meet marti arvin join scce!...compliance & ethics (ce) (issn 1523-8466) is published by the...

1February 2007

Society of Corporate Compliance and Ethics • (888) 277-4977 • www.corporatecompliance.org

Volume Four

Number One

February 2007

Bimonthly

Join SCCE!Are you a member of a professional compliance and ethics organization?

See pages 26–27

Meet Marti ArvinPrivacy Officer, University of LouisvillePAGE 18

2February 2007


Amgen IncContact: Kathleen SchumpExecutive Assistant [email protected]

Alfaro-AbogadosContact: Liliana AlfaroPartner [email protected], www.alfarolaw.com

Colgate Palmolive CompanyContact: Ron Martin VP Global Business Practices and [email protected] www.colgate.com

D&BContact: Jay CohenGlobal Compliance [email protected]

Dell IncContact: hurmond WoodardChief Ethics/Comp/Privacy [email protected]

Federal Home Loan BankContact: Sandra DamholtVP Dir Compliance & [email protected]

Foley & Lardner LLPContact: Cheryl [email protected]

Georgia System OperationsContact: Andrea Barclay, CCEPCorporate Compliance [email protected]

GSIContact: David MertzDir Compliance [email protected]

Holland & Knight LLPContact: Christopher A. Myers, [email protected]

Integrity Interactive CorporationContact: Michael R. Levin, EsqDir Compliance & Ethics [email protected]

Jones DayContact: Robert C. [email protected]

LARC Compliance & Ethics ConsultingContact: Dante L. TuckerManaging [email protected]

Medtronic www.medtronic.com

Microsoft Corporationwww.microsoft.com

Qwest CommunicationsContact: Dave HellerChief Ethics & Compliance [email protected]

RadioShack CorporationContact: Jolene D. MillerSr Dir, Ethics & Corp [email protected]

The NetworkContact: Angelia DavisMarketing [email protected]

Tozzini, Freire,Teixeira, E SilvaContact: erceia Barros [email protected]

TSYS, Inc.Contact: Daniel J. PribanDirector Risk & [email protected]

United Parcel ServiceContact: Ruth WardComp & Ethics [email protected]

U.S. FoodserviceContact: Cindy HallberlinChief Ethics & Compliance [email protected]

Vetco InternationalContact: Marjorie DoyleExec VP & Chf Comp [email protected]

Wal-Mart StoresContact: Gary HillDir International [email protected]

SCCE Corporate Members

3February 2007

THE CALENDARON

Academy Dallas: March 26–29, 2007

Workshops Chicago: March 15–16, 2007

New York: March 22–23, 2007

Los Angeles: April 12–13, 2007

Dallas: May 17–18, 2007

Compliance & Ethics InstituteNew Orleans: September 9-11, 2007

Visit SCCE’s Web site for more information:

www.corporatecompliance.org

Compliance & Ethics (CE) (ISSN 1523-8466) is published by the Society of Corporate Compliance and Ethics (SCCE), 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Subscription rate is $195 a year for non-members. Periodicals postage-paid at Minneapolis, MN 55436. Postmaster: Send address changes to Compliance & Ethics, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Copyright © 2006 the Society of Corporate Compliance and Ethics. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publica-tion may be reproduced, in any form or by any means without prior written consent of the SCCE. For subscription information and advertising rates, call SCCE at 888-277-4977. Send press releases to SCCE C&E Press Releases Department, 6500 Barrie Road, Suite 250, Minneapolis, MN 55435. Opinions expressed are those of the writers and not of this publication or the SCCE. Mention of products and services does not constitute endorsement. Neither the SCCE nor CE is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

Publisher: Society of Corporate Compliance and Ethics, 888-277-4977

Editor-in-Chief: Rory Jaffe, MD, MBAExecutive Director of Medical Services for the University of California; Board Member, Health Care Compliance Assocation

Executive Editor: Roy Snell, CEO, SCCE [email protected]

Advisory Board:James Brennan, JDDirector of Compliance and Ethics Takeda Pharmaceuticals; Commissioner on the Illinois State Executive Ethics CommissionJay CohenGlobal Compliance Leader, Dun & BradstreetJohn Dienhart, Ph.DThe Frank Shrontz Chair for Business Ethics, Seattle University; Director, Northwest Ethics Network; Director, Albers Business Ethics Initiative; Fellow, Ethics Resource CenterOdell Guyton, JDSenior Corporate Attorney, Director of Compliance, U.S. Legal–Finance & Operations, Microsoft CorporationRick Kulevich, JDSenior Director, Ethics and Compliance, CDW CorporationSteve LeFarPresident, MediRegs; Board Member, Juvenile Diabetes FoundationStephen A. Morreale, DPA, CHCPrincipal, Compliance and Risk DynamicsMarcia Narine, JDVice President Global Compliance and Business Standards; Deputy General Counsel, Ryder System, Inc.Ann L. Straw, Vice President and Chief Compliance Officer, Laidlaw International, Inc. José A. Tabuena, JD, CFE, CHCCenter for Corporate Governance, Deloitte & Touche USA LLPGreg Triguba, JDCorporate Compliance & Ethics Manager, Eddie Bauer

Story Editor/Advertising: Marlene Robinson, SCCE, [email protected]

Copy Editor:Patricia Mees, SCCE, [email protected]

Layout:Gary DeVaan, SCCE, [email protected]

Advisory Board

4 Ethics and Risks of Self-Assessment 10 Organizational sociology as compliance16 Employee E-Communications18 Meet Marti Arvin, Joe Murphy,

and Susan Gasparian21 Frankly speaking22 CEO’s letter24 Auditing a compliance and ethics program32 “More on McNulty”36 Dept. of Justice on effective compliance41 New SCCE members

INSIDEINSIDE

S C C E R E S O U R C E S

■ Annual conferences

■ Compliance workshops

■ Audio conferences

■ Advertising

■ Membership directory

■ Compliance & Ethics, SCCE’s journal

■ Career opportunities

■ eCorporate Compliance News, SCCE’s e-mail newsletter

■ Corporate compliance resources

■ Compliance program evaluation

■ Compliance trainingand books

ON


4February 2007


Editor’s Note: Robert R. Moeller is a Chicago area based consultant and project manager specializing in Sarbanes-Oxley internal controls, risk management and both IT and internal audit. Previously he was the Internal Audit Director for Sears Roebuck and had major responsibilities for launching their first ethics office and whistleblower program. He is the author of several audit and control books, and has a strong interest in IT governance issues. He can be reached at [email protected]

When faced with Sarbanes-Oxley (SOX) require-ments as well as other

compliance mandates, an increasing number of organizations today have initiated self-assessment processes as an easy and cost-effective way to demon-strate compliance. These initiatives are typically viewed as just a more cost-effective way to perform self-assessment reviews. But there can be risks both for the enterprise basing their compliance achievements on poorly structured self-assessment reviews, as well as personal and professional risks for individuals who perform poor, sloppy reviews. With self-assessments, the enterprise will request one of its managers or other pro-fessionals to perform a detailed review to see if the organization is in compliance in such areas as SOX internal control procedures. However, these procedures or rules may be imprecise or a manager may just “rubber stamp” his or her document to indicate compliance. This type of action puts everyone in a level of

compliance risk and may be a violation of code of conduct ethics rules calling for all employees to report correct and accurate information.

As an example of what can go wrong, this author recently was asked, as a consul-tant, to review an electrical utility’s cyber-security self-assessment procedures under North American Electrical Reliability Council (NERC) standards. A self-gov-erning set of standards covering the U.S. electrical industry, they require companies to review their level of NERC standards compliance and report them to a cen-tralized body affiliated with the Federal Power Commission. These are standards to help prevent black-outs and to keep electrical power operating; they cover such areas as electronic security perim-eters and systems security management. These NERC standards currently require self-certification by the electrical utilities as a minimum level of compliance.

To assess compliance with these stan-dards, site managers were asked to cer-tify, for example, that they “established and tested” an IT disaster recovery plan for their area or that they had executed a NERC-mandated “quarterly risk awareness program.” However, there was essentially no education and training at the organization as to what was meant by the standards. Under the pressure of time and strong messages to “get it done,” some managers just signed-off on these self-certifications on a quarter-by-quarter basis without really

understanding what they had autho-rized. Even worse, the senior manager responsible for compiling these unit-by-unit risk assessments knew little about IT cyber security issues, and operated under assumption that if a site manager signed as being in compliance, “they must be right!” When a review demon-strated that the utility could not really be in compliance with some of these requirements, that same senior manager did not want to hear this consultant’s concerns. As a result, multiple persons were signing off as being in compli-ance even though those same persons realized that they may not really be in compliance.

This example illustrates what can really go wrong with a poorly managed and execut-ed self-assessment process. The standards compliance that site managers were asked to assess was poorly communicated and site managers signed off on their compli-ance at all levels without really realizing the implications of that attestation. We have used a set of fairly specialized stan-dards here, NERC for the electrical power utilities, but there are similar risks and ethics issues with other self-assessment processes, such as for Sarbanes-Oxley sec-tion 404 internal controls.

The Ethics and Risks of Self-Assessment

ProcessesBy Robert R. Moeller

RO

BERT

R. M

OEL

LER

5February 2007


There can be both enterprise compliance risks and ethics issues in poorly executed self-assessment programs. However, well run and managed programs can provide cost savings to the enterprise and allow some key persons—the self-assessors—to gain a better understanding of how some of their controls operate. Corrective actions or remediation processes are often easier when the self-assessment manager can better describe the condi-tions observed.

Launching the Self-Assessment

Process—Training and Education

It can often be an easy decision for management to skip using outside consultants as internal controls review-ers and save costs by having in-house managers and other professionals docu-ment compliance through self-assess-ments. However, all concerned need to really know and understand this process of self-assessment. It should be much more than asking the hands-on manager to check a box on a form as OK, sign the form and be done with the pro-cess. Self-assessors need to have a good understanding of both what they are self-assessing and their required basis for these self-assessments.

Although a formal, fly in to the home office training session should not be necessary, the team responsible for man-aging this process should develop some training materials describing this process. In a Sarbanes-Oxley world, for example, the enterprise SOX coordinator might lead this effort. Using some type of a web format, designated self-assessors could be given training guidance including:■ Purpose and importance of self-assess-

ment process—Why are people being asked to do this?

■ Steps for self-assessing or performing tests—This can be very important for many areas where there may be ques-tions about the criteria for a pass or a fail.

■ Assessment documentation proce-dures—The procedures can vary, but all self-assessors should be given guid-ance on when to perform their tests as well as how to communicate the results.

The most important part of any self-assessment training is that all self-asses-sors should receive the message that they are playing a very important role in enterprise governance and that their self-assessment results must be accurate. Without appearing too threatening, the training should emphasize that false or inaccurate results could have conse-quences for the self-assessor as well as the overall enterprise. Too often, a self-assessment process can fail because the self-assessors do not really understand these objectives.

The Importance of Project Planning and

Support

Self-assessment processes are almost always tied to some timing cycle. For example, all work would be required to be completed by some month-end date. These timing requirements should be clearly communicated to all self-asses-sors with strong messages that they must complete their work not too early but before some required due date. They are asserting that a control is working “as of” some designated date. Without well-planned self-assessment project timing, one or another remotely located manager may miss a self-assessment due date because he or she was “too busy.” Consequently, the results of the entire

self-assessment process can be thrown into question. For a SOx Section 404 process, for example, external auditors will look for the self-assessment results to be reported by a specified due date. The “too busy” self-assessor can throw the entire process in question.

The enterprise’s self-assessment coor-dinators should carefully designate the persons to do these reviews, determine their availability, and clearly schedule this work. It is really important that the message be communicated to all self-assessors that this is a very important task for the organization, requiring top attention. Despite the best of training, however, there will always be a risk that some designated self-assessors do not fully understand the process or what they have been asked to evaluate or test. There will always be questions. Someone from the enterprise self-assessment coordination group should be available to answer questions and provide sup-port. These types of questions often come up when a self-assessor finds the area reviewed as “almost compliant.” Guidance is often needed here.

Self-Assessment Ethics and the

Enterprise Code of Conduct

The value or worth of self-assessment processes depends on the quality and integrity of the persons asked to perform these reviews. If the persons doing self-assessments have good knowledge of the areas they are reviewing, they can be expected to perform correct reviews. The enterprise could face a risk, however, when self-assessors sign-off on things without really reviewing the current sta-tus, or give some internal control area a “pass” even though it had failed. People

Continued on page 6

6February 2007


generally do not do these things with some malicious intent, but they may be just too busy or don’t want to have to explain later why some area is not really compliant. One way to prevent these kinds of problems is to insist on separa-tion-of-duties controls in any self-assess-ment process. That is, an independent person would be asked to observe or check the work of the designated self-assessor. A basic accounting internal control, this type of procedure really defeats the concepts and efficiencies of individual self-assessments. There is a need to rely on the self-assessor’s report-ed results. This can be accomplished through periodic reviews by groups such as an internal audit department or a compliance department. Even though those reviews may not be that frequent, the knowledge that they might occur should improve self-assessment quality.

The accuracy and integrity of reported results can be an issue if self-asses-sors are not generally accurate in their reported results. To improve integrity here, there is a need to go back to an enterprise’s core values and to seek guidance from its code of conduct. Certainly since the launch of the COSO internal controls framework, and even before for some, organizations have strengthened their employee codes of conduct, published strong state-ments on their adherence to ethics, and much more. The emphasis in many of these codes has been on such matters as fair dealing with vendors, protection of company property, and employee conduct. However, the message that an organization’s code of conduct also applies to the reported results from compliance self-assessments may not be fully understood.

An enterprise may want to visit its pub-lished Code of Conduct to make certain that it contains some words about the employee’s responsibility for “fair and accurate” reporting of all work-related financial and operational results. If not, the subject should be included in a future revision of the Code. More importantly, self-assessors should be reminded in a subtle manner of these Code principles. The idea is to com-municate this message to all persons asked to report on the results of their self-assessments. When an employee is asked to report on plan versus actual project time or financial results, they would normally do the right thing and report accurate results. However, when asked today to report on compliance with some standard, it is easy to miss that accurate self-assessment reporting is just as important. The Code of Conduct link and emphasis on organization ethics should help to improve the accuracy and integrity of all self-assessment results.

Testing and Documentation.

Self-assessment processes frequently require the evaluator to test a process to determine that it is working as described. For example, a control pro-cedure can describe some process where two key accounts are reconciled every period and that outstanding items are researched. The self-assessor would look for evidence of that reconciliation as well as details of the research covering the outstanding account items. This is an easy process when the reconciliation involved only one or two outstanding items. The self-assessor faces a chal-lenge, however, when the reconciliation involved a very large number of out-standing items. How can the self-assessor attest that “all” items are researched?

The answer to this problem is the com-mon auditing or QA technique of testing. By taking a representative sample of out-standing items and finding that they have been researched, the self-assessor can be X % confident that all of the items in such a large population have been researched. There is a whole body of literature cover-ing audit sampling and these types of decisions, but the enterprise should set some sample size guidelines—often up to 20 items—and have assessors select up to that number to report a conclusion about whether the control appears to be work-ing. In a financial or SOx-related self-assessment process, the enterprise external auditors or internal audit can provide some guidance on recommended mini-mum sample sizes. This and guidance for “randomly” selecting items should be included in the self assessment training and guidance material discussed above.

Defined documentation processes are an important final step to assuring the integrity of self-assessment processes. All too often, the remote location self-assessor does the review, sends in the results, and all but forgets about the review until the next period. This author was involved in a SOx 404 review exercise at a large manu-facturing operation with many locations. Controllers at each location were instruct-ed to assemble the self-assessment docu-mentation and keep them in notebooks on the office credenzas. The problem was that perhaps new controllers took over at many of these facilities every year. A new person coming in may not understand all this “stuff” left by a predecessor and pitch the old records. The original self-assessor may have followed good control proce-dures by capturing the evidence, but the organization could still be at risk because the older documentation is missing.

Self-Assessment Processes ...continued from page 5

7February 2007

Benefits of an Effective Self-

Assessment Program

An enterprise should always have a good understanding of its self-assessment objectives, and these should always be communicated to all members of the self-assessment team. While there is always a strong need to complete these self-assessments, the message should not be along the lines of “we’ve got to pass these tests!” Rather, the importance and criticality of self-assessment should be emphasized by highlighting the goals of completing them on time and of identi-fying any controls weaknesses for future corrective actions.

Self-assessment procedures can be very cost-effective if the enterprise clearly defines its requirements to the stakehold-ers performing the review, and if those persons have both the training and ethi-cal culture to perform effective reviews. The process also works better if the enterprise sends out clear instructions and provides a level of on-site assistance in completing them. Schedules must be established to allow the self-assessors enough time to complete these tasks.

