Fixing The Problem – The Intersection of Investigations and Compliance
Crafting the subject line of an email can be a work of artistry. Done well, it is not unlike an attention-grabbing tabloid headline that compels the reader to act. Today, I received one such email with the subject line: Fixing the Problem and I was immediately hooked.
What struck me is the term “fixing the problem” describes the exact intersection where an investigation ends, and compliance remediation begins. The bad guy is gone, law enforcement has stepped in, and the insurance claim has been filed. And yet the problem remains. Why was the crime possible in the first place? There was no shortage of internal controls, policies, procedures, tracking databases, approvals, and audit procedures. And despite all of that, one otherwise unexceptional employee managed to orchestrate the theft of several million dollars’ worth of company assets.
What comes after the investigation?
Fixing the problem. Such a simple statement. When it comes to compliance remediation, it can be difficult to know where to begin. The good news is that some of the work has probably already been done during the investigation itself. Process walkthroughs may have revealed how the subject deviated from procedures and controls that were either inadequate or non-existent. Witness interviews may have revealed one or more red flags that were either unreported or not acted on when someone did come forward. Background investigations may have raised further clues such as assets that exceed known sources of income or legal entities with names indistinguishable from those of legitimate vendors. They could also have revealed prior bad acts, misrepresentations in the employment application, or other indicators that the subject had bad intentions from the start. Email exchanges may have revealed coworkers or superiors who were suspicious of the subject.
These various indicia can be repurposed to give the root-cause analysis a running start. Do the existing information technology systems that govern the relevant processes have features or functionality such as segregation of duties, approvals or credentials logging that were not in use at the time? Does the software vendor offer artificial intelligence or anti-fraud modules at an additional cost? Or did the crime expose the fact the software is outdated and does not have potential to be leveraged as a part of the remediation?
Red flags that were raised but not acted upon or were never raised in the first place could mean the organization needs some additional training and ongoing compliance communications on the importance of speaking up, awareness as to the types of things the company would like to hear about and how to access confidential reporting channels.
Internal audit and compliance working together
Often overlooked in the compliance remediation process is the important role of internal audit. There could be clues in prior audit reports including corrective actions that are still pending and could have led to the discovery of the problem earlier had they been implemented. Internal audit is equally important on the back end. Changes to the internal control environment and enhanced policies and procedures need to be measured. Doing so provides insights as to whether the needed changes have in fact been implemented, operationalized and are being followed, and if the changes are driving more positive behaviors and mitigating risks.
Use of background investigations after the fact are very useful in internal investigations but could also be a part of the solution. Internal investigations often reveal that the pre-employment screening process missed important information before the investigative subject joined the company. That could have allowed the company to make a different hiring decision had the process been more robust. Similarly, background investigations are based upon an examination of public records in a moment in time. They are static. Public records on the other hand are dynamic and someone who seemed like an ideal hire one day could look very differently two or three years in. Few organizations except those that require that their employees have Top Secret clearances conduct investigations of their existing employees on a recurring timetable. Likewise, vendors, customers, venture partners and other commercial relationships can pose risks. Examining the risks these various touchpoints represent and performing targeted screening and background investigations of those that represent elevated levels of risk can be an important part of the risk assessment and compliance remediation process.
Monitoring of email and internet usage is sometimes controversial. The thought of it can make people uncomfortable and can be a non-starter in some foreign jurisdictions. In the U.S., employees have no expectation of privacy on their use of company email and messaging systems, devices and networks. In a surprisingly high number of internal investigations, the subjects use their work email, equipment and systems to discuss criminal activity, create and store fraudulent business records or keep track of their illicit activity. If monitoring email and internet usage causes leadership to cringe, having the tools and ability to access them as an investigative tool is the next best thing.
Organizational risks change over time and compliance programs and internal controls need to be adapted periodically to keep pace with these external dynamics. Whether it is referred to as “root cause analysis”, the application of lessons learned, or the more grisly “post-mortem”, the investigation itself and the performance of a risk assessment through the lens of one or more recent negative events is an essential part of an effective compliance program and “fixing the problem”.