Tag Archives: internal controls

Hui Chen: Applying DOJ’s Compliance Questions to Supplier/Social Responsibility Auditing

By: Hui Chen, former Compliance Counsel Expert, Fraud Section, Department of Justice

Ed. Note:  Hui Chen gained national attention when she made a “noisy withdrawal” from the Department of Justice this past June.  Afterwards, she graciously agreed to write the following for us.  We applaud her deep commitment to integrity and greatly appreciate her making time to pen this article.

In February 2017, the Fraud Section of the Criminal Division of the Department of Justice (“DOJ”) released a document entitled “Evaluation of Corporate Compliance Programs” (“Evaluation Questions”) which makes public the types of questions the Fraud Section asks in its evaluation of corporate compliance programs in the context of its criminal investigations. The Evaluation Questions immediately gained the attention and interest of anti-fraud compliance professionals as well as global regulators and law enforcement interested in corporate accountability. The Fraud Section, which prosecutes cases involving foreign corruption, financial, securities and healthcare fraud, has brought corporate prosecutions with historic fines and penalties and exerts enormous influence in those areas of compliance. What is often missed in the narrative, however, is the Fraud Section’s leading role in two of the largest environmental criminal prosecutions in history: the Deepwater Horizon and the VW emission scandal. As the Fraud Section’s Compliance Counsel Expert, I had the privilege of being involved in these cases, and they were very much on my mind as I drafted the Evaluation Questions.

Although the Evaluation Questions are set in the context of criminal investigations, one of the intents of the document is to also provide a framework for companies and compliance professionals to design, implement, and test their compliance programs for effectiveness. That framework is every bit as applicable to EHS and sustainability programs as it is for anti-fraud compliance programs.

At their core, the Evaluation Questions center around the following tenets of effectiveness: credibility, measurements, accountability, and continuous improvement. Let’s briefly explore these principles and see how they apply in the context of supplier/social responsibility auditing.


The Evaluation Questions probe the credibility of companies’ boards, senior leadership, and compliance and control functions. It specifically names “audit” as one of the “relevant control functions”. It asks whether “compliance and control personnel ha[ve] the appropriate experience and qualifications for their roles and responsibilities.” How companies define that appropriateness tells a lot about the company. For example, companies that define appropriate experience largely in terms of certifications tend to be less sophisticated: they rely on commercial certification bodies to exercise the judgment and evaluation on their behalf. These types of personnel often do not perform impressively when specific questions involving real experience and expertise are posed to them: i.e. “Explain your sample selection methodology”, “How would you handle specific situations”, “What specific red flags do you look for when you are auditing for X”, etc. In this regard, I find Elm’s Auditor QuickQuiz an intriguing and useful concept and tool. My instinct tells me that this quiz may reveal more about auditors’ competency and judgment than most certifications do.

It is important to note that the notion of credibility, as explored by the Evaluation Questions, goes far beyond experience and qualifications. Corporate and professional credibility comes also in the form of visible commitment, demonstrated conduct, soundness of processes, levels of autonomy, strength of empowerment, and responses to risks, all of which are explored throughout the Evaluation Questions.

Applied to supplier/social responsibility auditing, these questions mean companies need to seriously consider factors beyond subject matter expertise and the cost of the auditors. Companies need to define auditor competency in terms of independence, judgment, field experience, statistical and analytical sophistication, and interpersonal and intercultural skills. Companies should also examine their auditors’ approach closely, asking specific questions about approach, methodology, and plans to identify and prepare for the types of issues that are likely to arise during the audit process.


The Evaluation Questions are rooted in various prior guidance issued by the DOJ and other regulatory agencies and international organizations. The document, however, does bring a very significant new element: the demand for evidence of effectiveness in the form of measurements and data. Evidence of results is, after all, a foundation of credibility. Not only do the Evaluation Questions ask about “information or metrics” the company collects and uses to help detect misconduct, but also “how has the company measured the effectiveness” of activities such as training and policy implementation. There are many “how” questions such as “How has the company assessed whether…policies and procedures have been effectively implemented?” or “How has the company evaluated the usefulness of …policies and procedures.” Companies that are able to answer these “how” questions with measurable metrics and data are regarded with far more credibility than those who answer with unsubstantiated adjectives.

