woman seated at desk surrounded by monitors displaying data

How recent DOJ activities signal importance of data analytics

A compliance analytics strategy and roadmap can help companies respond to increased guidance on the use of data.

In brief

  • The DOJ’s revised guidance emphasizes using compliance metrics and data to verify the effectiveness of a compliance program.
  • Compliance analytics can help a company confirm that it meets the DOJ’s expectations and identify, predict and monitor for noncompliance more broadly. 

Companies need to develop a compliance analytics strategy and roadmap in response to increased guidance by the Department of Justice (DOJ) on the use of data; their companies’ increased investment in data analytics; and increased pressure on their budgets to do more with less. While compliance analytics can help a company ensure that it meets the DOJ’s expectations and avoid costly and reputation-damaging investigations and litigation, their use can also help identify, predict and monitor for non-compliance more broadly and ensure an effective allocation of compliance resources and compliance program effectiveness. Compliance analytics can help a company go from data to insight to action.

Download the full article on: How recent DOJ activities signal importance of data analytics

PDF (354 KB)

How EY can help

DOJ signals the increasing importance of data analytics

 

The Evaluation of Corporate Compliance Programs (revised June 2020) (ECCP) provides guidance to DOJ attorneys when conducting an investigation of a corporation, determining whether to bring charges, or negotiating plea or other agreements (Justice Manual 9-28.300). The June 2020 revisions added specific guidance on the DOJ’s expectations for data collection and use. These revisions and updates reflect, in part, the DOJ’s own evolution and their experience applying data analytics tools to identify and investigate fraud schemes. The revised guidance outlines the DOJ’s specific expectations for data collection and use. The ECCP directs DOJ attorneys to ask:

 

Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions? Do any impediments exist that limit access to relevant sources of data and, if so, what is the company doing to address the impediments?

 

The revised guidance emphasizes using compliance metrics and data to ensure the effectiveness of a compliance program. Examples used in the guidance include understanding which policies and procedures are being accessed by relevant employees; evaluating how training impacts employees’ behavior or operations; measuring helpline awareness and effectiveness; and monitoring investigations and resulting discipline for consistency. 

 

Going forward, we anticipate that the use of compliance analytics will play a role when companies attempt to benefit from the DOJ’s Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy. The policy requires a company to demonstrate that it had an effective compliance program, including a system of internal and accounting controls which enabled the identification of the misconduct and led to the company’s voluntary self-disclosure. As part of this analysis, data analytics can (1) demonstrate and enhance how the compliance program effectively measures, reports and operates; (2) be used to identify trends and create insights; and (3) assist with monitoring.

 

Importantly, the DOJ has also recently hired several former chief compliance officers including (1) Glenn Leon as the chief of the Fraud Section, who was previously the CECO of Hewlett Packard Enterprise; and (2) Matt Galvin, former CECO of AB InBev, to a new role within the Fraud Section as Counsel, Compliance and Data Analytics. They bring deep in-house experience and perspective to the DOJ. Their recent statements indicate a pragmatic expectation for companies to use the data and technology that they have access to — it isn’t about using the “shiniest tool in the toolbox.”

Companies need to get their arms around their data and their existing business intelligence tools and they need to start paying attention to what that data is telling them.

Amy Schuh

Partner, Morgan, Lewis & Bockius LLP

Leaders need to use compliance analytics as evidence of effectiveness in preventing and detecting non-compliance for their companies’ prioritized risks.

“Companies need to get their arms around their data and their existing business intelligence tools and they need to start paying attention to what that data is telling them,” says Amy Schuh, a partner at Morgan, Lewis & Bockius LLP. Amy suggests that one way is to “start and build on what you have, and importantly act on what you find as you’re looking at your data and trends.”

An effective compliance program will use data to make objective decisions to focus on specific high-risk areas of their business (e.g., specific business units or types of transactions, or third parties).

If the data points you’re pulling together aren't leading to actions and helping you make decisions, you're not living up to the use case expectation of analytics," says Spyro Karetsos, Chief Compliance Officer at Google. As a result, compliance analytics will help companies prioritize where resources should be allocated from a mitigation perspective. As Scott Schools, Chief Compliance & Ethics Officer at Uber says, “the value of compliance analytics is in their ability to help company management address real risks and real problems.” Compliance analytics can help prevent risks from becoming issues.

When we think of our practice’s work with EY Virtual, we certainly have some great pre-built solutions available for our clients to allow them to effectively manage their compliance risks.

Miles Ripley

Principal, Forensic & Integrity Services, Ernst & Young LLP; EY Americas Investigations & Compliance Leader

Corporate compliance departments should:

  • Use data and technology available to other departments (e.g., sales, finance, internal audit, HR and operations).
  • Use data as part of ongoing compliance processes.
  • Use “compliance data” (e.g., investigations, training, conflicts and compliance helpline data) and “business data” (e.g., financial, customer relationship management and human resources data) and consider multi-dimensional risk analysis combining these types of data sets.
  • Analyze trends, patterns and relationships in the data — look for anomalies.
  • Allocate resources and act based on insights created by compliance analytics.

Summary 

Revised guidance outlines the DOJ’s specific expectations for data collection and use. A compliance analytics strategy and roadmap can help companies respond.

Related articles

How economic sanctions and export controls are changing business

The international response to conflicts in Europe has resulted in the most sweeping sanctions and embargoes ever levied against major powers. Read more.

18 Jan 2023 Jeff Ferguson + 1

How EY Virtual optimizes compliance analytics for Honeywell

EY Virtual optimizes compliance analytics for Honeywell. Learn more in this case study.

22 Dec 2022

How to keep data from leaving with a departing employee

Departing employees have access to privileged data. Here’s how companies can protect data.

07 Dec 2022 Shawn Fohs
    Contact us
    Like what you’ve seen? Get in touch to learn more.

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.