DOJ Fraud Section Puts Boards of Directors on Notice Regarding “Conduct at the Top”

In February 2017, the U.S. Department of Justice (DOJ) Fraud Section published its latest guidance on corporate compliance programs with the release of the very useful document titled “Evaluation of Corporate Compliance Programs.”

While many legal and compliance scholars have rightly stated that this latest publication isn’t anything radically different than prior authoritative guidance issued by the DOJ and other organizations, what jumps out is the reframing of the well-worn expression, “tone at the top,” with the potentially more insightful, and arguably much scarier, “conduct at the top.” In a just-released Flash Report, we put forth questions and insights that illustrate the degree to which the DOJ is examining senior management and the board of directors while evaluating a corporate compliance program.

Managing Your Organization’s Culture During Rapid Growth

By Charles Soranno, Managing Director
Financial Reporting Compliance and Internal Audit



Early in December 2016, I had the pleasure of leading an in-depth webinar exploring how fast-growing companies can prepare for challenges related to changes in their culture and talent requirements, particularly when ramping up for an IPO or following one.

I was joined by Carmela Krantz, Vice President of Human Resource at WideOrbit; Danielle Soucek, Director of Insight Product at Equilar; and Michael Waxman-Lenz, CFO at Undertone. Together, we provided analysis and guidance on how to create the right team, scale for growth, benchmark against peers and competitors, and develop a public company mindset.

As companies implement their growth plans in the new year, it’s worth revisiting a few of the big ideas that emerged from the event.

Building the Right Team – Recognize the Influences
An organization’s ownership structure, its industry dynamics, and whether it has a domestic or global presence shape its culture and need for certain skillsets. Challenges typically emerge when companies bring in new investors, prepare to launch an IPO, add locations, or significantly expand their employee base.

Ownership has a tremendous impact on what the right team looks like, for example. A closely held startup may not have formal financial reporting requirements, but as it attracts institutional capital or registers for a public offering, more specialization and structure are required as expectations and demands change. Institutional investors likely will be less forgiving of reporting errors than founders working in a close-knit setting, and companies that execute their IPOs have to meet strict Securities and Exchange Commission (SEC) regulatory, compliance and reporting requirements. Will free-thinking, entrepreneurial-oriented individuals who were involved in virtually all aspects of a startup’s early development be able to not just perform, but thrive, in this more regimented operating environment?

Scale for Growth
Maintaining robust and consistent communications and formal communication protocols (especially for public companies) between an organization’s leaders and its workforce – even to the point of “over communicating” – is perhaps the most important strategy human resources (HR) can promote when employment rosters are expanding by the dozens each month. Letting employees know how they fulfill a company’s mission during times of rapid change keeps them plugged-in, motivated and contributing to desired business outcomes.

Staying ahead of the recruiting battle is another critical step HR can take. Human resource managers and recruiters must work closely with the C-suite to better understand the dynamics of the growing company and the mindset – not just skillset – required to make new hires successful. Also, by keeping employees informed of open positions and using referral incentives, HR can make all employees recruiters. This strategy can help fill jobs more quickly and often nets candidates of a certain caliber that have a higher chance for success.

Benchmark Growth
Compensation practices change dramatically after a company prepares for and ultimately completes an IPO, typically moving from less structured to more formal, documented programs designed to secure and retain talent. The scrutiny, by the SEC and others, of publicly available post-IPO executive compensation data requires organizations to balance shareholder interests with rewarding executives fairly.

One of the best ways to strike that balance begins with defining the talent market by selecting a peer group survey or collecting proxy data, or by combining both methods. Many companies utilize compensation consultants that can provide the data. Often, the advisors also understand how less tangible factors, such as management philosophy and individual performance, may influence pay packages.

Get a Head Start
While an IPO may be the last thought on the minds of executives running rapidly growing companies, especially early-stage companies, operating as if a transaction is imminent can make organizations more attractive and valuable when investors begin to take interest. Steps companies can take in that direction include developing a solid IT and finance infrastructure, assembling superb finance and operations teams, establishing excellent corporate governance, and developing a public company mindset among employees.

