Chapter 1
The outlook for fraud and corruption
The digital disruption of business and increased data privacy legislation is increasing fraud, corruption and compliance risks.
We are in an era of digital transformation that continues to challenge how all aspects of business are conducted — and the implications for the legal, compliance and internal audit functions are significant.
Ninety-one percent of our survey respondents stated that their organization will be using advanced technology (such as digital payments, Internet of Things, robotics and artificial intelligence) regularly within the next two years. However, digital transformation has also created new risks.
For example, open and connected business models are likely to result in increased exposure to cyber threats and ransomware. In the last two years, cyber attacks have been widespread and have included a global ransomware campaign that impacted over 45 countries. It is therefore not surprising that 37% of our respondents see cyber attacks as one of the greatest risks to their business.
The good news is that advances in technology — particularly in artificial intelligence, machine learning and automation — can be used to transform legal and compliance functions. Incorporating forensic data analytics (FDA) into a company’s digital strategy is an opportunity to enhance risk mitigation and improve business transparency.
A growing digital footprint alters the traditional risk landscape for individual companies and entire industry sectors. Out-of-date risk assessments and antiquated policies, procedures and controls can result in companies missing opportunities to help employees comply with company policy.
Worse yet, such gaps can be exploited by rogue employees intent on fraud, data theft or other illegal acts. It is important that the effectiveness and efficiency of compliance is improved. Failing to do so exposes the company to regulatory and law enforcement scrutiny.
Fraud and corruption
33%of business leaders see fraud and corruption as one of their greatest risks; we have seen no improvement in the results on this topic at a global level since 2012.
In 2018, 38% of our respondents stated that bribery/corrupt practices happen widely in business in their country, with no improvement since we first asked that question in 2012. We continue to see a trend that respondents perceive risk to be higher in their country than in their business, with only 11% of our respondents believing it is common to use bribery to win contracts in their sector.
A significant minority (13% globally) would justify making cash payments to win or retain business. This increases to 22% of respondents in the Middle East and 29% of respondents in Far East Asia. Worryingly, 18% of our respondents in a financial position would justify these payments and even 6% of the heads of compliance surveyed.
We also found that respondents under 35 years old are more likely to justify fraud or corruption to meet financial targets or help a business survive an economic downturn, with 1 in 5 younger respondents justifying cash payments (compared to 1 in 8 respondents over 35). We also found that the under-35 age group would be more likely to act unethically to meet financial targets than older respondents.
Compliance spend
66%of heads of compliance surveyed stated that compliance spend needs to increase.
Digitization of compliance
For many companies, there is an opportunity for compliance functions to better optimize their resources. A compliance program that more intensively leverages data analytics can lead to more effective risk management and increased business transparency.
Traditional classroom training and web-based learning are not inexpensive, including the cost to productivity. More importantly, the lessons provided to employees may have been long forgotten before they face a situation for which they had been trained previously.
Using FDA, a Fortune 100 company’s compliance function provides timely, tailored guidance to individual employees. Data mined from enterprise resource planning systems, investigation and due diligence case management tools, and others is used to determine which employees receive guidance, from whom and in what format.
Our experience also shows that most companies do not disaggregate employees based on risk factors. A one-size-fits-all approach is not the most efficient or effective way to deliver key compliance messages.
Extending FDA’s benefits beyond basic risk functions can increase business transparency and improve operational efficiency. With the right level of investment and leadership support, data and technology will better address fraud and compliance risks while also offering business insight that can inform strategy.
Chapter 2
The effectiveness of anti-corruption efforts
Too many workers are willing to justify unethical acts. Is enforcement a deterrent, and is management doing enough?
Governments across the world continue to introduce and enforce corporate criminal liability laws.
Despite over $11bn in fines being issued globally under anti-fraud legislation by US government agencies and the UK Serious Fraud Office since 2012, 38% of global executives still believe bribery and corrupt practices remain prevalent in business.
The last four years have seen the introduction of new legislation and greater levels of enforcement outside the US. However, in our experience, there is often a lag between the introduction of anti-corruption laws and a response from management.
Anti-corruption compliance is not just a question of checking boxes and it shouldn’t happen only when things go wrong.
Ninety-three percent of respondents stated that senior leaders demonstrate a commitment to compliance, and 95% stated senior leaders set examples of good ethical behavior. But, when asked specific questions on the implementation and effectiveness of the compliance programs, our survey highlighted a number of differences between management statements and conduct by their organizations:
- In our survey, 97% of heads of compliance and 92% of heads of internal audit surveyed stated that their companies had an anti-corruption policy and/or a code of conduct — yet only 77% of sales and marketing respondents said so. This suggests that high level policies may be in place, but key employees are still not sufficiently aware of them.
