As an independent corporate monitor, I am, among other things, obligated to assess the effectiveness of the corporate compliance programs of the organizations I monitor. Interviews of company personnel have proven to be one of the most reliable and effective tools in making this assessment. While many of the people interviewed are chosen randomly from the company’s employee roster, others are specifically selected due to their position, role or risk profile.
Under the United States Sentencing Guidelines, organizations are expected to take reasonable steps to (1) “ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct” and; (2) “evaluate periodically the effectiveness of the organization’s compliance and ethics program”. Interviews similar to the ones I conduct as a monitor, if incorporated into a company’s annual compliance work-plan, can help companies meet these expectations, among others.
The lines of questioning in such interviews should be comprehensive and cover all of the areas relevant to the functioning of the corporate compliance program. In the interview template that I use as a monitor, I have an exhaustive list of potential questions covering my areas of inquiry. The questions that are actually asked are determined largely as each interview proceeds. Though those questions will vary, there are some “universal” questions that I have found to be particularly helpful. Following are six of those questions:
1. What are the compliance- and/or ethics-related challenges you face most frequently in your current role?
This question provides information on several important aspects of a compliance program. First, it may highlight risks that the compliance officer was unaware of or didn’t fully appreciate (risk assessment). Second, it assesses how well employees are able to apply corporate policies in the context of their role (policy comprehension/retention and training effectiveness). Third, it reiterates and reinforces the employee’s understanding of risks and policies specific to them (training). Interviewees frequently struggle with this question initially and the interviewer may need to provide an obvious example of such a challenge to help the interviewee get started (i.e. gift policy, etc).
2. How can the company’s compliance policies be improved and/or better applied, communicated and enforced?
Compliance policies should be accessible to all employees, well communicated, and easy to understand and apply. Responses to this question can provide valuable end-user feedback in this regard. The additional area of “enforcement” may provide some insight into an organization’s ethical tone and employee perceptions about fairness and equality. A quality compliance program will assure that all violators are treated fairly, but equally. If employees perceive that management or others are “above the law,” the compliance program loses credibility.
3. How can employees report concerns, issues, or potential violations of laws, regulations and/or the code of conduct and/or compliance policies?
§8B2.1(5) (C) of the USSGs requires that an organization have and publicize a system whereby employees can anonymously or confidentially report or seek guidance about potential or actual criminal conduct without fear of retaliation. Responses to this question can help a compliance officer assess the effectiveness of their hotline or other reporting system publication efforts. It may also help the compliance officer assess employees’ knowledge of the organization’s policy regarding employee complaints (i.e. first report to supervisor, etc.) and any training that was conducted regarding such a policy. This question can also be used to explore employees’ perceptions about the credibility of the organization’s non-retaliation policy.
4. Are you aware of anyone who has not complied with or is not complying with the company’s code of conduct and/or compliance policies?
This question is directly associated with the compliance officer’s “monitoring” efforts to detect potential criminal conduct as per §8B2.1(5) (A) of the USSGs. It can also test compliance by managers and supervisors with internal policies requiring that any complaints from employees concerning compliance or ethics violations be reported to the compliance officer.
5. What should happen to someone who violates the company’s code of conduct and/or compliance policies?
This is a modified “behavioral analysis” question. The purpose of the question is to assess the ethical tone of both the individual and the organization. Generally speaking, the appropriate response should be that those who violate the company’s code of conduct or compliance policies should be fired and, if their actions broke the law, criminally prosecuted. While employees may vary in the severity of the punishments they believe appropriate, a pattern of responses that overly minimizes punishments may be indicative of an ethical tone that is not consistent with the company’s expectations or desires.
6. If you were to be promoted or leave the organization and someone took over your role who lacked the same level of integrity that you do, how could that person violate a policy or break the law and not be detected?
This is one of my “black hat” interview questions. Nobody understands the intricacies of a person’s role better than the person who performs that role – particularly if they have performed that role day after day for some length of time. This question challenges the employee to think about compliance policies and internal controls from the perspective of someone seeking to violate or circumvent them.
To elicit effective responses often requires the interviewer to enable the interviewee to disassociate himself/herself from their role. Responses to this question may help the compliance officer understand and assess the effectiveness of internal controls in preventing and detecting compliance violations.
 United States Sentencing Guidelines §8B2.1(5) (A and B)
Sign up for our free weekly e-newsletter for more GRC articles, job postings, GRC events, white papers & more…..click here
John “The Fraud Guy” Hanson is the founder and executive director of Artifice Forensic Financial Services LLC. He has over 20 years of fraud investigations, forensic accounting, and corporate compliance/ethics and audit experience. John has applied his extensive experience in these areas across a wide array of areas and industries, frequently assisting counsel, government agencies and companies with internal corporate investigations and other sensitive matters arising from alleged fraud or misconduct. In addition to being an expert on fraud, John is a recognized thought leader and expert in the field of independent corporate monitoring, a relatively new and highly specialized practice area involving the imposition of an independent third-party by a government agency or department upon an organization to verify that organization’s compliance with the terms of a settlement agreement between the organization and the government. John has previously served in a leadership role in a federal monitorship and is currently involved in three significant federal monitorships, two as the named monitor. John’s practical experience as a corporate monitor and extensive knowledge in this area was recognized by the American Bar Association, which appointed him to the Criminal Justice Section’s Ad-Hoc Task Force on Corporate Monitors, responsible for creating “best practices” and formal standards for corporate monitors. John is the only nonlawyer member of the task force and a frequently sought speaker on the topic. He has provided practical advice, ideas and strategies to lawyers, government officials and corporate executives involved in such matters as well as newly appointed corporate monitors. John’s diverse corporate compliance & ethics, fraud investigations, audit, accounting, finance, legal, regulatory, business operations and management, internal controls, professional training, international, fraud risk & vulnerability, interviewing, and quality control experience combined with his actual experience as a corporate monitor and passionate commitment to best practices in monitorships uniquely qualifies him as a premier advisor and provider of monitorship services. Prior to Artifice, John spent nearly six years as a leader in the fraud investigations and forensic accounting practice of a large publicly traded international financial consulting firm, where he focused on helping organizations prevent, detect, respond to and resolve issues associated with fraud or questions of corporate integrity. John was also a special agent with the Federal Bureau of Investigation (FBI), where for nearly ten years he specialized in white collar crime and investigated a wide variety of complex fraud schemes and financial crimes. For his last two years as an FBI Agent, John served as an instructor in the Investigative Training Unit at the FBI Academy, where he developed and facilitated fraud and investigative training curriculum for new agent trainees and conducted advanced fraud related in-service trainings for experienced FBI agents. Prior to the FBI, John was the director of internal audit and quality control for a large privately held mortgage origination and servicing company, where he designed and implemented the internal audit program from the ground up. In the course of his internal audit work, his techniques and instinct for fraud identified numerous instances involving borrowers attempting or involved in fraud schemes, which he helped resolve, at times using creative techniques not customary in the early 1990s to do so. John is a licensed Certified Public Accountant (Louisiana), a Certified Fraud Examiner and a Certified Compliance & Ethics Professional. Keep up with John on the web:Inside the Mind of a Corporate Monitor, for CCI.