The Importance of Compliance Audits in Today’s Intensive Enforcement Environment and Whistleblower Culture

What You Don’t Know Can Hurt You:

The Importance of Compliance Audits in Today’s Intensive
Enforcement Environment and Whistleblower Culture

Editor’s note: This article was originally published on Corporate Compliance Insights on Oct. 20, 2010.

Companies doing business with the government or operating in regulated industries face the most challenging regulatory and enforcement environment in years.  Among those challenges are greater scrutiny by government regulators (whose ranks are growing by the hour), less tolerance by those same regulators and enforcement authorities for non-compliance of even seemingly “minor” proportions, and dramatically increased reporting and disclosure obligations.

compliance-auditThese realities combine to create another:  the days of a “See No Evil, Hear No Evil, Speak No Evil” approach to compliance are over.  In other words — and as any compliance officer worth his or her salt knows — what you don’t know can hurt you.  And just because you as an executive, manager, or compliance officer don’t know about non-compliance going on in your company – or, worse, you’ve chosen to ignore it – does not mean that your employees don’t know about it and that one or more of them won’t blow the whistle to authorities.

In short, if you are a regulated company, it is your obligation to have a compliance program and internal controls that will ensure violations of law, regulation or public contract do not go undetected.  While several other obligations follow from that primary obligation – for example, swift and thorough internal investigation of the potential wrongdoing; remedial action calibrated to fix and prevent the wrongdoing, if it is found to have occurred; and determining disclosure obligations to regulatory agencies and/or law enforcement – this article will focus on the critical first step, making sure that your compliance program is detecting the practices that create compliance risks.

Periodically conducting independent, confidential compliance audits is the best way to assess these compliance risks as well as to test the efficacy of your internal compliance program in doing what, at its core, it is supposed to do: deter and detect actual or potential violations or law.

What is an independent compliance audit?

An independent compliance audit assesses actual or potential violations of law, regulation, or public contract occurring within an organization, and, where vulnerabilities are identified, recommends solutions to remedy or minimize them.  It is not a conventional financial audit, but rather a legal audit that looks at the industry in which the organization operates and focuses on those areas of the law that create vulnerabilities for companies within that industry, as well as any areas of special legal risk unique to the company.  For example, a construction contractor bidding on public work operates in a regulatory and enforcement environment covering a wide array of legal subject areas, including antitrust, gifts and gratuities practices with public officials, fraud prevention in the provision of materials and services, and worker protection matters.  That company may also have special risks requiring careful monitoring, such as past environmental citations, or a track record of product specification non-compliance on public projects.

An effective compliance audit, normally involving analyses of sampled records and interviews of representative employees, will take stock of the company’s vulnerabilities both in regard to these “common pitfalls” in the particular industry, as well as potential legal risks specific to the company’s history and circumstances.

The audit should be independent, meaning it should not be led by the company’s own compliance department.  While an effective compliance department is constantly monitoring company practices and improving internal controls, a periodic independent audit evaluates both company practices and the effectiveness of the compliance department itself.[1]/  These audits – which in most cases need only occur every several years — are also intended to assist the compliance department in identifying areas where its monitoring and training efforts need more focused attention.

The compliance audit should be conducted under the direction of counsel.  Only through the creation of an attorney-client relationship may the findings and recommendations within the compliance audit be kept confidential.  Any consultants utilized in the process should be reporting their work to counsel as well, to keep that work under the attorney-client privilege umbrella.

While it is true that some jurisdictions make it more difficult to shield purely factual findings from disclosure, properly written reports that make clear that the contents are intended to assist counsel in providing legal advice will be afforded the highest measure of protection.  It is also true that many government contractors or other regulated companies may be required to disclose to the government any findings showing credible evidence of certain types of wrongdoing – or may opt to do so even without a mandatory reporting obligation.  But counsel can advise the company on exactly what the disclosure obligations are, their implications, and how to truthfully characterize the audit’s findings in the final report to minimize legal risk in the disclosure.

Aren’t compliance audits expensive and disruptive?

