3 Ways Your Chief Information and Chief Security Officers Can Be Ethics Heroes

August 31, 2010

A company’s ability to effectively use technology to monitor, share and manage information contributes to the success of its ethics and compliance program. Some laws and corporate policies contain compliance requirements that can only be executed by a company’s IT department. In my opinion, a company’s Chief Information Officer (CIO) and/or Chief Security Officer (CSO) is just as important as the Chief Ethics and Compliance Officer (CECO) when it comes to maintaining workplace ethics and compliance. Since CIOs are responsible for implementing IT systems and controlling the flow of information into and out of a company, CIOs help protect their company from data breaches and other technical risks. As ethics and compliance grows as an IT concern, an increasing number of companies have reported looking for CIOs, CSOs and other IT staff who not only possess the required technical skills, but also have personal values and morals that are similar to those of the company.

Here are 3 different ways your company’s CIO and CSO can become ethics heroes:

1. Access Controls

In many companies, access controls are based on an employee’s role in the organization or the department they work in. This practice keeps information on a need-to-know basis, limiting the risks and opportunities for information to fall into the wrong hands. Access controls can be adjusted during times of need. For example, if an employee requires information for a special project they are working on, they can ask to be granted temporary access to the information. In the ComputerWorld article “Ethics: IT Should Help the Company Steer Clear of Corporate Scandals,” Mary K. Pratt discusses the importance of access controls at Texas Health Resources Inc.:

“Consider the challenge of handling patients’ medical records. Even though the federal Health Insurance Portability and Accountability Act mandates that agencies keep those records private, caregivers still need to access them- when appropriate. So the organization’s electronic health records system gives doctors and nurses who are caring directly for patients quick access when they use the right authentication, Alverson says. But additional authentication is required to get records for patients who aren’t under the provider’s immediate care. The system records who gets access to what, allowing officials to audit and review cases to ensure there’s no inappropriate access.”

2. Tone from the CSO

The primary responsibility of the CSO is to implement systems in the workplace that provide all employees with the ability to work together to maintain security. I came across a document published by Cisco Systems, titled “Security at Centre Stage,” discussing the important contributions CSOs make to the workplace. The document states that, similar to the “tone at the top,” CSOs must act as leaders to make sure the tone at the top is heard by the IT department. From there, the IT department can develop policies and systems related to security and ethics that will be communicated to the entire organization.

At Cisco Systems, they have introduced the Corporate Security Programs Organization (CSPO) into the workplace to:

  • Provide training and awareness to employees- Informing employees of the various security risks at each level and training them to mitigate such risks.
  • Constant interaction- The CSPO believes strongly in communication and constant reminders to help employees change their ways and adopt practices for maintaining security.
  • Award and recognize- The CSPO has an annual awards ceremony, rewarding individuals who have gone above and beyond in ensuring security.

3. Build Compliance Rules into Company Systems

Building compliance rules, company policies and industry regulations into business systems holds employees and companies accountable for their actions. This is similar to what we do when building i-Sight for each of our unique clients, as companies today must proactively investigate allegations of fraud, theft or abuse to prevent significant financial liability and risk to the organization. As legislation surrounding ethics and compliance continues to increase, the IT department must take advantage of technology and develop systems that are capable of monitoring and tracking these issues. The Cisco Systems document addresses the practice of building laws and regulations into corporate information systems:

“Then, security and privacy legislation gained momentum. What once were merely mandates for government agencies quickly became strict guidelines for the public sector—the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley (GLB), to name but a few. So the CSO took on more of an oversight role. ‘Any organization with state or federal regulations around protection schemes absolutely must have a security officer,’ says Felix Santos, CISO for Performant Financial, based in Livermore, Calif. Unfortunately, the CSO often became a mere compliance tactician or, worse, was served up as a ’sacrificial lamb’ in the event of a security breach.” 