Measurement and data are concepts that are expected to be second nature for auditors. What is important for companies is to make sure they work with their supplier/social responsibility auditors to define what to measure and how. Whether you are auditing for manufacturing quality, environmental compliance, or safety, it is important that you sit down with your auditors to define what satisfaction looks like, and identify ways to measure it.


Compliance programs cannot succeed without accountability. This is why the Evaluation Questions are focused on the accountability of both individual players and the company’s systems and processes. Accountability is about clearly defined roles and responsibilities, and visible consequences for words and actions. In line with this emphasis, the Evaluation Questions elevate the inquiry from the traditional “tone from the top” to “conduct at the top” and ask about “concrete” and “specific” actions. There are questions about whether supervisors are held accountable for failures in oversight and how the companies train relationship managers on their responsibilities in managing third party risks. More importantly, there are questions about the accountability of the company: what happens when “compliance raise[s] concerns or objections”? “Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures…” In other words, when issues and risks are identified, how has the company been accountable in addressing and remediating them?

As both an in-house compliance officer and as the DOJ Compliance Counsel Expert, I have seen numerous instances where companies have failed to address audit-identified issues adequately. In the eyes of prosecutors, regulators, and other stakeholders such as investors, this failure speaks volumes about the company’s commitment to accountability and raises serious questions about the company’s operational competency. It reminds me of the TV commercial where the bank security guard tells customers, in the midst of a robbery, that his job is only to notify people when there is a robbery, not to do anything about it. That is why the Evaluation Questions include questions on how audit findings and remediation progress are reported to the management and the board, and how the management and board follow up on such reports. Finding the problem is not the goal: fixing it is.

Continuous Improvement

Even the best compliance program would become an obsolete compliance program should it not continuously update itself. Everything from business and operational realities to company culture to regulatory and legal requirements changes constantly, and only a persistently self-critical program regularly seeking improvements can remain at the top of its game. The Evaluation Questions recognize the necessity for continuous improvement, not only in their questions in Section 9 on audit, testing, and updates, but also in their focus on root cause analysis and risk assessments. Every instance of breach, whether it resulted in actual harm or not, is an opportunity for learning and improvement.

This same principle applies in the supplier/social responsibility auditing process. It is important for companies to ask how their auditors are keeping up with ongoing trends, regulations, audit practices/standards and realities, and to ask themselves how they are learning from the audit findings, not just in short-term remediation but in long-term improvements in how they manage suppliers.


Hui Chen may be contacted at www.HuiChenEthics.com

Harvard Professor Identifies Factors for Meaningful CSR and Supply Chain Audits

Well known Harvard Business School Professor Michael W. Toffel recently published the results of three studies into CSR/social auditing, including what makes an audit valuable and how to help plants actually learn from the audit results.  Prof. Toffel narrates the key insights in this 4-minute video.

Our main takeaways were:

  1. Toffel states that “We assume that most clients want the auditors to tell them the unvarnished truth.  Obtaining accurate information from these auditors is critical to enable brands to manage this risk.”  We are not sure this is universally so, and that impacts how plants respond to audit findings.
  2. They found a relationship between three aspects of audit team makeup and the number of audit findings reported:
    • Returning auditors tend to have fewer findings than an auditor who has not audited the site previously.
    • More years of auditing experience and training means a higher number of findings than auditors with less experience/training.
    • Female audit team members tend to identify more findings than male auditor team members.
  3. The biggest improvements came when a highly-trained team performed an announced audit.
  4. Audits are a critical method for knowledge transfer “and for knowledge to be transferred effectively, you have to have a knowledgeable auditor, but you also have to have a receptive factory manager.”  The receptiveness of a plant manager is linked to Point #1 above.
  5. Factories in countries with greater press freedom were substantially likelier to improve.
  6. Audit teams seem to have fewer findings where the factory pays rather than the brand. While Toffel suggests this may be a result of conflict of interest, we believe there is another side that is more prevalent.  Factories are subject to enormous cost pressures and tend to select the lowest cost providers, which translates to less experienced/trained auditors not fully prepared to identify complex situations and findings.

