What You Don’t Know Can Hurt You:
The Importance of Compliance Audits in Today’s Intensive
Enforcement Environment and Whistleblower Culture
Editor’s note: This article was originally published on Corporate Compliance Insights on Oct. 20, 2010.
Companies doing business with the government or operating in regulated industries face the most challenging regulatory and enforcement environment in years. Among those challenges are greater scrutiny by government regulators (whose ranks are growing by the hour), less tolerance by those same regulators and enforcement authorities for non-compliance of even seemingly “minor” proportions, and dramatically increased reporting and disclosure obligations.
These realities combine to create another: the days of a “See No Evil, Hear No Evil, Speak No Evil” approach to compliance are over. In other words — and as any compliance officer worth his or her salt knows — what you don’t know can hurt you. And just because you as an executive, manager, or compliance officer don’t know about non-compliance going on in your company – or, worse, you’ve chosen to ignore it – does not mean that your employees don’t know about it and that one or more of them won’t blow the whistle to authorities.
In short, if you are a regulated company, it is your obligation to have a compliance program and internal controls that will ensure violations of law, regulation or public contract do not go undetected. While several other obligations follow from that primary obligation – for example, swift and thorough internal investigation of the potential wrongdoing; remedial action calibrated to fix and prevent the wrongdoing, if it is found to have occurred; and determining disclosure obligations to regulatory agencies and/or law enforcement – this article will focus on the critical first step, making sure that your compliance program is detecting the practices that create compliance risks.
Periodically conducting independent, confidential compliance audits is the best way to assess these compliance risks as well as to test the efficacy of your internal compliance program in doing what, at its core, it is supposed to do: deter and detect actual or potential violations of law.
What is an independent compliance audit?
An independent compliance audit assesses actual or potential violations of law, regulation, or public contract occurring within an organization, and, where vulnerabilities are identified, recommends solutions to remedy or minimize them. It is not a conventional financial audit, but rather a legal audit that looks at the industry in which the organization operates and focuses on those areas of the law that create vulnerabilities for companies within that industry, as well as any areas of special legal risk unique to the company. For example, a construction contractor bidding on public work operates in a regulatory and enforcement environment covering a wide array of legal subject areas, including antitrust, gifts and gratuities practices with public officials, fraud prevention in the provision of materials and services, and worker protection matters. That company may also have special risks requiring careful monitoring, such as past environmental citations, or a track record of product specification non-compliance on public projects.
An effective compliance audit, normally involving analyses of sampled records and interviews of representative employees, will take stock of the company’s vulnerabilities both in regard to these “common pitfalls” in the particular industry, as well as potential legal risks specific to the company’s history and circumstances.
The audit should be independent, meaning it should not be led by the company’s own compliance department. While an effective compliance department is constantly monitoring company practices and improving internal controls, a periodic independent audit evaluates both company practices and the effectiveness of the compliance department itself.[1] These audits – which in most cases need only occur every several years – are also intended to assist the compliance department in identifying areas where its monitoring and training efforts need more focused attention.
The compliance audit should be conducted under the direction of counsel. Only through the creation of an attorney-client relationship may the findings and recommendations within the compliance audit be kept confidential. Any consultants utilized in the process should be reporting their work to counsel as well, to keep that work under the attorney-client privilege umbrella.
While it is true that some jurisdictions make it more difficult to shield purely factual findings from disclosure, properly written reports that make clear that the contents are intended to assist counsel in providing legal advice will be afforded the highest measure of protection. It is also true that many government contractors or other regulated companies may be required to disclose to the government any findings showing credible evidence of certain types of wrongdoing – or may opt to do so even without a mandatory reporting obligation. But counsel can advise the company on exactly what the disclosure obligations are, their implications, and how to truthfully characterize the audit’s findings in the final report to minimize legal risk in the disclosure.
Aren’t compliance audits expensive and disruptive?