Unless self-assessment processes and supporting procedures are well planned and organized, the enterprise may face a

risk that they miss the mark in terms of appropriate scheduling, documentation, and testing. Perhaps more important, enterprise values and ethics must be strongly communicated to all persons doing self-assessments to ensure that results are reported accurately. With proper consideration given to these risks and ethics issues, a strong program of self-assessments can be a powerful tool for achieving enterprise compliance in many areas of rules and regulations. ■

Enron. WorldCom. Arthur Andersen. Tyco. If you’re wondering how a system fraught with criminal and ethical misbehavior could possibly be right for you, authors Joseph E. Murphy and Joshua H. Leet have the answer: Join what smartmoney.com calls one of America’s top ten fastest growing fi elds.Th eir book, Building a Career in Compliance and Ethics, is the fi rst ever to give step-by-step instructions on how to establish a career making powerful organizations safer and more ethical. You’ll discover:

Th e wide range of compliance and ethics jobs Th e skills and temperament needed for this fi eld Practical ways to prepare for and get ahead in your career Steps for conducting an eff ective job search Advice from seasoned compliance and ethics professionals in the fi eld Tips for “selling” your compliance and ethics program to upper management

Building a Career in Compliance and Ethics is your guide to doing well by doing good!

Visit www.corporatecompliance.org to order.SCCE6500 Barrie Road, Suite 250 Minneapolis, MN 55435Phone 888-277-4977FAX 952-988-0146info@corporatecompliance.orgwww.corporatecompliance.org

Get started today on your career making powerful organizations safer and more ethical

SCCE • (888) 277-4977 • www.corporatecompliance.org

8February 2007


SAVE THE DATES!SCCE is the premier provider of compliance and ethics educational events. Faculty is composed of industry experts from around the world who represent the corporate environment, academia, government, and the law. Attracting hundreds of compliance professionals each year, SCCE events also provide unparalleled networking opportunities. Programs are offered in the following formats to meet the diverse needs of this evolving profession.

AcademyThe SCCE Academy is a four-day intensive train-ing program with the optional CCEP exam on the fifth day. Academies are designed to address United States Sentencing Commission (USSC) compliance guidelines in detail and better prepare interested par-ties for the CCEP exam. The Academy is designed for participants with a general knowledge of com-pliance concepts and some professional experience (6–18 months) in a compliance function.

Dallas . . . . . . . . . .March 26–29, 2007 optional CCEP exam on March 30

WorkshopsWorkshops are two-day programs designed to pro-vide the practical information compliance profes-sionals need to create and maintain compliance programs in a variety of industries. Workshops run on Thursdays and Fridays and are followed by the optional CCEP exam on Saturday mornings. For your convenience, the 2007 workshops will be held in four locations throughout the country.

Chicago . . . . . . . .March 15–16, 2007optional CCEP exam on March 17

New York . . . . . . .March 22–23, 2007optional CCEP exam on March 25

Los Angeles . . . .April 12–13, 2007optional CCEP exam on April 14

Dallas . . . . . . . . . .May 17–18, 2007optional CCEP exam on May 19

Audio ConferencesSCCE will launch a series of audio conferences in 2007. SCCE audio conferences will explore current hot topics in-depth and provide an instant and up-to-date education from the convenience of your own office. Details will be available shortly.

SCCE’s Nationally Acclaimed Certification ProgramThe Certified Compliance and Ethics Professional (CCEP) program provides professionals from all industries the opportunity to become certified in compliance and ethics practice. Professionals who earn the CCEP designation demonstrate sufficient knowledge of government regulations and com-pliance processes to understand and address legal obligations and promote organizational integrity through the operation of effective compliance pro-grams. The CCEP certification program promotes a national standard of requisite knowledge for compli-ance and ethics, encourages continued personal and professional growth, and enhances the credibility of both certified professionals and the compliance programs that they staff.

Credits earned at SCCE events will count toward the credits required to sit for the certification exam.

Please visit the SCCE Web site at www.corporatecompliance.org for registration materials!

SCCE 2007 Educational Opportunities

9February 2007


Dallas | March 26–29, 2007

Introduction to Compliance Practice: Abbreviated Compliance 101Sheryl Vacca, CHC, West Coast Practice Leader, Deloitte & Touche LLP

Organizational EthicsKathleen Edmond, Chief Ethics Officer, Best Buy Co, Inc.

Compliance InfrastructureDebbie Troklus, CHC, CCEP, Assistant VP for Health Affairs/Compliance, University of Louisville

Creating & Reviewing Compliance Policies and ProceduresLisa Murtha, JD, CHC, Managing Director, Huron Consulting

Regulatory UpdateMichael Horowitz, Commissioner, U.S. Sentencing Commission

Education and TrainingJolene Miller, Senior Director, Ethics & Corporate Compliance, RadioShack Corporation

Enterprise Risk ManagementSheryl Vacca, CHC, West Coast Practice Leader, Deloitte & Touche LLP

International Compliance IssuesLeonard Shen, Senior Counsel and CCO, GE Commercial Financial

Legal Issues, Risk Factors, and Disclosure IssuesFrank Sheeder, Esq., Partner, Jones Day

Auditing and MonitoringUrton Anderson, Associate Dean for Undergraduate Programs and Clark W. Thompson Jr Professor in Accounting Education, McCombs School of Business, University of Texas at Austin

Effectiveness and EvaluationGreg Triguba, JD, CCEP, Ethics & Compliance Program Manager, Eddie Bauer

Corporate ResponsibilityJacki Trevino, CCEP, Program Manager, Corporate Ethics & Compliance, Dresser, Inc.

InvestigationsSean Martin, Vice President, Commercial Law, Amgen, Inc.

Using Incentives in the Compliance and Ethics ProgramJoe Murphy, Of Counsel, CSLG; Co-founder and Senior Advisor, Integrity Interactive; Co-editor, ethikos

Privacy

Dennis Muse, CEO, Global Compliance

Chicago | March 15–16, 2007optional CCEP exam on March 17

New York | March 22–23, 2007optional CCEP exam on March 25

Los Angeles | April 12–13, 2007optional CCEP exam on April 14

Dallas | May 17–18, 2007optional CCEP exam on May 19

TOPICSEducation & Training

Case Studies

How to Conduct Internal Investigations in Light of the Hewlett-Packard Case

Conflicts of Interest

The Care and Feeding of Boards: A Bottom-Up Approach

Ethics and Culture

Internal Audit and Compliance Collaboration

Scope of Compliance Programs: What Should They Include?

Compliance & Ethics Programs and Agents, Suppliers, and Other Third Parties

Measuring the Effectiveness of Compliance Programs

Organizational Sentencing Guidelines

Data Governance: Protecting Personal and Confidential Data

Fraud Risk Assessment

Gifts and Gratuities

Harassment/Ensuring a Positive Workplace

Accurate Books and Records

2007 Academy Preliminary Program

2007 Workshops Preliminary Program

10February 2007


Editor’s Note: Gary Green PhD has taught about organizational legal compliance at the university level for more than a quarter-century. Gary presently, is Associate Professor of Government at Christopher Newport University. As the founder of Compliance Analysis consulting firm Gary works with organizations and attorneys on compli-ance issues. He has advised the Japanese Ministry of Justice about ways to combat organizational wrongdoing in Japan, and has authored and co-authored more than forty publications. Gary can be contacted at: [email protected]

Compliance officers are aware that compliance programming is a dynamic activity that

should respond to changes in the needs of the organizational structure as well as changes in external legal and social envi-ronments—“compliance analysis” must be an on-going process.

Despite this awareness, the compliance field seems to have devoted little attention to the fact that the very nature of organiza-tions can routinely create courses of action through which noncompliance is likely to result.1 There is a meaningful literature in the sociology of organizations that identi-fies these courses of action, but it seems to have gone essentially unused by the com-pliance field, a field that has instead con-centrated on highly legalistic frameworks.

The purpose of this article is to invite corporate compliance officers to inte-grate more work from the sociology of organizations into their compliance programming.2 As an introductory state-ment on this initiative, examples herein are necessarily limited, but more detailed applications can certainly be presented at later times.

Two Important Sociological Tenets for

the Context of Compliance

I have chosen two main sociological concepts—“the definition of the situ-ation” and “normative validation”—as the primary tenets to remember when developing and evaluating organizational compliance programs. After introduc-ing them, several other concepts from the sociology of organizations will be presented in brief to illustrate how they may be pertinent to the avoidance of noncompliance.

“The Definition of the Situation”

There are relatively few objective truths in human interaction. Each individual, based on his or her own constellation of life-historical, biological, psychological (including levels of self-control), and other factors contributes to the way(s) in which he or she perceives a given cir-cumstance, and this is no less true in the context of actors within organizations. A person’s conscious and subconscious

choices to interpret reality in certain ways will dominate how they construe a given situation.

The following are but five examples. An organizational actor may self-define their noncompliant conduct as compliant in order to commit it (“neutralizing”). Or the actor may define incorrect action as correct after it occurs (“rationaliz-ing”), regardless of whether it occurred willfully or through mistake. Second, clearly noncompliant conduct is more likely to be normalized in the mind of an individual the more it recurs. Third, organizational actors may have such a strong “escalated commitment” to a noncompliant endeavor that their ego disallows them from viewing it any way other than positive, and this intense loyalty to the noncompliant conduct will also prevent them from abandoning it.3 Fourth, membership in professions, organizational social groups (including those based on different geographic loca-tion), and differing corporate ranks may expose individuals to cultural norms that alter their “definition of the situation” to the point that it will conflict with com-pliant conduct. And fifth, individuals may inadvertently misinterpret or pur-posely ignore their own observations in

Maximizing the role of organizational

sociology as a compliance

initiativeBy Gary Green PhD

GAR

Y G

REEN

11February 2007


an organizational risk area that deceives them into assuming “all is well” when, in fact, it is not.

William I. Thomas, one of American sociology’s earliest thinkers, best summed up the effects of individual definitions of situations when he stated that, “Things perceived to be real become real in their consequences.” Compliance officers should be aware of the “self-fulfilling prophesy”—some-thing false may become true because it is believed to be true. Individuals in orga-nizations who believe that they can not or need not meet compliance mandates are much less prone to accomplish those directives because of that perception.

The bottom line for compliance officers here is to acknowledge that human action is dominated by individuals’ often sub-conscious choice in interpreting the reali-ties with which they are faced. Failure to recognize this simple tenet may prevent the organization from anticipating the adverse effects on compliance associated with the essentials of human conduct within an organizational setting.

“Normative Validation”

It is generally believed that acts that are punishable have sanctions attached to them because those behaviors are wrong. On the contrary, the sociological per-spective of normative validation asserts that acts are wrong only because they are punished and only to the extent they are punished.

Put another way, if a university has a “strict” honor code, and violators of that code are not sanctioned, the university is tacitly stating that academic dishonesty among students is not illegitimate. In

the same way, if you want to see how an organization truly views an act of noncompliance, don’t look at its “Code of Conduct.” Instead, you must examine the extent to which it punishes noncom-pliant conduct and rewards compliant conduct, because these acts of punish-ment and reward are the most compel-ling indicators of organizational norms regarding what it considers to be the good and bad behaviors of its employees.

Normative validation should not be con-fused with deterrence, although both are educative effects emanating from punish-ment. Deterrence is aimed at preventing misconduct by creating fear of forth-coming sanctions for committing that misconduct. Normative validation, on the other hand, is a moralizer that denounces an act of misconduct through its pun-ishment, and thereby teaches people it is wrongful. Deterrence and normative validation operate simultaneously based on the extent and consistency of punish-ment. The success of each is directly tied both to sanctioning proportionately to the wrongfulness of the behavior and to the certainty with which the sanctions are carried out. However, determining the relative effects of normative valida-tion and deterrence is impossible because they derive from the same imposition of punishment, they occur at the same time, and both result in the same compliant behavior. Our inability to disaggregate the effects of deterrence and normative validation is probably unimportant, but it is very important to conceptually dif-ferentiate between the two.

Creating normative validation is not limited to rule-breaking; it should be established in all matters related to compliance programming. For instance,

instituting “whistleblower hotlines” is of little value if the organization does not encourage the reporting of actual or potential problems—by truly reward-ing employees when they make a valid report and by truly chastising them when they should have reported a viola-tion. Similarly, hiring an outside firm to “communicate standards and pro-cedures” is of little consequence if the organization does not corroborate the importance of those standards and pro-cedures by periodically assessing employ-ees’ retention of the knowledge.

Indeed, the Federal Sentencing Guidelines for organizations clearly rec-ognizes in its description of an effective compliance program the importance of normative validation through consis-tent enforcement—in both preventing wrongful organizational behavior and in promoting pro-legal and ethical organi-zational cultures.4

Continued noncompliance based on fail-ure to punish wrongful behavior has sur-faced more than once in my consulting practice. In one case in which I worked as a litigation advisor for the plaintiff against an insurance company, there was a high volume of evidence that the same misconduct (forgery of a particu-lar policy-holder document) had been committed by as many as thirty sales agents over a 10-year period, yet only one agent seems to have been terminated for committing that felonious behavior. The company did virtually nothing to sanction the forgeries, to report them to the proper authorities, or to effect even a minimal change in organizational pro-cedures to help prevent its recurrence. Through choosing to dis-validate com-

Continued on page 13

C O R P O R A T E C O M P L I A N C E & E T H I C S :G U I D A N C E F O R E N G A G I N G Y O U R B O A R D

Name

Title

Company

Address

City

State Zip

Phone

Fax

E-mail

Format: DVD VHS

Mail to: SCCE 6500 Barrie Road, Suite 250 Minneapolis, MN 55435Phone: (888) 277-4977

Total Payment $ ______________

Purchase Order # _____________ Check/Money Order VISA MasterCard

Number

Exp. Date

Name of Card Holder

Signature of Card Holder

Please make check payable to:Society of Corporate Compliance and Ethics (SCCE)

FAX: (952) 988-0146Online: www.corporatecompliance.org E-mail: [email protected]

ORDER TODAY! Non-Members $395 SCCE/HCCA Members $345

www.corporatecompliance.org

“ This video provides an overview of the Board’s role in compliance.”

Odell Guyton Senior Corporate Attorney, Director of Compliance,Microsoft Corporation

“ It’s pretty clear that the best compliance program in the world is meaningless, even if it’s funded with a good well-meaning compliance officer, if the leadership of the company is not behind it and isn’t supportive…”

Honorable Michael E. Horowitz Commissioner, United States Sentencing Commission

Bringing the vision of leadership together

with a compliant and ethical culture

13February 2007


pany norms against forgery by ignoring the wrongdoing, the insurance company sent an unmistakable message to its agents that the firm did not perceive such criminal behavior as organization-ally problematic. That the forgeries continued is not surprising, whether because of a lack of normative validation or a lack of deterrence, or both. It is use-ful to note that, despite strong evidence to the contrary, defendant claimed that the company had an effective, state-of-the-art compliance program with all of the elements required by the Federal Sentencing Guidelines.

Foremost, consistent and commensurate sanctioning will have a strong coun-teracting effect on the aforementioned individual agency to self-define non-compliant behavior as acceptable. It cuts across organizational rank and geograph-ic location. It offsets escalated commit-ments to wrongful conduct, reduces misinterpretation of observations, and thwarts both neutralizations and ratio-nalizations. And, separately, it deters.

Additional Compliance Related

Concepts from Organizational Sociology

The following lists only a few of the many sociological concepts that can be applied to organizational process and structure that may help elucidate poten-tial opportunities, motives, and errors that promote noncompliance. They can be explored in more depth at a later point.

“Trained Incapacity” (or “Trained Inability”)—Thorstein Veblen’s (and Kenneth Burke’s) well known phrase referring to specializing employee func-tion to such a great extent that the employee is unable to operate according

to any other expectations.5 Companies should communicate “standards and procedures” in such a way that employ-ees are encouraged to ferret out and oth-erwise anticipate problems-in-practice, and then report those anomalies when they arise.

“Myth and Ceremony”—Meyer and Rowan’s idea that organizations often adopt rules and structures to conform to societal and industry expectations in order to gain public legitimacy, even though the rules and structures may be inappropriate to that particular organization’s undertakings and therefore potentially generate opportunities for compliance breaches.6 Creating an inef-fective compliance program for the sake of having a compliance program is a good example of “myth and ceremony.”

“Liabilities of Newness”—Stinchcombe’s suggestion that new lines of commerce, new products and services, and inexperi-enced employees are likely to encounter circumstances about which there is insuf-ficient legal knowledge, thereby leading to potential compliance problems.7

“Structural Secrecies”—Vaughan’s concept, based on her work on the Challenger shuttle disaster, asserts that organizational hierarchical boundaries, high employee specialization, and other factors preclude important knowledge from being shared among those who require it, rendering some of the informa-tion inside organizations deficient.8 Risk of a compliance breach therefore increases as work and information cross intra-orga-nizational boundaries with limited facts.