Of these initiatives, developing sustainable and scalable IT infrastructure and strong finance and accounting teams are among the most critical. However, infrastructure also encompasses making sure a company’s organizational chart is balanced and determining whether special technical or general needs should be outsourced. Organizations also need to be aware of pitfalls that could derail the development of a transaction-ready public company mentality. Underestimating the effort required not just before, but also after the IPO, is chief among them.

Learn More
Rapidly growing companies face a number of challenges as they transition from freewheeling entrepreneurial startups to more structured, efficient and mature operations. By preparing for headwinds associated with changing cultures, they can put themselves in a better position for success. Listen to the recorded webinar for a deeper dive into the ideas discussed here.

Internal Audit at Financial Institutions Is Evolving

By Mike Thor, Managing Director
Internal Audit Practice Leader for Financial Services in North America




Financial firms’ risk profiles are continually challenged by new regulatory requirements and heightened expectations from supervisors requiring firms to advance their risk management processes. At the same time, advances in technology are driving consumer demand for more mobile services, even as new entrants, the so-called fintech companies, are transforming the competitive landscape. All this means that demands on chief audit executives (CAEs) and internal audit departments at financial institutions are increasing in proportion to these new challenges.

Under the heightened standards for large financial institutions, a set of guidelines issued by the U.S. Office of the Comptroller of the Currency (OCC), the role of internal audit is defined as opining on the readiness and design of the risk management systems and corporate governance structures of the institution, including its risk culture and risk appetite. To fulfil this role, auditors at financial services firms need to improve their technical knowledge in several areas, according to Protiviti’s latest Internal Audit Capabilities and Needs Survey, a comprehensive survey of internal audit professionals conducted in the fourth quarter of 2015.

A special industry-focused publication derived from the larger survey’s results, Top Priorities for Internal Audit in Financial Services Organizations, zooms in on the concerns and outlook of internal audit leaders within the financial services industry. In summary: The list of internal audit priorities for financial services firms is only getting longer, and internal auditors are noting the need to improve their knowledge in key areas, specifically cybersecurity, mobile applications, model risk, and the challenge of integrating risk appetite and risk culture within an agile risk management philosophy.

In addition, as the last line of defense, internal auditors need to streamline their processes to foster a more agile and efficient internal audit approach. The survey makes clear that during the past year, internal audit executives have advanced in their efforts to connect with the lines of business and management as part of collaborative efforts to improve oversight and to help the organization understand its risks and achieve its strategic objectives. Such collaboration improves communication between the three lines of defense while also helping organizations become more efficient and optimize existing resources – an important goal, since difficulties in hiring and retaining talent have become more acute in recent years.

In light of this talent shortage, internal audit functions are increasingly considering investment in technology-enabled auditing approaches and tools, which can help them meet two important objectives: 1) address their growing list of priorities more efficiently, and 2) stay current and effective in their approach to risk, as banks continue to adopt emerging technologies in an effort to remain competitive in a rapidly evolving marketplace.

By improving their efficiency, knowledge and effectiveness, internal audit functions will be able to better assist their organizations in their continued growth. The improved skill set also will help position internal audit for its growing role of a key strategic partner in the broader enterprise – a role very much in demand, according to the recently published North American results of the 2016 Common Body of Knowledge (CBOK) Stakeholder Survey (with global results coming soon).

Finally, the reports on internal audit priorities, both the overall findings and the financial services edition, provide more than just a snapshot of the areas internal audit executives are most concerned about. The publications also offer real, practical advice from Protiviti experts from a variety of subject areas on how internal audit functions can achieve their goals and objectives. They discuss hot topics and changes that have occurred over the past 12 months in the financial services industry, and their impact on the work of internal audit. Download the two reports here and here.

A Country Default: What Does It Mean?