Gaining Control Over Personal Information Privacy

August 26, 2010

The issue of personal information protection is a hot topic. Companies such as Google and Facebook have been questioned in regards to their privacy policies, as the personal information gathered from users has been leaked to the public on multiple occasions. Most recently, the University Health Network made headlines when patient information was leaked due to the theft of an unprotected USB key- we discussed the topic in the post “Maintaining Information Security and Privacy.” Sharing information has been made easier due to the Internet and electronic files, which raise concerns when it comes to regaining control over personal information protection. As technology advances, the risks surrounding information privacy continue to increase. Will your organization be ready to respond to tighter information controls?

A Call to Action

According to the Ottawa Citizen article “World is losing grip on privacy: watchdog,” Ontario’s Privacy Commissioner Ann Cavoukian stated:

“The world has less than a decade to make the protection of personal information and online privacy a priority before the concepts are lost forever. Ann Cavoukian says legislation meant to safeguard privacy already can’t keep pace with the flow of information and advances in technology.”

The Ottawa Citizen article raises the point that there are currently no laws in place requiring private companies to disclose incidents where personal information has been leaked or stolen. Unfortunately, many companies only go public about information privacy breaches if there’s a significant amount of data lost- with each company’s definition of “significant” varying significantly. The article then suggests that governments around the world should take privacy matters into their own hands in order to protect personal information and hold companies responsible for failure to do so.

I feel that it would make a difference if governments enforced greater control and accountability of privacy issues. However, in order to reach ethical goals and act as good corporate citizens, companies must build privacy protection controls into their business strategies immediately. Companies cannot afford the costs associated with information breaches or the lack of trust from the public- take initiative and be proactive in protecting information.

Suggestions for Keeping Personal Information Private

Accountability: Treat personal client, employee and patient information as if it were your company’s most important trade secrets. If an information breach occurs, make an announcement immediately- regardless of the size of the breach.

The Ottawa Citizen article “World is losing grip on privacy: watchdog,” by Vito Pilieci, discusses Cavoukian’s suggested plan for implementing stricter privacy laws:

“Cavoukian has been trumpeting her Privacy by Design agenda to privacy commissioners all over the world. The concept takes a radical look at the way privacy issues are governed and forces companies to make the safeguarding of personal information the standard in every new product, technology or service they release. Before mining personal data, a company must approach each individual, ask for access to the information and explain exactly what the information is going to be used for. Numerous European countries, as well as the U.S. are adopting Cavoukian’s concept.”

Define Intention and Use of Data: Let consumers, clients and the general public know what is done to personal information once it has been collected by a company and provide them with options as to whether or not they grant your company permission to share their information. People want to know that companies are taking the proper measures to keep their information safe. Consumers use cards that contain personal information to pay for items, they are asked to divulge increasing amounts of information and proof of identity when signing up for services or making purchases and in return, companies are being trusted to use this information for the sole purpose of providing the service or business transaction- not selling client lists to marketing companies.

Think of Your Users First: Privacy concerns have increased significantly due to the rise of social media. Google and Facebook have demonstrated a lack of concern for the privacy of their users, as both companies only took additional privacy matters into consideration after services were launched and users were furious with the lack of information protection.

When Google Buzz first launched, many Gmail users were confused by the service and the ability to opt-out of it in order to refrain from having their contacts, location, comments and other information available to anyone viewing them. In response to the criticisms, Google made many announcements and multiple privacy revisions. Google encouraged users to set their privacy settings to the appropriate level they desire and disabled users’ auto-connect capabilities so that they now have the opportunity to accept and reject people’s requests to connect.

In the hydro industry, homes in Ontario are going to be added to a smart grid system, which is described in the Ottawa Citizen article:

“With a smart meter, the electrical utility knows how much electricity a person is using and when. The utility can also tell when a person is home or out, based on power usage. Some utilities in the United States have expressed interest in selling that data to market research companies. Cavoukian believes that information should not be shared openly. She said she has been working with Toronto Hydro and Hydro One to ensure utilities in Ontario keep personal information private. The two large utilities have agreed to make privacy a top priority. ‘It’s your information, you should be able to decide what happens to it,’ Cavoukian said in applauding the approach of the Ontario utilities.”