“Error-amplifying Decision Traps”—Schulman posits that relatively simple

errors within organization are exacer-bated because efforts to structurally cor-rect them or hide them from others will necessarily involve more individuals who may inevitably increase the degree of noncompliance.9

“Authority Leakage” and “The Law of Diminishing Control”—Concepts put forth by Tullock and Downs, respective-ly, whereby the more complex an organi-zation becomes, the weaker the control over subunits exercised by higher man-agement.10 More precisely, subunits are necessarily given more autonomy over their decisions in complex organizational structures, and those decisions are often based on competitive operative goals of the subunit that conflict either with the overall goals of the organization or with legal requirements. Authority Leakage and the Law of Diminishing Control undoubtedly constitute much of the reasoning behind the U.S. Sentencing Commission’s requirement that larger organizations be held to higher expecta-tions for professional compliance pro-gramming.11

“Tacit Knowledge”—Collins’s assertion that only those who carry out certain organizational tasks have intuitional knowledge that can not be communicat-ed to managers because it is intuitional. Managers then make ill-informed deci-sions based on their lack of tacit knowl-edge (inexperience associated with those tasks), thereby increasing the risk for a compliance problem.12 Meaningful feed-back from those who are actually doing the work and who possess the intu-itional knowledge is, therefore, essential before the need for modification can be identified and subsequent changes

Organizational sociology as compliance ...continued from page 11


14February 2007


Organizational sociology as compliance ...continued from page 13

properly implemented. There is also a “Micropolitics of Knowledge”—Lazega’s contention that managers and others who make decisions in organizations informally sift through large amounts of information and pick that which conforms to the expectations of others, thereby excluding certain knowledge that may be important in promoting compliance.13 Too much information, like too little, can lead to noncompli-ance. Organizational knowledge is much more complex than the mere “commu-nication of standards and procedures,” and compliance programs must examine systematically the ways in which organi-zational knowledge is handled by their organizational actors.

“The Deterrence Trap”—Coffee’s obser-vation that individuals and organizations can be dissuaded from wrongful activity only to the point they are able to meet the penalty that is threatened.14 Once a compliance breach is committed by an employee or an organization and the punishment reaches the maximum that the violator is able to pay (e.g., termina-tion in the case of an employee or crimi-nal fine dollar amount in the case of an organization), there is no meaningful additional threat to stop further acts of noncompliance.

Conclusion

Perhaps the most instructive sociologi-cal thought on which to conclude this article is: “Beautiful theories often turn into ugly practices.” An idea that appears to be excellent at the time it is concep-tualized may surprisingly produce unan-ticipated negative consequences later on. One of the most significant examples of this axiom in the field of compliance surfaced in the “Report of the Advisory

Group on Organizational Guidelines to the United States Sentencing Commission” regarding the inherently contradictory “litigation dilemma” asso-ciated with compliance efforts in gener-al—the very same information generated by organizations to strengthen their legal compliance can be used against them in civil and criminal proceedings, thereby discouraging organizations from ever gathering that information.15 Designers of compliance programs should be skeptical about the “beautiful” program elements they create, and know that any one of them may have unintended nega-tive consequences that may promote, rather than reduce, noncompliance.

The foregoing has attempted to introduce an initiative to the field of organizational compliance to more routinely integrate ideas from the sociology of organiza-tions into compliance programming. The general theme is that effective compli-ance programs can not be fashioned in a purely legalistic framework without con-sidering the nature of human beings and how they are affected by organizational structures and processes. Unless compli-ance programs are regularly evaluated through “compliance analysis,” many of the “traps,” “ugly practices,” “liabilities,” “prophesies,” “dis-validations,” “leakages,” and “secrecies” discussed above are likely to go undiscovered, thereby increasing organizational exposure to risks for com-pliance failures. ■

Gary S. Green (Ph.D. University of Pennsylvania, M.A. Rutgers University, B.A. University of California) is Associate Professor of Government at Christopher Newport University (Newport News, VA). Gary began the Compliance Analysis con-sulting firm in 2003 (www.compliancean-

alysis.com), through which he works with organizations and attorneys on compliance issues. He has advised the Japanese Ministry of Justice about ways to combat organiza-tional wrongdoing in Japan, has authored or co-authored more than forty publica-tions, and has taught about organizational legal compliance at the university level for more than a quarter-century. Gary is the 2006-2008 Senior Fellow for Corporate Citizenship at the Magellan Center (www.magellancenter.org) and a member of SCCE. He can be reached at [email protected].

1. Dr. Diane Vaughan of Boston College has conceptualized this general paradigm in D. Vaughan, “The Dark Side of Organizations: Mistake, Misconduct, and Disaster,” Annual Review of Sociology (1999) Volume 23, pp. 271-305. In addition to the sociology of organizations, there is also a considerable literature in “OCB,” or “organizational citizenship behavior,” that is equally as important to meaningful understanding of human behavior within organizations. If there is a discernable difference between the two fields, OCB tends to focus more on individuals’ behavior within organizations and the sociology of organizations, at least the branch that is the focus of this article, treats organizations as settings that routinely produce conditions likely to generate deviant conduct. Both perspectives are important in regard to recognizing the nature of human behavior within the organizational setting for the purposes of successful compliance.2. Although this article concentrates on organizational settings which can routinely produce conditions likely to generate deviant conduct, all work in the social science of organizations should be considered in compliance and ethics programming. This would include psychology—see, e.g., J. Dienhart, D. Moberg, and R. Duska, The Next Phase of Business Ethics: Integrating Psychology and Ethics (New York: JAI Press, 2001).3. D. Ermann and G. Rabe “Corporate Concealment of Tobacco Hazards,” Deviant Behavior (1995) Volume 16, pp. 223-44.4. See the current U.S. Sentencing Guidelines, Section 8B2.1(b)(6). 5. T. Veblen, The Instinct of Workmanship and the State of the Industrial Arts. New York: MacMillan, 1914, p. 347; K. Burke, Permanence and Change. 1935. Berkeley, CA: University of California Press, 1984. See Erin Wais’s detailed discussion of the origin and contexts of the phrase “trained incapacity” at http://kbjournal.org/node/103 .6. J. Meyer and B. Rowan, “Institutionalized Organizations,” American Journal of Sociology (1977) Volume 83, pp. 340-63.7. A. Stinchcombe, “Social Structure and Organizations” (1965), pp. 142-93 in J. March (ed.) Handbook of Organizations. Chicago: Rand McNally.8. D. Vaughan, The Challenger Launch Decision. Chicago: University of Chicago Press, 1996.9. P. Schulman, “The ‘Logic’ of Organizational Irrationality,” Administration and Society (1989) Volume 21, pp. 31-33.10. A. Downs, Inside Bureaucracy. Boston: Little Brown, 1967; G. Tullock, The Politics of Bureaucracy. Washington, D.C.: Public Affairs Press, 1965.11. U.S. Sentencing Guidelines, 2(C)(ii) of Commentary to §8B2.1 (“Effective Compliance and Ethics Program”). 12. R. Collins, “The Place of the ‘Core-set” in Modern Science,” History of Science (1981) Volume 19, pp. 6-19.13. E. Lazega, The Micropolitics of Knowledge. New York: Aldine de Gruyter (1992),14. J. Coffee, Jr., “‘No Soul to Damn; No Body to Kick’: An Unscandalised Inquiry Into the Problem of Corporate Punishment” Michigan Law Review (1981) Volume 79, pp. 386-459. See also G. Green and M. Bodapati “The Deterrence Trap in the Federal Fining of Organizations,” Criminal Justice Policy Review (2000) Volume 10, pp. 547-559.15. Report of the Ad Hoc Advisory Group on the Organizational Sentencing Guidelines(October 7, 2003) http://www.ussc.gov/corp/advgrprpt/advgrprpt.htm See the discussion beginning on page 117.

15February 2007


Call for Authors

Anyone interested in submitting an article for publication in Compliance & Ethics:

Contact Marlene [email protected]

(888) 277-4977

Compliance & EthicsThe Society of Corporate Compliance and Ethics (SCCE) is seeking authors for upcoming issues of Compliance & Ethics. We welcome all who wish to propose corporate compliance–related topics and write articles.

Topics to consider: Acquisitions, mergers, RFP, insurance, incorporating

compliance review in processes Compliance training—senior management

versus non-management Security Investigations—attorney privileges Evaluation of software and technology relevant to compliance Professional liability, audit, accounting Education/communication/marketing Enterprise risk management—risk-based assessments Articles addressing “hot” compliance issues in your profession

Articles when the topic allows, should include “how to” tips. Articles generally run between l,250 and 2,500 words.

16February 2007


Editor’s Note: David Simon is Founder and President of WeComply, Inc., which develops and delivers online compliance training on a broad range of law-related topics. As a trial and appellate lawyer he has created computer-based training pro-grams for both lawyers and non-lawyers. He is a frequent speaker and writer on compliance and employee-training issues. David may be reached at [email protected].

Not that long ago Neil Armstrong and Michael Jackson moon-walked

across the TV screen, and employees shared secrets at the watercooler. Today George Bush’s war on terror and Donald Trump’s war on Rosie O’Donnell play out on YouTube, and employees share secrets via e-mail, instant-messages (IMs) and MySpace. The corporate-compliance issues of yesteryear—antitrust and for-eign bribery—are still with us, but now they’re dwarfed by issues of information security and electronic discovery. In the new normal, every “connected” employ-ee—and virtually every one of that employee’s “e-communications”—poses a potential compliance risk.

What Are Employees Doing?

With e-mail having recently celebrated its 25th birthday and the Web approach-ing its 20th, surely employees have come to understand the proper use of these seminal e-communication tools. NOT! Consider these statistics:

■ Of the 1.86 hours per eight-hour workday that the average employee admits to wasting (not including lunch and scheduled break-time), 52% of employees cite Web-surfing as their primary distraction.1

■ 26% of U.S. employers have termi-nated employees for e-mail or Internet misuse.2

■ 13% of companies have been involved in litigation related to inappropriate employee e-mails.3

Employees’ use of IMs is even more out of control, to wit:■ 50% of employees have downloaded

free IM tools from the Internet that 26% of their employers aren’t even aware of.

■ 24% of those employees use their workplace IM tool to send jokes, gos-sip, rumors and disparaging remarks.

■ 12% use IM to transmit confidential employer, employee and client infor-mation, while 10% use IM to engage in sexual, romantic and pornographic chat.4

Data-gathering on inappropriate e-com-munication activities can’t keep pace with the evolution of new e-communication modes such as blogging, text-messaging, YouTube-ing and Second Life exploring. But anecdotal evidence suggests that each of these new modes is rife with potential for employee/employer liability on any number of legal theories.5

What Do Employees Understand about

What They’re Doing?

Here again, the numbers paint a scary picture for companies and their compli-ance/legal departments:■ 92% of employees did not believe they

had ever sent a risky e-mail message, yet 68% actually had sent or received messages that put their employers at risk.6

■ Just fewer than 50% of employees didn’t know that personal e-mails, IMs, web searches and unsent word-processing files created on their work computers could be archived by their employers.[We are constantly preach-ing that e-mail and other personal info is not a business “record” and should not be retained so I wonder if this sentence could be re-written? The message we’re trying to get across so that employees don’t save too much in their system is that not everything is a business “record”].7

■ While 34% of companies have written e-mail retention/deletion policies in place, fully 34% of their employees don’t know the difference between business-critical e-mail that must be saved and insignificant messages that may be purged.8

e-Communications: are your employees reliable or e-liable?

By David J Simon, Esq.

DAV

ID J

SIM

ON

17February 2007


In view of these statistics, it’s no sur-prise that 24% of organizations have had employee e-mail subpoenaed, and 15% of companies have gone to court to battle lawsuits triggered by employee e-mail.9

What Are Employers Doing about

All of This?

As of 2004, four in five companies had promulgated policies regulating employee e-mail and Internet use (though 46% of these companies had not trained their employees on those policies), but only 20% of companies had policies governing IM use and content.10 As of 2005, less than 10% of companies had policies on blogging by employees.11 Inappropriate use of email has resulted in the termination of employees by 26% of employers, while only two percent have dismissed employ-ees for improper IMs or blog posts.12

Given these facts and figures, it’s no surprise that more and more employ-ers—now about 75%—monitor their employees’ e-communication activities at least to some degree. That number is bound to grow for several reasons:■ It’s not that costly or difficult to do,13

and the benefits of preventing and detecting wrongdoing are significant.

■ Companies that don’t monitor may be viewed as having failed to take reasonable precautions against e-com-munication problems—i.e., as being negligent.14

■ When e-communication problems arise, courts now expect companies to have comprehensive policies and pro-cedures in place for organizing their electronically stored information.15

Monitoring practices vary, but an increasing number of employers—about

one in three—record every keystroke on their employees’ work computers. Thus, whether employee e-commu-nication activities are business-related or personal, sent via company e-mail or a Gmail account, typed on the company’s messaging system or AOL InstantMessenger—everything done on a work computer could show up on the employer’s radar.

What’s Left for Employers To Do?

Whether from a lack of knowledge or caution by employees, or a failure to monitor or discipline by employers, inappropriate computer use is a fact of life in today’s—and likely tomorrow’s—workplace. Accordingly, it’s more impor-tant than ever for employees to know

(a) how applicable laws and company policies should shape their day-to-day e-communication activities at work, and (b) how a failure to understand this can lead to terminations and potentially dev-astating employee/employer liability.

Employers should do their utmost to impart this understanding to employees in training that goes beyond a didactic summary of the law and helps employees understand how each of their e-commu-nication activities has liability/termina-tion potential if not used carefully and effectively.

David Simon is Founder and President of WeComply, Inc., which develops and delivers online compliance training on a broad range of law-related topics. A trial and appellate lawyer for 14 years, he has created hundreds of computer-based training programs for both lawyers and non-lawyers over the past decade-plus. He is a frequent speaker and writer on com-pliance and employee-training issues. ■

1. Wasted Time At Work Still Costing Companies Billions in 2006. (aol.salary.com/careersandwork/salary/articles/atcl_careeradvice.asp?atc=573).

2. 2005 Electronic Monitoring & Surveillance Survey: Many Companies Monitoring, Recording, Videotaping—and Firing—Employees. (www.amanet.org/PRESS/amanews/ems05.htm).

3. 2004 Workplace e-mail and instant-messaging Survey Summary. (www.epolicyinstitute.com/survey/survey04.pdf ).

4. 2006 Workplace E-Mail, Instant Messaging & Blog Survey: Bosses Battle Risk by Firing E-Mail, IM & Blog Violators.(www.amanet.org/press/amanews/2006/blogs_2006.htm).

5. See www.michaelhanscom.com/eclecticism/2003/10/of_blog-ging_and.html; www.usatoday.com/money/workplace/2005-06-14-worker-blogs-usat_x.htm; www.hhnlive.com/rumours/more/84; www.out-law.com/page-4466.

6. Risky Business: New Survey Shows Almost 70 Per Cent of Email-Using Employees Have Sent or Received Email that May Pose a Threat to Businesses. (www.fortiva.com/news/pr_harris-survey.html)

7. Nothing Personal: Survey of Computer Use at Work. (For sur-vey report, go to: www.wecomply.com/land/esi1.htm)

8. 2006 Workplace Survey, op cit.9. 2006 Workplace Survey, op cit.10. 2004 Workplace Survey, op cit.11. 2006 Workplace Survey, op cit.12. 2006 Workplace Survey, op cit. The latter numbers maybe

reflect decreased monitoring of these e-communication modes rather than less misconduct by employees.

13. Monitoring Employee Communications in the Enterprise. (www.cio-today.com/story.xhtml?story_id=022000RAX40I).The market for this “secure content-management” software (including applications that monitor Web-surfing, e-mail, IMs and keystrokes) is expected to grow to $6.4 billion, more than double what it was three years ago.

14. Martinek, Paul M. Latest Risk to IT Management: Not moni-toring Computer Use. Comply. Week. Sept, 2006. p 62-63.

15. United States: Federal Courts Adopt Electronic Discovery Rules. (www.mondaq.com/article.asp?articleid=45044&searchresults=1)

A Case for Monitoring

In a recent New Jersey case, Doe v. XTC Corp., a company was aware that one of its employees was engaging in child-pornography activities on his work com-puter. The company issued a warning to the employee but failed to investigate further. Following the employee’s arrest, police discovered a cache of photos that had been stored and e-mailed, includ-ing several of the employee’s 10-year-old stepdaughter. The girl’s mother brought suit against the employer, claiming that the employer had negligently failed to report the employee’s unlawful conduct to the police. Although the trial judge dismissed the case, an appeals court reversed, holding that an employer could have a duty to prevent a crime from being committed against a third party. The court emphasized that the employer possessed and could have implemented software to monitor the employee’s Internet activity.