The direct linkage between qualified auditors and the quality of audit results is a drum we have been beating for years, but in the current environment of increased supply chain transparency – and liability – companies should rethink the value, make-up and execution of supplier audits.  Call us to discuss our views on this further.

We’ll Be Seeing You

We’ve been quiet over the past several weeks because we’ve been busy.  A number of companies took us up on our recommendation to get a program review and we are continuing to conduct those through the end of the year.  But we will be back out and about soon and available to meet and chat.

Although our parent The Elm Consulting Group International has long been recognized as a leading environmental, health and safety auditing firm and  Elm Sustainability Partners is most well known for our conflict minerals services, we also provide other sustainability/supply chain risk assessment services.  We recently summarized our general experiences with sustainability in comments to the US Securities & Exchange Commission’s Concept Release as they explore the need for including sustainability disclosures within standard financial reporting.

Where we’ll be

We are always happy to talk at meetings, conferences or phone calls.  Please don’t hesitate to reach out.

Is Social Auditing Really Auditing?

We are a rather vocal proponent of auditor qualifications and set a high bar for ourselves and others who call themselves auditors. Non-CPA auditors are “regulated” differently than CPAs and in some cases, less stringently. Auditor certifications are available for non-CPAs specific to areas of practice. These certifications vary greatly in terms of validity, rigor and length of time they have been established. In our case health, safety and environmental (HSE) auditor certification is applicable.

In the US, the Board of Environmental Auditor Certification (BEAC) was established in 1997 as a joint venture between the Institute of Internal Auditors (IIA) and The Auditing Roundtable. Earlier this year, BEAC and The Auditing Roundtable were wholly merged into IIA. Elm Principals obtained BEAC certification the year it was established and have maintained the annual continuing educational requirements to hold the certification continuously since then. Three of our Principals have for the past 10 years held – or currently hold – leadership positions on the Boards of The Auditing Roundtable and BEAC.  In the UK, the Institute of Environmental Management & Assessment (IEMA) offers auditor and practitioner certifications. One Elm Principal holds an IEMA certification as well.

The Independent Private Sector Audit (IPSA) requirements finalized under Dodd Frank Section 1502 for conflict minerals reports added more professional qualifications for IPSA practitioners. Elm responded by adding a stand alone page on our website describing our audit quality practices.  We haven’t seen other firms provide the same level of clarity, specificity and visibility on this matter.  From our beginning, we sought to ensure our qualifications, expertise and professionalism were unparalleled.

During the past 10 years, a new type of audit emerged – the social or corporate responsibility audit. Most of these audits are commissioned by large companies to be conducted of their suppliers to ensure that they are conforming to social responsibility standards. We have found that, over the years, the perceived value of these audits has declined dramatically and price is far and away the primary auditor selection criterion. Of course, with reduced pricing comes reduced scoping and level of effort.

And here is the mic drop.

It isn’t unusual to see social auditor qualifications indicating something like 2,000 audits conducted over 10 years. At first, that sounds very impressive. But do some math – on average, that is 200 audits/year or 16.7/month. Assuming a full time US standard work year (2,080 hours) and 75% utilization, that comes to a little over 7.5 hours/audit average.

In comparison, Elm Principals average close to 30 years of experience each, and have conducted between 500 – 600 audits each. In comparison to the 2,000 social audits, we seem to be slackers. But again, doing math on conservative numbers (25 years and 500 audits), we average 20 audits/year or 1.7/month. Again, assuming a full time US standard work year and 75% utilization, that comes to 78 hours/audit average.

These are just averages and different matters factor into real numbers for both social audits as well as ours (our average is more like 55 – 60 hours/audit). But clearly there is an order of magnitude difference between our HSE audits and social audits.

Are we inefficient or milking billable hours?  We hardly think so.  First off, our business model is different – we don’t run on billable hours, which relieves the pressure most firms have for project volume.  Our audits are far deeper and more complex than a typical supplier social audit – almost always requiring two to five auditors and a week on-site. We spend significant time delving into documentation, spreadsheets, permits and regulations at the federal, state/provincial and local levels. Our data sampling rate is generally far higher than the minimum statistically meaningful level. We carefully evaluate and confirm operating and production levels, including technical operating parameters for pollution control equipment. Most of our audits also include assessing performance of on-site contractors.  We even show up on site at 3 a.m. to observe third shift operations. And we cover the full breadth of environmental, health, safety and – when the client requests – sustainability indicators.