I’ll have to side with Cavoukian on this issue- I should be able to decide what happens to my personal information. The next time your company collects a client’s information or launches a new product or system, consider the impact it will have on your company’s ability to protect personal information.

Xerox’s Accounting Scandal Recovery Tactics

August 23, 2010

The turn of the century was marked with a number of accounting and ethics scandals that would significantly alter the importance of corporate ethics and compliance. The Securities and Exchange Commission (SEC) began investigating the accounting practices at Xerox in 2000, which eventually led to Xerox agreeing to pay a $10 million settlement. During Xerox’s post-scandal transformation, Sarbanes-Oxley came into effect to improve financial and accounting compliance. Today, Xerox has turned their practices around and secured a spot on numerous ethical company lists. This post discusses the tactics deployed at Xerox to regain consumer confidence and instill ethics and compliance back into the company.

Accounting Scandal

In 2002, the SEC filed civil fraud charges against Xerox. The charges were filed after a two-year investigation into the company’s accounting practices. The SEC charges came at a time when major fraud scandals (WorldCom and Enron) broke out. In the CFO Magazine article “Xerox: New Lease on Life,” Craig Schneider wrote:

“The commission alleged that Xerox management accelerated the revenue recognition of leasing equipment over a four-year period by more than $3 billion, and inflated pre-tax earnings by $1.5 billion, to meet or exceed Wall Street expectations and hide its true operating performance.”

The accounting techniques used by Xerox violated the generally accepted accounting principles (GAAP). Revenues were inaccurately assigned to time periods in which they were not yet received. This resulted in inflated revenues, and also provided investors with inaccurate information pertaining to the company’s income and assets. It was reported that management was aware of and even approved these accounting methods. According to the initial complaint filed by the SEC:

“The allegations in the complaint center around seven different accounting actions used, in Xerox parlance, to “close the gap” between the company’s operating results and the market’s expectations from 1997 through 2000. Many of these actions had the purpose and effect of accelerating Xerox’s recognition of revenue at the expense of future periods. According to the complaint, Xerox fraudulently disguised these actions so that investors remained unaware that the company was meeting earnings expectations only by using accounting maneuvers that could compromise future results.”

Another interesting point to consider is the fact that, unlike Siemens, it was reported that Xerox didn’t fully cooperate with SEC investigators. The lack of cooperation led to the stiff penalty handed down by the SEC, as the $10 million fine was the largest fine administered by the SEC in a financial fraud case at that point in time.

Xerox’s Response

Practices at Xerox are much different today, as the company, like many others that find themselves facing compromising charges, has learned its lesson. The CFO Magazine article “Xerox: New Lease on Life,” stated that prior to settling with the SEC, Xerox had already ousted executives that had participated in the accounting fraud schemes. Following the $10 million settlement with the SEC and the restatement of company financials from the 1997-2000 time period, Xerox began its transformation, led by CEO Anne Mulcahy.

According to the CCN Money article “Xerox Turns a New Page: Less than three years ago, the iconic company seemed doomed. Here’s how CEO Anne Mulcahy is bringing it back,” Mulcahy’s first step was to replace the company’s accounting team and begin cutting costs to reduce the company’s large debts. The article also takes note of Mulcahy’s optimism in her role as CEO- believing in the company and its ability to achieve greatness. When a company’s leader exhibits infectious optimism, it rubs off on employees. Mulcahy managed to successfully change the tone at the top at Xerox, which contributed to her ability to rebuild Xerox into the company it is today.

In rebuilding Xerox, Mulcahy focused on three areas that can be applied to executives in all organizations. The case study “From Goliath to Lazarus: Xerox is Revived by the Power of Customer-led Innovation,” discusses how Mulcahy responded to feedback from both employees and customers to make positive changes. She walked the talk and was able to prove to employees the need for change within the company. The case study also documented Mulcahy’s efforts to open up the lines of communication within the company by traveling to speak with people who would provide her with constructive criticism to bring the company back to success.

