Tag Archives: compliance management

Hui Chen: Applying DOJ’s Compliance Questions to Supplier/Social Responsibility Auditing

By: Hui Chen, former Compliance Counsel Expert, Fraud Section, Department of Justice

Ed. Note:  Hui Chen gained national attention when she made a “noisy withdrawal” from the Department of Justice this past June.  Afterwards, she graciously agreed to write the following for us.  We applaud her deep commitment to integrity and greatly appreciate her making time to pen this article.

In February 2017, the Fraud Section of the Criminal Division of the Department of Justice (“DOJ”) released a document entitled “Evaluation of Corporate Compliance Programs” (“Evaluation Questions”) which makes public the types of questions the Fraud Section asks in its evaluation of corporate compliance programs in the context of its criminal investigations. The Evaluation Questions immediately gained the attention and interest of anti-fraud compliance professionals as well as global regulators and law enforcement interested in corporate accountability. The Fraud Section, which prosecutes cases involving foreign corruption, financial, securities and healthcare fraud, has brought corporate prosecutions with historic fines and penalties and exerts enormous influence in those areas of compliance. What is often missed in the narrative, however, is the Fraud Section’s leading role in two of the largest environmental criminal prosecutions in history: the Deepwater Horizon and the VW emission scandal. As the Fraud Section’s Compliance Counsel Expert, I had the privilege of being involved in these cases, and they were very much on my mind as I drafted the Evaluation Questions.

Although the Evaluation Questions are set in the context of criminal investigations, one of the intents of the document is to also provide a framework for companies and compliance professionals to design, implement, and test their compliance programs for effectiveness. That framework is every bit as applicable to EHS and sustainability programs as it is for anti-fraud compliance programs.

At its core, the Evaluation Questions center around the following tenets of effectiveness: credibility, measurements, accountability, and continuous improvement. Let’s briefly explore these principles and see how they apply in the context of supplier/social responsibility auditing.

Credibility

The Evaluation Questions probe the credibility of companies’ boards, senior leadership, and compliance and control functions. It specifically names “audit” as one of the “relevant control functions”. It asks whether “compliance and control personnel ha[ve] the appropriate experience and qualifications for their roles and responsibilities.” How companies define that appropriateness tells a lot about the company. For example, companies that define appropriate experience largely in terms of certifications tend to be less sophisticated: they rely on commercial certification bodies to exercise the judgment and evaluation on their behalf. These types of personnel often do not perform impressively when specific questions involving real experience and expertise are posed to them: i.e. “Explain your sample selection methodology”, “How would you handle specific situations”, “What specific red flags do you look for when you are auditing for X”, etc. In this regard, I find Elm’s Auditor QuickQuiz an intriguing and useful concept and tool. My instinct tells me that this quiz may reveal more about auditors’ competency and judgment than most certifications do.

It is important to note that the notion of credibility, as explored by the Evaluation Questions, goes far beyond experience and qualifications. Corporate and professional credibility comes also in the form of visible commitment, demonstrated conduct, soundness of processes, levels of autonomy, strength of empowerment, and responses to risks, all of which are explored throughout the Evaluation Questions.

Applying these questions to supplier/social responsibility auditing, it means companies need to seriously consider factors more than subject matter expertise and cost of the auditors. Companies need to define auditor competency in terms of independence, judgment, field experience, statistical and analytical sophistication, and interpersonal and intercultural skills. Companies should also examine their auditors’ approach closely, asking specific questions about approach, methodology, and plans to identify and prepare for the types of issues that are likely to arise during the audit process.

Measurements

The Evaluation Questions are rooted in various prior guidance issued by the DOJ and other regulatory agencies and international organizations. The document, however, does bring a very significant new element: the demand for evidence of effectiveness in the form of measurements and data.   Evidence of results is, after all, a foundation to credibility. Not only do the Evaluation Questions ask about “information or metrics” the company collects and uses to help detect misconduct, but also “how has the company measured the effectiveness” of activities such as training and policy implementation. There are many “how” questions such as “How has the company assessed whether…policies and procedures have been effectively implemented?” or “How has the company evaluated the usefulness of …policies and procedures.” Companies that are able to answer these how questions in measurable metrics and data are regarded with far more credibility than those who answer with unsubstantiated adjectives.

Measurement and data are concepts that are expected to be second nature for auditors. What is important for companies is to make sure they work with their supplier/social responsibility auditors to define what to  measure and how. Whether you are auditing for manufacturing quality, environmental compliance, or safety, it is important that you sit down with your auditors to define what satisfaction looks like, and identify ways to measure it.

