Kusserow on Compliance: Time for Compliance Program evaluation

  1. Have a 2021 workplan focusing on improving the Compliance Program
  2. Not having independent evaluations is evidence of lack of program effectiveness
  3. DOJ & OIG: Identifying & addressing weaknesses evidences program effectiveness

With 2020 coming to an end, it is time to look forward to the New Year and plan ways to identify areas for improvement of the Compliance Program, building on the results of independent evaluations. Both the OIG and DOJ stress the importance of evidencing Compliance Program (“CP”) effectiveness and that all programs are in progress, never completed. They see compliance officers identifying weaknesses and gaps that lead to improvements as positive evidence of an effective program. The DOJ “Evaluation of Corporate Compliance Programs” notes that there will always be ways the program can be improved and enhanced. The DOJ, in its 2020 Compliance Program Evaluation Guidelines, noted: “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment.” The DOJ highlights the importance of effective implementation and evaluation measures to determine whether the compliance program is a “paper program” or one that is fully “implemented, reviewed, and revised, as appropriate, in an effective manner.” DOJ prosecutors are directed to ask: “Does the company evaluate periodically the effectiveness of the organization’s compliance program?” Regular, rigorous, and consistent review of compliance programs is now the expectation. The OIG calls for ongoing monitoring and independent ongoing auditing of Compliance Programs to evidence continuous improvement.

There are three general ways for independent evaluations: (1) a complete compliance program evaluation; (2) a compliance program gap analysis; or (3) an independently developed and administered employee survey of compliance knowledge, attitude and perceptions.

  1. A Compliance Program effectiveness evaluation is recognized by experts as by far the best method to evidence how well the program is functioning. It measures outcome by conducting a 360-degree evaluation that includes: (a) full document examination and review; (b) on-site review and testing of operations in action; and (c) interviews of Board members, executives, selective key staff, and focus group meetings. If done properly, the resulting reports will be 60 to 100 pages that include findings and observations, along with recommendations and suggestions for program improvement.
  2. A compliance program gap analysis is about half of the cost or less than a full compliance program evaluation, but the reduction of costs is matched by the diminished value of results. It is primarily a document “checklist” review, focusing on output metrics rather than outcome metrics related to program effectiveness. It is best used with organizations with new or incomplete programs that desire assistance in identifying elements needed to complete development of their program. It can identify gaps for inexperienced compliance officers but lacks details by which this can be accomplished.
  3. Independently developed, validated, and administered compliance surveys of employees are the least expensive means, at a fraction of the cost of either of the two other methods, for evidencing and benchmarking compliance program effectiveness. The use of surveys has long been advocated by regulatory bodies, including in the Federal Sentencing Guidelines, OIG Compliance Program Guidance and DOJ guidelines. These organizations advise using surveys of employees to gauge how well the program is functioning. Surveys that are anchored in a large database of organizations permit benchmarking an organization to the universe. Compliance knowledge surveys test knowledge of the compliance program structure and operations and can provide very credible empirical evidence of the advancement of program knowledge, understanding and effectiveness. Compliance culture surveys focus on employee beliefs, attitudes, and perceptions concerning compliance, and are useful in measuring the extent to which individuals, coworkers, supervisors, and leaders demonstrate commitment to compliance. Both types of surveys should be considered, as they are useful in benchmarking and measuring change in the compliance environment over a period and provide different dimensions and perspectives on a compliance program.

For more information on the difference in scope of work between a full compliance program evaluation and a gap analysis, send your queries to Richard Kusserow at rkusserow@strategicm.com.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Compliance investigation witness interview questions

20 key questions to be answered

The biggest challenge to conducting successful compliance investigations is knowing how to conduct successful witness interviews. Many find a list of predetermined questions to ask witnesses in a compliance investigation useful. However, care needs to be taken, because this approach can limit the information the investigator will get from the interview by constraining the conversation within a rigid framework. Begin with simple questions about an individual’s position, how long they have worked for the organization, who their supervisor is, etc. This will allow the individual to relax a little bit before going into substantive questioning. Keeping the interview as a fluid conversation is likely to be more productive. It is always preferable to use open-ended questions to let a witness tell their story in their own way, such as “Tell in your own words about….” The following 20 questions can be used as a guide to frame your interviews and as a reminder at the end of the interview to ensure all the key points have been addressed:

  1. What happened?
  2. Where did it happen?
  3. When did it happen?
  4. Who did it?
  5. Has it happened before?
  6. How often?
  7. Who else was present?
  8. Do you know of others who may have been affected by the incident or behavior?
  9. Who else may have seen or heard the incident or behavior?
  10. How did you react?
  11. How did any others present react?
  12. Did you ever indicate that you were upset or offended by the incident or behavior?
  13. Have you discussed the incident or behavior with anyone?
  14. Has anyone else reported this?
  15. How has the incident or behavior affected you?
  16. How has the incident or behavior affected your job?
  17. Have you sought medical treatment or counseling because of the incident?
  18. Do you have any evidence or documentation about the incident or behavior?
  19. Is there anyone else who may have relevant information?
  20. Is there any other relevant information that I haven’t asked you about?