Of course, turning the company around and working towards gaining a profit wasn’t easy. Employees were laid off and various corporate functions were outsourced to save money. One of the processes selected for outsourcing was the company’s internal audit. If a company can manage to do so, it’s wise to outsource the internal audit function. Although there has been much debate over the decision to outsource the internal audit function, the objectivity and opinion of an outsider can provide greater benefits for the company, as an external auditor doesn’t have any direct relationship to the company. According to the article “Internal Audit Outsourcing Services,”:

“The benefits of internal audit outsourcing include:

  • Quick start-up of the function and execution of work, including already-developed methodologies and audit tools provided by the outsourcing organization.
  • A variable-cost arrangement rather than a fixed-cost function.
  • Access to a greater number and wider range of resources.
  • Potentially greater objectivity and independence.”

Companies must learn from the mistakes other organizations have made in the past in order to avoid making similar ones in the future. Leaders must understand how to identify ways the issue could have been detected and addressed sooner. The ethical lapse at Xerox forced company executives to reevaluate the way accounting matters would be handled within the company, while new members were brought in to ensure that known inaccuracies were reported and corrected.

Conducting Effective Employee Theft Investigations

August 18, 2010

According to a report from the Association of Certified Fraud Examiners, occupational fraud and abuse costs businesses in the United States upwards of $400 billion a year. Today’s business leaders must focus on protecting their brands through prevention and proactive measures to rid their workplace of fraud, theft, violence and other unethical acts. However, managers still need to be prepared to react to these types of events and conduct investigations into reported allegations, as accidents do happen. One of the main concerns facing businesses during times of economic recession is employee theft. As businesses do their best to cut unnecessary costs, they must also monitor for theft, as the costs associated with theft place significant burdens on the organization. We have covered tips for preventing and detecting employee theft in our posts “Workplace Theft & Fraud Prevention Tips Part 1,” and “Workplace Theft & Fraud Prevention Tips Part 2,” therefore, this post will focus on the proper handling of workplace theft allegations and conducting employee theft investigations.

Handling Theft Allegations

Whether it’s allegations of employee theft involving physical property, intellectual property, money, supplies or other workplace materials, all allegations must be treated with the same level of importance. When allegations are initially received, the investigative or HR manager who receives the allegations and complaints must assign an appropriate investigator to the case. There are a number of ways to determine an appropriate investigator. Some organizations choose to filter allegations by location, organization department or type of allegation. Investigation software solutions, including i-Sight, make it easier to control case assignment through built-in process rules. Incoming allegations can be held in a pending queue to be assigned manually by the investigative manager, or new cases can be routed to the designated investigator based on the various filters mentioned above.

When theft allegations arise, the FindLaw article “Handling Employee Theft Claims,” recommends:

“When a theft is detected, you must move quickly to investigate and discipline the employee. If an employee is caught by direct observation, the “investigation” should be straightforward. However, more often than not, an employee theft is suspected based upon indirect or circumstantial evidence, such as another employee report or in the results of an audit. In such cases, an investigation is necessary. However, do not unnecessarily delay the investigation, since criminal and civil statutes of limitation will begin upon discovery of the loss.”

Software for Managing Employee Theft Investigations

Take Action: Once it has been determined that the theft allegations provide grounds for further investigation, it’s important to determine what to do with the subject (accused employee) while the investigation commences. The action taken will vary based on the nature and scale of the employee theft reported. The FindLaw article “Handling Employee Theft Claims” suggests that sometimes it’s best to leave the employee in their position and monitor their actions to confirm the fraud, whereas sometimes it’s best to immediately suspend the employee until a decision has been made.

