Fraud-Related Compliance

Fraud-Related Compliance R. A. (Andy) Wilson, CFE, CPP VP Fraud & Compliance Sedgwick Claims Management Services, Inc. Introduction: Why Compliance Is Essential 2015 Association of Certified Fraud Examiners, Inc.

Compliance Defined A program or a set of policies in an organization designed to ensure compliance with laws and regulations on a variety of issues 2015 Association of Certified Fraud Examiners, Inc. 2 of 27

Evolution of Compliance Field Relatively new field Mid-20th century: Civil Rights Act, OSHA, and other laws targeting businesses Early 1990s: Federal Sentencing Guidelines for Organizations Early 2000s: Corporate scandals and resulting regulations 2015 Association of Certified Fraud Examiners, Inc. 3 of 27

Evolution of Compliance Field Growing focus on formal compliance efforts Compliance efforts being moved out of the legal department and into dedicated ethics and compliance functions The rise of the corporate Ethics and Compliance Officer Professional associations, training, and guidance specifically for ethics and compliance professionals 2015 Association of Certified Fraud Examiners, Inc. 4 of 27

The Cost of Fraud 2014 Report to the Nations The typical organization loses 5 percent of annual revenue to fraud. Anti-fraud controls appear to help reduce the cost and duration of fraud schemes. Small organizations are particularly vulnerable to occupational fraud. 2015 Association of Certified Fraud Examiners, Inc. 5 of 27

The Cost of Fraud 2014 Report to the Nations In organizations that had fraud hotlines, 51 percent of frauds were detected by tips, while in organizations without hotlines, only 33 percent of cases were detected by tips. Internal controls alone are insufficient to fully prevent occupational fraud. 2015 Association of Certified Fraud Examiners, Inc. 6 of 27

2014 Report to the Nations 2015 Association of Certified Fraud Examiners, Inc. 7 of 27

2014 Report to the Nations 2015 Association of Certified Fraud Examiners, Inc. 8 of 27

Federal Sentencing Guidelines for Organizations A formula for federal courts to determine fines/punishments for organizations that violate the law The purpose: to promote consistent penalties for violators 2015 Association of Certified Fraud Examiners, Inc. 9 of 27

Federal Sentencing Guidelines for Organizations For sentencing, the guidelines suggest the court should consider the defendant s compliance program. Effective compliance program is defined as one that is reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct. 2015 Association of Certified Fraud Examiners, Inc. 10 of 27

Why Are the Guidelines Important? Even where liability cannot be avoided, the presence of a compliance program may mitigate or avoid penalties. Organization s culpability is a measure of its actions taken that either mitigated or aggravated the situation. Minimum sentencing can be reduced by as much as 95 percent or increased by up to 400 percent. 2015 Association of Certified Fraud Examiners, Inc. 11 of 27

Why Are the Guidelines Important? In 2009, Pfizer made a $2.3 billion settlement. DOJ found that Pfizer acted with indifference to the laws in place. Largest fraud-related fine from DOJ: GlaxoSmithKline paid $3 billion settlement for fraudulent promotion of prescription drugs and hiding safety data. 2015 Association of Certified Fraud Examiners, Inc. 12 of 27

Why Are the Guidelines Important? Eli Lilly, for defrauding the government: $1.4 billion qui tam settlement in 2009 Siemens, for FCPA violations: $800 million settlement in 2008 KBR/Halliburton, for FCPA violations: $580 million settlement in 2009 LG, for antitrust violations: $400 million settlement in 2011 SAIC, for defrauding NYC government: $500 million settlement in 2012 2015 Association of Certified Fraud Examiners, Inc. 13 of 27

Are the Guidelines Mandatory? In 2005, the U.S. Supreme Court ruled that the guidelines are advisory, rather than mandatory. While not binding, courts continue to use the guidelines when determining sentences. 2015 Association of Certified Fraud Examiners, Inc. 14 of 27