For more information on conducting compliance investigation interviews or securing investigator training, contact Richard Kusserow at Rkusserow@strategicm.com.

 


Kusserow on Compliance: DOJ issues 2020 compliance program guidelines

Provides a more in-depth analysis of compliance programs

The DOJ released the updated Evaluation of Corporate Compliance Programs to assist prosecutors in making an informed analysis about an organization’s compliance program at the time of charging decisions. It has not changed much from the prior releases that included a list of 119 compliance-related questions. The new guidance continues to focus on three core questions derived from the Justice Manual, namely, whether a compliance program is “well designed,” “being applied earnestly and in good faith,” and “works in practice.” It restates the importance of having a compliance program suitable for the company’s risk profile but adds context and detail for companies to ensure that their compliance priorities are aligned with the DOJ’s expectations.

These include: (1) the importance of having an evolving, dynamic program; (2) the need for the compliance function to engage with company employees; (3) ensuring the program is thoughtful and responsive to the company’s context; and (4) the importance of adequate compliance resources and empowerment of the compliance function. Additional attention is given to these principles so that companies can enhance their compliance programs and adhere to best practices that would best position them in the event of an inquiry or enforcement action from a government regulator. It reflects the continued expectation that a compliance program should continue to evolve and improve over time as the business changes and the compliance function matures. Meaningful risk assessments and program evaluations are critical to this end. There is added language asking prosecutors to assess “why and how the company’s compliance program has evolved over time” and “has the periodic review led to updates in policies, procedures, and controls?”

The DOJ has continued to move away from the antiquated model of a generic, “off-the-shelf” compliance program and to focus more on how an organization acts in response to risk assessments. Other questions include whether the company has a process for tracking and incorporating into its periodic risk assessment lessons learned either from the company’s own prior identified issues or from those of other companies operating in the same industry and/or geographical region. The DOJ asks about effective monitoring of compliance and whether a company’s compliance program has continuous access to operational data and information across functions. The DOJ underscores, once again, the importance of having regular reviews of the compliance program, and makes it clear that these should not be “cookie cutter,” “check the box” type reviews. These reviews should lead to useful findings that result in meaningful changes and improvements. Greater emphasis is also given to the adequacy of compliance resources, quality of trained staff, and empowerment for the program. The importance of oversight of any third-party agents that act on a company’s behalf is stressed, including whether the company engages in risk management of third parties throughout the lifespan of the relationship. The questions include whether the company completed pre- and post-acquisition due diligence, and whether it has a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls.

The guidance asks whether the company tracks access to various policies and procedures to understand what policies are attracting more attention from relevant employees, and if the policies have been published in a searchable format for easy access and reference. Employee training received new attention, suggesting companies consider the format of their trainings to be more responsive, including by: (1) investing in shorter, more targeted training sessions, and (2) ensuring a process by which employees can ask questions arising out of the training. In addition, there is the question as to the extent to which the training has an impact on employee behavior or operations. With regard to hotlines, the guidance has added language to ensure that the hotline is an accessible, responsive tool, asking whether the company tests whether employees are aware of the hotline and feel comfortable using it, and if reports are tracked from inception to finish.

 


Kusserow on Compliance: Arrest of the University of Pittsburgh Medical Center hacker

An individual was indicted by a federal grand jury in Pittsburgh and arrested on charges associated with the 2014 “hacking” theft of a University of Pittsburgh Medical Center (UPMC) human resources database that included personally identifiable information (PII) of over 65,000 UPMC employees. He was charged with fraud, aggravated identity theft, and selling the information on the dark web to buyers around the world. The buyers, in turn, engaged in a massive campaign of further scams and theft, including the filing of thousands of false IRS tax returns, leading to $1.7 million in false tax return refunds.

Additionally, the indictment alleges that the hacker, from 2014 through 2017, using the acronyms “TDS” or “DS,” regularly sold other PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud. According to the indictment, the hacker sold the stolen information on dark web forums for use by conspirators, who promptly filed hundreds of false Form 1040 tax returns using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars of false tax refunds, which the conspirators converted into Amazon.com gift cards that were then used to purchase Amazon merchandise shipped to Venezuela. The case was investigated by the Secret Service, IRS, and Postal Inspection Service. As a side note, six years ago, the case resulted in a major legal battle after employees sued UPMC for negligence and breach of contract. The state high court also ruled that UPMC may be responsible for monetary damages if the plaintiffs can prove the health system acted negligently.
