What Every Internal Auditor Should Know Perspectives of a Chief Compliance Officer IIA: November 11, 2011 Jon Rydberg

What Every Internal Auditor Should Knoworchidadvisors.com/editor_uploads/documents/IIA... · • Reliable financial reporting (e.g., SOX) Advisory • Efficient and effective operations



Agenda

1. Opening Comments

2. Weak Infrastructure May Drive Value Destruction

3. Case Study: “When Sales Mask Performance”

4. Focal Points and Ideas

5. Closing Remarks

Disclaimer - This presentation is not about the presenter’s current or previous employers. The contents are observations taken from various points over his career.


1. Opening Comments

1. Opening Comments: Objective

1. Internal Audit and Compliance is often misunderstood. Some companies…

▫ Establish them to “check a box.”

▫ Lack the knowledge to achieve value.

▫ Believe they are “above it.”

▫ Believe they are “control cops” (e.g., “Sales Prevention Team”).

▫ Believe they are necessary evils, draining cash with no ROI.

2. My objective is to promote these functions as mechanisms to:

▫ Establish the boundaries for compliant and ethical business activity;

▫ Proactively identify and evaluate emerging risks; and

▫ Provide recommendations that enhance infrastructure and protect enterprise value – a core responsibility of every executive.

1. Opening Comments: Definitions and Assumptions

1. Corporate Infrastructure is:

▫ People, process, technology

▫ Policies, procedures and internal controls

▫ Training, measurement and accountability

2. Value Destruction is:

▫ Reduction in stock price

▫ Damage to customer satisfaction and brand

▫ Demoralization of the workforce

▫ Fines, penalties, debarment

3. ROI should also be viewed as the lack of “Value Destruction.”

1. Opening Comments: Understanding Internal Audit and Compliance

Chief Compliance Officer
• Promote standards of conduct.
• Design policies to prevent improper conduct.
• Manage company hotline and investigations.

Assurance
• Compliance with policy / laws (e.g., ITAR)

Advisory
• Business advisory (e.g., International biz design; Executive MBO setting)
• Policy development (e.g., FCPA, Code of Conduct).

Chief Audit Executive
• Identify and mitigate vulnerability and risk.
• Serves as an advisor to the Board, CEO, CFO.
• Integrates risk management into strategy.

Assurance
• Compliance with policy / law (e.g., T&E)
• Reliable financial reporting (e.g., SOX)

Advisory
• Efficient and effective operations (e.g., Procure-to-Pay process review)
• Achieving strategic objectives (e.g., ERP implementation help, due diligence, cost audit)


2. Weak Infrastructure May Drive Value Destruction

2. Weak Infrastructure May Drive Value Destruction: Share Shock – Share Price Declines >30%

Approximately 25% of F1000 companies with share shock experienced failures in infrastructure.

Source – Corporate Executive Board

Can be linked to weak risk management, corporate infrastructure or oversight.

2. Weak Infrastructure May Drive Value Destruction: Ten Largest Settlements in Last 12 Months

[Chart: Settlement Costs Excluding Investigation and Legal Support. Source – Nera]

Can be linked to weak risk management, corporate infrastructure or oversight.

2. Weak Infrastructure May Drive Value Destruction: Ten Recent FCPA Settlements

[Chart: Settlement Costs Excluding Investigation and Legal Support; amounts in $US, millions; x-axis $0 to $800. Companies shown: Siemens (2008); KBR/Halliburton …; BAE (2010); Snamprogetti (2010); Technip S.A. (2010); JGC Corporation (2011); Daimler AG (2010); Alcatel-Lucent (2010); Panalpina (2010); Johnson & Johnson …. Criminal Fines (Total for All: $2,228); Disgorgement (Total for All: $946). Source – Resources Global]

Can be linked to weak risk management, corporate infrastructure or oversight.

3. Case Study: “When Sales Mask Performance”

3. Case Study: “When Sales Masks Performance”

[Chart: Sales vs. Time, phase 1]

1 / Increasing Sales: Impact

• Employees are measured on financial performance.

• Employees are held accountable for not hitting targets, but are not measured on performance in other areas.

• Tone from the top is founded on trust and there is little mention of Compliance, Ethics or Controls.

• As the organization’s revenue base grows, bonuses are strong, stakeholders are happy and the focus on infrastructure and internal behavior shrinks.