Accountability

Compliance programs cannot succeed without accountability. This is why the Evaluation Questions are focused on the accountability of both individual players and the company’s systems and processes. Accountability is about clearly defined roles and responsibilities, and visible consequences for words and actions. In line with this emphasis, the Evaluation Questions elevate the inquiry from the traditional “tone from the top” to “conduct at the top” and ask about “concrete” and “specific” actions. There are questions about whether supervisors are held accountable for failures in oversight and how the companies train relationship managers on their responsibilities in managing third party risks. More importantly, there are questions about the accountability of the company: what happens when “compliance raise[s] concerns or objections”? “Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures…” In other words, when issues and risks are identified, how has the company been accountable in addressing and remediating them?

As both an in-house compliance officer and as the DOJ Compliance Counsel Expert, I have seen numerous instances where companies have failed to address audit-identified issues adequately. In the eyes of prosecutors, regulators, and other stakeholders such as investors, this failure speaks volumes about the company’s commitment to accountability and raises serious questions about the company’s operational competency. It reminds me of the TV commercial where the bank security guard tells customers, in the midst of a robbery, that his job is only to notify people when there is a robbery, not to do anything about it. That is why the Evaluation Questions include questions on how audit findings and remediation progress are reported to the management and the board, and how the management and board follow up on such reports. Finding the problem is not the goal: fixing it is.

Continuous Improvement   

Even the best compliance program would become an obsolete compliance program should it not continuously update itself. Everything from business and operational realities to company culture to regulatory and legal requirements changes constantly, and only a persistently self-critical program regularly seeking improvements can remain top of its game. The Evaluation Questions recognize the necessity for continuous improvement, not only in its questions in Section 9 on audit, testing, and updates, but also in its focus on root cause analysis and risk assessments. Every instance of breach, whether it resulted in actual harm or not, is an opportunity for learning and improvement.

This same principle applies in the supplier/social responsibility auditing process. It is important for companies to ask how their auditors are keeping up with ongoing trends, regulations, audit practices/standards and realities, as well as to ask themselves how they are learning from the audit findings in not just short-term remediation, but long-term improvements in how they manage suppliers.

———————-

Hui Chen may be contacted at www.HuiChenEthics.com

New Advanced Auditor Training Program for HSE/CSR Auditors

Elm Sustainability Partners and Elm Consulting Group International have launched a new training module for senior-level and experienced health, safety, environmental and social auditors seeking to improve their auditing skills and get updates on timely topics related to non-financial auditing and technology.

It is also relevant to those buying HSE/CSR audit services who are looking to improve the quality of audits they receive.  After this course, buyers can identify specific areas of audit practice improvements to request of their providers.  Alternatively, these buyers may wish to require their external HSE/CSR auditor to complete this training themselves.

A partial list of what is covered includes detailed review and practicum concerning:

  • auditor independence standards and managing impairment threats
  • audit criteria requirements
  • audit and evidence limitations
  • evidence hierarchy, weighting and corroboration
  • fraud, forgery and tampering – including new concerns brought about by technology
  • interviewing skills including fraud examination and FBI techniques
  • discussions of US Department of Justice Criminal Division Evaluation of Compliance Program criteria (2017), the June 1, 2017 US Public Company Accounting Oversight Board (“PCAOB”) auditor reporting standard on Critical Audit Matters and EU Non-financial reporting rule
  • audit QA/QC considerations

Each participant will take a pre-test to establish a knowledge baseline and identify specific areas for improvements.  Exercises are administered throughout and a post-test will conclude the session demonstrating the advanced competencies gained.  HSE/CSR regulatory and other technical topics will not be covered as this is not a regulatory update session.

Elm Principals are BEAC Certified Professional Environmental/Health/Safety Auditors (CPEA), have served on the Board of Directors of The Auditing Roundtable (recently merged into the Institute of Internal Auditors (IIA)) and BEAC, and have trained thousands of internal and external HSE auditors over the past three decades.

Contact us to learn how you and your team can take advantage of this unique program.

New Social Auditor Certification in the Works

We have been vocal in our concerns and criticisms concerning social/CSR auditing.  And we have ourselves been criticized for that. Fair enough.

The Association for Professional Social Compliance Auditors (APSCA) has released for public comment its draft Code of Conduct and Auditor Competency Standards – available here.

We support APSCA and its work towards improving the entire “ecosystem” of CSR auditing.  Anyone with a dog in this hunt should click on the link above and submit comments.  APSCA is keen to obtain input from as wide a range of stakeholders as possible to help become as credible as possible.  Given the breadth of subject matter that is being demanded of CSR auditors by buyers of their services, there is a great deal of overlap in APSCA’s draft into environmental health, safety, transportation and other technical areas.