Eyes have been on Greece and its debt crisis for a long time. The downward spiral of the Greek economy began some 35 years ago with fiscal policies that expanded the country’s debt-to-GDP ratio four-fold over the ensuing decade and into the early 1990s. After stabilizing its economy and holding the debt-to-GDP ratio relatively constant until the advent of the Great Recession, Greece has experienced a 50 percent increase in the ratio to its present unsustainable level. Structural weaknesses in the economy, the recent default on debt obligations, and lost confidence among lenders regarding Greece’s ability to take responsibility for its fiscal issues have led to the present crossroads.

After the initial 2010 bailout and subsequent bailout extensions, coupled with extensive debt restructuring involving principal reductions, extended maturities and lower rates, the present crisis has been marked by weeks of debate and posturing between Greece and the eurozone in which the country requested additional debt relief and the eurozone demanded concrete proposals that will lead to progress toward achieving the long-term debt-to-GDP ratio targets set by previously established bailout terms. On July 5, a strong majority of Greek citizens voted to reject the current bailout terms, causing global capital markets to tumble amid the uncertainty over what will happen next.

In the aftermath of the Greek vote, the country’s finance minister was replaced and negotiations with the eurozone have continued. As it stands today, the eurozone has demanded new proposals from Greece to secure a deal with creditors in time for evaluation by the eurozone finance ministers prior to a full summit of the European Union (EU) scheduled for Sunday, July 12.

So it’s all coming to a head. Either there will be a deal or Greece and its banks will be on their own starting next week.

So Why Should We Care?

As the 45th largest economy in the world in terms of GDP in 2014, Greece’s economy is smaller than that of the Seattle, Washington metropolitan area in the United States. It’s slightly greater than one percent of EU GDP. Since no one is arguing that Greece is too big to fail, why do we care what happens in the crisis?

Perhaps the primary reason is the uncertainty of not knowing what we don’t know. Could a so-called Grexit from the euro and reintroduction of the drachma destabilize the eurozone and would a permanent default by Greece on its debt throw global markets into distress mode? No one wants to start a fire they can’t put out.

What about the effect on Greece itself following a Grexit? It is reasonable to expect the new drachma to devalue significantly relative to the euro once the currency is pegged to another currency (perhaps to the euro). In addition, we can expect higher inflation, exorbitant interest rates and lost purchasing power for Greek citizens. Add rising unemployment and out-of-reach prices for imported goods, a possible run on the banks (which may have already begun), a drop in per capita income, and rising income inequality, and you’ve got a not-so-pretty picture of declining living standards and a budding humanitarian crisis in the making.

Close observers of the situation in Greece have seen the present impasse coming for a long time. Hopefully, companies with operations or other interests in Greece have been able to make adjustments over time to prepare. But the real question is this: What other countries are exposed to bankruptcy due to economic, structural and/or political issues, do we operate there, and if so, are our operations exposed? In addition to Greece, examples of such countries include Venezuela, Argentina, Egypt, Pakistan, Ukraine, Jamaica and Cuba. And there are other countries that may be on the brink or headed in the wrong direction.

Managing Country Risk

Companies invest in other countries to enter new markets, lower costs and, above all, earn a satisfactory return on investment. The less stable a country, the greater the exposure to either investment impairments or reductions in investment returns. These may arise from:

  • Confiscatory actions by a sovereign (e.g., nationalization of the business or expropriation of assets);
  • Discriminatory actions by a sovereign directed to the company, a targeted industry (say banking) or companies from certain countries (e.g., additional taxation, price or production controls, exchange controls, currency manipulation or performance requirements); or
  • As we witnessed in the Arab spring, destructive/disruptive acts by others (e.g., violence, terrorism, war, strikes, infrastructure deficiencies, kidnappings or physical phenomena).