Elements of an Effective Compliance Program 1. Establishing standards and procedures 2. Assigning responsibility 3. Due diligence in hiring 4. Communicating the policy 5. Achieving compliance 6. Disciplinary action 7. Appropriate responses 2015 Association of Certified Fraud Examiners, Inc. 15 of 27

Elements of a Compliance Program Establish standards and procedures. Design them to be reasonably capable of preventing fraud. Have an ethics policy. 2015 Association of Certified Fraud Examiners, Inc. 16 of 27

Elements of a Compliance Program Assign responsibility to governing authority. Governing authority includes directors, officers, major business managers, and individuals with substantial ownership interests. Consider placing compliance program under control of audit committee. Audit committee overseen by high-level personnel. 2015 Association of Certified Fraud Examiners, Inc. 17 of 27

Elements of a Compliance Program Conduct due diligence in hiring/contracting. Make reasonable efforts to keep people who the organization knew or should have known committed illegal acts out of positions with substantial authority. Substantial authority personnel includes supervisors (e.g., plant and sales managers) who are authorized to exercise significant discretion. Screen applicants, run background checks, and monitor current employee performance. 2015 Association of Certified Fraud Examiners, Inc. 18 of 27

Elements of a Compliance Program Communicate the compliance policy. To anyone who can bind the organization Directors and officers Managers and supervisors Low-level employees and independent contractors Include ethics policy, as well as what kinds of acts and omissions are prohibited by law. Train new employees. Provide ongoing training for current employees. 2015 Association of Certified Fraud Examiners, Inc. 19 of 27

Elements of a Compliance Program Take steps to achieve compliance. Audit and periodically evaluate program effectiveness. Implement a reporting system (e.g., fraud hotline). Disciplinary action Enforce compliance to assure employees that violations will be punished. Determine range of punishment for various offenses. Probation, suspension, or demotion Termination Referral for criminal prosecution or civil action 2015 Association of Certified Fraud Examiners, Inc. 20 of 27

Elements of a Compliance Program Appropriate responses 1. Correct the offense. Make restitution to victims. Self-report criminal conduct. Cooperate with authorities. 2. Prevent similar offenses. Modify compliance program. Identify and remediate internal control weaknesses. Conduct periodic risk assessments. Consider use of outside professional advisor. 2015 Association of Certified Fraud Examiners, Inc. 21 of 27

COMPONENTS Control Environment COSO INTERNAL CONTROL INTEGRATED FRAMEWORK Ethical tone at the top Organizational structure, including key areas of authority and reporting lines Policies both formal and informal to reward ethical conduct and punish unethical actions Mechanism and support for employee reporting HR policies to ensure hiring and promotion of those who demonstrate integrity Consistent and appropriate discipline SENTENCING GUIDELINES Code of conduct Promote a culture that encourages ethical conduct and compliance Knowledgeable governing authority with reasonable oversight High-level personnel assigned overall responsibility for the program Incentives to promote proper conduct and discourage improper conduct Reporting mechanisms for employees and agents Prohibit retaliation against those who make good faith reports of suspected violations Due diligence to avoid delegation of authority to those with criminal tendencies Consistent and appropriate discipline Risk Assessment Identification and analysis of risks related to operations, financial reporting, and compliance A strategy to manage risks Tailoring ethics and compliance programs to specifics of organization Develop compliance standards and procedures using risk assessment Periodic assessments of compliance and ethics risk Incentives to maintain internal controls Identification of industry-specific compliance risks 2015 Association of Certified Fraud Examiners, Inc. 22 of 27