18February 2007


The Society of Corporate Compliance and Ethics (SCCE) began developing its professional certification program in 2005. The development process took more than a year of work by a 16-member SCCE certification com-mittee and the assistance of an outside certification development firm, Applied Measurement Professionals (AMP).

As a result, corporate compliance and ethics professionals can now earn a professional credential from one of the largest and most-respected member-ship organizations supporting their field. This credential — the Certified Compliance and Ethics Professional (CCEP) — represents the only certifica-tion available in the U.S. for corporate compliance and ethics professionals.

The benefits of the CCEP certification are many:• To demonstrate professional standards

and status for compliance professionals• To heighten the credibility of compli-

ance practitioners, and enhance the credibility of compliance programs staffed by these certified professionals

• To assure that each certified practitio-ner has the knowledge base necessary to perform the compliance function

• To facilitate communication with other industry professionals, such as government officials and attorneys

• To demonstrate the hard work and dedication necessary in the compli-ance field.

To sit for the CCEP exam, candidates must have fulfilled specific work experi-ence and continuing education require-ments. To review these qualifications, see the CCEP Candidate Handbook, which is available online at http://www.corporatecompliance.org/CCEP/docs/CCEP_2006_handbook.pdf.

In September 2006, 106 individuals earned the CCEP credential. These professionals are found online at http://www.corporatecompliance.org/CCEP/docs/CCEP_roster.pdf. What follows are interviews with some of these accredited professionals.

Editor’s Note: This interview with Marti Arvin JD, CHC, CIPP/G, CCEP,CPC Privacy Officer, University of Louisville was conducted in December with three CCEP designees. Achieving certification has required a diligent effort by these individuals.

MA: What is your professional back-ground (e.g., attorney, financial person, operational person, etc.)? CP: Attorney

MA: How did you become involved in the compliance profession?

CP: It is a part of my job as the VP Administration and Governance, and Ethics and Compliance Officer. Previously, I performed the compliance function in my role as General Counsel. Most of my 20-plus year career in gov-ernment contracts I have worked in the world of compliance in different roles.

MA: What prompted you to sit for the Certified in Compliance and Ethics Certification (CCEP) exam?CP: I wanted to have the credentials that reflected my expertise and experi-ence in compliance.

MA: Are you aware of the process used to develop the CCEP credential? If you are, was this process a factor in your decision to seek the credential?

featurearticle

Meet Marti ArvinPrivacy Officer, University of Louisville

19February 2007


CP: I was generally aware of the pro-cess. It was a factor in my decision.

MA: What benefit do you hope to achieve personally and/or professionally with your CCEP certification?CP: I plan to use it along with my legal credentials to achieve the best com-pliance program possible. I plan to use it to finish out my working career in the compliance field.

MA: Did your company pay for you to sit for the CCEP exam or did you decide to pursue it on your own? CP: My company paid for me to sit for the CCEP.

MA: What would you say to someone thinking of taking the CCEP exam? CP: Take the exam, get the creden-tials, and continue to maintain it with continuing education. That way you can get credit in your organization for doing the best possible job in compliance, because you will have the credentials and continuing education.

MA: If someone asked you how to study for the CCEP exam, what would your answer be?CP: I would review the USSC

(United States Sentencing Commission) requirements for an effective compli-ance program. Take the practice exam questions in the CCEP exam handbook first to identify areas where additional work is needed. Attend the SCCE Compliance & Ethics Institute and tai-lor my courses to the areas described in the CCEP exam handbook final detailed content guidelines where you have identified yourself as needing additional instruction. Lastly, get a good night’s sleep and relax.

MA: What is the importance of the CCEP credential related specifically to compliance work with your organization? CP: In my role as the Ethics and Compliance Officer, these credentials will help me by certifying that I have a level of knowledge above those who do not have the credential. Along with my expe-rience, I will start out with more credibil-ity as I solve problems that arise. ■

Joe Murphy interviewed by Marti Arvin

MA: What is your professional back-ground?JM: I am an attorney.

MA: How did you become involved in the compliance profession?JM: I got involved in compliance in 1976, when I was first hired into the law department of a company and started doing antitrust compliance work. I grad-ually expanded this into other aspects of compliance and came to see compliance as a separate field requiring a skill set different from being a lawyer.

MA: What prompted you to sit for

the Certification in Compliance and Ethics Certification (CCEP) Exam?JM: I believe that it is extremely impor-tant for this field to become a strong profession. The certification process is a major step forward in that direction.

MA: Are you aware of the process used to develop the CCEP credential? If you are, was this process a factor in your decision to seek the credential? JM: I was aware of the rigor required in developing this program, and was impressed by the amount of research and work that went into it, and the profes-sional nature of the process.

MA: What benefit do you hope to achieve personally and /or professionally with your CCEP certification? JM: I expect that for me the CCEP title will help communicate to others how strongly I support professionalizing this field. It shows that I consider com-pliance and ethics as something different from the practice of law.

MA: Did your company pay for you to sit for the CCEP exam or did you decide to pursue it on your own?


SU

SAN

GA

SPA

RIA

N

JO

E M

UR

PHY

20February 2007



JM: I paid for this on my own.

MA: What would you say to someone thinking of taking the CCEP exam? JM: I think anyone interested in compliance and ethics should consider this. Even for someone who has been in the field for 30 years, as I have been, there is value in taking time to review the various reference materials and re-focus on what this field is about. For anyone new to the field, preparing for certification is a good, disciplined way to study the field.

MA: If someone asked you how to study for the CCEP exam, what would your answer be?JM: I have heard Roy say the real reference point is the Sentencing Guidelines standards and I agree. But it is also true that one should have a broad feel for what is involved in the day-to-day work in this field. While the exam is not a test of legal skills, you should have some awareness of the legal environment companies face before taking this exam.

MA: What is the importance of the CCEP credential related specifically to compliance work with your organiza-tion? JM: My work involves dealing with compliance professionals in a variety of organizations. The CCEP certification will communicate to them that this is a profession and that I strongly support professional standards for those who do this work. ■

Susan Gasparian and Marti Arvin

MA: What is your professional back-ground (e.g., attorney, financial person, operational person, etc.)?

SG: Attorney with Ford Motor Company for over 26 years.

MA: How did you become involved in the compliance profession?SG: After 20 years as an interna-tional attorney, I moved to Ford’s Legal Compliance and Strategy Group in January 2006. At that time, Ford was expanding its formal legal compliance program to affiliates in Asia and South America so my background was a good fit. While I had significant compliance responsibilities as an international attor-ney at Ford, the entire focus of my new position is compliance.

MA: What prompted you to sit for the Certified in Compliance and Ethics Certification (CCEP) exam?SG: After many years in one posi-tion at Ford, I started in the compliance group by trying to learn my responsibili-ties for the compliance position. While it would have been nice at the start of this job to think about the “big picture” of compliance and ethics, like many people, I had to start right in with learn-ing my specific responsibilities, filling in the background when I had time. After several months, I thought that if I was going to seriously work as a compliance professional, I needed to begin to under-stand that “big picture” of compliance and ethics. That was also about the time I started seeing the references to the CCEP exam on the SCCE web site. The more I learned about the certification process, the more it seemed to meet my need to understand compliance and eth-ics beyond my day to day job responsi-bilities.

MA: Are you aware of the process

used to develop the CCEP credential? If you are, was this process a factor in your decision to seek the credential?SG: I was not aware of the process at the time I first decided to take the exam, but before I took the exam, I found out as much as I could about how it was developed and why.

MA: What benefit do you hope to achieve personally and/or professionally with your CCEP certification?SG: From either point of view, by achieving this certification and main-taining the certification with continuing education, there is a benefit in thinking of compliance and ethics as a distinct profession, separate from practicing law, which is my background. While I am still an attorney, I now think of myself as a compliance and ethics professional as well. For example, in preparing for the CCEP exam, I began to focus more on compliance and ethics generally–the issues and trends, and how to identify and analyze issues from a compliance point of view, rather than providing legal advice.

MA: Did your company pay for you to sit for the CCEP exam or did you decide to pursue it on your own? SG: Since I took the CCEP exam the first time it was given, there was no charge. However, I also attended the SCCE Annual Compliance and Ethics Institute which preceded the first exam, in order to prepare for the CCEP exam and to ensure that I had sufficient con-tinuing education credits. My company paid for my attendance at the Institute.

MA: What would you say to someone

Meet Joe Murphy ...continued from page 19

21February 2007


by Frank J. DalyFRANKLY SPEAKINGFRANKLY SPEAKING

Editors Note: Frank Daly has been involved in the business ethics movement for almost 20 years. He directed the ethics program on a number of levels for a $30 billion Fortune 500 corporation since the program’s inception in 1986. From 1996 to his retirement in late 2004, Frank was the corporate ethics officer responsible for plan-ning, directing, and executing the compliance program for the company’s 125,000 employ-ees. Over the years, Frank has addressed a variety of audiences on the subject of business ethics. Watch for Frank’s new book entitled An Ethics Officer’s Perspective. He can be contacted at: [email protected]

It is encouraging to see that Ethics is front and center as a compel-ling issue with the recent change

in Congress. The problem is that while Congress and almost all public entities use Ethics to describe their committees/commissions, most of these bodies oper-ate in terms of rules only.

Nevertheless, though many people in business would take umbrage at the suggestion that they have similarities with politicians, there are lessons to be learned for business. We are, after all, part of the same society, and both sectors reflect what our culture—and those of western free-market democracies—value. The private sector can learn from the public sector and vice versa.

I encountered a case in point on a recent trip to the Irish Republic. On December 19, 2006, the Moriarty report was released. It was the result of a nine-

year inquiry into the conduct of the late Taoiseach (Prime Minister) Charles Haughey. Haughey was perhaps the most important public figure in Ireland during the second half of the twentieth century. The commission found that between 1979 and 1996 Haughey had enriched himself with payments (from sources other than his compensation from the state) to the tune of 35 million Euros in today’s value. These payments “funded Mr. Haughey’s conspicuously lavish life-style beyond what his relatively modest salary should have afforded him.”

The commission also criticized Ireland’s largest bank for its “forbearance” in a debt settlement with Mr. Haughey. It amounted to “…an indirect payment or, benefit equivalent to a payment.” Thus we have a leader unconscionably enrich-ing himself and an institution forgiving loans to same. Sound familiar?

During the period in question, the cur-rent Prime Minister, Bertie Ahern, co-signed blank checks provided to his party leader’s account. The Commission found that Ahern was not aware that Haughey was using the money for personal needs rather than its intended purpose, but was nevertheless, highly critical of the practice. Among the comments made by Ahern in response was that such a prac-tice was commonplace. It sounds very close to the opinion of the lawyer advis-ing the Hewlett Packard board member that “pretexting was apparently a com-mon investigatory method.”

In other words, everyone was doing it. I wonder if we will ever get to the stage where a statement that “no laws were violated but the practice was highly

inappropriate” will not be seen as pro-viding comfort, but rather damning with faint praise. If the practice was common-place, perhaps we have to change our response to that. Rather than providing comfort, should it be a red flag?

The opinion of Marianne Jennings, JD in her new book “The Seven Signs of Ethical Collapse” should be instruc-tive here. “However, the law was never intended to be the maximum for stan-dards of behavior. The law represents the minimum standard of behavior required. We are permitted to do more than the law requires and less than the law allows. A company can be teetering ethically without crossing legal lines.”

Haughey’s nickname was “The Boss.” In his eulogy at Haughey’s funeral, Ahern addressed him as “boss” and called him a “patriot to his finger tips.” With char-acteristic wit, the Irish Times noted that those patriotic fingertips found their way into a lot of pockets.

It won’t help to protest that you did nothing illegal in the face of such wit. We must learn to deal with a larger real-ity. Reputation is not saved by legal pre-cision. It’s saved by ethical action. Rules are important, and the consequences of violating them can be severe. Frankly, however, ethics is a much larger and more complicated reality. Taking refuge in rules can reduce your fine, but it can also blind you to the impact of Saturday Night Live or a cartoon that helps to devastate your stock price. ■

22February 2007


I recently received a copy of a compliance article that had been published in The Chronicle of Higher Education. This article was an overwhelming condemnation of compliance profession-als and compliance programs. It was entitled “The Compliance Racket,” and was written by a lawyer from a major university. I have seen a few anti-compliance rants before, but this one was off the charts. I am going to leave out the author’s and the university’s names, as I am not interested in smearing his institution any more than he already has.

I am very familiar with this institution. One of their compli-ance professionals has been a member of one of our associa-tions for almost nine years. They are committed to compliance and have contributed to the development of the compliance profession. They don’t deserve the damage this author has caused to their reputation, and they are very upset. The author is from their legal department but was probably speaking from his position as a philosophy professor, a fact he did not make clear. This whole discussion should probably have been kept in the classroom as an academic exercise.

The following is an excerpt from my response to the article, which I believe will be printed in the next issue of The Chronicle. “In his article, the author misrepresents the value of the U.S. Sentencing Guidelines, implies that people in the enforcement community are barbarians, and says that invest-ing in compliance programs is akin to paying off the Mob.” I went on to explain why I thought that was wrong.

Included in his article was the great-est collection of misinformation on compliance I have ever seen. I have observed a few people, with no appar-ent knowledge on the subject, write anti-compliance articles, but this one takes the cake. What is the most dam-aging is that the average reader may think that the author is some sort of expert because he has a law degree and works in a legal department. He neglected to tell the reader that he is a tax attorney, a subject he probably should have stuck to.

Here is a quote from his article. In fact, he summarized the article with the following statement: “Compliance programs ultimately serve a self-defense purpose. They are good for an institution in the way that paying protection money is good for a business that is being squeezed by the mob. If have them we must, let us at least recognize that the value of such pro-grams lies less in instilling law-abiding behavior than in keep-ing the barbarians from the door.”

After Enron, WorldCom, Tyco, and with more corporate scan-dal on the news daily, this sort of philosophical banter is of limited value. It’s especially not funny to compliance officers who are concerned that their staff will be running down the halls saying, “I told you; you are wasting my time! Because the author is a lawyer from the legal department in a major uni-versity, he must be right. I am no longer compelled to spend time on compliance.” When I was a compliance officer at the University of Wisconsin, I got this type of response several times. Someone would grab some printed rant by some ill-informed individual and say that they were done cooperating.

Responding to his statements was like “shooting ducks in a pond.” His article was ill-conceived, inaccurate, and badly timed. I also forwarded the article to several people whom I thought might want to respond. The compliance community was on fire.

The outcry and response to his article reminds me of watch-ing a building implode. The world has come crashing down on the author’s head. Several people have written a response to the article for publication in the next issue of The Chronicle, including a professor from Xavier, a University of Minnesota compliance officer, a compliance attorney, and someone

ROY SNELL

RO

Y SN

ELL

I have seen a few anti-compliance rants before, but this one was off the charts.

23February 2007


from the Department of Justice. I have been assured by The Chronicle that they will print as many responses as space allows. The next issue will be an interesting read. Some indi-viduals have been so bothered by the article that they have contacted the University directly. This lawyer is probably now on a first-name basis with his Chancellor.

It is possible no one from his organization saw the article prior to publication. Can you imagine what the leadership thought when they opened up their copy of higher education’s most respected publication? Imagine an article, written by one of your employees, which discredited compliance professionals, compliance programs, and the enforcement community; and misrepresented the value of the U.S. Sentencing Guidelines. Oh the humanity!

This guy clearly should have shared his thoughts with someone in a leadership position prior to sending in the article. They have discussed it with him now. I can hear him explaining to his superiors about free speech and other academic defenses. The problem is that free speech comes with some responsibil-ity. The classroom is a great place for debate; but when some-one puts themselves out there as an expert in the field and presents their opinion in this way, they can cause problems for a lot of people.

Academic debate and free speech are important to all of us. However, flippant, theoretical ranting on such a sensitive topic from ill-informed people, who end up hurting the tire-less efforts of others, bothers me. How can we help stop the endless investigations, fines, penalties, and bad PR with this sort of misinformation? It may be entertaining to him, but his entertainment should not come at the expense of others. Free speech is alive and well, but you can’t yell fire in a crowded theater, and you probably shouldn’t write articles like this. Many people are upset and believe he has set back their com-pliance efforts; all at a time when academia has so many ongo-ing investigations. It’s unbelievable!

The academic community is rife with compliance issues. Several universities have gotten into trouble on issues rang-

ing from the death of a research patient to professors getting caught for going through a 90-page online ethics training course in less than two minutes. I have also heard that a lead-ing research journal is publishing several articles on academic research fraud. This is a bad time to discourage compliance efforts in academia.

I can’t imagine what was going through his mind. It’s like a four-year-old child finding a stick of dynamite and wondering what would happen if he lit the little stringy thing at the end of the tube. I can just see him marveling at the fiery sparkles as the fuse burns down, waving it in the air with a smile on his face. Then…BOOM. If this was a joke, he didn’t say so. If it was a joke, it was really bad timing. If it was some kind of ill-conceived academic exercise and an extension of his philosophy classroom, he did not say so. He presented it as an expert opinion coming from a legal counsel, in a legal depart-ment, in a major academic institution. He mentioned that he was a philosophy lecturer, but at the front of his title, he listed University Counsel. It was bad form.