• Cultural norms develop around heroics. Employees do what is needed to get the job done.

[Chart: Sales vs. Time, phase 2]

2 / Stability or Limited Volatility: Impact

• Despite limited volatility, success is still strong. Confidence grows. Company goes public.

• In order to meet Shareholder expectations, new revenue streams are found (new products, new markets, acquisitions).

• Measurement on short-term financial performance becomes stronger.

• Organization is too busy to think internally. Money is saved by not investing in “oversight” functions.

• Even less focus on infrastructure as the organization invests its financial and human resources on revenue maintenance or growth.

• Employees are hired and put into action with little training.

• The business has grown large and complex, outpacing its infrastructure. Yet, margins remain strong due to decent sales and limited internal investments.


[Chart: Sales vs. Time, phase 3]

3 / Declining Sales: Impact

• Limited revenue to cover fixed costs. Bottom-line profits shrink.

• Pressure is high and even more focus is placed on doing what is needed to get the job done.

• Few written Policies and Procedures govern how work is accomplished.

• Environment is now ad-hoc and out of control. Employees continue to act through heroics.

• Mistakes are made affecting cost of quality, customer satisfaction, litigation expense, revenue leakage, cost overruns, injury, etc.

• Bottom-line profit shrinkage is exacerbated relative to industry competitors because the organization lacks process repeatability, efficiency, compliance and cost control.

Kaboom! Share Shock

1. Investors lose confidence due to slip in profits.

2. Significant investments required to build infrastructure around a sinking ship.

3. The immediate response for oversight and business control is disregarded by tenured workforce.

[Chart: Business Volume and Complexity rising against a Collapsing Infrastructure; label: Management Team]

3. Focal Points and Ideas

3. Focal Points and Ideas: So Where Could Internal Audit or Compliance Have Helped?

1. Identify warning signals.

2. Create efficient and sustainable processes.

3. Mitigate bad behavior.

4. Provide a legal defense.

Consider the following benefits.

- Keeping officers out of jail: controls drive accurate financials

- Avoiding $335m of FCPA fines: controls drive ethical behavior

- Enhance working capital: controls prevent duplicate payments

- Mitigating system re-work: controls facilitate working systems

- Eliminating safety issues: controls limit workers compensation

- Minimizing production delays: controls ensure inventory accuracy

ROI = Positive!

3. Focal Points and Ideas: Balance Internal Audit According to Your Needs

Spectrum of Capability

Oversight (Reactive)
• Are we operating as planned?
• Are the processes and controls operating effectively?
• Are policies being adhered to as intended?

Insight (Proactive)
• How can the process be enhanced?
• What are other companies doing?
• Can we further leverage our technology?

Foresight (Strategic)
• Where is this process going?
• Can it scale?
• Should new technologies be considered?

3. Focal Points and Ideas: Use Internal Audit’s Risk Assessment for Strategic Foresight

[Chart: Sample Emerging Risk Chart]

100% of Boards Want Insight Into Emerging Risks, 51% Are Provided Them

3. Focal Points and Ideas: Internal Audit can Benchmark Your Infrastructure

(Maturity scale: higher levels mean Increased Quality; lower levels mean Increased Risk.)

Maturity Level 5 – Optimized
Distinguishing Factors: Continuously Improving Process
Capability Description: Continuous Improvement – Continuously improving controls enterprise-wide
Capability Characteristics:
• Proactive improvement of processes & controls, based on costs
• Enterprise-wide risk strategies
• Use of statistical data to analyze & improve costs, performance, & risks
• Formal & flexible cost / benefit analysis
• Best practices identified & shared across organization
• Application processes and technology are fully integrated organization-wide

Maturity Level 4 – Managed
Distinguishing Factors: Predictable Process
Capability Description: Quantitative – Risks managed quantitatively enterprise-wide; “Chain of accountability”
Capability Characteristics:
• Objective is process control of outputs
• Detailed statistical measurement & use of key performance indicators
• Cost & cycle times well known
• Early-warning systems, risk analytics, and contingency preparation
• Experienced personnel with requisite knowledge & expertise in place

