and implement the ICP. In addition, senior management must take an active role in evaluating the functioning of the system. Audits must be conducted, employees must be encouraged to report suspected violations, and procedures for such reports should be developed and implemented. Compliance standards should be enforced and actions should be taken to prevent and detect violations in the future.

Compliance Organization: A compliance function must be set up and staff should be assigned to the compliance function to make sure that the ICP can work. Therefore, organizational charts that clearly describe the authority, function and duties of key persons in the day-to-day export compliance should be created and updated on a regular basis.

[11] Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, COSO, 2004 (accessed on January 30, 2014).
[12] Examples of standard agreements are: License and Option Agreements (LOAs), Memoranda of Understanding (MOUs), Technical Assistance Agreements (TAAs), Manufacturing License Agreements (MLAs), Department of State Policies (DSPs), and EU General Export Authorizations.
[13] Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, COSO, 2004 (accessed on January 30, 2014).
[14] Ibid.
[15] Transglobal Secure Collaboration Program, Mission & Vision, TSCP, 2013 (accessed on February 11, 2014).
[16] Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, COSO, 2004 (accessed on January 30, 2014).
[17] Ibid.
Management must ensure that a sufficient number of personnel are dedicated to export compliance functions. Knowledgeable back-up personnel that can maintain the compliance function in the absence of key persons should be assigned and a contact list should be available that includes at least name, title, and phone number of all key persons and backup export compliance personnel. Management should also provide incentives to recruit, train and motivate quality export compliance personnel and should structure pay scales, bonuses, evaluations and promotions. Export compliance personnel should be positioned at the appropriate levels to enforce export compliance.
Risk Assessment: Through adequate risk assessments the organization will be able to manage trade compliance risks. Such a risk assessment would identify risks, monitor the occurrence of these risks, assess the implications and ensure timely reporting to the board. Examples of export control risks are:

- The risk that, as a result of inadequate internal communication with respect to export control, employees exchange data (i.e. with third parties) without the required license;
- The risk that management, due to inadequate reporting procedures, is not sufficiently informed with regard to non-compliance with export regulations;
- The chance that staff consider export control as not important due to unclear roles and responsibilities of the internal compliance organization;
- The risk that legal requirements are not fully understood and insufficiently incorporated due to limited resources (time, money, people);
- Insufficient know-how to perform export control tasks due to insufficient training of staff;
- The risk that, due to failure to retain end use statements, export control rules are not complied with.

Policies & Procedures: Policies and procedures are the moving parts of the framework. This is where corporate strategy translates into policies. In turn, policies consist of processes. Processes consist of procedures and, at the most detailed level, of work instructions. This is where the work actually gets done and how. Therefore, having effectively established policies & procedures is vital to being and staying trade compliant.

Contract Management & License Applications: Contract Management is about the processes and requirements applicable to external parties that deal with the business. It is very important that export compliance begins at all the interfaces the company has with other parties, i.e. it may apply to the entire supply chain.
The reason for this is that trade compliance is more than just being trade compliant yourself; you have to make sure that the other parties you do business with are compliant as well.

Screening: Screening refers to the screening of personnel, customers, suppliers, subcontractors or any other parties dealing with your organization. It also includes reviewing your exports and reexports and making sure that deemed exports do not take place. The questions address the effectiveness of your screening procedures and how these procedures are adaptable to a changing regulatory environment.

Training and Communication: Communication about trade compliance is a key ingredient in the export organization. Without proper communication on trade compliance, an ICP is ineffective, because no one in your organization knows what it must do or not do in order to stay compliant.
Training programs can assist in communicating clearly about trade compliance. The reason is that substantively informed personnel lower the likelihood that violations will occur. Therefore, a training program (including frequent refreshers and updates) and training records should be in place to ensure this. Qualified trade compliance personnel or external trade compliance specialists must conduct the training programs to ensure that your personnel get the most out of their training. In addition, trainers have to bridge the gap between the legal language of regulations and the language that is familiar to the company. The training program should create further trade compliance awareness among all personnel. An intermediate training program for personnel who regularly deal with export control issues should be developed based on the specific job functions of the attendees. Furthermore, a company should provide an advanced training program to internal trainers and personnel who frequently deal with export control compliance. After a training program, a company could decide to test personnel for basic comprehension of trade compliance issues. Training materials should be developed as a collaborative effort. Memoranda, newsletters or e-mails should be sent to personnel periodically reaffirming the company's requirements and advising personnel of any changes to export control regulations or the company's policies or procedures.