I really get tired of complaints about our legal system. Of course it is complicated, expensive, and requires effort. It’s easy to ridicule lawyers, the enforcement community, and compli-ance professionals. What I don’t understand is what these people would suggest as an alternative. You don’t have to look far to find a country that has limited rule of law, no enforce-ment, and no compliance; where their economy is in shambles and their people and their culture suffering.

The Society of Corporate Compliance and Ethics helped make sure that the next issue of The Chronicle of Higher Education will be replete with feedback. That’s what an effective profes-sional association does. It helps represent the profession. It can do so because it has dedicated resources and a large network.

Perhaps this author has actually helped the compliance com-munity. If the outcry to this article is as strong as it appears to be, the message to all academic employees will be that compli-ance is important. Anyone who reads the responses will think twice before following this guy’s lead. Maybe we should ask him to join a panel of experts debating the virtues of compli-ance programs at our next meeting. I am thinking he may have some trouble getting permission. ■

This is a bad time to discourage compliance

efforts in academia.

24February 2007


Auditing a compliance and ethics program

By Dan Swanson and José Tabuena

Editor’s Note: Dan Swanson, CIA, CMA, CISA, CISSP, CAP is President and CEO, Dan Swanson and Associates. He is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors (IIA) As an independent audit consultant Dan has completed audit projects for many govern-ment, federal and private sector organiza-tions. Presently, Dan is a Compliance Week columnist and has a monthly column with IT Compliance Institute. José Tabuena is with the Center for Corporate Governance at Deloitte & Touche USA LLP and has previously served as a compliance officer and in-house counsel. He is a member of the Advisory Board for Compliance & Ethics.

Broadly understood, assuring compliance with an organiza-tion’s policies and procedures, as

well as legal and regulatory requirements, is an important activity that supports the functioning and reputation of successful organizations. Monitoring and maintain-ing compliance is not just to keep the regulators happy; compliance with regula-tory requirements and the organization’s policies and procedures is also a critical component of an effective enterprise-wide risk management program and is a sign of good corporate governance. It is an impor-tant way in which an organization achieves its business goals, sustains its ethical health, works towards long-term prosperity, and preserves and promotes its values.

This article focuses on leading practices regarding auditing compliance and eth-

ics programs. References are included for those who are charged with governance responsibilities and professionals tasked with completing an audit of a compliance and ethics (C&E) program. An “audit” of the program can provide an independent and objective assessment on the appro-priateness and adequacy of the C&E pro-gram structure and the operating effective-ness of specific program C&E activities.

Auditing the C&E program can further provide a basis for identifying areas to improve and enhance the program. As such, the audit can serve as a technique to support assessing the performance and the effectiveness of the program.

An effective C&E program is best imple-mented as integrated processes that are owned by designated functions and managed by a senior executive who has overall responsibility and accountability. Compliance has proven to be a significant implementation and change management challenge, but it provides an opportunity to establish and promote “operational effectiveness” throughout the organization. The trend toward increased integration of governance, risk management, and com-pliance efforts1 (referred to as a “GRC”) is another emerging development. A well-conducted C&E audit can serve as a cata-lyst for change to assist the organization in linking these critical and related areas while supporting operational effectiveness.

This article draws extensively from the Open Compliance and Ethics Group

(OCEG) Internal Audit Guide, which was developed specifically to support the evalu-ation of a compliance and ethics program, and provide key concepts, issues, and rec-ommended audit practices to consider. We recommend that the OCEG IAG guideline itself be studied closely (see the resource sidebar for more information).

The measurement challenge

As with the testing and evaluation of entity-level controls under Sarbanes-Oxley §4042, the audit challenge with C&E programs is how to assess and measure the performance and overall impact of the program – including mak-ing any assertions on “effectiveness.” This has been an elusive challenge for compliance professionals since the U.S. Organizational Sentencing Guidelines became effective in 1991.

Although the 2004 amendments to the Sentencing Guidelines provide more rigorous criteria for defining an effective C&E program, it does not specify how to measure or otherwise determine if a particular program element is indeed operating effectively. One can agree with the case made in the amended Sentencing Guidelines that to have an effective pro-gram it should “promote an organization-

DAN

SW

ANSO

N

25February 2007


al culture that encourages ethical conduct and a commitment to compliance with the law”; but there is not yet a commonly accepted measurement technique to evaluate an organizations’ ethical climate or other features of the C&E program.

Still, some form of program evalua-tion should be undertaken to at least determine if program features are in place and to identify opportunities for improvement. The government itself will make an assessment of the C&E pro-gram in determining whether to indict an organization3 or when applying the credit under the Sentencing Guidelines for an organization that is charged (and they have retained independent experts to assist in the assessment).

Given the lack of the standard measure-ment technique, how should a C&E audit be approached? There are sev-eral considerations given that auditing C&E (and other governance processes) requires the examination of intangibles (such as the management philosophy and operating style of senior manage-ment) and where even tangible areas (such as policies and rules and employee perceptions) do not lend themselves to obvious measurement.

For example, substantive and process-oriented audits can be viewed as evalu-ating whether employees are actually complying with the law and are follow-ing corporate procedures (or controls) that have been put in place to foster law-compliant conduct. One could conduct a process audit to determine if an employee is adhering to required pro-tocols and then perform a substantive audit to determine if the resulting work product meets regulatory requirements.

In auditing a program, one must have a basis for making an evaluative assess-ment. One consideration is viewing a C&E program as effective compared to what? In addition to testing compliance with standards (e.g., transactions in the area had a 5% error rate), an organiza-tion can compare its practices to the Sentencing Guidelines criteria and other indicators—such as the COSO control environment framework, industry spe-cific standards, etc.

Another perspective is considering effectiveness compared to whom? An organization can look at its practices and benchmark to its peers, recognizing that others can appropriately approach program design with varying levels of rigor, each likely seeking to meet the spirit of a guide-line, framework, model, standard, criteria, etc., in light of their actual business risks.

More likely a C&E program audit is con-ducted to assess whether key features of the C&E program itself (e.g., distribution of the Code of Conduct, attendance at ethics training, hotline operations) have been implemented and are operating as intended. This type of audit may not ulti-mately answer the question as to whether C&E program activities are actually

reducing incidences of non-compliance but it can tell you if the design is in place and the program operating as intended.

Auditing the C&E program should thus be viewed as part of an overall evaluation process that alone is likely not sufficient to demonstrate effectiveness unless it is approached in a comprehensive manner.

A summary of potential audit and relat-ed evaluative approaches are as follows:

■ Review compliance program design, structure and processes

Identify effectiveness indicators Perform gap analysis—how do your C&E program features compare to established criteria and leading-edge practices?

Benchmarking—how do your pro-gram features compare to your peers?

■ Audit the program—assess imple-mentation

Validate operational features of the C&E program

Gauge awareness and perceptions on the C&E program and assess organizational culture (conduct cultural assessment surveys, focus groups, etc.)

■ Audit compliance with standards outcome/impact analysis Test whether transactions and activ-ities meet legal requirements and company policies and standards

Perform other analysis to evaluate whether C&E program activities are reducing the risks of misconduct

Periodic program evaluation

At a minimum, the board and manage-ment need to evaluate the design and operating effectiveness of the company’s

JO

SÉ T

ABUE

NA


26February 2007


Are you a member of a professional compliance and ethics organization? Join the Society of Corporate Compliance and Ethics!You may already have a strong compliance program in place, but changing times demand more. Join SCCE in developing a culture that says, “Let’s do it right!” SCCE membership can help move you and your organization closer to a total compliance spirit.

The Society of Corporate Compliance & Ethics (SCCE) is an international, non-profit organization solely dedicated to improving the quality of corporate governance, compliance, and ethics. Our mission: SCCE exists to champion ethical practice and compliance standards in all organizations and to provide the necessary resources for compliance professionals and others who share these principles.

Visit SCCE’s Web site at www.corporatecompliance.org

27February 2007


Please print:

First Name MI Last Name

Credentials Title(s)

Organization

Street Address

City State Zip Country

Telephone Fax

E-mail Address

What year did you start in the compliance and ethics field?

What is your industry?

How did you hear about SCCE? Booth at meeting Magazine ad Colleague Mailing Conference brochure Other(If you check “Other,” please list on the line above the publication, meeting, or colleague name)

What is your primary function? Please check only one. (If you check “Other,” please list above)

PrivacyAuditingInvestigationsBankingFraud examinersHR

LegalRisk managementITEducationEnvironmentalSafety

SOXSecurityCorporate secretaryOther (please list above)

Individual Membership . . . . . . . . . . . . . . . $295

Group Employee Membership . . . . . . . . . $250 (four or more from same company:

please fill out one form for each applicant)

Corporate Membership . . . . . . . . . . . . . .$1,500 (includes four individual memberships

plus corporate publicity benefits)

Government or Student Membership . . . . $150

Total Enclosed $

Check enclosed (payable to SCCE) Invoice me Purchase Order #

Charge my Credit Card: MasterCard Visa AmEx

Credit Card Number

Exp. Date

Name of Cardholder

Signature of Cardholder

Federal Tax Identification Number 23-2882664

MEMBERSHIP APPLICATION

6500 Barrie Road, Suite 250Minneapolis, MN 55435(888) 277-4977 • Fax (952) 988–0146www.corporatecompliance.org

YES, PLEASE ACCEPT MY APPLICATION FOR MEMBERSHIP:

28February 2007


C&E program on a regular basis. Under the Federal Sentencing Guidelines for Organizations, one of the criteria of an effective program is for an organization to take reasonable steps, “to evaluate periodi-cally the effectiveness of the organization’s compliance and ethics program”4. A regular program evaluation supplements the ongoing, day-to-day monitoring of C&E related activities. An internal audit provides one means for an in-depth analysis of the C&E program, includ-ing its design, effectiveness, and possibly overall performance. (Other effectiveness techniques and auditing and monitor-ing methods, such as a self-assessment or management review of its C&E efforts are beyond the scope of this article, although many concepts are relevant and could be considered by management).

Every audit has three general phases: plan-ning, fieldwork, and reporting; and an audit of a C&E program is no different.

During the planning phase, after the scope is agreed upon, the audit team should confirm that all key risks and issues are identified and considered, that the audit objectives will meet the organi-zation’s assurance requirements, and that the C&E program is well understood.

Defining the objectives of the audit is one of the most critical steps, because it defines the level of assurance the board and management will be provided and the objectives must support the purpose of the audit. Early in the audit project, the internal audit team should hold discus-sions with management and the board to assess the stakeholders’ assurance needs and ensure the audit will meet these needs.

Compliance and ethics efforts cover a very

broad span of activities, which can include such things as implementing a code of conduct, operating a whistle-blowing hotline service, and maintaining a quality management system. The audit team must define a proper focus for their efforts.

Risk assessment

The audit should be based on a compre-hensive audit risk assessment—that is, the auditors must identify the key risks fac-ing the company’s C&E program efforts and use them to help decide where to concentrate the audit. Key risks to the organization include: reputation, ensuring compliance with multiple and complex regulations, establishing a culture of trust and excellence, and many more.

Three key audit goals that should be determined for a C&E program audit are:■ Whether the C&E program provides

reasonable assurance of compliance with organizational policies and appli-cable laws and regulations.

■ Whether the compliance and ethics program is documented, in place, and appropriately resourced to meet the organization’s needs.

■ Whether the C&E program has been implemented effectively, and that its performance reporting system has been defined and accurately presents the results of the program.

Some critical program structure and process issues to explore during the audit include: the consistency and integration of C&E program among the different business units within the organization; coordination between the compliance and ethics officer(s) and the individual business units; a clear and effective division of roles and responsibilities among the many par-ties involved; and most importantly, that

an effective “tone at the top” has been suc-cessfully communicated and implemented across all levels of the organization.

It is vital that the audit focus is on evalu-ating the significant components of the C&E program—that is, that the audit team uses a risk-based approach to find the key elements most likely to cause problems for the organization and/or in most need for confirming that they are operating properly. The planning phase is an oppor-tunity for the audit team to confirm that the audit scope will be appropriate and that management and the board agree (at least in principle) with the audit plans.

Evaluating the components

In the fieldwork phase, the team evaluates the C&E program’s various components, based on the goals and methodology finalized in the planning phase. Three key questions to answer are: 1) how the board sets its “tone at the top” and communi-cates their values to employees; 2) how employees at all levels of the company perceive management’s commitment to those values; and 3) how the company handles compliance or ethics issues that arise from compliance failures.

The evaluation of the quality of the pro-gram’s data gathering, information sys-tems, and performance reporting is also very important. If performance report-ing is not robust, the board may not be informed appropriately, management will be challenged to respond to issues on a timely basis, and the organization could be “out of control.”

Determining what is sufficient audit testing and what is the appropriate evi-dence (for the audit findings and con-clusions) involves extensive professional

Auditing a compliance and ethics program ...continued from page 25

29February 2007


judgment. As discussed in the OCEG Internal Audit Guide, there is no right answer. It depends on the purpose of the audit (for which audit tests will be critical), the intended client of the audit report, and its conclusions (for the audit evidence requirements).

Evaluating the information

In evaluating collected data from the audit, a starting point is assessing whether the C&E program covers the bare minimum requirements that an organization must meet, such as hav-ing qualifying program elements under the Federal Sentencing Guidelines. The inquiry in this instance seeks to determine whether the program’s design incorporates criteria that are either explicitly delineated in the Sentencing Guidelines or considered fundamental to their plain meaning. Thus, for example, questions to determine whether a com-pany has met these minimal require-ments might include: Has a compliance officer been designated? Is that person, or does that person report to, someone who is high-level? Does the organiza-tion have a code of conduct, or is there a helpline employees can call to report misconduct or seek guidance?

Clearly a baseline evaluation is insuf-ficient. Merely looking to the guidelines has the potential effect of screening out criteria that arguably many practitioners have come to believe are associated with effectiveness. Further, some guidelines expressly caution that their standards should be viewed only as minimum requirements. Thus an organization that considers only baseline practices may not, in fact, have a compliance program that would be deemed creditworthy under the Sentencing Guidelines.

For these reasons, organizations should go beyond minimum requirements and assess their program based on another level of design analysis; that of estab-lished or common practices—namely those features that, while not explic-itly stated in the elements of effective-ness, may significantly contribute to a program’s performance. Here, the analysis considers whether the compli-ance program is consistent with practices that companies with relatively mature programs have found to correlate with effective compliance management.

A common practice model, which should provide the basis for these evaluative questions, can be derived from pri-mary sources. The company can create a model itself by comparing its systems against identified leading peers. In the field of organizational compliance, this can be facilitated through member-ship in such organizations as the Ethics and Compliance Officer Association or OCEG, and supplemented by published commentary on best practices. The audit team can then synthesize this information using a gap analysis model. For instance, sample questions to determine whether a compliance program incorporates com-mon practice features may include: ■ Does the helpline have a publicized

non-retaliation policy? ■ Is the board of directors systematically

briefed on compliance issues?■ Was the code of conduct vetted with

employees prior to its publication?

A third category of design analysis seeks to determine whether the C&E program is informed by what might be called leading-edge practices, i.e., practices that are likely to be found in only a small percentage of programs, but which

companies with especially well-regarded programs have found to correlate with effectiveness. Arguably, a company estab-lishing that its C&E program meets a high percentage of leading-edge criteria will be more likely to make the case that its program is effective, should it ever have occasion to do so. However, because leading-edge criteria go beyond what is undertaken by many compa-nies, a company could decide not to adopt leading-edge design criteria and still have what would be regarded as a creditworthy compliance program under the Sentencing Guidelines. But, because leading-edge practices often correlate with effectiveness, it is worth at least considering them as part of the design component of the audit review.

Example questions to determine whether a compliance program incorporates lead-ing-edge design features may include: ■ Does the company take affirmative,

follow-through actions to ensure that retaliation does not occur?

■ Is the compliance officer involved in the company’s strategic decision-mak-ing process?

■ Is the compliance program periodi-cally and comprehensively evaluated for effectiveness?

Ultimately what was once considered leading-edge may eventually evolve into the realm of common, best, or expected practices.

In the reporting phase, the internal audit team communicates the audit results to all the stakeholders. This includes providing an unbiased assessment of whether the objectives of the C&E efforts are being met and outlining steps that management


30February 2007


plans to take to improve C&E efforts. A well-planned and executed internal audit should make audit reporting straight forward: you tell them what you did, you tell them what you found, and finally you tell them what management plans to do about it. That’s all there is to it.

Are governance efforts having an

impact?