Budget-conscious executives might naturally be skeptical about the value of hiring a team of lawyers and consultants to find problems where perhaps the company believes none exist – especially where more pressing short-term priorities, or true emergencies, are at hand.  A compliance audit, by contrast, is an investment in prevention.  It is a proactive, rather than reactive, exercise – and one that can be done every three, every five, or even every ten years, depending on the extent of the company’s vulnerabilities and its resources.  To save money, some companies will even vary the subject areas to be assessed:  a fraud prevention audit one year, a gifts and gratuities/Foreign Corrupt Practices Act audit the next year, a bidding practices audit after that.

Many lawyers will conduct a compliance audit with a mutually-agreed scope for a flat fee, or will use lower-rate non-lawyer assistance in conducting the audit where possible.  Sparing both excessive cost and office disruption, the best compliance audits will carefully choose representative interviewees from a cross-section of the company (rather than, say, interviewing the entire sales department) and will arrange such interviews in a manner convenient to the company.

Why should my company being doing a compliance audit – isn’t it just digging up trouble that would otherwise never see the light of day?

Most sensible executives understand that a problem ignored is not a problem solved.  Indeed, the opposite is true.  Especially in regulated industries, a problem allowed to fester, a vulnerability left unaddressed, or a “minor” non-compliance never corrected can spell devastation for a company later.  And in terms of financial costs, paid out to lawyers or otherwise, reacting to a crisis on an emergency basis is far more expensive and debilitating than having taken careful and controlled preventative measures in the years preceding the crisis.

The U.S. Justice Department has made even more clear this year than in the past that a company’s ignorance of wrongdoing happening under its nose is no defense.  In the eyes of this DOJ, the larger number of companies who have officially adopted ethics and compliance plans is no great credit to those companies because the trend has been accompanied by many, many of those same companies putting those written policies on a shelf before the ink is dry, then paying them only lip service.  As a result, in a recent speech to a group of compliance professionals, the head of DOJ’s Criminal Division announced that the DOJ has “declared war on ‘paper [compliance] programs.’”  In other words, it is just as bad – perhaps worse – to adopt a compliance program but to fail to effectively implement and enforce it than to have no program in the first place.

Further, it is foolish to think that in today’s whistleblower culture real or perceived wrongdoing within a regulated company can be left unaddressed and the problem will remain a secret.  Recently, for example, the SEC announced it is receiving an average of one new whistleblower complaint per day since the passage of the Dodd-Frank financial reform bill.  And there is far more than Dodd-Frank to financially incentivize whistleblowers-in-waiting, who exist in just about every industry.

When a whistleblower discloses real or perceived wrongdoing occurring in your company, he usually does so with no time or ability for the company to respond, and of course the whistleblower will cast his allegations in the light most unflattering to the company in an effort to spark a potential government investigation he and his lawyer hope will lead to a financial bonanza for both of them.  By contrast, an independent, confidential compliance audit can find and fix legal vulnerabilities in a manner the company can control, before the vulnerabilities become matters of real or perceived wrongdoing that are reported to authorities by whistleblowers.  In addition, where disclosure of the problem is legally mandated or otherwise appropriate, recent U.S. Supreme Court case law[2]/ has confirmed that public release of information forecloses a monetary award for future whistleblowers, thus eliminating the incentive that spurs many whistleblowers to action in the first place.

In short, independent compliance audits are an excellent investment for companies who take their compliance programs seriously, devote sufficient resources to make them work, strive for a culture of compliance that does not tolerate wrongdoing at any level, and, in today’s climate especially, understand – and want to competently navigate – the daunting regulatory and enforcement minefield in which they are operating.

**********

ben-tymannAbout the Author

Ben Tymann is a litigation partner in Mintz Levin’s Corporate Compliance and Investigations Practice Group.

Ben advises government contractors and others in regulatory compliance, corporate compliance programs, risk assessment, and government investigations.

He can be reached via email at BBTymann@mintz.com.


  • [1] – Indeed, most model compliance programs recommended by U.S. federal agencies call for the company to test how well its compliance program is working.  See, e.g., Federal Sentencing Guidelines, Sentencing of Organizations, § 8B2.1(b)(5)(B).
  • [2] –  See Graham County Soil and Water Conservation District v. U.S. ex rel. Wilson, No. 08-304 (2010).