Physical / IT Security: The security environment refers to the physical and IT security measures taken in the organization. This element includes appointing security officers, controlled access to locations and IT along with back-up procedures. A special focus should be given to cyber security and cloud computing as they bring new challenges to being and remaining trade compliant.
Recordkeeping: A properly functioning documentation and recordkeeping system is an essential part of any control management system, specifically when your company may be required to present data about past transactions to the authorities. Because of the complexity of trade law and regulations, guidance must be given to personnel on how to properly maintain and preserve the integrity of pertinent records. These practices should be incorporated into existing recordkeeping and business systems to the extent possible. Specific export-related recordkeeping procedures should be developed and implemented. For example, recordkeeping procedures for certain communication with foreign nationals and certain communication with government officials must be clearly established. The company should be able to retrieve any required documents within 48 hours of request for retrieval.
Compliance Audits: A comprehensive audit system is a necessary element of any ICP. A comprehensive audit system is the way your company will be able to evaluate and continuously improve its ICP. Internal assessments can successfully focus management attention on risk areas at an early stage, affording the opportunity to correct the deficiencies before they result in major problems. These internal audits should focus both on the trade compliance process and the specific export transactions of the company to ensure that it is complying with existing procedures. To be effective, audit results must be reported appropriately. To be able to implement audit recommendations arising from the audits, clear responsibilities must be assigned.

Handling Violations & Voluntary Self-Disclosures: Although organizations are not mandated to make voluntary disclosures, the authorities will usually consider an organization's filing of a voluntary disclosure as a mitigating factor in determining any penalties or other enforcement actions against an organization. An organization's failure to voluntarily disclose violations of legislation may be viewed as an aggravating factor, particularly in case of willful, knowing or repeated violations. Therefore, organizations must have a clear procedure in place on how they will handle violations and make voluntary disclosures.

It is the combination of the five COSO components, the ten elements, a company's organization, and the applicable trade laws and regulations that ensures that an ICP is effective and keeps your organization in-control. The incorporation of all these factors in FCC's ICP framework makes it flexible and inclusive, and provides you with the confidence that your organization is and will remain in-control in regards to trade compliance.

Conclusion

Companies and compliance officers have found it difficult to comply with all the trade laws and regulations that affect their organizations.
The result is that multiple organizations have been penalized in recent years, because they were not in-control in regards to being trade compliant. The main reason for not being in-control was that these companies failed to embed their knowledge of trade laws and regulations into their organization's day-to-day business operations. In order to assist organizations in becoming and staying in-control in regards to trade compliance, FCC has developed an ICP framework. FCC's ICP framework has proven to be an ideal platform for building customized ICPs for its customers, because it allows for the incorporation of an organization's specific requirements and needs in changing regulatory environments. Moreover, if your company already has an ICP in place, FCC can assess your company's ICP against the framework. This benchmark test helps your company to determine its compliance risks and allows it to take the necessary measures to enhance its ICP. Whether your company needs to build an ICP from scratch or wants to ensure that its current ICP is effective enough, using FCC's ICP framework allows your company to be in-control in the area of trade compliance, which minimizes compliance risks and provides a solid foundation to confidently do business around the world.
Annex A: ICP Framework Comparison
Key to Table

- FCC: Internal Control Program Framework
- BIS: Compliance Guidelines[18]
- CEEC: Best Practices for Export Controls[19]
- CIS: Common Industry Standards for European Aerospace and Defence[20]
- COBIT: Framework for IT Governance and Control[21]
- COSO: Internal Control Integrated Framework[22]
- DDTC: Compliance Program Guidelines[23]
- FCPA: Good Practice Foreign Corrupt Practices Act Compliance[24]
- FSG: U.S. Federal Sentencing Guidelines[25]
- GPA JSF: Global Project Authorization for Joint Strike Fighter[26]
- NW: Nunn-Wolfowitz Task Force Report[27]
- OECD-B: OECD Business Approaches to Combating Corrupt Practices[28]
- OECD-G: OECD Guidelines for Multi-national Enterprises[29]
- UK: Adequate Procedures Per New UK Bribery Act[30]
- Woolf: Business Ethics, Global Companies and the Defence Industry from the Woolf Committee[31]