Maintain Confidentiality: As with every workplace investigation, ensure confidentiality is upheld to the highest degree possible. i-Sight provides investigators with the ability to control who has access to entire case files, as information pertaining to internal issues may even require confidentiality amongst members of the investigation unit. Since theft is a criminal offense, information will likely need to be shared with third parties. Access can be granted to members of third parties, granting them access to an entire case or specific parts within the case file. Once they have the information they need, access can be restricted once again to maintain privacy.

Confidentiality must also be addressed during investigation interviews, as some individuals being interviewed may be hesitant to divulge information for fear of retaliation. Remind interviewees that retaliation isn’t permitted and if they feel anyone is acting in a retaliatory manner towards them, to report it. Communicating the company’s commitment to investigation confidentiality will allow for stronger information to be collected, greatly improving the quality of the investigation.

Stay on Track: Employee theft investigations not only require immediate attention but must also be conducted in a timely manner. A company that has already lost money due to theft cannot afford to lose additional money by being slapped with a lawsuit for negligence. i-Sight keeps investigators on task by using a system of approvals and alerts that make it easier for investigative managers to keep an eye on the progress of their investigators. Alerts are used to inform investigators of newly assigned cases, task assignment, inactivity or overdue tasks and approval requests (confirming ownership of cases and tasks). By selecting due dates when assigning cases and tasks, alerts keep investigators on top of their investigations and ensure that no step is overlooked.

Repeat Offenders: It’s important to be aware of an employee’s involvement in previous theft incidents. It has been reported that many employees commit an act of theft more than one time within their organization. Identifying repeat offenders helps determine a suitable punishment to be administered when the investigation has concluded. i-Sight makes it possible to identify repeat offenders through case linking and search functionalities.

Track Restitution Payments: One of the best features of i-Sight Investigation Software, for theft investigations, is the ability to track restitution payments and case-related expenses. This information is stored directly in the case file and alerts can be sent if restitution payments are not made on time. This helps companies gain back monetary losses they have incurred, while holding the subject accountable for making timely payments.

Reducing the Opportunity for Workplace Fraud

July 27, 2010

The values associated with workplace fraud continue to rise- especially during economic downturns. Preventing workplace fraud begins on the inside of an organization. One of the largest fraud risks companies must address is the opportunity for fraud to occur. There are a number of anti-fraud techniques and systems that are easy to implement within any organization. When fraud grows out of control within an organization, reputations and public trust are destroyed. To reduce the opportunity for fraud to occur, accounting and money handling responsibilities must be divided. Monitoring and enforcement of anti-fraud programs is necessary in order for the program to be effective and for employees to take it seriously. When employees know they are being watched, their work is being reviewed on a consistent basis and punishments are administered to those who violate anti-fraud policies, there’s less room for fraud to go undetected.

Fighting Fraud

An effective system of internal checks and balances greatly reduces and may even eliminate all opportunity for workplace fraud to occur. Here are 4 tips to help reduce the opportunity for fraud in the workplace:

1. Dividing Responsibility

Create a small team to handle the money handling and accounting responsibilities.  This makes it easier to identify any misallocated funds or errors that could lead to the discovery of a fraud scheme. Dividing responsibilities decreases the opportunity for fraud, as different employees are responsible for separate tasks, making it difficult to explain missing funds or expense forms. Make it known that all financial reports and corporate bank accounts are reviewed item by item- any expenses or charges out of the ordinary will be questioned and investigated. If employees are aware that bank statements and other documents are never reviewed, the opportunity to commit fraud is wide open.

2. Monitoring

Monitoring the anti-fraud program is one of the key success factors in reducing the opportunity for workplace fraud. Implementing anti-fraud systems to detect and deter fraud isn’t enough. Monitoring and assessing identified fraud risks must become an ongoing process in order for employees to understand the company’s commitment to fighting fraud. The article “The Importance of Antifraud Programs and Controls,” published by Deloitte Canada, addresses the importance of monitoring anti-fraud programs:

“A final step for management and audit committees is the monitoring of the quality and effectiveness of an entity’s antifraud programs and controls. Monitoring can be done in two ways: through ongoing activities or separate evaluations. Separate evaluations can be performed by internal audit or other interested parties, such as business process owners. Monitoring activities can include timely reconciliations, confirmation of information by external parties, and periodic confirmations from personnel that they understand and comply with the company’s code of conduct.”