This is not to say that all social auditors are poor auditors or unqualified. We have observed some in the field and have been impressed.  There are also instances where limited audits/site visits are reasonable in the social auditing context.  But with social auditors expanding into other areas of supply chain and operations, the social audit approach and qualifications are not universally appropriate even though the price they offer may be attractive.  You may want to think carefully about your needs and expectations, as well as the numbers on CVs and ask yourself if the auditor is actually impressive or overworked and under-scoped.

Shirts, Phones, Rocks and Shrimp

You are most likely asking yourself what the nonsensical title means. It probably won’t seem nonsensical after you read this article.

New and emerging legal requirements, customer/consumer demands and media attention are pushing product compliance and procurement staff in unprecedented directions. Supplier responsibility is now a critical component of their functions and is no longer limited to just certain products or industries.

Arguably, the emphasis on supplier responsibility has its roots in the garment manufacturing sector and specifically, the offshore subcontractors in areas such as Bangladesh and Viet Nam. Working conditions and human rights violations were brought to light and brands initiated supplier screening and audit programs. There we have Shirts.

The electronics industry was next but things went further as a new US law (Dodd-Frank Section 1502) required publicly traded companies to disclose origins of the ore used to produce tin, tantalum, tungsten and gold in their products. The sale of some of these ores sourced from certain African countries was thought to fund violence and human rights abuses by informal militias. Now automakers are being pilloried for the mica in their paint.  Phones and Rocks now join Shirts.

New laws in the US and UK require companies to continue their supply chain assessment and screening to include whether suppliers are supporting (or actively engaged in) human trafficking and slavery. A high profile lawsuit against a major US retailer alleged that the retailer’s sub-sub-contractor used slave labor as part of the supply chain for commercial shrimp production. Although the suit was dismissed, the issue in the public eye remains. So there you have it – connective tissue between Shirts, Phones, Rocks and Shrimp.

If your company hasn’t begun evaluating your supply chain beyond your direct supplier, there is a risk that your product could be the next addition to our article’s title. We are happy to discuss this with you, so feel free to call.

Hints of Value Emerging from Conflict Minerals Disclosure Efforts

Dodd-Frank Section 1502 and the associated SEC conflict minerals disclosure mandates have been highly criticized since their beginnings.  Many arguments against these arose – among them: the approach required by the law was the wrong tool for solving the problem; there was no practical way to determine the ultimate effectiveness of the expense and activities companies had to incur; the benefit of the requirements cannot be determined or quantified; and SEC is not the correct venue for social agenda matters.

Even so, regulated companies began working on their compliance efforts after the SEC adopted the rules in August 2012, with many more jumping on the bandwagon through 2013.

In the 15 months of work since the SEC rules, a glimmer of business value is emerging from the efforts.  What we are seeing (and hearing from others) are some positive developments, such as:

  • Greater understanding of suppliers. This is the first integrated effort some companies have undertaken to identify suppliers across their organization.  At the least, companies are frequently surprised at the number of suppliers they have, or how outdated their supplier data is.  Some have used this as a reason to implement broad supply chain optimization projects, consolidating suppliers and spend to obtain cost savings.  Of course, not all supplier lists are carefully reviewed.  We recently received a request to fill out an EICC template from the IT solution implemented by a client for whom we conducted the original conflict minerals program gap assessment.
  • More insight into products themselves.  Not every company understands the breadth of products offered.  Companies reducing corporate overhead at times leave decisionmaking to business units, which can result in new products or product changes made without knowledge of corporate functions or leadership.  Conflict minerals projects are bringing these forward and highlighting the need for increased communications internally about new products and changes to existing products.
  • Improved documentation and knowledge of design specifications for contract manufacturers.  Not all companies have rigorous documentation about product requirements for their contract manufacturers to use.  We have found a surprising amount of informal – and even undocumented – communications with contract manufacturers.  Conflict minerals compliance activities have increased company knowledge about the amount of influence on design, specifications or product performance for contract manufacturers.
  • Improved supplier prequalifications.  Discussions about adding a conflict minerals check to new supplier qualification reviews have brought forth gaps and missing controls in existing processes.  In these cases, companies have improved their overall processes and controls for on-boarding new suppliers.
  • Strengthened importance and visibility of corporate social responsibility (CSR) activities.  The linkage of the conflict minerals legal compliance mandate to CSR activities, departments and reporting has increased their visibility within their organizations.  This comes at a time when increasing pressure is being felt on other CSR issues that have caught the public’s attention in recent months.
  • Preparing for the future.  There is a general sense that supply chain transparency mandates will increase – either from new legal requirements – such as in the EU – or from other stakeholders.  Conflict minerals compliance activities can create an overall structure to be leveraged for future sourcing transparency initiatives.