Budget-conscious executives might naturally be skeptical about the value of hiring a team of lawyers and consultants to find problems where perhaps the company believes none exist – especially where more pressing short-term priorities, or true emergencies, are at hand. A compliance audit, by contrast, is an investment in prevention. It is a proactive, rather than reactive, exercise – and one that can be done every three, every five, or even every ten years, depending on the extent of the company’s vulnerabilities and its resources. To save money, some companies will even vary the subject areas to be assessed: a fraud prevention audit one year, a gifts and gratuities/Foreign Corrupt Practices Act audit the next year, a bidding practices audit after that.
Many lawyers will conduct a compliance audit with a mutually-agreed scope for a flat fee, or will use lower-rate non-lawyer assistance in conducting the audit where possible. Sparing both excessive cost and office disruption, the best compliance audits will carefully choose representative interviewees from a cross-section of the company (rather than, say, interviewing the entire sales department) and will arrange such interviews in a manner convenient to the company.
Why should my company be doing a compliance audit – isn’t it just digging up trouble that would otherwise never see the light of day?
Most sensible executives understand that a problem ignored is not a problem solved. Indeed, the opposite is true. Especially in regulated industries, a problem allowed to fester, a vulnerability left unaddressed, or a “minor” non-compliance never corrected can spell devastation for a company later. And in terms of financial costs, paid out to lawyers or otherwise, reacting to a crisis on an emergency basis is far more expensive and debilitating than having taken careful and controlled preventative measures in the years preceding the crisis.
The U.S. Justice Department has made even more clear this year than in the past that a company’s ignorance of wrongdoing happening under its nose is no defense. In the eyes of this DOJ, the larger number of companies who have officially adopted ethics and compliance plans is no great credit to those companies because the trend has been accompanied by many, many of those same companies putting those written policies on a shelf before the ink is dry, then paying them only lip service. As a result, in a recent speech to a group of compliance professionals, the head of DOJ’s Criminal Division announced that the DOJ has “declared war on ‘paper [compliance] programs.’” In other words, it is just as bad – perhaps worse – to adopt a compliance program but to fail to effectively implement and enforce it than to have no program in the first place.
Further, it is foolish to think that in today’s whistleblower culture real or perceived wrongdoing within a regulated company can be left unaddressed and the problem will remain a secret. Recently, for example, the SEC announced it is receiving an average of one new whistleblower complaint per day since the passage of the Dodd-Frank financial reform bill. And there is far more than Dodd-Frank to financially incentivize whistleblowers-in-waiting, who exist in just about every industry.
When a whistleblower discloses real or perceived wrongdoing occurring in your company, he usually does so with no time or ability for the company to respond, and of course the whistleblower will cast his allegations in the light most unflattering to the company in an effort to spark a potential government investigation he and his lawyer hope will lead to a financial bonanza for both of them. By contrast, an independent, confidential compliance audit can find and fix legal vulnerabilities in a manner the company can control, before the vulnerabilities become matters of real or perceived wrongdoing that are reported to authorities by whistleblowers. In addition, where disclosure of the problem is legally mandated or otherwise appropriate, recent U.S. Supreme Court case law[2] has confirmed that public release of information forecloses a monetary award for future whistleblowers, thus eliminating the incentive that spurs many whistleblowers to action in the first place.
In short, independent compliance audits are an excellent investment for companies who take their compliance programs seriously, devote sufficient resources to make them work, strive for a culture of compliance that does not tolerate wrongdoing at any level, and, in today’s climate especially, understand – and want to competently navigate – the daunting regulatory and enforcement minefield in which they are operating.
Ben Tymann is a litigation partner in Mintz Levin’s Corporate Compliance and Investigations Practice Group.
Ben advises government contractors and others in regulatory compliance, corporate compliance programs, risk assessment, and government investigations.
He can be reached via email at BBTymann@mintz.com.
[1] Indeed, most model compliance programs recommended by U.S. federal agencies call for the company to test how well its compliance program is working. See, e.g., Federal Sentencing Guidelines, Sentencing of Organizations, § 8B2.1(b)(5)(B).
[2] See Graham County Soil and Water Conservation District v. U.S. ex rel. Wilson, No. 08-304 (2010).