3. Anonymous Reporting System

A reporting system must be established in order to allow those who have observed fraud to report it. Reporting systems help reduce the opportunity for workplace fraud, as employees are less likely to commit fraudulent acts, knowing that their fellow employees are watching and are equipped with the proper resources for calling them out on their actions. Many companies receive tips related to workplace fraud through a whistleblower hotline or internal HR teams. Implement a system that provides the opportunity for anonymous reporting, as some individuals will be more apt to bring information forward if they don’t have to expose their identity. Opt for a case management software solution that can be easily integrated to work with existing hotline or reporting systems and platforms, allowing for simplified, multi-channel case entry.  A system that supports multi-channel case entry is important, as tips and reports of observed misconduct can be made via an Internet web form, company intranet and telephone hotline.

4. Effective Case Management

Effective case management reduces the opportunity for fraud within the workplace by providing managers with the ability to launch investigations into fraud-related incidents as soon as a new case is entered. i-Sight for Fraud Investigations uses automatic alerts to notify managers when a new case is entered. Reducing the time it takes to respond to cases, as well as conducting timely investigations, helps end fraudulent acts before they compromise the entire company.

i-Sight dashboards provide managers with the tools to identify common allegations or investigation types, analyze cases by geographic location or other relevant variable and spot patterns and emerging trends. Dashboards communicate complex information quickly. They translate corporate data into rich, graphical presentations using gauges, maps, charts, and other graphics to show multiple results together. Dynamic dashboards also let investigation managers drill-through to other data sources and reports for more detail about what the dashboard is communicating. This is useful for monitoring and tracking fraud related tips and investigations, as the ability to understand the frequency and location of fraudulent events within an organization allows managers to revisit these areas and make amendments to the anti-fraud program.

Canadian Corruption of Foreign Public Officials Act

July 14, 2010

Almost two weeks ago, I was reading through a local paper, and stumbled across an article discussing the arrest of Nazir Karigar, a Canadian citizen accused of bribing an Indian official. Since our company is located in Canada, the article prompted me to dig a bit deeper and look into the implications faced by those charged under the Canadian Corruption of Foreign Public Officials Act (CFPOA). According to CBC News, it’s been reported that this is only the second time a charge has been made under the CFPOA.

Canada is part of the OECD, which enacted the Convention on Combating Bribery of Foreign Public Officials in International Business Transactions on February 15th, 1999. Canada has identified the need to work harder to crack down on the bribery of foreign public officials. As mentioned in the Wrageblog post “Questioning Canada’s Commitment to Combating the Corruption of Foreign Public Officials: Watching Bill C-31,” the country was labeled as a “laggard” by the OECD in 2009 for its lack of action when it comes to enforcing anti-corruption laws.

Canadian Department of Justice

On February 14th, 1999, the CFPOA was introduced as law in Canada. The CFPOA states that an offence is committed against the act:

“In order to obtain or retain an advantage in the course of business, directly or indirectly gives, offers or agrees to give or offer a loan, reward, advantage or benefit of any kind to a foreign public official or to any person for the benefit of a foreign public official.”

The act applies to everyone, Canadian or not, and isn’t limited to individuals, as it includes corporations. In the OECD Convention against bribery, the offence of bribing foreign public officials refers to the conduct of “international” business. According to the Department of Justice in Canada, a violation of the CFPOA occurs if the bribery of a foreign public official takes place “in the course of business.” This means that bribery doesn’t need to occur through cross-border transactions in order to violate the CFPOA; it must, however, have close ties to Canada. In an example provided by the Department of Justice, it would be illegal to bribe a foreign public official in Canada to obtain a business contract to build a new wing on an embassy in Canada.

