8 minute read 14 Sep 2020
ey-fluorescent-color-interior

How companies are responding to investigation and compliance demands

Authors
Dan Torpey

EY Americas Forensic & Integrity Services Partner

Forensic accountant, author and speaker. Competitive Masters Athlete for Olympic Weightlifting and Strongman competitions. Board Member, Finance Committee for US Olympic & Paralympic Weightlifting.

Sarah Nguyen

EY Americas Forensic & Integrity Services Senior Manager

Problem solver. Devoted to efficiency. Always ready to tackle something new — ceramics, cooking, even the outdoors.

8 minute read 14 Sep 2020
Related topics Forensics

A managed serviced approach provides a company flexibility in complying to regulatory obligations.

Changes and uncertainties in the market are adding further pressure on the compliance efforts of organizations, making it more and more challenging to simply maintain the status quo. The following market dynamics are creating an increased level of focus on an organization’s compliance and investigative functions.

Regulatory pressures

The regulatory environment continues to be unpredictable, with swings in compliance and regulatory demands across different areas of the organization that force organizations to keep up. The focus on compliance has grown dramatically over the past several years, and ethical behavior has received more attention than ever before.

In April 2019, the Criminal Division of the Department of Justice released a new guidance document for white-collar prosecutors on the evaluation of an effective corporate compliance program for corporations. The document describes specific factors to consider when determining if a corporation’s compliance program was effective during the time of the offense. In the 2017 report, The True Cost of Compliance with Data Protection Regulations, conducted by Globalscape and Ponemon Institute LLC, the average cost of compliance for multinational organizations in the US was $5.47m, an increase of 43% from $3.53m in 2011.

For more highly regulated industries, such as financial services and industrial, the cost of compliance was much higher at $30.9m and $29.4m, respectively. Specifically, the penalties incurred by multinational companies for comparable investigations that EY Forensic & Integrity Services conducted ranged from $675m to $1b, exemplifying the high cost of noncompliance.

Additionally, organizations are conducting more investigations and expanding their compliance functions. Compared to the 2015 benchmarking report conducted by the Association of Certified Fraud Examiners (ACFE), Benchmarking Your In-House Fraud Investigation Teams, the 2017 report saw that 16%2 of fraud investigators within organizations investigate 20 to 99 cases at a given time, an increase from 11.9%3 in 2015, and 37% of fraud investigators spend 76% to 100% of their time on fraud investigations compared to 33.1% in 2015. Furthermore, organizations with more than 10,000 employees had on average 59 fraud investigators internally in 2017, a growth from 41.9 in 2015.

While housing a large compliance function can help an organization be responsive to its regulatory and compliance matters, it may not be the most cost-effective method. The model is not flexible to the peaks and valleys that often are associated with the regulatory environment. When regulatory demands slow down, organizations are left with high expenses associated with underutilized staff in nonrevenue-generating areas of the organization. Salaries and benefits are the most obvious costs incurred to maintain an in-house compliance function, but additional costs, such as technology and training and development, also figure prominently.

ey-total-compliance-cost-by-industry

Macroeconomic and geopolitical environment

Political power shifts, both domestic and international, and economic growth challenges continue to create uncertainty as organizations struggle to figure out how these external factors will impact their business. In the EY Global Fraud Survey 2018, 42% of survey respondents stated that the macroeconomic environment poses the greatest risk to their business.

Additionally, in the 2018 annual survey of global business executives conducted by A.T. Kearney, a weak macroeconomic performance and an unstable geopolitical environment were identified as top concerns of many organizations. For example, the international sanctions environment, trade confrontations and Brexit are top matters of importance that will have a domino impact globally.

Despite the instability and increasing levels of complexity in the macroeconomic and geopolitical environment, organizations are still expected to comply with new regulatory decisions and minimize the risk exposure these decisions will have on their business.

ey-todays-complex-risk-landscape

Market demands

Regulators and consumers today are demanding a greater level of transparency and accountability from companies. At the same time, shareholders expect organizations to continue to find ways to generate profit, often by exploring emerging markets and making acquisitions to both accelerate growth and profit from less-developed markets. This leads to a greater exposure to third-party risk that increases the strain on the compliance function. These pressures and demands place organizations in a precarious situation as they seek to grow their business without sacrificing their compliance duties while managing their risks.

The EY Global Fraud Survey 2018, with a perspective on emerging markets, indicates that fraud and corruption risks remain one of the biggest risks in the emerging markets, with 52% of respondents stating that bribery and corruption practices occur widely in business in their country vs. 20% in developed markets. To limit the risks involved with acquiring or forming new relationships with businesses abroad, proper third-party due diligence is critical, as is an understanding of the regulatory environment abroad and the risk trends that exist there.

ey-corrupt-practices-are-perceived-in-emerging-markets

Digitization and technology

Digitization and the continually advancing frontier of technology bring their own challenges. While organizations embrace and implement technologically advanced features into their business for added benefits and efficiency, these changes also create vulnerability.

Ninety-one percent of the survey respondents from the EY Global Fraud Survey 2018 stated that they will incorporate advanced technology, such as digital payments, the Internet of Things (IoT), robotics and artificial intelligence, into their business within the next two years. However, the survey respondents also recognized the increased risks of cyber-attacks and data breaches as a result of the digital era. In fact, the EY Global Forensic Data Analytics Survey 2018 showed the most prevalent increase in the levels of concern around data protection and data privacy compliance, cyber breach and inside threat compared to previous years.

Without transforming their compliance functions to properly manage the risks associated with the digital era, organizations will expose themselves to financial risk, as well as reputational damage from consumers and regulators.

ey-rising-risk-levels-across-the-board

Is housing effective compliance and investigative teams important for organizations?