About the Author

Benjamin Tymann

ben-tymannAbout the Author
Ben Tymann is a litigation partner in Mintz Levin’s Corporate Compliance and Investigations Practice Group. Ben advises government contractors and others in regulatory compliance, corporate compliance programs, risk assessment, and government investigations. He can be reached via email at BBTymann@mintz.com and has contributed the following article(s) to Corporate Compliance Insights:

2 Comments

  1. October 21, 2010

    Companies in regulated industries have a lot of laws to comply to and with the decreasing tolerance levels from regulators, there’s no room to hide. These industries are under tight regulation for a reason, and therefore, need to take responsibility to have an effective ethics and compliance program in place. I like that this article fights back about many of myths surrounding compliance audits. A lot of companies have been using those excuses for far too long and they need to realize that the costs of noncompliance significantly outweigh the costs of developing an ethical and complaint company.

  2. November 1, 2010

    Dear Ben –
    I read with great interest your article on compliance audits as a preventative measure. I am currently working on the follow-up of the discovery and reporting phase of a completely NON-compliant entity and the issues as they exist within a “charitable” entity straddling NY & CT. The information they boldly post on their web site, the “planted” promotional information in both printed press and spots on local televised area programs that consist of interviews both solicited by the Chairman and with the Chairman, always making the pitch for the Foundation’s research and needed continuing support, I – quite frankly – cannot find one area of properly executed procedural (or other) compliance anywhere within the entity’s structure, function, state mandated filings and registrations, nothing – even the annual 990’s are filled with false statements and, as this is a “health care” provider with the 501(c)(3) attached to it as a “research, ACGME program”, the Chairman of the “Foundation” and the owner of the private medical practice that founded the entity – and who uses the private practice patients without their knowledge for research/training subjects for the Fellowship program – the funds and income/expenses are co-mingled and the year the Foundation was begun depends upon which page of the web site one goes to, however the IRS letter of determination was issued to the original entity, structured in Colorado but claiming a CT business location address (CT has no record of this entity ever registering with the SOS or the AG’s Charity department – ever!, and the IRS dates the non-profit status as approved in 2002 retroactive to 2000. The first 990 filed was for a short year – by 1 month – in 2001. Annual returns filed since then have always used a c/o mailing address – one of the Chairman’s 2 private medical practice office locations. He has one in NYC on Park Avenue and one in Cos Cob, CT. He lists the other officers of the entity as his father and his father in law! The for-profit practice and the non-profit entity are so intertwined it would likely be close to impossible to separate them, as they share employees, business space, funding and use the private patient practice population to provide “over 500 surgical opportunities annually” for the Foundation’s “Fellowship” program. In my most recent research I discovered that the Foundation – in spite of significant advertising and lavish gala fundraisers held (without pre-registration – and the entity itself is still not registered to function in either state it is currently operating in – NY & CT. The Colorado structure (c-corp) was annually renewed and maintained until 2004, when it defaulted for non-renewal of the annual filing and fee payment. I cannot find a restructure or any official, legal movement of the entity as it existed to NY or CT, and neither can either state’s AG or SOS departments, however it has been filing the 990’s as a NY based entity and the IRS Pub 78 also lists it as a NY based 501(c)(3) using the same FEIN. With almost every rule, functional requirement and regulation either ignored, by passed or simply not acknowledged for functioning appropriately in the category this entity occupies, as well as the recent receipt of ACGME accreditation. This was not awarded to the foundation as they claim, however, but was actually an accreditation of the private practice sponsoring the Foundation it actually has as a resource of tax exempt funds, employees and other goodies! The latest Foundation fundraiser – where they auctioned off – among other things – a car with a state MSRP of $ 170K+ that the Foundation’s evening’s program stated was donated – the dealership denies this stating that it was special ordered and purchased by the Chairman pre-event – the fundraiser asking for support to continue the Fellowship program (it does not have a Fellowship program that is accredited rather the for profit medical practice is the place of record for the Fellowship program!). This ACGME accreditation allows them to apply for significantly larger Medicare / Medicaid and other funding, including corporate match programs. The most interesting aspect of these 2 companies is that they are perceived as completely separate from each other, when in fact, they are simply 2 rooms, so to speak, in the same building – owned and operated by the same