The primary objective of managing country risk is to protect company investments and sustain investment returns. To that end, if multinationals believe that destabilizing situations in certain countries expose them to confiscation, discrimination or destructive/disruptive acts, they can face these changes with confidence by:

  • Managing down investment: Repatriate cash to the extent exchange controls and currency conditions allow, manage the operation as though it’s a “cash cow” until conditions stabilize, avoid any additional capital investments, cease replenishing inventory from abroad, and/or look for ways to finance payroll, maintenance and other operational functions through local cash flow.
  • Moving assets to higher ground: Move tangible and non-tangible (e.g., data files, intellectual property) assets out of harm’s way, if feasible. For example, if the company has physical assets close to known “hot spots” where the masses are likely to converge, it may be best to move them to other locations away from the action and potential violence.
  • Sharing the risk: Enter into joint ventures with local/foreign partners to reduce exposure to confiscation risk since the presence of nationals can take a multinational under the radar. If cost-effective, political risk insurance is another option covering the risks of confiscation, political violence, insurrection, civil unrest and discrimination.
  • Listening to local management: Make sure local management is on top of things and empower them to do what they have to do to take any and all necessary steps to protect the safety of employees and safeguard company assets.
  • Initiating an exit strategy: Divesting assets in the cool of the day (before violence breaks out) may be a viable option, if there is a willing buyer. Obviously, it is not likely to be viable when people take to the streets.
  • Paying attention to the warning signs: Assess exposure to instability and take proactive steps to manage that exposure. Don’t wait until it’s too late and options are limited. Watch countries with runaway food price inflation such as those with a low GDP per capita and a very high percentage of food relative to total household consumption. People have to eat.
  • When stuff happens, conducting a post-mortem: When an adverse event happens, review the assumptions your company had previously from an economic, political and structural standpoint. Did management see the event coming? If not, why not? If management saw it coming, did the organization take steps to prepare? Could the company have done anything different?

A Grexit would pose new uncertainties – for Greece and its people, for the EU and eurozone, for global markets and for companies with operations affected by the fallout. It’s just another illustration that the world is a dynamic place and escalating cost structures are impossible to sustain without growth. It’s also a reminder that multinationals can expect continued challenges when countries in which they operate become unstable.


My Dinner with Dr. Mervyn King

His Royal Highness Prince Charles, in a videotaped welcome message kicking off The Institute of Internal Auditors International Conference in London this summer, spoke of the importance of long-term value creation, noting that nonfinancial reporting is changing the face of internal audit.

He deferred on the subject to a general session speaker, Professor Mervyn E. King – not the former head of the Bank of England, but the former South African judge widely considered a staunch champion of corporate governance and viewed by some as the father of integrated sustainability reporting.

King, the eponymous architect of South Africa’s pioneering integrated reporting framework, has served and, I believe, continues to serve as chair of the International Integrated Reporting Council (IIRC). The IIRC was created by Prince Charles to examine long-term solutions to value creation and break the cycle of corporate governance driven by short-term financial pressures. Quite a daunting task, and one which required a special person to lead the effort.

Some 14 years ago, I undertook a 32-day trip around the globe to promote a book I wrote on the topic of enterprise risk management. This was, in fact, the first book published on the subject. One of the countries I visited was South Africa. My partners at Andersen in Johannesburg arranged a dinner with several individuals, including Dr. King. It was a long table in a private room and Dr. King and I were seated directly across from each other. While I am sure Dr. King has long forgotten that evening in Johannesburg, it was a memorable experience for me personally. I learned firsthand that he and I had a common core set of views on a wide variety of topics around corporate governance, risk management and internal control, and their importance to creating and protecting enterprise value. Most importantly, he was quite the gentleman.

At the time, Dr. King was chairing a committee that prepared what became known as the King II Report, which updated a prior version of a governance framework. Issued in March 2002, the report covered such topics as directors and their responsibility, risk management, internal audit and integrated sustainability reporting. Acclaimed internationally, King II was a rich source of input to the U.S. Congress in formulating the Sarbanes-Oxley Act. Since then, Dr. King has consulted with and advised bodies all over the world on King II and governance generally.