The table below highlights the various issues and challenges faced by organizations in undertaking compliance matters and investigations.

Business issues/challenges in investigations and compliance

  • Resource optimization

    Is is often a challenge to get the right number of people with the right skills in the right locations. High variability in resource needs and specialized skills make an in-house model inefficient and difficult to simultaneously achieve hig productivity and high quality.

  • Resource prioritization

    Organizations may have other important matters or other priorities that they need their in-house teams to focus on.

  • Geographical sensitivity

    Investigations and compliance issues may occur abroad or in areas where the organizations does not have a strong team present to undertake and resolve the matters. Additionally, local expertise is needed to understand the regulatory requirements abroad, the local language and any cultural no

  • Cost overruns

    Legal advice may be needed to undertand the ramifications of a compliance issue. The costs involved in hiring a law firm and a consultant and associated technology fees can became burdensome.

  • Technology constraints

    Organizations may not have the right tools or people with the knowledge to use the optimal investigative tools. Additionally, an organization's on-house team may not have access to the most innovative tools to perform the work efficiently.

  • Business restructuring

    A change of management or business reorganization often calls for a review of key process and controls in place regarding compliance matters.

  • Lack of knowledge of event or issue

    An organization's in-house team can lack the broader experience to undertake every investigative or compliance matter, but an external consultant hired on a one-off basis has a limited understanding of the company's business and history of compliance issues.

What does the move to a managed services model for your investigative and compliance functions look like?

Managed services involves outsourcing or integrating your non-strategic functions with an external third party. Compared to a traditional third-party consulting model where support is provided on a one-off basis, managed services hopes to amplify the relationship between the organization and third party to offer better coordination, consistency, responsiveness and follow-through on complex matters of interest to the organization.

Organizations are changing their buying behavior with professional services providers and are seeking longer-term relationships that drive value versus one-off project-based relationships. They want expertise, domain and sector understanding, global capabilities, and data insights and tools that are wrapped together in a solution that is specific to their industry. Managed services provides an opportunity for organizations to obtain these competencies in one place through a longer-term arrangement that maintains the domain knowledge acquired, motivates the service team to continuously improve and drives value. Through a managed services relationship, a third party can become a trusted advisor to help organizations pave the way through the changes and uncertainties in the market and the challenges associated with them.

The outsourcing or integration of the investigative and compliance functions will help organizations address their regulatory matters with better-managed costs and the added flexibility of accommodating the highs and lows of the regulatory landscape. Managed services can make the non-strategic areas of an organization more cost-effective and allow organizations to focus on utilizing their capital for more strategic uses, such as investing in technology and tools to better manage their compliance needs. Through flexible pricing models and the ability to scale up or down based on business needs, managed services can help control compliance program costs without sacrificing risk management effectiveness.

Managed services provide better effectiveness, quality of work and efficiency compared to a traditional third-party arrangement. For example, the time spent on procuring a new consultant for every matter and onboarding a new team could be better spent on discussions with your managed services partner on expectations for the new matter and procedures to be performed. Overall, less time is spent on administrative matters that bring little value. Furthermore, the added benefits of using a single managed services partner for investigative and compliance needs include quality and consistency in the work performed, better coordination between the organization and the consultant, the consultant’s familiarity with the business and history of compliance issues, follow-through on projects, and security of information and data being shared.

Additionally, domain knowledge is preserved over time in comparison to a fragmented list of providers. Knowledge transfer is better facilitated for continuous improvement relating to compliance issues, and improved solutions tailored to the inherent risks facing the organization are provided.

When can managed services work for you?

All organizations face transformational change during their lifetime, whether acquiring another organization to expand the business into a new market or going through internal restructuring. During these pivotal times, it is important for organizations to reassess their investigation and compliance functions and determine if there is a place and need for a third party to come in and provide advice and support. Based on our experience developing managed services relationships with organizations, the following triggers were often present when our clients were considering a managed services opportunity with us.

  • Four Triggers to consider managed services

    1. Insufficient or ineffective resources to conduct investigations and compliance reviews.
    2. Change in key personnel triggering a review of the investigation and compliance program, such as a change in the general counsel, chief compliance and ethics officer, or director of internal audit.
    3. Organizational change driving opportunity, such as an acquisition, divestiture, new market entry or another business change, which may require a re-evaluation of many company systems and the structure.
    4. Tail end of a regulatory matter, driving the need to scale down resources, for example, companies often staff up to deal with a monitor, and they are left with a large staff at the end of the monitorship. 

Which areas and functions should not be outsourced?

While managed services can be an effective solution in many situations, certain investigative and compliance activities are better managed in-house. Investigative matters that require strong connectivity to the business or activities that are extremely sensitive or technical in nature are often best maintained in-house, with the organization bringing in external advisors or support as needed. Some examples include human resources matters or product failures requiring the company’s intellectual capital and engineering.

Summary

Like today’s business environment, the landscape for investigations and compliance will continue to change at a rapid pace in ways that can be difficult to predict. Managed services can help your organization be nimble and agile in staying on top of your regulatory obligations.

About this article

Authors
Dan Torpey

EY Americas Forensic & Integrity Services Partner

Forensic accountant, author and speaker. Competitive Masters Athlete for Olympic Weightlifting and Strongman competitions. Board Member, Finance Committee for US Olympic & Paralympic Weightlifting.

Sarah Nguyen

EY Americas Forensic & Integrity Services Senior Manager

Problem solver. Devoted to efficiency. Always ready to tackle something new — ceramics, cooking, even the outdoors.

Related topics Forensics