Some of these were predicted as anticipated benefits early on.  While the value of these benefits may not be easily quantifiable, we do think they offer at least some silver lining to the compliance burden.

Do HSE Management Systems Audits Support Regulatory Compliance? Not So Much…

A recent survey in the UK continues to demonstrate the gap between technical regulatory compliance and HSE management systems conformance.

An article published in the June 2013 issue of the environmentalist (the journal of the Institute of Environmental Management & Assessment, or iema) provided a short overview of research results that compared accredited certification bodies’ processes and “whether third-party audits of an environmental management system (EMS) could provide sufficient assurance of a firm’s legal compliance”.

The findings:

the competence of [EMS] auditors is generally limited to assessing the presence of procedures.

Clearly, assessing the mere presence of procedures is not the same as evaluating the content, adequacy, appropriateness or effectiveness of those procedures. Not even close.

There was a notable divergence in opinions on the perceptions of how well EMS audits address regulatory compliance. Not surprisingly, 92% of the certification bodies were convinced their audits reflect regulator conclusions very well or quite well. Yet the regulators themselves hold a far different view with only 17% saying EMS audits address regulatory compliance very well or quite well.

We would call that a gap.

The article is also available online for iema members and subscribers.


Elm and MetalMiner Announce CMCheckPoint(sm) Available for Purchase

Elm Sustainability Partners LLC (a newly created subsidiary of The Elm Consulting Group International LLC) and MetalMiner jointly announce the public availability of Elm’s CMCheckPointSM.

Completely unique in the marketplace, CMCheckPointSM is a detailed conflict minerals program assessment tool for downstream companies. It can be implemented by internal staff to review compliance and implementation decisions and strategies, track completion of program development and even score severity of identified gaps. Proprietary graphics and flowcharts are included, as well as information from the May 30, 2013 Q&A from SEC and detailed table of contents of the Federal Register version of the rules.

CMCheckPointSM is not an IT system for supplier engagement/response tracking/data exchange, but a spreadsheet for creating/evaluating overarching management programs and regulatory compliance decisions applicable to downstream companies. It covers the SEC regulatory elements, the OECD 5 step framework and related supplements.

“This tool has developed through various forms for longer than most consulting firms have been in the conflict minerals advisory space,” said Lawrence Heim, Director of Elm Consulting Group International LLC/Elm Sustainability Partners LLC.

Heim continued: “CMCheckPointSM reflects actual project implementation experience (including Fortune 200 companies) and scores of detailed discussions/reviews with many of the world’s most recognized corporate leaders in conflict minerals program development. It is also the result of hundreds of research hours, sifting through the regulation and preamble; guidance documents from industry associations, law firms, accounting firms, international organizations; comment letters to SEC’s proposed regulation; GAO documents; certain legal filings; and publicly available information from credible sources like the OECD Pilot Program Reports.”

“Nobody understands conflict minerals regulations as deeply as Elm Sustainability Partners,” said Lisa Reisman, managing editor of MetalMiner. “We are thrilled to be able to offer an alternative to higher cost consulting services from a leading subject matter expert that will greatly expedite any company’s conflict minerals compliance program.”

Screenshots of excerpts from CMCheckPointSM (images not reproduced here): main summary, scoring and navigation page excerpt; automated categorical scoring raw data charts; detailed final regulation table of contents; sample topic guidance and assessment page; exclusive color-coded regulatory flow chart.

The tool can be downloaded through MetalMiner’s website either on a standalone basis or with consulting/training support packages.