In 2009, King II was updated because Dr. King was of the view that sustainability issues did not warrant a mere separate chapter but should be integrated into the mainstream. The resulting King III report asserted that strategy, risk, performance and sustainability are inseparable; hence, the phrase “integrated reporting” was used throughout the report.

I recently saw an article referencing King III and its impact on integrated reporting. The principles of the King III framework, which now form the nucleus of the IIRC’s integrated reporting framework, raise the bar for governing and managing an organization. They can be summarized as follows:

  • Good governance is essentially about effective leadership. Leaders need to define strategy, provide direction, and establish the ethics and values that will influence and guide practices and behavior with regard to sustainability performance.
  • Sustainability is now the primary moral and economic imperative, and it is one of the most important sources of both opportunities and risks for businesses. Nature, society and business are interconnected in complex ways that need to be understood by decision makers. Incremental changes towards sustainability are not sufficient – we need a fundamental shift in the way companies and directors act and organize themselves.
  • Innovation, fairness and collaboration are key aspects of any transition to sustainability – innovation provides new ways of doing things, including profitable responses to sustainability. Fairness is vital because social injustice is unsustainable and collaboration is often a prerequisite for large-scale change.
  • Social transformation and redress is important and needs to be integrated within the broader transition to sustainability. Integrating sustainability and social transformation in a strategic and coherent manner will give rise to greater opportunities, efficiencies and benefits, for both the company and society.
  • Sustainability reporting is in need of renewal in order to respond to a) the lingering distrust among civil society of the intentions and practices of big business, and b) concerns among business decision makers that sustainability reporting is not fulfilling their expectations in a cost-effective manner.

These are sound principles. Slavish devotion to short-term financial goals is an unwise policy from the standpoint of the long-term interests of our global society. While the almighty bottom line will always be important, income inequality, resource preservation, chronic unemployment, carbon footprint size and other issues suggest that business strategies should drive long-term corporate growth and profitability by considering environmental and social issues in the business model. Some take this mantra seriously. Many don’t. King III is a call to action on this front.

Looking back fondly on that dinner, so many years ago, I raise a glass once again in Dr. King’s honor and wish him continued success at bringing his much-needed ideas into the corporate and public company mainstream.

For more on the work of the IIRC, visit For more on Mervyn E. King and King III, visit


Developing an Effective, Scalable Third-Party Anti-Corruption Program

by Scott Moritz and Scott Wisniewski

Scott Moritz and Scott Wisniewski are Managing Directors with Protiviti. Moritz leads the firm’s Investigations and Fraud Risk Management practice, while Wisniewski is the head of Protiviti’s Risk Technologies group.

Honesty and trust aren’t what we want to be thinking about when it comes to the global partner ecosystems we are building out today. We’d rather be thinking about economies of scale, increased efficiency and agility, and a time to value that blows away the competition. Unfortunately, third parties represent a major and constant risk, and are the source of the majority of violations of the U.S. Foreign Corrupt Practices Act, the U.K. Bribery Act and other international anti-corruption laws. Because of this, an effective third-party anti-corruption program is now an essential component of the overall corruption program at many companies. An effective third-party anti-corruption program helps you to understand the risk that each third party represents, identify potential bad actors, and apply a heightened standard of care to these organizations, or even terminate the business relationship.

A successful program is all about designing sustainable, consistent global processes based on an understanding of which parties should be included in the program; applying a risk-scoring methodology to group the parties into high-, medium- and low-risk categories; and applying standard due diligence processes to all parties and enhanced due diligence processes to those that fall into the high-risk group.

Implementing a successful program also requires a global technology platform that centralizes – and can scale – all third-party anti-corruption activities across the global ecosystem. This is why Protiviti has just released the Governance Portal for Third-Party Anti-Corruption v4.1, a new Protiviti Governance Portal solution that makes it simpler, faster and easier to reduce risk and ensure compliance on a global scale. From creating a centralized repository for all program data and activity, to creating the required scorecards for vendors and partners, to managing workflow and maintaining an audit trail of activities, the Governance Portal for Third-Party Anti-Corruption enables key stakeholders to identify third parties with heightened risk and track investigations and resolutions – regardless of where the stakeholders or third parties are located.