- When asked if their organization had a tailored risk-based approach to due diligence that varies by country, industry or nature of activity of the third party, 66% of internal audit, compliance and legal respondents felt this applied vs. 56% of those in internal audit, compliance and legal (who would generally be responsible for engaging a third party). More worryingly, 29% of sales and marketing and 20% of other management were not able to answer the question.
Third party
33%of organizations have incentivized their third parties to act ethically.
- We found that management had often set clear intent regarding penalizing non-ethical conduct, with more than three in four respondents stating that there are clear penalties for breaking their policies. However only 57% are aware of people, actually being penalized.
- More than one in four of respondents stated that people managing relationships with third parties are not required to complete fraud and compliance risk training.
Chapter 3
Putting integrity on the management agenda
Amid the explosion of data and increased regulation, an organization’s integrity becomes the most important driver for ethical business.
Ninety-seven percent of respondents recognize it is important that their organization acts with integrity and rank “operating with integrity” at the top of their list of what they would like people to say about their organization.
Interestingly, although 43% of respondents recognize the importance of demonstrating integrity to avoid regulatory scrutiny and penalties, they also see integrity as a business advantage. Customer perception, public perception, successful business performance, recruitment and retention of employees were deemed more important benefits than avoiding scrutiny and penalties.
The link between integrity and successful business performance is supported by research performed by Ethisphere Institutes, which found that the World’s Most Ethical Companies outperformed the US large cap sector by over 10% over a five-year period.
However, we continue to see a prevalence of fraud and corruption, as well as significant business failures. The results show a mismatch between the 97% of respondents that believe it is important to demonstrate their organization acts with integrity and 13% who would still justify making a cash payment to win a contract.
The importance of integrity in a changing business environment increases as compliance functions, regulators and enforcement agencies may struggle to keep up with the pace of change. Business leaders should focus on instilling the concept of employees taking individual responsibility for the integrity of their own actions.
A potential explanation for this mismatch is that there is little or no clarity as to who in the company is primarily responsible for ensuring that employees behave with integrity. This appears to be common across industry sectors and geographic regions.
We found that fewer than one in four respondents believe that individuals should take primary personal responsibility for behaving with integrity. The remainder believe the primary responsibility for ensuring integrity sits with other groups in the organization such as human resources, compliance, legal, senior management and even the board.
We also found that the group who did not believe it was primarily an individual responsibility is significantly more likely to act inappropriately, including making cash payments to win or retain business. These same respondents are also more likely to extend the monthly reporting period or change assumptions that determine valuations or reserves in order to meet financial targets.
A successful organization stays true to its mission, keeps its promises, respect laws and ethical norms, and fosters public trust in the free enterprise system. Such companies close the gap between intentions — codified in values statements, codes of conduct, and other policies — and behavior, with verifiable data about organizational behavior and culture and improved metrics and enhanced accountability.
Chapter 4
The future of compliance
Business models are changing, and with that, compliance functions will also need to transform the way they prevent, detect and respond to fraud and corruption.
For some companies, management’s existing efforts to tackle fraud and corruption are lagging behind business change. Our experience suggests compliance policies and procedures, backed up by training and consistently applied enforcement, are necessary but not sufficient to deliver effective compliance.
So what is the future of compliance?
Technological advances in compliance such as enhanced data analytics, combined with an employee-centric approach to providing guidance, will result in compliance acting as a key driver of innovation in the use of forensic data analytics (FDA). Examples include:
- The proliferation of data analytics as a management tool is likely to challenge the traditional monitoring role of the compliance function. Our 2018 Forensic Data Analytics Survey shows that more and more companies are using advanced analytics technologies for continuous monitoring.
- Advances in the predictive capabilities of “big data” mean that analytics can be used to make real-time decisions, helping to identify and prevent fraud and providing management with more effective oversight. For many companies, there are substantial gains to be secured by better leveraging FDA, which can significantly improve the effectiveness and efficiency of monitoring and reporting, strengthening the second line of defense.
- Leading companies are using artificial intelligence technology to replace classroom and web-based training with individualized risk-based communications in real time.
- The first line of defense has typically been the responsibility of operational management within the business and included management controls and internal control measures. The chief compliance officer role should be seen as a fully-fledged management role in the organization responsible for proactively safeguarding the corporation’s reputation, not just helping it comply with laws and regulations.
Do the right thing because it’s the right thing to do, and not just because the code of conduct says you should.
Compliance should work with the business to reinforce front-line compliance by sharing insight from data analytics and promoting the Integrity Agenda. The Integrity Agenda has four foundational elements — culture, data insights, controls and governance — that align an individual’s actions with an organization’s objectives. The core challenge is influencing behavior over diverse and dispersed employees and third parties amid intense competitive pressures and rapid technological change.
Summary
Compliance has a role in the first line of defense. It is important that compliance professionals embed themselves within the operational and strategic parts of business, sharing insight and promoting a culture of integrity.