You might be falling behind on conflict minerals if…

One of the more common questions we hear from companies on the topic of conflict minerals is “Are we behind the curve?”

Every company faces its own challenges in understanding the requirements, assessing its needs and implementing programmatic changes.  But there are a number of common guideposts that provide reasonable indications on general progress – and shed light on whether your company is falling behind.

So, in an unabashed take-off of Jeff Foxworthy’s “You Might be a Redneck If…”, we offer the following.  If any of these sound familiar, then it is probably time to pick up the pace.  Second quarter is fast approaching and one consistent trend has emerged for companies who are immersed in this right now – this process takes more time, and is more complex, than it seems.  It is valuable to ensure you have as much time as possible in 2013 to make key decisions, gather data and develop processes to support SEC reporting or customer information requests.

You might be falling behind on conflict minerals if…

You had not heard the term “conflict minerals” before the first of this year.

Customer information requests on conflict minerals are piling up unanswered.

Your company has not established an internal conflict minerals team, or assigned formal leadership responsibility to look into the matter.

Consultant proposals for conflict minerals support that have not been reviewed or approved are sitting on your desk.

You don’t have at least a general sense about the range of your company’s products that contain conflict minerals.

You are not certain if existing information management systems can link specific suppliers through your manufacturing processes to a final product.

You think that you don’t need anything more than a spreadsheet or IT system to solve this problem.

You haven’t read the SEC regulation, the OECD Due Diligence Framework and at least one White Paper or Client Alert from a law firm or consultant.

You have not identified or assessed what gaps may exist between the SEC regulation, OECD Framework, customer requirements and your existing internal management systems.

You have not attended at least one conference or webinar on the topic (free webinars are offered practically weekly).

You have not notified your suppliers that you will soon be contacting them for more information about the products they supply you.

You don’t know how you will contact suppliers to gather relevant conflict minerals information.

You don’t know what your industry associations are doing relative to conflict minerals.

The company’s strategy is hoping the issue goes away.


We are available to help with any questions.

Elm Continues to Respond to Changing Needs on Conflict Minerals Assessments, Consulting

Elm announces CM CheckPointSM, a new rapid and highly cost-effective conflict minerals program assessment method/deliverable to be available late January 2013.  CM CheckPointSM is intended for companies who have already begun program development or implementation and are looking for high-level “navigation checks” – rather than deep dives –  from a third party to confirm strategic direction, alignment with SEC regulations and/or project status.

Features of CM CheckPointSM include:

  • Assesses from a high-level perspective practices/status/available documentation against the three-step process for SEC regulatory compliance (plus reporting/auditing) and the 5-step process of OECD Due Diligence framework and related supplements
  • Reviews from a high-level perspective the framework, strategy, procedures, and generalized level of implementation at the company’s corporate level
  • Topic/element/task general completion status indicators of Complete, Partially Complete, Not Started, Not Applicable
  • Severity rankings for  identified gaps/deficiencies reflecting potential importance to program implementation or potential audit outcome
  • Can be used to confirm site-level program implementation/consistency with corporate expectations
  • Automated summary report generation on-site with intuitive visual indicators
  • Comment fields for each topic and sub-element allow highlighting of relevant data, findings or limitations encountered
  • Minimal disruption – requires a single Elm assessor and only a few days on site, including on-site summary reporting

Evolutionary steps in developing CM CheckPointSM relied on internal client staff and resources to conduct the process as an internal self-assessment.  Over time, the feedback we received was that companies supported a form of quick assessment, but expressed a strong preference for having an external subject matter expert at the helm to offer specific expertise, guidance and understanding especially in relation to what we call “emerging industry consensus”.  With CM CheckPointSM,  this review is facilitated by us, guiding users through the SEC conflict minerals regulations and related programs, maximizing the efficiency of the review and providing broad benchmarking insight from our experiences.

CM CheckPointSM was not designed for companies seeking strategic advisory or consulting support for initial conflict minerals program scoping and design.  In that case, a detailed assessment utilizing a multi-disciplinary team of subject matter experts is best to establish a solid foundation (and related documentation) for decisions, systems and procedures reflecting corporate strategies/goals, systems, special circumstances combined with verification of site operations.

Contact us for more information.