COMPONENTS COSO INTERNAL CONTROL INTEGRATED FRAMEWORK SENTENCING GUIDELINES Control Activities Information and Communication Policies and procedures to help ensure that management s directives are followed Activities to ensure fraud risks are addressed Methods used to identify, capture, classify, and report pertinent information in an appropriate format and time frame Communication of roles and responsibilities pertaining to internal control Standards and procedures capable of reducing the prospect of criminal conduct Determination of modifications needed to prevent future problems Effective communication of standards and procedures to all employees and other agents Required participation in compliance and ethics training programs Compliance and ethics training and communications that are ongoing, updated, and appropriate to each group of employees Monitoring Ongoing assessment of the internal control system Actions to correct and remediate any deficiencies Use of monitoring and auditing systems designed to detect criminal conduct Periodic evaluation of program effectiveness After discovering misconduct, taking reasonable steps to remedy the harm caused (e.g., provide restitution to victims, and self-reporting and cooperation with authorities) Responding to identified offenses by assessing the compliance program and making necessary modifications to prevent future problems 2015 Association of Certified Fraud Examiners, Inc. 23 of 27

Periodic Assessment: Freescale Model Present formal annual program review to Audit and Legal Committee. Explain new policies established since last program review. Discuss one-on-one meetings between CCO and senior leaders regarding tone at the top and tone at the middle. 2015 Association of Certified Fraud Examiners, Inc. 24 of 27

Periodic Assessment: Freescale Model Report on: Background check process for officers Content and effectiveness of employee training Investigations and disciplinary actions How the company may have responded to any reported violations of law Periodic risk assessment training and updates on completion of action items to address identified risks 2015 Association of Certified Fraud Examiners, Inc. 25 of 27

Periodic Assessment: List of Metrics Total number of contacts rec d from reporting mechanisms Total anonymous contacts Total unsubstantiated contacts Total employee terminations Summary of discipline as a result of contact Geographical distribution Type of complaint (HR, ethics, legal violation) How complaint was received 2015 Association of Certified Fraud Examiners, Inc. 26 of 27

Periodic Assessment: List of Metrics Trend analysis of contacts Cycle time to resolve contacts Year-on-year comparison of all of the above Employee ethics survey results Year-on-year survey comparison Training completions 2015 Association of Certified Fraud Examiners, Inc. 27 of 27

Importance of the Seven Elements Adherence to the Guidelines is not required. Then why are the seven elements important? Promotes a culture of ethical behavior Communicates organizational expectations and commitment Prevents and identifies illegal and unethical behavior Limits liability and possibly avoids prosecution in instances of wrongdoing Makes good business sense to minimize fraud Promotes a positive reputation 2015 Association of Certified Fraud Examiners, Inc. 28 of 27

Discussion Question #1 Establishing standards Do you think that the sample business conduct policy meets the requirements? What, if any, standards or procedures would you add to the policy? 2015 Association of Certified Fraud Examiners, Inc. 29 of 27

Discussion Question #2 Assigning responsibility Does the policy assign responsibility concerning the content and operation of the policy, and, if so, to whom? Would you add anyone to that list? 2015 Association of Certified Fraud Examiners, Inc. 30 of 27

Discussion Question #3 Due diligence in hiring and contracting Does the policy contain adequate measures to meet the expectations of due diligence in hiring? What about due diligence in contracting? What kind of policies are necessary to create due diligence in hiring? Due diligence in contracting? 2015 Association of Certified Fraud Examiners, Inc. 31 of 27

Discussion Question #4 Communicating the policy Who needs to receive the policy? How should the company communicate the policy to each of these groups? 2015 Association of Certified Fraud Examiners, Inc. 32 of 27

Discussion Question #5 Achieving compliance What steps not currently in the policy would you take to achieve compliance? 2015 Association of Certified Fraud Examiners, Inc. 33 of 27

Discussion Question #6 Disciplinary action Does the policy provide for a proper range of punishment? What should the company do to ensure consistent enforcement? 2015 Association of Certified Fraud Examiners, Inc. 34 of 27

Discussion Question #7 Appropriate response Does the policy provide for adequate procedures to respond to and correct an offense? Does the policy contain provisions that would work to prevent future violations from occurring? What would you add? 2015 Association of Certified Fraud Examiners, Inc. 35 of 27