The audit of a C&E program must also be part of a larger overall, long-term audit plan that will meet the assur-ance requirements of the board and management. A series of internal audits or assessments of C&E efforts may be advisable when the program has a large and/or complex scope.

Management should not be developing processes, procedures, and the like during the actual audit. The audit team should be evaluating whether the “established” pro-cesses of the C&E program are meeting the organization’s requirements. It is also recommended that management complete a “self-assessment” of their C&E program prior to an internal audit. The OCEG 20 Questions guidance that is available in the OCEG Internal Audit Guide’s Appendix is an excellent tool to help complete a management self-assessment.

Sarbanes-related efforts have been focused on ensuring the accuracy and integrity of financial reporting and disclosure. The board should now be given an internal audit opinion on the organization’s broad-er organizational governance and control environment activities—and in particular the C&E program efforts and results.

Compliance and Audit Resources

Auditing compliance and ethics efforts is not for the uninformed. The internal audit

team and chief compliance and ethics offi-cers should study all the various guidance that is available, and in particular, review closely the OCEG Internal Audit Guide for auditing a C&E program. 1. The OCEG Internal Audit Guide

(IAG) for the audit of a compli-ance and ethics program and OCEG Framework and Foundation-level and Domain-level guidelines (The OCEG Red Book: www.oceg.org).

2. The Ethics & Compliance Officer Association (ECOA) has resources for individuals who are responsible for their company’s ethics, compliance, and business conduct programs: www.theecoa.org/

3. The Society of Corporate Compliance & Ethics (SCCE) strives to champion ethical practice and compliance stan-dards and to provide the necessary resources for compliance professionals and others who share these principles: www.corporatecompliance.org

4. Although focused on the healthcare industries, the guide Evaluating and Improving a Compliance Program, A Resource for Health Care Board Members, Health Care Executives and Compliance Officers is a use-ful source of information and best practices regarding the operation and evaluation of compliance and pro-grams: www.hcca-info.org/Content/NavigationMenu/ComplianceResources/EvaluationImprovement/default.htm

5. Surveys and benchmarking of C&E program practices can be found at OCEG and other various sources, including the following: The Conference Board and the ECOA: Resisting Corruption: An Ethics & Compliance Benchmarking Survey (2006) at www.conference-board.org; and Corpedia’s various Compliance

Program and Risk Assessment Benchmarking Surveys at welcome.corpedia.com/

6. Some thought provoking presenta-tions on ethics and ethical self-assess-ments from PDK Control Consulting International Ltd.: www.csa-pdk.com

7. The National Association of Corporate Directors series of Blue Ribbon Reports: www.nacdonline.org

8. The Institute of Internal Auditor’s “Expressing Opinions on Internal Control” resource repository. www.theiia.org/index.cfm?doc_id=5317

9. Organizational Governance: Guidance for Internal Auditors (and useful for others involved in corporate gover-nance processes and oversight) from the Institute of Internal Auditors: www.theiia.org/?doc_id=126

10. An excellent ethics and philosophy repository: www.ethicsquality.com/philosophy.htm

11. Ask the Auditor: Business Risk vs. Audit Risk: www.itcinstitute.com/display.aspx?id=1673

12. IT Compliance Institute IT Audit Checklist: Risk Management. This document supports an internal audit of the organization’s risk management program and processes and provides guidance to improve your risk man-agement program and to assess the robustness of your risk management efforts: www.itcinstitute.com/wp/WPContent.aspx?pID=137 ■

1. A general description of GRC processes is provided by the Open Compliance and Ethics Group (OCEG), at www.oceg.org

2. And commensurately evaluating the points of focus and compo-nents under the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework.

3. Applying the McNulty Memorandum (U.S. Department of Justice) or the Seabord Report (Securities and Exchange Commission).

4. United States Sentencing Commission Federal Sentencing Guidelines, §8B2.1(b) (5)(B): www.ussc.gov/2005guid/8b2_1.htm

Auditing a compliance and ethics program ...continued from page 29

Send me Working for Integrity: Finding the Perfect Job in the Rapidly Growing Compliance and Ethics FieldYES

Working for Integrity SCCE Members . . $245.00 Working for Integrity Non-Members . . . $295.00

Number of copies: (Free FedEx Ground shipping within continental U.S.)

Please type or print:

SCCE Member ID

First Name M.I. Last Name

Title

Organization

Street Address

City State Zip

Telephone

Fax

E-mail

Please make your check payable to SCCE.For more information, please call 888-277-4977.

Mail check to: 6500 Barrie Road, Suite 250Minneapolis, MN 55435

Or FAX to: 952-988-0146

Total: $ _______________

Check enclosed

Invoice me PO # _______________ Charge my credit card:

Mastercard VISA American Express

Account number

Expiration date

Name on card

Signature

Federal Tax ID: 23-2882664

Prices subject to change without notice. SCCE is required to charge sales tax on purchases from Minnesota and Pennsylvania. Please calculate this in the cost of your sub-scription. The required sales tax in Pennsylvania is 6% and Minnesota is 6.5%.

6500 Barrie Road, Suite 250, Minneapolis, MN 55435Phone 888-580-8373 • FAX 952-988-0146info@corporatecompliance.orgwww.corporatecompliance.org

NEW—Working for Integrity: Finding the Perfect Job in the Rapidly Growing Compliance and Ethics FieldJoseph E. Murphy, one of the leading experts in compliance, has collaborated with Joshua Leet to write a remarkable book about the compliance and ethics field. If you want a career in this field, you must read Working for Integrity. If you already work in compliance and ethics, you will want to avail yourself of the advice and insight Mr. Murphy offers in this book. If you hire compliance professionals, you will want to refer to this resource to make wise choices. This book contains valuable information such as:

Interviews with more than 20 professionals in compliance and ethics Ways to promote compliance to management Résumé builders Protections for compliance professionals Finding the right employees for compliance jobs A glossary of compliance and ethics terms and a suggested reading list

Working for Integrity is a marvelous resource for EVERYONE involved with the compliance field!

32February 2007


“More on McNulty”By Bill Prachar

Editor’s Note: Bill Prachar has over thirty years experience in Compliance, Ethics, and Corporate Governance. . Mr. Prachar is an attorney practicing with the Compliance Systems Legal Group (CSLG). Because he has extensive business, as well as legal background, he specializes in the practical issues associated with develop-ing and implementing effective ethics and compliance programs. He can be reached via-email at [email protected].

The recently released Department of Justice internal guidance memo, called the

“McNulty” memo, amends past DoJ charging policy by narrowing the abil-ity of prosecutors to require a company to waive the attorney-client privilege in order to demonstrate “cooperation.” This is important because “cooperation” with prosecutors investigating alleged wrongdoing is one of the elements which can result in a decision by the government not to prosecute under criminal statutes. I won’t review that memo, as it is done elsewhere in this issue, but the whole topic of legal “privi-lege” raises, in my view, some interesting practical problems for compliance and ethics officers and highlights one of the principle stress points between lawyers and C&E officers, each doing their respective jobs.

As the McNulty memo states, the attorney-client privilege is, “one of the oldest and most sacrosanct privileges under U.S. law” designed “to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the

observance of law and administration of justice.” Herein lies the problem—the privilege is a legal principle which is critically important in protecting the rights of defendants; it is not, how-ever, an effective tool in the day-to-day operations of a compliance and ethics program.

Lawyers are trained to contain problems when they arise. Compliance and ethics officers have a different responsibility: they must identify and resolve problems. While these are both appropriate objec-tives for each “profession” in the context of what they do, the two approaches to dealing with problems are often in con-flict when it comes to implementing an effective compliance program. Let me pose a couple examples.

In recent months I have given or attend-ed at least a dozen seminar sessions on risk assessment. In every one of these sessions a lawyer has raised his or her hand and asked something like, “How do you handle the privilege issue when conducting a risk assessment?” It’s a fair question which I always answer from the point of view of a compliance officer charged with developing an “effective compliance program” for my organiza-tion.

My answer to the question is always the same—the whole reason for conducting a risk assessment is to identify poten-tial problems and develop appropriate controls. The process of conducting a risk assessment clearly raises, ironically I suppose, at worst the risk of stumbling on some current criminal conduct, and

at best the risk of being placed clearly on notice of potential problems. A lawyer might even advise that taking “corrective action” could be used as an admission of wrongdoing in future litigation. As compliance people we must convince our management (and their lawyers) that the benefits of fully identifying the risks unique to our businesses far outweigh the potential adverse consequence. Clearly a company should never undertake a risk assessment if it is not prepared to deal with risks identified, in real-time if required, or in the future as appropriate.

The tension between acting as a lawyer and acting as a compliance person is its greatest in the area of conducting investigations. This is where the instinct of lawyers to contain problems and the duty of compliance officers to solve problems run headlong into each other. An effective compliance program needs to appropriately respond to identified problems on an enterprise-wide basis. This requires an open inquiry into the causes for a compliance failure so that measures can be put into place through-out the organization to prevent reoccur-rence. Investigations conducted under the cloak of privilege, while perfectly appropriate in some circumstances, will

BIL

L PR

ACHA

R

33February 2007


not lead to quick enterprise-wide con-trol measures. The lack of transparency (critical to maintaining the privilege) is not conducive to building a culture of compliance. One could argue that the investigation under privilege of an alleged organizational compliance fail-ure, while legally appropriate, is none-theless inconsistent with the goals of an effective compliance program.

There are other examples beyond the two mentioned. Helplines, for instance, are by their very nature non-privileged accidents waiting to happen. That is, of course, the principle purpose of helplines—to have problems brought into the open so they can be resolved. While it is hard to remember, helplines met with strong resistance from lawyers when the notion was introduced in the late ‘80s and early ‘90s.

How do we resolve the problem I have posed? Some, including my colleague

Joe Murphy, have argued for a strong “self-evaluation” privilege to encourage full and open internal compliance risk assessment and investigation. In a legal context, certainly such a privilege would help—but it would still likely have the principle problem of the attorney-cli-ent privilege, that is the technicalities of maintaining and protecting the privilege discourage open and transparent discus-sion and resolution of problems.

My sense is that the right answer is to build on the foundation established by the Federal Sentencing Guidelines—cre-ate an effective ethics and compliance culture and try to prevent wrongdoing and non-compliance before they occur. I know there is a lot of cynicism about “effective compliance programs” in the legal community, on both sides of the prosecutorial aisle. The defense bar often assumes that if a wrong occurs, DoJ will ignore a company’s compli-ance program, and likewise prosecutors

often assume that that all the Code of Conduct and training stuff is just a “paper program” and not a serious effort to prevent and detect wrongdo-ing. Done properly however, the FSG approach amounts to real, meaningful protection, far beyond what is offered by relying on a privilege.

The portion of the McNulty memo dealing with privilege should have little effect on how we do our jobs as compli-ance professionals. Lawyers will argue, as the courts have suggested, that the privilege promotes “broader public interests in the observance of law and administration of justice.” I suggest that building and managing strong cultures of ethics and compliance in our orga-nizations will make discussions about privilege, in the compliance context, largely academic. ■

thinking of taking the CCEP exam? SG: Do it! Even if you can’t see the immediate benefit for your organiza-tion, by preparing for the exam, taking it, passing it, and then maintaining your certification with annual continuing education, you will improve as a com-pliance and ethics professional and can only enhance the profession overall.

MA: If someone asked you how to study for the CCEP exam, what would your answer be?SG: Start early--as soon as you know you are going to be taking the exam. This it not the kind of exam you can

prepare for overnight, even if you have a broad-based compliance and ethics job. ■ Study the Federal Sentencing

Guidelines and SOX. It is helpful to read summaries and analysis of these, but you should also read the original text at least once before the exam.

■ Read compliance articles particularly in areas you are not familiar with (for me, that was HIPAA and ERISA).

■ Be prepared to answer questions based on fact situations—you really have to think!

MA: What is the importance of the CCEP credential related specifically to

compliance work with your organiza-tion? SG: At this point, the CCEP creden-tial is very new, so that is difficult to say. It is not a requirement for working in our compliance office. I am not sure it is widely known yet in any organization. However, I think this will change in the near future as more people and orga-nizations become aware of the CCEP credential. ■

Meet Susan Gasparian ...continued from page 20

34February 2007


Compliance & Ethics is a leading compliance magazine published by the Society of Corporate Compliance and Ethics (SCCE). SCCE is an organization dedicated to enhancing the role of compliance professionals and advancing corporate governance, compliance, and ethics.

Purpose

Th e purpose of Compliance & Ethics is to provide current compliance regulations, topics, and issues that aff ect today’s compliance industry.

Professionals in the compliance fi eld are attracted to the Compliance & Ethics magazine because it is the ultimate source of compliance and ethics information, providing organizations with the most current views on the corporate regulatory environment, internal controls, and the overall conduct of business. National and global experts provide informative articles, sharing their knowledge and providing professional support so readers can make informed legal and cultural corporate decisions.

Audience Profile

Over the past three years Compliance & Ethics has grown to become one of the leading magazines for compliance professionals. Compliance & Ethics has a current distribution of over 1,500 readers bi-monthly; is distributed at all SCCE conferences, academies, and workshops; and is used as a communication tool for other interested parties. Recipients of this national magazine are executives and others responsible for compliance: chief compliance offi cers, risk/ethics offi cers, corporate CEOs and board members, chief fi nancial offi cers, auditors, controllers, legal executives, general counsel, corporate secretaries, government agencies, and entrepreneurs in various industries.

Why Advertise With SCCE?

Th e wealth of news and resources provided by SCCE attracts a desirable business market of compliance professionals. We believe public relations are a great way to build your business, and Compliance & Ethics off ers you the opportunity to create awareness and access a targeted audience.

Rapid Growth

SCCE has grown signifi cantly over the past three years, and as we look into the future, we predict that our expansion will continue with your support.

Compliance & Ethics Magazine

Society of Corporate Compliance and Ethics

35February 2007


Please fill out the following information for your advertisement:

Name of Company Placing Advertisement

Dates of Insertion (please check all 2007 insertions or indicate 2008 insertions on the line below):

2007 ISSUES AD DEADLINES

February ........................12/15/2006

April ................................2/15/2007

June .................................4/15/2007

August .............................6/15/2007

October ...........................8/15/2007

December ......................10/15/2007

2008 insertions:

Size of Advertisement (please check one):

Full-page: trim size 8.5" x 11" (include additional ⅛" bleed)

½ page horizontal: 7" wide x 4.5" high (no bleed)

½ page vertical: 3.5" wide x 9.5" high (no bleed)

¼ page: 3.5" wide x 5" high (no bleed)

*Note: all ads are black-and-white except for cover ads, which are full-color.

If purchasing a color cover, please check below:

Inside front cover Back cover Inside back cover

Compliance & Ethics Magazine Advertising Order Form

Contact Person:

First Name M.I. Last Name

Title

Place of Employment

Address

City State Zip

Phone

Fax

E-mail

Total Cost

❏ Check enclosed (please make your check payable to SCCE).

❏ Invoice me PO #

Charge my credit card: ❏ Visa ❏ MasterCard ❏ American Express

Account No.

Exp. Date

Name on Card

Signature

Fax to: 952-988-0146 (ATTN: Marlene Robinson)

Mail to: SCCE | 6500 Barrie Road, Suite 250 | Minneapolis, MN 55435

SAVE 20% ONYOUR FIRST AD

36February 2007


Editor’s Note: Gabriel Imperato is the Managing Partner of Broad and Cassel’s Fort Lauderdale office and head of the firm’s White Collar/Health Care Criminal and Civil Fraud practice. He may be reached at 954/745-5223 or by e-mail at [email protected].

Judith Waltz is a partner and vice chair of the Health Care Industry Team in the San Francisco office of Foley & Lardner, LLP. She is also a member of the firm’s White Collar Defense and Corporate Compliance Practice Group. She can be reached by calling (415) 438-6412, or by email at [email protected].

In December 2006, the Department of Justice (DOJ) modified its “Principles for Federal Prosecution

of Business Organizations,” originally pub-lished in January, 2003 (i.e., the Thompson Memo), related to requests for waiver of the attorney/client and work product privi-leges and payment of attorney fees for orga-nization employees. These recent modifica-tions to the DOJ prosecution policies may have the effect of strengthening compliance effectiveness for business organizations.

In addition, DOJ has confirmed that it will continue to evaluate the existence and adequacy of the corporation’s pre-existing compliance program in making its decision as to whether to bring criminal charges against the corporation.

The 2006 revised “Principles for Federal Prosecution of Business Organizations” (now referred to as the McNulty Memo) emphasize that requests for waiver of privilege should be rare, and prosecu-tors should not negatively consider a refusal by an organization to consent to a request for waiver or the advancement of legal fees to organization employees when making charging decisions in criminal and civil enforcement matters. There were a number of reasons for these revisions, but one important rea-son cited by Deputy Attorney General McNulty in announcing this change to the Thompson Memo prosecution policy was to strengthen organizational efforts to detect and prevent wrongdo-ing and misconduct and to encourage self-policing and cooperation with law enforcement by business organizations.