Maturity Level 3 – Defined
Distinguishing Factors: Standard, consistent process
Capability Description: Qualitative / Quantitative – Policies, process and standards defined and institutionalized; “Chain of certification”
Capability Characteristics:
• Proactive management & flexibility
• Standard roles & training
• Standardized processes company-wide
• Stable & measurable processes
• Standards & verification mechanisms
• Consistent reporting & reporting of exceptions & near-misses

Maturity Level 2 – Repeatable
Distinguishing Factors: Disciplined Process
Capability Description: Intuitive – Process established and repeating; reliance on people continues; controls documentation lacking
Capability Characteristics:
• Management objectives & planning
• Some documented policies & procedures, signs of implementation
• Stability increased
• Organizational knowledge & training
• Clear accountability & understanding of roles/commitments

Maturity Level 1 – Initial
Distinguishing Factors: No Process Evident
Capability Description: Ad Hoc / Chaotic – Control is not a priority; unstable environment leads to dependency on heroics
Capability Characteristics:
• Unpredictable & subject to “firefighting” & crisis management
• Little or vague documentation/policies
• Highly dependent on key individuals & heroics
• Instability, especially during crisis
• Inconsistent reporting mechanisms
• Undefined roles & accountability

3. Focal Points and Ideas: Utilize Internal Audit Software for Proactive Risk Management

3. Focal Points and Ideas: Keys to a Successful Internal Audit or Compliance Function Rollout

Tone From The Top
• Public announcement.
• State the purpose (compliance, process improvement, mixture).

Accountability
• Without it, your investment is meaningless.
• Establish a structured reporting process to Management, the Board, and back to employees!

Establish Defined Programs (GE examples)
Driving culture has to be the result of defined, tangible programs.
• Cultural programs: Leadership engagement; Risk assessment; Training; Communication; Evaluation
• Compliance programs:
  – Ownership by an executive (don’t blame the staff, legal or compliance).
  – Assess (list the regulations we must comply with).
  – Resource (hire and assign domain experts).
  – Relate (build it into the business process, don’t outsource it).

Budget Appropriately
• Balance your spend and budget with GAIN.
• Establish an amount that you can stomach without reason to adjust.

3. Focal Points and Ideas: The Key to Being Compliant

Seven Pillars of the Federal Sentencing Guidelines Compliance Program

Leadership: Assign an independent owner, reporting to the Board. Develop values, culture and tone.

Standards and Procedures: Create a structured policy set and Code of Conduct.

Exclude Prohibited Personnel: Documented background checks of third parties, channel partners and suppliers.

Training and Communication: Online and in-person training. Train third parties.

Audit, Monitor and Report: Develop a rotational audit plan, up to 2x per year.

Enforcement and Discipline: Reward and discipline employees.

Response and Action: Establish a corrective action process. Aggregate compliance and internal audit findings.

4. Closing Comments

4. Closing Comments: An Exercise for Your Organization

1. List the seven features that the Federal Sentencing Guidelines expect within an organization’s “Ethics and Compliance Program.”

2. List the features of your Ethics and Compliance Program.

3. List the actions that each department has taken to support your “Ethics and Compliance Program.”

4. Is your Internal Audit function aligned to your Strategic Objectives?

5. Have you benchmarked it against GAIN or other Companies?

6. Have you considered all three ranges of the IA spectrum?

4. Closing Remarks: Remarks from Best of Breed Companies

Area: Ethical and compliant behavior
Remarks:
• You can do everything right for 20 years and kill your reputation in 5 minutes. – Warren Buffett (not present)
• Never hide what has occurred. You only have one chance to tell the truth; failure to act with total transparency risks your entire brand. – Hyatt
Activities:
• Differentiate between “we are an ethical Company” and being able to provide it in a defined ethics program.

Area: Culture and Ownership
Remarks:
• Employees like to work at a company that is consistent with its own values. – General Electric
• A good compliance program is effective if you take action when someone does something right or wrong. – UBS
• Measure ethics in executive MBOs. – Google
• It is very easy for the CEO to set the tone; he/she only speaks to 5 people. The middle management layer is critical to changing a corporate culture. – Accenture
• How do we get the business to own compliance and ethics? First we spoon feed them, then we ram it down their throats. – Microsoft
Activities:
• Measure ethical conduct.
• Hold an annual Company awareness meeting. The first award should be on integrity and ethics.
• Middle layer should be appointed and rewarded as drivers.