UPDATED ALERT: Piwowar Issues New Statement on Conflict Minerals Rule in Response to Closure of NAM v. SEC Lawsuit, Stein Pushes Back

SEC Acting Chairman Michael Piwowar and the SEC Division of Corporation Finance Staff both issued statements today (April 7, 2017) on the conflict minerals rule in light of the final Court action in NAM v. SEC.

The statements from both Staff and Acting Chairman Piwowar clarify that the Commission does not intend to recommend enforcement against any issuer that does not file a CMR or conduct due diligence of its smelters/refiners.  The statements do not amend the language of the rule itself to eliminate the CMR and due diligence requirement – they only clarify that no enforcement action will be taken if an issuer triggers the CMR/due diligence mandate, but files only the basic Form SD.

Reuters reported that the only other currently-sitting Commissioner, Kara Stein, took issue with Piwowar’s unilateral action:

The move sparked backlash from SEC Democratic Commissioner Kara Stein, who accused Piwowar of acting beyond his authority to gut the meat of a rule mandated by Congress, adopted by the SEC and reviewed by the courts.

“It is unprecedented for one commissioner, acting alone and without official notice and comment, to engage in de facto rulemaking,” she said.  “It represents a troubling attack not only on the Commission process, but also on the restraints of government power.”

We will continue to monitor new developments and keep you informed.  In the meantime, please do not hesitate to contact us with any questions.

You Are What Your Suppliers Do: Supplier Actions Make Headlines, Break Business

With companies facing increasing pressure for the actions of every part of their supply chain, demand for – and reliance on – supplier/corporate social responsibility (CSR) audits conducted by third parties has grown rapidly.

Shirts, Phones, Rocks and Shrimp

But there is concern about the quality, reliability and credibility of these audits.

CSR Auditing and Toilet Paper

Is Social Auditing Really Auditing?

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

You Don’t Know What Your Suppliers Are Hiding

Companies rely on their CSR audit firm to utilize qualified auditors, employ adequate QA/QC processes and expend adequate time to conduct a reasonable audit. Yet there are no generally-accepted professional CSR audit practitioner standards. Moreover, due to cost pressures, lowest cost audit providers are frequently selected that may not have appropriate auditing skills or training – the largest CSR audit firms conduct tens of thousands of these audits each year. Increasing audit time and costs to improve quality or credibility is typically not realistic – the business model is inherently high-volume, low margin.

Are these audits effective at finding supplier actions that create risks for you? Can a company gain confidence in their CSR audits without adding costs? Is a change in auditors necessary?

Improve Credibility for Disclosures, Media and Customers

Changing audit firms is not necessary, nor is another layer of auditing. Instead, a formalized auditor training program can be a low cost yet effective solution.

The Elm Consulting Group International is expanding our well-proven auditor training program to companies who use CSR/supply chain auditors. The intent of this program is for brands to provide detailed communication and training to their current CSR/supply chain auditors about the company’s requirements for auditor competence, audit quality and processes in order to enhance the credibility of audit information.

Our formalized training for existing CSR auditors builds their client’s confidence in the quality of the work provided. The program is not intended to provide training on specific audit topics such as child labor or worker rights. Instead, the focus is on proven audit techniques such as:

  • Understanding and applying professional skepticism
  • Interviewing and active listening
  • Identifying and responding to non-verbal cues within multi-cultural contexts
  • Evidence sampling methodologies
  • Using information from different sources
  • Verification and recomputation techniques
  • Judging audit evidence quality and limitations
  • Fraud detection
  • Using working papers and audit protocols
  • Writing effective and complete audit findings
  • Audit quality expectations, requirements and processes
  • Maintaining auditor independence, including auditor rotation

Our Qualifications as The Leader in Auditor Training

Our HSE auditor training experience began in the 1980s and we have successfully trained hundreds of external and internal auditors. Elm Principals hold auditor certifications from the US Board of Environmental, Health and Safety Auditor Certification (BEAC, now wholly merged into the Institute of Internal Auditors) and UK Institute of Environmental Management & Assessment, are approved trainers for the IIA EHS auditor certification program and are subject to annual continuing education requirements ourselves. Further, Elm Principals have served in various Board positions in The Auditing Roundtable (merged into the IIA in 2016) and BEAC, including the current BEAC Chair.  More information about our internal audit quality and auditor competence standards is available here.

Give us a call at 678-200-3424 or contact us via email to discuss how we can help you increase confidence in your CSR audits.