The issue of cooperation and its relation to waiver of the attorney-client privilege and work product protections, and how this issue has evolved over the past sever-al years, resulted in the McNulty Memo. DOJ, as reflected in the McNulty Memo, has placed great importance on effective compliance programs, and some key guidelines are included in the memo itself for evaluating such programs.

The Thompson Memo

The original Thompson Memo pointedly focused on the thoroughness and authen-ticity of a business organization’s coopera-tion in investigating its own wrongdoing during a government investigation. The Thompson Memo, and the aggressive prosecution policies it reflected, was a natural by product of the abuses identi-fied in earlier corporate scandals, such as Enron, World Com, Arthur Andersen and Health South. The Thompson Memo noted that DOJ must evaluate several specific factors in considering whether to prosecute the corporation, including: the weight of the evidence, the likelihood of success at trial, the deter-rent effect, the consequences of filing charges and the adequacy of alternative approaches. The Thompson Memo, how-ever, acknowledges that a federal prosecu-

Department of Justice revises

prosecution policies, confirms

importance of effective

compliance plans By Gabriel L. Imperato, Esq. and Judith A. Waltz, Esq.

GAB

RIEL

L. I

MPE

RATO

37February 2007


tor must also examine additional factors before reaching a decision on the treat-ment of a business organization targeted for investigation. The additional factors cited in the Thompson Memo included: the nature and seriousness of the offense; the risk of harm to the public; the perva-siveness of wrongdoing within the orga-nization; the history of the organization’s similar conduct; the disclosure of wrong-doing; the organization’s willingness to cooperate; the existence of a compliance program or remedial action; and, the adequacy of charges against any individu-als responsible for the misconduct.

The Thompson Memo is perhaps best known for emphasizing its consideration of an organization’s “cooperation” dur-ing an investigation, and its remedial actions, when contemplating a deci-sion on whether or not to charge the organization. The Thompson Memo also cited factors which would be considered in this evaluation and mea-sured an organization’s willingness to cooperate including: the organization’s ability to make witnesses available; the disclosure of the complete results of the organization’s own internal investigation; and, if necessary, a waiver of the attor-ney-client privilege and work product

protection. The comment section to the Thompson Memo further stated that waiver of a corporation’s attorney-client privilege is not an absolute requirement, but sometimes it might be necessary. The Thompson Memo quite clearly advised federal prosecutors that in mea-suring “cooperation” they may consider whether a business organization turned over the results of its internal investiga-tion and whether it waived applicable attorney-client privileges and work prod-uct protections to allow the government adequate access to all materials in the corporation’s possession which might be useful to the government’s investigation.

An address by the then Deputy Attorney General of the United States, James Comey, to attendees of the American Bar Association Health Fraud Institute 2004 in New Orleans, further elabo-rated on the federal government’s view of “cooperation.” The Deputy Attorney General noted that DOJ understands the term “cooperation”, as reflected in the Thompson Memo, Sentencing Guideline Amendments of 2004, and in court decisions, to mean assistance that discloses all pertinent information suffi-cient for the government to identify the individuals responsible for criminal con-duct and to understand the full scope of that conduct. According to the Deputy Attorney General, at that time, DOJ expected that cooperating organizations should enable government investigators to gather facts before they become stale and assist in recovering losses incurred by the victims of wrongdoing. However, the Deputy Attorney General did note that what constitutes cooperation can vary from case-to-case and that, at a minimum, it must be recognized that if a corporation has learned precisely what

happened and who is responsible, then it must turn the information over to the appropriate authority to receive credit for cooperation or a reduced culpability score under the United States Sentencing Guidelines for Organizations. The Deputy Attorney General emphasized during his remarks that if a business organization expected to receive credit for cooperation, then “it must help the government catch the crooks.”

The critics of the Thompson Memo and its application regarding cooperation and waiver of the attorney-client privilege and work product protections believe that DOJ was effectively mandating waiver as a factor in assessing cooperation. These critics argued, as a practical matter, that DOJ was routinely demanding waiv-ers, making it the norm, rather than the exception, which was a proposition that Deputy Attorney General Comey express-ly rejected during his remarks at the ABA Health Fraud Institute in 2004.

The DOJ position of “give us the neces-sary information one way or another or face prosecution” is exactly the situ-ation that the critics of the Thompson Memo feared would develop regarding the issue of cooperation and waiver of the attorney-client privilege and work product protections. These critics argued that a waiver of privileged information would cause: (1) less thorough organi-zational internal investigations in their efforts to detect and prevent wrongdoing (because of the fear that the organization would ultimately have to turn over this factual information as a consequence of “cooperating” with federal law enforce-ment authorities); (2) a chilling effect on the ability of counsel to give advice to


JUD

ITH

A. W

ALTZ

38February 2007


Mark Your Calendars!The Society of Corporate Compliance and Ethics (SCCE) announces that its 2007 Compliance and Ethics Institute will be held in New Orleans from September 9–11, 2007.Featuring nearly 40 breakout and general sessions, SCCE’s Compliance & Ethics Institute is SCCE’s flagship event and is the primary educational and networking event for professionals working in the compliance and ethics profession.In addition to bringing attendees an outstanding educational program, SCCE invites attendees to fall in love with New Orleans all over again! The most celebrated and historic core of New Orleans is as rich, charming, and welcoming as ever, and we invite

you to celebrate the traditions that make New Orleans one of America’s most unique, authentic, and enthralling destinations. The meeting will take place at the Sheraton New Orleans Hotel. Located on historic Canal Street, the Sheraton New Orleans Hotel is at the heart

of the Big Easy. It features majestic views of the French Quarter and Mississippi River and is only a short walk to Bourbon Street, Riverwalk Marketplace, Canal Place, JAX Brewery, Harrah’s Casino, and all the world-famous restaurants and live music clubs of the Vieux Carré. Visit SCCE’s Web site regularly for event updates: www.corporatecompliance.org/events/institute.htm

Call for SpeakersSCCE is currently accepting proposals for breakout sessions at the 2007 annual institute. The submission deadline is March 2, 2007. For submission information, please visit SCCE’s Web site: www.corporatecompliance.org/events/cfs/htm

Exhibit/Advertise/SponsorIf you have a product or service that will assist compliance and ethics professionals in meeting their everchanging responsibilities, the SCCE Compliance and Ethics Institute offers unparalleled marketing opportunities.

If you have questions about the Institute or would like additional information, please contact Kathy Aro at 952-405-7925 or [email protected]

Travel+Leisure Magazine and Orbitz Insider name New Orleans as a Top Tourism Destination in 2007!

6th Annual Compliance & Ethics InstituteSeptember 9–11, 2007 | Sheraton New Orleans Hotel

www.corporatecompliance.org | 888-277-4977

39February 2007


CHECKS: Make checks payable to SCCE, and mail with registration form to:

SCCE6500 Barrie Road, Suite 250Minneapolis, MN 55435

:: or ::FAX: 952-988-0146 (including billing information)

REGISTRATION SCCE Compliance and Ethics InstituteNew Orleans, LA | September 9–11, 2007

Member ID

First MI Last

Credentials

Title

Place of Employment

Address

City State Zip

Phone

Fax

E-mail (required for confirmation notification)

Invoice me PO number___________

Check/money order enclosed (checks payable to SCCE)

Charge my credit card:††† AmEx Visa MasterCard

Account Number

Exp. Date

Name of Cardholder

Signature

††† SCCE will charge your credit card the correct amount should your total be miscalculated.

Until 8/17/07 After 8/17/07

SCCE Members .....................................................$699 ...............$799 Renew Membership ...............................................$295 ...............$295 Non-Members ........................................................$799 ...............$899 Become a Member & Register† .............................$899 ...............$999 Student .....................................................................$50 .................$50 Students: Become a Member & Register†† ...........$100 ...............$100 Pre-Conference (Sept. 9) .......................................Free ...............$100

†New members only††Student ID verification may be required.

TOTAL:

Please type or print your contact information below, and fill out the additional information such as phone, fax, and e-mail.

Payment TermsChecks are payable to SCCE. Credit cards accepted: American Express, MasterCard, or Visa. SCCE will charge your credit card the correct amount should your total be miscalculated.

Group Discounts: $100 per person for five or more from the same company, based on membership status; only if each attendee completes a registration and they are faxed or mailed in simultaneously.

Tax Deductibility: All expenses incurred to maintain or improve skills in your profession may be tax deductible; including tuition, travel, lodging and meals. Please consult your tax advisor.Federal tax ID # 23-2882664

Cancellations/Substitutions: No refunds will be given for “no-shows” or cancellations. You may send a substitute, or receive a credit for other conferences to be used within one year. Please e-mail Patti Hoskin at [email protected]

6500 Barrie Road, Suite 250 | Minneapolis, MN 55435Phone 888-277-4977 | FAX [email protected] | www.corporatecompliance.org

For more information: www.corporatecompliance.org/events/institute.htm

40February 2007


clients in compliance matters (also for fear of it being disclosed to federal law enforcement authorities); (3) an erosion of the fundamental relationship between business organizations and their employ-ees (because of the likelihood that orga-nization “cooperation” with federal law enforcement authorities would result in the disclosure of information forming the basis for individual employee culpa-bility); (4) a relaxation of government investigation methods by piggybacking the efforts of the organization’s review; and (5) an increased exposure to civil litigation by third parties (because of waiver of the attorney-client privileges and work product protections).

There is very little doubt that the com-bined effect of the Thompson Memo, the Sentencing Guideline Amendments of 2004, and aggressive incentives for a business organization to cooperate created dynamics which left business organiza-tions little choice but to cooperate fully and promptly with federal law enforce-ment investigators. These circumstances literally coerced business organizations into cooperation and according to critics created a “culture of waiver” of the attor-ney-client privilege and work product protections for business organizations. The chief executives and counselors of business organizations have speculated whether “cooperation” under these cir-cumstances really meant anything more than “unconditional surrender.”

Criticism Mounts and the McNulty

Memorandum is published

The application of the principles and guidelines enunciated in the original 2003 Thompson Memo by various DOJ attorneys across the country precipi-tated a mounting crescendo of criticism

and actions by the Courts, the United States Sentencing Commission, and ultimately the United States Congress. The Coalition to Preserve the Attorney-Client Privilege (“The Coalition”) lobbied the United States Sentencing Commission and the United States Congress about its concerns with the application of the Thompson Memo and erosion of the attorney-client privilege. The Coalition consisted of a broad base of business organizations, including the Association of Corporate Counsel, the Business Roundtable, the United States Chamber of Commerce, the Retail Industry Leaders Association, the National Association of Criminal Defense Lawyers, the National Association of Manufacturers and, ulti-mately, several former Attorneys General of the United States. The United States Sentencing Commission also weighed in on this issue and modified its commen-tary language, which was associated with the amendments to Chapter 8 of the Sentencing Guidelines for Organizations in 2004. The original commentary lan-guage stated the following with respect to cooperation and waiver of the attor-ney-client privilege:

Waiver of attorney-client privilege and of work product protections is not a prerequisite to a reduction in culpability score [for coopera-tion with the government]…unless such waiver is necessary in order to provide timely and thorough dis-closure of all pertinent information known to the organization.

The United States Sentencing Commission reconsidered this commen-tary and in May 2006 deleted the phrase “unless such waiver is necessary in order to provide timely and thorough disclo-

sure of all pertinent information known to the organization,” thereby staking out “neutral” ground on the issue. The federal courts also addressed the applica-tion of the principles in the Thompson Memo related to waiver of the attorney-client privilege in the case of U.S. v. Stein, in the Southern District of New York (otherwise known as the KPMG case). This case involved the prosecution of individual partners and employees of the accounting and consulting firm, KPMG. The organization had not only waived attorney-client privilege and disclosed information to the federal gov-ernment in this case, but had withdrawn financial support for the defense of its employees during its cooperation with the federal government and prior to reaching a settlement of potential charg-es against the organization. The United States District Court in reviewing the prosecutorial tactics against KPMG and the business organization’s response to those tactics found that the overwhelm-ing coercion against the organization to waive attorney-client privilege and to withdraw support to its employees, vio-lated the individuals Fifth Amendment right to due process and the Sixth Amendment right to counsel. These findings by the Court had a profound effect on the momentum and criticism of prosecutorial tactics involving waiver and support of the defense of employees by organizations. Finally, the United States Senate introduced Legislation in November of 2006 entitled the “Attorney-Client Privilege Protection Act of 2006.” This proposed legislation prohibits waiver of the attorney-cli-ent privilege by an organization and allows for limited and selective waiver of privilege upon disclosure of informa-

Department of Justice revises prosecution policies… ...continued from page 37


41February 2007


The Society of Corporate Compliance and Ethics welcomes the following new members and organizations. All mem-ber contact information is available on the SCCE website in the Members-Only section: www.corporatecompliance.org

Individual Members

Puetro Rico

■ Angel E. Garcia■ Jose Ortiz

South Carolina

■ Thomas Simms, Honda of SC

South Dakota

■ Cindy J. Matson, Sioux Valley Health System

■ Rob Nolan

Tennessee

■ Willie Jean Beard, Life Strategies of Arkansas

■ Nicole Gibson, United American of Tennessee

Texas

■ Teena W. Adams, Texas Southern University

■ Grant Adamson, Temple-Inland Inc■ Dale E. Clark, PhD, CHC, Memorial

Health System of E TX■ Nancy Doan, H-E-B■ Mark Elacqua, Ernst & Young, LLP■ Elizabeth R. Esparza, Austin Cancer

Centers■ Lestie Glover, State National

Bancshar■ Rochelle Jackson, BP■ Lames G. Junior, Texas Southern

University■ Darrell Kennemer, NEC Corporation

of America

■ Ronda E. LeBlanc, Texas Southern University

■ Byron L. LeFlore, Jr., Argonaut Group Inc

■ Emily A. Lloyd, Pilgrim’s Pride■ Kathryn Lonsdale, Noble Energy Inc■ Roy J. Monarch, EPCO Inc■ Yolanda E. Nimmer-Williams, Texas

Southern University■ Karen T. Paganis, Anadarko

Petroleum Corporation■ Steve Pritschow■ John Pryde, H-E-B■ Jayne Sippl, Grant Prideco Inc■ Jose Tabuena, JD, CFE, CHC,

Deloitte & Touche LLP■ Yoshiki Takiguchi De La Rosa,

Pilgrim’s Pride- Mexico■ Monica R. Trollinger, Southwest

Research Institute■ Toyi Vaughan, Neighborhood Centers

Inc■ Kimberly N. Whiting, Texas Southern

University■ Tena Winkle, Bell Helicopter Textron■ Thurmond Woodard, Dell, Inc

Utah

■ Michael Ward, Mrs Fields

Virginia

■ Matthew Curtis, Sprint■ Jennifer E. Dure, Holland & Knight

LLP■ Theresa LaSalle, Philip Morris USA■ Mary Lee Lekavich, Philip Morris

USA■ Samuel Rubenstein, MCG Capital

Corporation

Washington

■ Marian Durkin, Avista Corp■ Michele Kemper, Symetra Financial

West Virginia

■ Gayleen G. Smith, NiSource

Washington, DC

■ Adam H. Bryant, KPMG, LLP■ Thomas DiBiagio, Beveridge &

Diamond■ Carl Jaworski, Beveridge & Diamond

PC

Alberta, Canada

■ Kathryn Chisholm, EPCOR Utilitites, Inc

■ Hugh L. Hooker, Petro Canada■ Suzanne Polkosnik, EPCOR Utilities

Inc

Brazil

■ Andrea Dias, ICTS Global Consultancy

England

■ Ernest Pallett, Royal Dutch Shell

New SCCE Members

SCCE exists to champion ethical practice and compliance standards in all organizations and to provide the necessary resources for compliance professionals and others who share these principles.

SCCE’SMISSION

42February 2007



tion to the government. These actions clearly set the stage for a revision of the Principles of Federal Prosecution of Business Organizations reflected in the Thompson Memo, ultimately resulting in publication of the McNulty Memo.

The McNulty Memo is an attempt by DOJ to amend the content of the Thompson Memo regarding requests for waiver of privileges by organizations and indemnification of the costs for employee legal defense. The McNulty Memo affirmed the nine basic factors in making prosecution decisions, as reflected in the Thompson Memo, but adds some unprecedented restrictions on prosecutors who are seeking privileged “factual” and “legal” information from organizations. It creates new procedural approval requirements, within DOJ, before requests for a waiver of attorney-client privilege and work product protec-tions can be made by line prosecutors in law enforcement investigations. The McNulty Memo cautions that requests for waiver should be sought only in rare circumstances and mandates that federal prosecutors must establish a legitimate need for privileged information and must seek approval before requesting such information from the Deputy Attorney General of the United States. The new procedures require that when a federal prosecutor seeks privileged “fac-tual” information (i.e., facts developed as a result of an organization’s internal investigation) from an organization, then approval must be obtained from the local United States Attorney, who must consult with the Deputy Attorney General. On the other hand, a request for waiver of attorney/client privilege and work product protections which includes “legal advice given to a corpora-

tion before, during, and after the under-lying misconduct occurred, as well as attorney notes, memoranda, or reports. . . containing counsel’s mental impres-sions and conclusions, legal determina-tions reached as a result of an internal investigation, or legal advice. . . .” must be authorized in writing by the Deputy Attorney General and then communi-cated in writing to the business organiza-tion by the local United States Attorney.