By centralizing the third-party anti-corruption program and managing the processes more effectively, companies can more confidently focus on the business benefits of their ecosystems. For more information about third-party anti-corruption programs, check out “Are Third Party Vendors Putting Your Company at Risk?” a July 15, 2014, webinar featuring Chris McClean, principal analyst and research director with Forrester Research, Inc. The webinar provides a detailed account of how to effectively apply best practices to identify potentially problematic commercial partners and the importance of an enabling technology platform.

Some Interesting News from Australia – New Rules Boost Internal Assurance for ASX-Listed Companies

By Mark Harrison
Managing Director, Protiviti Australia


Editor’s note: This post was published originally on Work Life, a website and blog from Robert Half Australia. We thought this news about new internal audit requirements for publicly listed companies in Australia would resonate with companies in other countries, including the United States. (The NYSE has a similar requirement for its listed companies.)

Stronger Corporate Governance
From July 1, 2014, listed entities will disclose if they have an internal audit function, how it is structured and what role it performs, as per Recommendation 7.3 of the 3rd edition of the ASX Corporate Governance Principles and Recommendations.

The Recommendation further states that if the entity does not have an internal audit function, it should disclose that fact and the alternative processes employed for evaluating and continually improving the effectiveness of its risk management and internal control processes.

These new disclosures will deliver a long-overdue boost to the governance standards of approximately 1,800 Australian companies who have yet to embrace the assurance that internal audit provides.

The New York, UK, Hong Kong, Singapore and Malaysian stock exchanges have for many years either obliged listed companies to have an internal audit function or required a relevant disclosure in their annual report. Market regulators insist on this for the simple reason that internal audit enhances shareholder protections and is a fair quid pro quo for the privilege of raising capital from the public.

Internal Audit Is an Indicator of Corporate Health
Many institutional and other sophisticated investors view the existence of an internal audit function as an indicator of the health and stability of the company.

Why? Because internal auditing is an essential element of good corporate governance. It’s an independent assurance process that helps companies improve their operations by ensuring there are effective risk management and controls in place to identify and mitigate problems before they escalate and to take advantage of new opportunities. Companies that disclose a solid internal audit function will therefore inspire greater market confidence and enhance their attractiveness to investors.

Most well-resourced companies at the ‘big end of town’ already have an internal audit function because quite apart from being good for governance, it adds value to the business. However, for the remaining 1,800 or so companies below the ASX 300, internal audit is still practically non-existent.

Implementing an Internal Audit Function
In many cases, it would not be cost-effective for a smaller company to establish a dedicated internal audit function. Fortunately, other competitive options are available.

Smaller companies could embrace a shared service model where two or three companies split the cost of an internal auditor, an approach which is common in the government sector. Another option is to outsource to an internal audit consulting firm.

Importantly, to safeguard the quality and integrity of its internal audit reviews, companies engaging an internal audit service provider should always insist their internal auditor apply The Institute of Internal Auditors’ (IIA) International Standards for the Professional Practice of Internal Auditing. These are the only globally accepted standards for internal audit work and represent professional best practices.

Companies should be wary of service providers who use accounting standards or their own internal manuals to perform internal audit work. These references are simply not appropriate for internal audits and risk compromising the quality of the audit.

Applying the IIA’s internal audit standards guarantees that the work will be robust and that company directors and executives will receive reliable and objective information to improve their business processes.

Stand Out From the Crowd
There are many benefits in adopting an internal audit function and in making a quality internal audit disclosure. For smart operators in the small-to-medium company sector this is an excellent opportunity to positively differentiate themselves and to make an impression on investors seeking a more stable, sustainable investment.