CSR Auditing and Toilet Paper

In the 1990s I worked for a large paper company and one of the products we made was a name brand toilet paper. As TP goes, this was nice stuff – 2 ply, thick and soft. We marveled that the product didn’t sell well in markets dominated by products that were thin, had holes and fell apart too easily. It baffled us that so many people didn’t care about what ends up on their hands.

Today there is a surprising demand for third party environmental/safety/social/supply chain audits that are equivalent to cheap TP – thin, single “ply” (i.e., one dimensional) and full of holes.  Yet even in the midst of so much reliance on audits, very few buyers of these audit services seem to be concerned. It’s not only us that sees this – a fascinating article published earlier this week called out Amazon, The Children’s Place, Gap, Hanes, J-Crew, JC Penney, Kohl’s, Macy’s, Nike, Pink, Polo, Target, Walmart and Zara for “ineffective … CSR monitoring, corporate codes of conduct and industry ‘social audits’ … in protecting the rights, health and safety of millions of workers in global supply chains.”  This, after a decade of CSR audits, is the author’s conclusion.

The article goes on to discuss related failures and inconsistencies in certifications and audit scopes. Our own experiences support this – all too frequently we have seen companies pursuing various certifications solely in order to have a certificate to frame and hang in their lobby. One unfortunately memorable experience came a week after a client had completed their ISO14001 recertification audit. The ISO auditor passed the site with flying colors and was highly complimentary of their program. However, our compliance audit found – with little effort – criminal environmental violations that resulted in the site environmental manager losing his job and one of the few instances where self-disclosure to EPA was warranted without question. This isn’t necessarily a problem with the standards themselves – the problem rests completely with the auditors responsible for assessing the sites.

This criticism shouldn’t be a surprise to anyone who is familiar with current CSR audits and auditors. Certainly there are excellent and conscientious practitioners in the field, but the pricing model of these audits tends to support minimalism all the way around. In a recent article on this topic, we stated our belief that the pricing of CSR audits is directly in response to severe operating cost pressures placed on the manufacturers by the brands. But that circles back to consumer buying preferences as we pointed out six years ago. If attributes other than price and product performance were truly key buying criteria, then the entire economic ecosystem (eco-ecosystem??) would be different.

We do not offer typical CSR/supplier audits because we flatly refuse to compromise our professionalism in order to be cost competitive in this market. Our respect for clients and concern for the risks they face exceeds our desire to compete for revenue from these services in the current market. But, as evidenced by what the article states is an $80B-a-year CSR industry, many people are okay with using cheap toilet paper and don’t seem to care what will end up on their hands.

A few key things you should do to help prevent continuing CSR audit failures:

  • Ensure the audit scope matches the auditor(s)’ backgrounds.  For example, after Rana Plaza, CSR auditors have been increasingly asked to provide information on structural engineering and local electrical code compliance.  These matters require specific technical knowledge beyond that of a typical CSR auditor.
  • Explore the auditor(s)’ professional qualifications. Do they hold a relevant third-party certification?  How much continuing education do they require on an annual basis?  What fraud detection training have they had?  What is the audit firm’s process for ensuring independence of the individual auditors, not just the firm as a whole?  Auditors should consider themselves professionals and hold themselves accountable to appropriate standards for qualifications.  If they don’t, that speaks volumes about their attitude toward their work.
  • Test the auditor(s)’ technical knowledge beyond their checklist.  Does the auditor understand the applicable requirements beyond what is written in the audit checklist or protocol?  There are few times when reality matches the criteria on paper.  You want a professional who is prepared to apply knowledge and expertise objectively and pragmatically, not just check boxes on paper or a screen.
  • Find out how much time the auditor(s) spend onsite, and on each audit activity.  Generally speaking, one day (or less) total on-site is too little for any credible audit scope.  The auditor should reasonably balance their time between document reviews, interviews and visual observations.  If you don’t feel there is adequate time spent or balance in the activities, make your auditor change their practices.
  • Observe – or get feedback on – the auditors’ bedside manner.  An auditor’s attitude and non-verbal cues have a significant impact on the amount and quality of information they are able to gather from the audited entity, and how that entity responds to the audit and corrective actions.  Interviews conducted by the auditor should be non-threatening.  Using active listening techniques without sounding condescending or like a robot is an art form not easily mastered.
  • Look at audit report findings and the cited evidence.  Are findings based solely on interviews?  While this can be acceptable in some settings/situations, information from interviews should be corroborated with another type of audit evidence such as documentation, recomputation or direct visual observations.  If findings are not based on objective and repeatable evidence, make your auditor change their practices.  Issues based on interviews alone should be brought forward in a mechanism outside the audit report as those don’t meet the requirement for a formal finding.
  • Determine how audit reports are peer reviewed – or are they peer reviewed at all?  Does the review require the auditors’ original notes so the reviewer can confirm that the audit evidence supports the findings?  All audit reports should go through a formal internal quality check.
  • Don’t get swayed by broad company or program certifications such as ISO.  While these certifications can be an indicator of internal process formalization, understanding the reality of auditor performance in your specific need is far more important.
  • When considering an auditor, call client references and discuss their experiences, both positive and negative.  Obviously, references are specifically selected to present a positive image.  Expressly ask the reference to offer comments about matters or situations that are not so positive.