[18] U.S. Department of Commerce/Bureau of Industry and Security, Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual, Bureau of Industry and Security, June 2011 (accessed on July 31, 2013).
[19] Coalition for Excellence in Export Compliance, Best Practices, CEEC (accessed on October 9, 2013).
[20] Aerospace and Defence Industries Association of Europe, Common Industry Standards for European Aerospace and Defence, ASD, April 26, 2007, Common-Industry-Standards.pdf (accessed on July 31, 2013).
[21] IT Governance Institute, COBIT 4.1: Framework for IT Governance and Control Excerpt, ISACA, 2007 (accessed on July 31, 2013).
[22] Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Integrated Framework, COSO, 2004 (accessed on January 30, 2014).
[23] U.S. Department of State/Directorate of Defense Trade Controls, Compliance Program Guidelines, Directorate of Defense Trade Controls (accessed on July 31, 2013).
[24] Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission, FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, U.S. Department of Justice, Nov. 14, 2012 (accessed on October ).
[25] The District of Columbia Sentencing and Criminal Code Revision Commission, Voluntary Sentencing Guidelines Manual, DC Sentencing and Criminal Code Revision Commission, June 18, 2012 (accessed on Sept 2, 2013).
[26] U.S. Department of State, Global Project Authorization (GPA) for Joint Strike Fighter Program SDD Phase GC (Washington: GPO, 2002).
[27] Nunn-Wolfowitz Task Force, Nunn-Wolfowitz Task Force Report: Industry Best Practices Regarding Export Compliance Programs, King & Spalding, July 25, 2000 (accessed on July 31, 2013).
[28] The Organisation for Economic Co-operation and Development (OECD), Business Approaches to Combatting Corrupt Practices, June 2003 (accessed on July 31, 2013).
[29] The Organisation for Economic Co-operation and Development (OECD), OECD Guidelines for Multinational Enterprises, May 25, 2011 (accessed on Sept. 2, 2013).
[30] UK Government, Bribery Act 2010, Legislation.gov.uk, April 8, 2010 (accessed on Sept ).
[31] Woolf Committee, Business Ethics, Global Companies and the Defence Industry. Ethical business conduct in BAE System plc the way forward, BAE Systems, May 8, 2008 (accessed on July 31, 2013).
Bibliography

Aerospace and Defence Industries Association of Europe. Common Industry Standards for European Aerospace and Defence. ASD. April 26, europe.org/fileadmin/user_upload/client_documents/dolores/asd-common-Industry-Standards.pdf (accessed on July 31, 2013).

Coalition for Excellence in Export Compliance. Best Practices. CEEC. (accessed on October 9, 2013).

Committee of Sponsoring Organizations of the Treadway Commission. Enterprise Risk Management Integrated Framework. COSO (accessed on January 30, 2014).

Criminal Division of the US Department of Justice and the Enforcement Division of the US Securities and Exchange Commission. FCPA: A Resource Guide to the US Foreign Corrupt Practices Act. US Department of Justice, November 14, (accessed on September 14, 2013).

District of Columbia Sentencing and Criminal Code Revision Commission. Voluntary Sentencing Guidelines Manual. DC Sentencing and Criminal Code Revision Commission. June 18, (accessed on July 31, 2013).

European Commission. Dual-Use Controls. European Commission. February 7, (accessed on February 11, 2014).

Farrell, Michael E. Welcome to Full Circle Compliance. Full Circle Compliance. December 19, (accessed on January 30, 2014).

Government of the Netherlands. Export Controls of Strategic Goods. Government of the Netherlands. (accessed on February 11, 2014).

IT Governance Institute. COBIT 4.1: Framework for IT Governance and Control Excerpt. ISACA (accessed on July 31, 2013).

Nunn-Wolfowitz Task Force. Nunn-Wolfowitz Task Force Report: Industry Best Practices Regarding Export Compliance Programs. King & Spalding. July 25, (accessed on July 31, 2013).

Organisation for Economic Co-operation and Development (OECD). OECD Guidelines for Multinational Enterprises. OECD, May 25, (accessed on July 31, 2013).

Organisation for Economic Co-operation and Development (OECD). Business Approaches to Combatting Corrupt Practices. OECD. June (accessed on July 31, 2013).

Republic of Turkey Ministry of Economy. Export. Republic of Turkey Ministry of Economy (accessed on February 11, 2014).

Transglobal Secure Collaboration Program. Mission & Vision. TSCP (accessed on February 11, 2014).

UK Government. Bribery Act Legislation.gov.uk. April 8, (accessed on Sept ).

U.S. Department of Commerce/Bureau of Industry and Security. Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual. Bureau of Industry and Security. June (accessed on July 31, 2013).

U.S. Department of Commerce/Bureau of Industry and Security. Export Administration Regulation Downloadable Files. U.S. Department of Commerce/Bureau of Industry and Security. February 10, (accessed on February 11, 2014).

U.S. Department of State/Directorate of Defense Trade Controls. Compliance Program Guidelines. Directorate of Defense Trade Controls. (accessed on July 31, 2013).

U.S. Department of State/Directorate of Defense Trade Controls. The International Traffic in Arms Regulation (ITAR). U.S. Department of State/Directorate of Defense Trade Controls. February 11, (accessed on February 11, 2014).

U.S. Department of State. Global Project Authorization (GPA) for Joint Strike Fighter Program SDD Phase GC Washington: GPO,

Wetter, Anna. Enforcing European Union Law on Exports of Dual-Use Goods. Stockholm International Peace Research Institute (accessed on January 30, 2014).

Woolf Committee. Business Ethics, Global Companies and the Defence Industry. BAE Systems, May 8, (accessed on July 31, 2013).