person for his personal financial benefit. There is not any teaching staff for the Foundation’s highly touted and supposedly recently accredited Fellowship program (except maybe for the chairman claiming to be an instructor ??? – – even though the web site and literature regarding the program cites numerous “senior” teaching staff and supporting teaching staff, when in fact there is no staff except the Chairman, the only association the Foundation has with any hospital or teaching entity of any degree – and none to any teaching institution – is through the Chairman’s personal attending privileges at the 2 area hospital where he operates. He is not on either hospital’s teaching staff and brings the Fellows into the OR as his staff of the private practice, and his private practice does employ them while they are in this funded research program, and also bill the (unaware) patient, who sought out the care of a private surgeon, not a teaching institution. So, this floridly (mal) functioning, non-compliant in every category that applies to it and more, even when brought to the attention of the regulatory agencies in both states, continues on. The Fellows are awarded CT and NY medical licenses by endorsement of the Chairman to be staff for 1 year. The complaint filed with both CT & NY was accompanied by substantive proof in February 2010, with any action yet to be taken. My question is, where are the “aggressive” authorities you refer to in your article when it comes to company non-compliance on this level? It seems to me, after working with my client on the due diligence, investigative portion of this issue, the regulators are not in attendance here, neither in CT nor in NY state. While I work with clients that request I audit them to make certain that they are complaint, I am very discouraged that the recipient of this aggressive regulatory interest is often the smaller business. As the Foundation I have referenced has significant money attached to the owner & officers (all 1st degree family members!), the Board of Directors (the members of this Board seem to have lifelong appointments as the Board membership NEVER changes!) and the AG of CT was actually in attendance at the last annual Gala held in NY (illegally and which raised $ 425K in a single evening). This year they advertised that David Dinkins would be one of the honorees, but he apparently bowed out – after the programs were printed! The Foundation – all financial decisions and monies approved for spending in the hands of the Chairman – spent a small (donated, tax free obtained!) fortune on this year’s fundraiser, and the only difference I see from last year is in the amount of self-promotion appearing this year pre-event. They are aware of the state and federal interest, and have received interrogatories from both state’s AG’s – one of which they returned after 4 months of repeated requests that it be returned – and it was filled out with intentionally fraudulent information – and signed by the Chairman. They also held the fundraiser last month in the same state, and did not register it. My client is discouraged, as am I, in that this entity is able to continue on and collect millions of dollars – tax free – and at the expense of private patients who are unaware of their role in this scam, and who often experience bad outcomes but are never given any explanation as to why this happened – and by the the Fellow is gone and the statute is up! While the presentation of boxes of factual and well researched proof and evidence has been supplied to the authorities, many smaller business with minor infractions have been pounced upon while this entity continues about it’s very public and harmful moneymaker fraud. These are the same authorities that I have seen go after small businesses with annual net of less than 1M for minor infractions, so is it a political game or is there something that – as one invested in the value of preparing and assisting clients in becoming compliant for all area and who are functioning in the same 2 states that I work in – and this entity functions – really true that playing by the rules only applies to those who cannot afford to thumb their noses at the regulations and will take their chances with getting caught? This entity is fully aware of the interest their activity has generated, and have responded – in their own good time – to some of the inquiries they have received from the regulatory agencies (with clearly false info!) Yet, even when they know that they are under the microscope in many ways they continue to ignore regulations and seem to be fairly comfortable in the fact that they appear to be untouchable – as the formally filed complaints of over 9 months ago have resulted in no change in the way they function or caused them to increase their concerns and begin to correct their areas of non-compliance, if for no other reason that a fear of the consequences? I apologize for the length – I am serious about the content and if you do have any suggestions as to how to make this more important, I would be grateful. If small companies see that it is possible to function without taking the proper steps, then they are less likely to be willing to tolerate the disruption a compliance audit causes, never mind deal with the consequences of discovery and the requirements to make proper corrections. Thank you for your time – Best regards, Karen L. Martinelli, Transitions, L.L.C. (www.linkedin.com/in/karenmartinellitransitions1)