What Does Trump and GOP Control Mean for Conflict Minerals, Sustainability?

UPDATE:  Acting SEC Chairman Piwowar issued a statement on January 31, 2017 opening the rule and the 2014 Guidance to public comment.

It has been an unusual campaign and election for the US presidency.  Donald Trump will take office in January and the Republicans will control both houses of the legislature.

So is the fate of the US conflict minerals disclosure mandate in jeopardy?  Perhaps, but in our opinion the Trump administration will not change anything before the May 31, 2017 filing deadline for the CY2016 disclosure.  We recommend that all companies subject to the conflict minerals filing  continue to move forward as planned.  Looking even further out, we expect that the administration will face other dragons to slay through 2018 as well.  This is expected to be a topic of many conversations at the CFSI workshop we are attending this week.

Trump has made clear his disapproval of the Dodd-Frank Act in toto, so there is a general expectation that change will come, yet he faces other higher priority matters such as healthcare and the Federal budget.  But with the Senate and House now controlled by the Republicans, there likely will not be much opposition to a repeal of, or amendments to, Dodd-Frank.

Emerging regulatory initiatives such as expanding SEC reporting to include sustainability matters are also likely to face far more opposition during the Trump administration.

We occasionally are asked what we would do if the conflict minerals mandate was eliminated.  We would see some business loss, but Elm Sustainability Partners and The Elm Consulting Group International do much more than conflict minerals advisory.

Elm Sustainability provides a range of sustainability, corporate responsibility and supplier auditing services.  We review existing social auditor results and qualifications and are known for calculating economic value of sustainability programs using methods that withstand tough management scrutiny.

The Elm Consulting Group International has been in business for 15 years providing clients with the highest quality environmental, health and safety auditing available and that business continues to grow.

Through our six years in the conflict minerals space, we have made many friends and new clients we hope to continue to serve, whether related to conflict minerals or otherwise.  If you are looking for sustainability, social auditing or EHS auditing support, please give us a call.

Cobalt is the New Conflict Mineral

Conflict minerals information requests from customers increasingly include cobalt.  While cobalt is not an official conflict mineral, and the basis for the recent public attention is not the funding of armed groups, it is nonetheless being included in conflict minerals CMRT requests.

But cobalt is not one of the CMRT metals, and the CFSI smelter/refiner lists and audits do not include cobalt.  What do you do?  You can build on your existing conflict minerals program, but you need new data collection/verification tools, business criteria and customer reporting methodologies.

These are fundamental issues that every company will have to resolve before meaningful responses to customers can be provided, and it will likely take time.

Apropos: Dia de los Muertos and the Billable Hour

Today is Halloween in the US and Dia de los Muertos in Mexico.  It is a time based on the idea of reflecting on death.  Now we aren’t being morbid here – instead we grinned at the amusing irony of the timing of this article on LinkedIn which is an obituary to the billable hour.

We absolutely agree with the downsides of billable hours.  All of us at Elm, in prior points in our careers, have had ourselves and clients held hostage by the almighty billable hour.  Over the past several years, we decreased our use of hourly rates and billings – instead working on a daily rate or, increasingly, on a fixed fee basis.

Given all that is right with eliminating hourly billing, a reasonable person might ask why hourly billing remains ubiquitous for consulting/auditing firms.  Yet another irony for those of us who help client organizations in changing their internal culture – because it’s the way it’s been done in the past.

Hmmmmm.

We’ll Be Seeing You

We’ve been quiet over the past several weeks because we’ve been busy.  A number of companies took us up on our recommendation to get a program review and we are continuing to conduct those through the end of the year.  But we will be back out and about soon and available to meet and chat.

Although our parent The Elm Consulting Group International has long been recognized as a leading environmental, health and safety auditing firm and  Elm Sustainability Partners is most well known for our conflict minerals services, we also provide other sustainability/supply chain risk assessment services.  We recently summarized our general experiences with sustainability in comments to the US Securities & Exchange Commission’s Concept Release as they explore the need for including sustainability disclosures within standard financial reporting.

Where we’ll be

We are always happy to talk at meetings, conferences or phone calls.  Please don’t hesitate to reach out.