by Jonny Frank, Michele Edwards, and Chris Hoyle
It is tempting for organizations to downplay compliance violations as an isolated event attributable to a few bad apples. However, experience teaches that misconduct is often worse than initially thought. Wrongdoers who confess rarely admit to their complete wrongdoing. And it is common for the same or similar misconduct to occur across business lines and geographies.
Because wrongdoing is often much more extensive than originally believed, organizations cannot afford to assume that an incident is an isolated event. Imagine the legal implications—and embarrassment—if the government, public or other stakeholders discover that an organization’s internal investigation failed to detect the full extent of the perpetrators’ wrongdoing or similar schemes committed by others in the organization. The organization also needs to know the full extent of its financial losses, which may be far larger than first estimated, in order to recover them.
“Read Across” refers to the procedures the remediation team employs to build on the root-cause analysis to (a) discern the full extent of wrongdoers’ misconduct and (b) detect similar misconduct elsewhere in the organization (e.g., other geographies and business units). The remediation team should document its conclusion and rationale, especially if it decides the wrongdoing is an isolated event and warrants no further action from the organization. Contemporaneous documentation will be helpful if later events reveal an incorrect assessment by the company.
Negative Assurance
How does an organization ferret out undetected misconduct without specific allegations or suspicions to guide the investigators? Even worse, how does the organization prove the absence of misconduct?
Remediation professionals borrow from an auditing process called negative assurance. In this process, the remediation team searches for indicators of misconduct. If the team finds none, it provides negative assurance to management and the board that it has not detected anything to indicate the occurrence of misconduct.
(a) Wrongdoer Misconduct
The remediation team can provide negative assurance that the organization has captured the full extent of the perpetrators’ wrongdoing by applying forensic audit procedures:
- Identify potential misconduct risks and scenarios by examining the wrongdoers’ pressures, incentives, and opportunities to engage in misconduct.
- Examine the design and operating effectiveness of the organization’s risk response (i.e., culture, conduct and supervision, processes, controls) to prevent and detect the identified potential misconduct risks and scenarios.
- Create risk indicators and red flags for residual risks.
- Develop forensic auditing procedures, including forensic analytics, transaction testing, accounts and balances testing, walk-throughs, observations, and interviewing.
- Provide negative assurance if forensic auditing procedures do not identify risk indicators; refer for investigation if risk indicators and red flags suggest possible misconduct.
Illustration: The XYZ Corporation terminates the CFO for significant travel and expense abuse. Concerned about the potential for other misconduct, XYZ conducts a risk assessment and identifies that the CFO had an incentive and the opportunity to inflate sales numbers through side agreements that give customers the right to return. There are many indicators of this type of scenario, including, for example, a disproportionate spike in sales just before the end of a quarter or in returns just after the end of a quarter. The absence of a spike in sales and returns and of other risk indicators could support the remediation team in providing negative assurance that there are no indications of premature revenue recognition. The presence of a spike would give rise to a suspicion, which the remediation team would refer to the organization for investigation.
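One way to operationalize the spike indicator from the illustration above as a forensic-analytics check. This is an added example, not code from the article or from StoneTurn; the 90-day quarter, the seven-day windows, the 2x threshold and the daily figures are all assumptions constructed for the example.

```python
from datetime import date, timedelta
from statistics import mean

def window_ratio(rows, field, start, end, base_start, base_end):
    """Mean of `field` over [start, end] divided by its mean over the baseline [base_start, base_end]."""
    inside = [r[field] for r in rows if start <= r["day"] <= end]
    base = [r[field] for r in rows if base_start <= r["day"] <= base_end]
    if not inside or not base or mean(base) == 0:
        return None  # not enough data to form an indicator
    return mean(inside) / mean(base)

def read_across_revenue_check(rows, q_end, window_days=7, threshold=2.0):
    """Test the two premature-revenue-recognition indicators from the illustration:
    a spike in sales just before quarter end and a spike in returns just after it.
    Returns the ratios, any red flags, and the disposition (negative assurance or referral)."""
    one = timedelta(days=1)
    q_start = q_end - timedelta(days=89)            # assumption: quarter modelled as 90 days
    next_q_end = q_end + timedelta(days=90)
    # Last `window_days` of the quarter versus the rest of the same quarter.
    pre = window_ratio(rows, "sales", q_end - timedelta(days=window_days - 1), q_end,
                       q_start, q_end - timedelta(days=window_days))
    # First `window_days` of the next quarter versus the rest of that quarter.
    post = window_ratio(rows, "returns", q_end + one, q_end + timedelta(days=window_days),
                        q_end + timedelta(days=window_days + 1), next_q_end)
    flags = []
    if pre is not None and pre >= threshold:
        flags.append(f"sales in last {window_days} days of quarter are {pre:.1f}x baseline")
    if post is not None and post >= threshold:
        flags.append(f"returns in first {window_days} days after quarter are {post:.1f}x baseline")
    disposition = "refer for investigation" if flags else "negative assurance: no indicators found"
    return {"pre_quarter_sales_ratio": pre, "post_quarter_returns_ratio": post,
            "red_flags": flags, "disposition": disposition}

def constructed_sample(q_end, with_spike):
    """Constructed daily sales/returns for the quarter ending q_end and the following quarter."""
    rows = []
    for offset in range(-89, 91):
        sales, returns = 100.0, 5.0
        if with_spike and -6 <= offset <= 0:
            sales = 400.0                           # quarter-end sales spike
        if with_spike and 1 <= offset <= 7:
            returns = 40.0                          # post-quarter returns spike
        rows.append({"day": q_end + timedelta(days=offset), "sales": sales, "returns": returns})
    return rows

if __name__ == "__main__":
    for spike in (False, True):
        print(read_across_revenue_check(constructed_sample(date(2024, 3, 31), spike), date(2024, 3, 31)))
```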
(b) Misconduct by Others
Remediation professionals must consider whether to search for similar misconduct elsewhere in the organization. For example, suppose that a multinational company discovers corruption in an African sales office. How does it investigate whether similar wrongdoing occurred in other high-risk jurisdictions?
Investigating misconduct throughout an organization can be expensive and time-consuming, especially without specific allegations or suspicions. The organization must balance the time and expense of conducting extended forensic auditing procedures with the business, legal, and reputational consequences of permitting wrongdoing to go undetected.
The remediation team should begin with the flaws in the compliance program and controls identified in the root-cause analysis (“RCA”). Suppose the RCA reveals the controls are well designed but not operating effectively. In that case, the remediation team will test operating effectiveness in other locations to provide negative assurance that the wrongdoing was limited to a single individual or location.
The process becomes more complicated if the RCA determines the misconduct arose from significant design deficiencies. The company must decide whether the likelihood and significance of the underlying risk warrant conducting a forensic audit to search for indications of misconduct (e.g., using artificial intelligence, data analytics, transaction testing).
The forensic auditing procedures are like those used for pursuing the full extent of the wrongdoers’ misconduct, including:
- Identify risks and scenarios that are reasonably likely to occur and would significantly impact the organization.
- Create risk indicators and red flags.
- Develop forensic auditing procedures, forensic analytics, transaction testing, accounts and balances testing, walk-throughs, observations, and interviewing.
- Provide negative assurance if the forensic auditing procedures do not identify any risk indicators; refer for investigation if the auditing procedures identify sufficient indicators and red flags.
Moving Ahead
Stay tuned for the next piece in this series, developing “Corrective Action Plans,” which follows the RCA and Read Across in the remediation process. Developing Corrective Action Plans includes developing enhancements to processes and controls to prevent and timely detect the misconduct identified during the RCA and Read Across. You can find more information about the RCA in the initial part of the series, “A Primer in Root Cause Analysis: A Critical Step in the Remediation of Compliance Violations.”
Jonny Frank, Michele Edwards, and Chris Hoyle are Partners at StoneTurn Group, LLP. This article is the second part of a multi-article series; access part one on Root Cause Analysis here. This article also updates J. Frank, Remediation, Litigation Services Handbook: The Role of the Financial Expert, 5th Edition, Chapter 13A (2015). Access that chapter here.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).