The tone of the McNulty Memo was also reflected in the Deputy Attorney General’s remarks to “Lawyers for Civil Justice” in New York on December 12, 2006, coinciding with the announce-ment and dissemination of the revised Principles of Federal Prosecution of Business Organizations. Deputy Attorney General McNulty emphasized that the “memorandum amplifies the limited circumstances under which pros-ecutors may ask for waivers of privilege”. The Deputy Attorney General further emphasized that prosecutors must show a “legitimate need” for such privileged information and advised that in order to meet this test, prosecutors must show;1. The likelihood and degree to which

the information will benefit the gov-ernment’s investigation,

2. Whether information can be obtained in a timely and complete manner by using alternative means that do not require a waiver,

3. The completeness of the voluntary disclosure already provided, and

4. The collateral consequences to requesting a waiver.

The Deputy Attorney General went on to say that “the privilege is protected to such an extent, that even if prosecutors have established a legitimate need and I

approve a request for a waiver, the DOJ will not hold it against the corporation if it declines to give the information. That is, prosecutors will not view it negatively in making a charging decision” accord-ing to the Deputy Attorney General.

The content of the McNulty Memo and the Deputy Attorney General’s remarks before the civil lawyers reflect that the revisions to the Federal Principles of Prosecution of Business Organizations are designed to encourage organiza-tions to prevent wrongdoing through self-policing and cooperation with law enforcement. The Deputy Attorney General, in fact, stated that “the best corporate prosecution is the one that never occurs. Through successful corpo-rate compliance efforts, investor harm can be avoided. Corporate officials must be encouraged to seek legal advice if they are in doubt about requirements of the law”. The Deputy Attorney General fur-ther emphasized that “if that relationship (i.e. attorney-client) is interfered with, if those communications are unfairly breached, it makes it harder for compa-nies to detect and remedy wrongdoing.”

Finally, it should be highlighted that the McNulty Memo does make a distinction between the disclosure of attorney-cli-ent privilege “factual” information and attorney-client privileged “legal” informa-tion for purposes of a determination of the business organization’s cooperation. The factual information is the kind of information gathered by an organization through its own internal investigation and essentially involves the who, what, where, why and when of misconduct. This is the kind of information which can be requested with the permission of the


43February 2007


Marti J. ArvinPamela L. BennettShawn Y. DeGrootAilsa M. DelgadoLisa KucaRoy J. SnellGreg TrigubaDebbie TroklusLori M. TryggBrenda S. TunstillCheryl WagonhurstArlinda WillisEric S. WishnerTony D. AlexanderAnnette N. ArribasJohn A. BaceviciusDeann BakerAndrea L. BarclayLaDon J. Berndt KuncewiczEva M. BoucherLisa BrancatoJames Michael BrennanCora M. ButlerKathleen Louise CainLaura J. CarricoPenny Ane CecilPatricia A. CessnumMichele D. ChristiansenGayle Lea CobbPaul Sean CurtinChristina De CaroTalib Dhanji

Nancy K. DoanPaul Edward DworakThomas EdwardsJohn Scot EibelMark S. ElacquaBrian D. ElsberndElizabeth R. EsparzaNancy Lee FullerDarcey A. GartnerSusan Alexandra GasparianLestie J. GloverGary GoebelBryant Alan GoldmanJennifer Ann GoogeBonnie J. GrahamKathleen GreenfieldSusan E. Hahn ReiznerDebra S. HarrisonDwaine J. HepplerMichael G. HerczGregory Steven HerzogBrenda L. HildrethClayton J. HinesDebra D. HinsonJames Lyle HodgesSamantha Marie HultsDavid JaspenDeborah Lynne JoslynDebby J. KeeneWayne Patrick KellerTracy J. KilletteJay M. Krames

Michael Eric KreckJohn C. LatimerTeri Haywood LeeMarty LeonardOrville Dwight LinkousRufus R. LittleGayle S. LovingJames E. LukaszewskiJudith Lea MarrsRoy Jerome MonarchMorris MoriucuiMelissa Ann MorrisRobin MuretischChristopher A. MyersRobert William NolanKenneth R. NunezMary Jo NutterJose A. Ortiz-LozzdeAaron ParksLarry Michael ParsonsJohn Douglas PayneCharles L. PourciauSarah Ann RenfroDawn Denise RockJoyce M. Rutherford DonnerJohn Jahangir SardarBonnie J. SchommerGayleen Gayle Smith

Gail G. SomervilleMathew Shane SpencerAndrea M. SpudichKristina M. StielauAnn Louise StrawFrank Lawrence TaberImmanuel TchividjianDanna R. TeicheiraGeorge ThomasLinda A. ThompsonAngela Faye ThornhillHerschel Marvin TimmonsAnthony Michael ToccoLeon Nelson TomlinsonJacki D. TrevinoBridget Tucker GonderJean C. VandineToyi Dawn VaughanEric W. VersemanArthur Robert WeissRissa WelckerRita C. WilloughbyPatricia S. WindowmakerJasen WyattAmanda YohChester George YoungDawn Melissa Young

Achieving certification has required a diligent effort by these individuals. The CCEP is a professional with knowledge of relevant regulations and expertise in compliance processes sufficient to assist corporate industries to understand and address legal obligations, and promote organizational integrity through the operation of effective compliance programs.

Questions? Please contact:Lisa Colbert at (888) 277-4977 or [email protected] of Corporate Compliance & Ethics6500 Barrie Road, Suite 250Minneapolis, MN 55435

Congratulations to the first 106 CCEP designees!

The Society of Corporate Compliance and Ethics (SCCE) offers you the opportunity to take the Certified Compliance and Ethics Professional (CCEP) certification exam.

44February 2007


local United States Attorney who must merely consult with the Deputy Attorney General. If a corporation declines to pro-vide this information to the government, then the government prosecutors may negatively take that into consideration in measuring the degree of the organization’s cooperation. The request for waiver of the attorney-client privilege to obtain the advice of counsel or the mental impres-sions of counsel must be requested direct-ly from the Deputy Attorney General, and if approved, requested in writing from the business organization. A refusal by the business organization to turn this type of privileged information over to the government is not supposed to be negatively held against the organization during consideration of the government’s charging decision.

Payment of Counsel Fees

As many compliance officers have expe-rienced in all sorts of investigational inquiries, among the first questions asked by the individuals who may be implicated is whether the company will find them an attorney and pay for the associated cost. The associated expense is likely to be significant, particularly if multiple indi-viduals require separate counsel. There may be many reasons why the company would want to bear that cost: it may make the employee or other represented party more cooperative; it may assure that the employee is competently represented if the corporation has some control over the choice of counsel; and it usually assures a more cooperative and coordi-nated defense amongst the corporation and related parties. The corporation may also be obligated to advance fees by law or contract.

The Thompson Memo discussed the

advancement of attorney fees as poten-tially adverse evidence to be considered in weighing the extent and value of a corporation’s cooperation.1 As discussed above, the U.S. v Stein case found that DOJ prosecutorial tactics which had resulted in KPMG’s waiver of attor-ney client and work product privileges and withdrawal of the advancement of attorney fees for KPMG employees to demonstrate the corporation’s “coopera-tion,” violated constitutional protections for the individual employees of the corporation. Against the backdrop of Stein, and in contrast to the Thompson Memo, the McNulty Memo states that, “[p]rosecutors generally should not take into account whether a corporation is advancing attorneys’ fees to employees or agents under investigation and indict-ment.” The McNulty Memo emphasizes that many state indemnification statutes grant corporations the power to advance such fees for officers under investigation prior to a formal determination of guilt. (The Thompson Memo also noted this fact and observed in a footnote that, “[o]bviously, a corporation’s compli-ance with governing law should not be considered a failure to cooperate,”2 but otherwise found payment of fees poten-tially objectionable conduct in protect-ing culpable employees and agents.) In addition, as the McNulty Memo notes, contractual provisions may also require advancement of legal fees. Therefore, a corporation’s compliance with the law and its contractual obligations cannot be considered a failure to cooperate. Prosecutors may, however, inquire about the source of payment of fees, and in “extremely rare” conditions, the advance-ment of fees might be taken into consid-eration when the totality of the circum-stances show that payment was intended

to impede a criminal investigation. If such circumstances exist, approval must be obtained from the Deputy Attorney General before prosecutors may consider this factor in their charging decisions.

Importance of Compliance Programs in the

Decision to Prosecute

Also among the nine factors which prosecutors must consider in decid-ing whether to prosecute a corporation is “the existence and adequacy of the corporation’s pre-existing compliance program.”3 Consequently, the existence of an effective compliance program may help a corporation to avoid prosecution altogether, as well as give the corporate entity a favorable advantage under the U.S. Sentencing Guidelines, if it is pros-ecuted and convicted.

While expressing its support for com-pliance programs, the McNulty memo expressly notes that the existence of a compliance program is not sufficient, in and of itself, to justify not charging a cor-poration for criminal conduct undertaken by its officers, directors, employees, and agents. In fact, such conduct might sug-gest that the corporation is not adequate-ly enforcing its program. In short, the compliance program must be, as noted by DOJ, both adequately designed for maximum effectiveness in preventing and detecting wrongdoing, and enforced by corporate management. Although DOJ recognizes that no compliance program will ever prevent all criminal activity, a “paper program” will provide no advan-tages to the corporation in terms of a DOJ prosecution decision.

While DOJ has no formal guidelines for corporate compliance programs,



45February 2007


The Complete Compliance

and Ethics ManualAn accurate, comprehensive, and

authoritative reference source! Save time by improving the efficiency

of your compliance program. The manual comes with the full-version CD.

Member rate $315.00 Non-Member rate $349.00

The Complete Compliance and Ethics Manual includes more than 400 double-sided pages filled with up-to-date, valuable information on current compliance issues. Large, attractive three-ring binder with color front, spine, and back cover.

THREE WAYS TO ORDER: Mail to: SCCEVisit: www.corporatecompliance.org 6500 Barrie Road

Suite 250Fax: 952-988-0146 Minneapolis, MN 55435

For more details call 888-277-4977

Get great exposure for your employment ads!

Compliance and ethics professionalsbelong to a highly specialized fi eld. SCCE can match qualifi ed individuals with your staffi ng needs. Take advantage of SCCE’s Web site to advertise your unique career opportunities.

It’s easy and cost eff ective. List up to 200 words for 90 days for only $400. Get worldwide exposure for your classifi ed ad to a targeted audience!

200 words 90 days

only $400!

www.corporatecompliance.org888-277-4977

To post a job:Visit www.corporatecompliance.org and click on Advertising: Career Opportunities in the left-hand menu

46February 2007


specific factors for prosecutors to con-sider in evaluating the effectiveness of a compliance program, as identified in the McNulty memo, include the following:

The comprehensiveness of the com-pliance program;

The extent and pervasiveness of the criminal conduct at issue;

The number and level of corporate employees involved in the criminal conduct;

The seriousness, duration, and fre-quency of the misconduct;

Any remedial actions taken by the corporation, including restitution, disciplinary action, and revisions to the corporate compliance programs;

The promptness of any disclosure of wrongdoing to the government and the corporation’s cooperation in the government’s investigation;

Whether the corporation has estab-lished governance mechanisms that can effectively deter and prevent mis-conduct;

Whether the corporation has pro-vided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts; and

Whether the corporation’s employees are adequately informed about the compliance program and the corpora-tion’s commitment to it.

The McNulty Memo further notes that a compliance program must be designed to detect the particular types of miscon-duct most likely to occur in a particular corporation’s line of business. To evaluate this factor, prosecutors are directed to consult with other relevant federal and state agencies with the expertise to evalu-ate the adequacy of the program’s design and implementation. The importance of

employee disciplinary actions is also noted. Again, the emphasis as reflected in the McNulty memo is to give “credit” in the charging decisionmaking process only for robust, relevant and well-supported com-pliance programs which evidence convinc-ing efforts at the detection of misconduct and assuring that business activities are conducted in full compliance with the law.

Conclusion

The McNulty Memo clearly seeks to reverse a practice and/or perception involving “routine requests” for waiver of the attorney-client and work product protections by business organizations. The McNulty Memo attempts to emphasize the importance of the attorney-client priv-ilege and work product protections. The procedures for approval of such requests within the DOJ are unprecedented and clearly designed to ensure that such requests are rarely made, and that when they are made, the requests will be uni-formly reviewed at the highest levels of the Department of Justice. It will remain to be seen how the McNulty Memo and its principles and procedures are applied in practice and its impact on future organiza-tion compliance efforts and effectiveness.

The factors identified by the McNulty Memo for evaluating a compliance pro-gram are relevant even in the absence of concern about facing prosecution. Additional “expectations” for compli-ance program effectiveness were added by the 2004 amendments to the U.S. Sentencing Guidelines in Chapter 8, Part B, Section 8B2.1, including:1. The business organization must pro-

mote an organizational culture that encourages ethical conduct and a com-mitment to compliance with the law.

2. Senior Management/Board of

Directors must demonstrate a com-mitment to compliance efforts.

3. The individual with day-to-day oper-ational responsibility for the compli-ance program must be given adequate resources, appropriate authority, and direct access to the Board or an appropriate subgroup.

4. The business organization must not vest substantial discretion with indi-viduals known (through the exercise of due diligence) to have engaged in illegal activities or other conduct inconsistent with an effective compli-ance and ethics program.

5. Training must not only include all employees, including those with substantial discretion or supervisory authority, but also be addressed to members of the Board of Directors.

6. Enhanced auditing and monitoring is expected.

7. Incentives should be offered for performance in accordance with the compliance and ethics program (as well as discipline for compliance pro-gram violations).

8. An organization is expected to peri-odically assess the risk of occurrence of criminal conduct.

Compliance officers now have clear stan-dards against which to measure the func-tionality of their compliance programs. An effective compliance program may help the corporation to avoid prosecution and result in a downward departure in applica-tion of the Sentencing Guidelines, if pros-ecution (and conviction) is not avoided. ■

1. Thompson Memo at 5.2. Thompson Memo, n. 4.3. McNulty Memo at 4.


47February 2007

6th Annual Compliance & Ethics InstituteSeptember 9–11, 2007 | Sheraton New Orleans Hotel

CALL FOR SPEAKERS

SCCE is currently accepting applications for breakout sessions at its 2007 annual Institute. The SCCE annual Institute is the primary edu-cation and networking event for professionals working in the compli-ance and ethics profession around the world. At this meeting, present-ers have the opportunity to share their latest methods and strategies for developing and improving compliance programs in this rapidly growing and evolving profession.

If you would like to be considered as a speaker for this program, please submit your proposal no later than Friday, March 2, 2007. Incomplete or late submissions are not guaranteed full consideration.

If selected as a speaker, the information provided in your submission will be used for promotional materials. Please complete your submis-sion with this in mind. SCCE reserves the right to edit submissions to accommodate this purpose.

You may submit your proposal online at:www.corporatecompliance.org/events/cfs.htm

Or complete the form and return it via fax, mail, or email to:Kathy AroSociety of Corporate Compliance and Ethics6500 Barrie Road, Suite 250 | Minneapolis, MN 55435Phone: 888-277-4977 | Fax: [email protected]

FormatBoth standard breakout sessions and longer pre-conference sessions will be available at the Institute. Breakout sessions are one hour in length and will begin with a speaker introduction and end with a 10-minute question and answer period. Pre-conference sessions are four hours in length and will begin with a speaker introduction and end with a 10-minute question and answer period. In addition, there will be a 15-minute refreshment break midway into the presentation.

StyleSCCE looks for presentations that are dynamic and engaging. Please be creative in designing and preparing your presentation so that it is as interactive as possible.

SubstancePresentations should draw on your expertise in the compliance profes-sion and be original, insightful, and informative. They should enrich the knowledge of attendees and contain practical tools, real-world examples, and strategies for implementation.

TopicPresentations that will be accepted into the program will provide timely and valuable information that compliance professionals can apply to their real-world situations.

NotificationSCCE will notify submitters in March 2007 whether their presentation has been accepted into the program.

Proposals are due Friday, March 2, 2007

www.corporatecompliance.org | 888-277-4977

meet marti arvin join scce!...compliance & ethics (ce) (issn 1523-8466) is published by the...

Documents