The consequences for violating the CFPOA consist of a five-year maximum term of imprisonment if found guilty of bribing a foreign public official; this ensures that it is an extraditable offence. Since corporations cannot be imprisoned, they can be fined. If a corporation is found guilty of violating the CFPOA, the dollar value of the fine has no maximum and is set at the discretion of a judge. As outlined on the website for the Department of Justice in Canada:

“The Act allows for “facilitation payments,” which are made to expedite or secure the performance by a foreign public official of any “act of a routine nature” that is part of the foreign public official’s duties or functions.”

In response to the OECD’s “laggard comment” mentioned above, the Department of Justice in Canada created a new division in the RCMP (Royal Canadian Mounted Police), with a commissioned officer responsible for overseeing the anti-corruption programs. The unit investigates tips related to corrupt acts to increase enforcement of the CFPOA.

Export Development Canada (EDC)

As part of its social responsibility commitments, EDC requires companies to sign a statement of declaration that denies any presence of corruption in EDC-supported business transactions. If the declaration is signed without knowledge of corruption related to the transaction, liability will be voided, unless “willful blindness” is proven. We have previously addressed this issue in a post written about control person liability.

Sarbanes-Oxley Lives On

June 29, 2010

Yesterday, Monday June 28th, 2010, the US Supreme Court voted on a decision in the Free Enterprise Fund and Beckstead and Watts, LLP v. Public Company Accounting Oversight Board and United States of America case. The vote rejected a challenge to the constitutionality of the Sarbanes-Oxley Act. The PCAOB was created under Sarbanes-Oxley in 2002, to oversee the auditors of public companies. The goals of the PCAOB are to protect investors and public interest through the promotion of informative, fair and independent audit reports.

In the New York Times article “Justices Uphold Sarbanes-Oxley Act,” Floyd Norris writes:

“The court turned aside a broad challenge to one part of the law, which established the Public Company Accounting Oversight Board (PCAOB) to regulate the accounting industry. Some commentators had forecast that the court might throw out the entire law because of problems with the way the accounting board is appointed, but the justices refused to do so. Instead, in a 5-to-4 split, the court found that the way members of the oversight board could be removed was unconstitutional.”

This case raises awareness of the issues surrounding separation-of-powers and accountability. As it currently stands, Sarbanes-Oxley continues to live on as a law. However, changes have been made to the removal process for members of the PCAOB. Prior to the decision from the Supreme Court, the Securities and Exchange Commission (SEC) had the ability to appoint 5 people to the PCAOB, and their removal could only be warranted if there was a good enough reason to do so. Now, the SEC can remove members as they please.

Yesterday’s decision allowed those within the accounting industry to breathe a sigh of relief, as accounting rules are important and help foster trust with investors. A lack of accounting rules (among other things) in the pre-Enron and WorldCom days led to the need for standardized accounting rules. Therefore, if Sarbanes-Oxley were to be eliminated in its entirety, what would the future look like for businesses and investors?

The Wall Street Journal article, “3rd Update: US Supreme Court Invalidates Part Of Accounting Board,” written by Brent Kendall and Fawn Johnson, provides an overview of the reactions to the Supreme Court’s decision, as well as the separation-of-powers issue:

“Roberts said the structure of the accounting board violated constitutional separation-of-powers principles because it was too difficult for the president to remove board members. ‘The president cannot take care that the laws be faithfully executed if he cannot oversee the faithfulness of the officers who execute them,’ Roberts wrote. The court, however, refused to strike down the accounting board in its entirety, saying the board’s mere existence didn’t violate the Constitution. PCAOB said it will continue to run all programs as usual, and no legislation will be needed to bring it in line with the Constitution. ‘We are pleased that the decision allows the PCAOB to continue without interruption to carry out its important mission of overseeing public company audits,’ said PCAOB Acting Chairman Daniel L. Goelzer.”

Rebounding From Allegations and Lawsuits with Compliance Programs

June 23, 2010

Governance, ethics and compliance continue to be a growing concern for both business and government. It’s important for executives and other employers to understand that it’s becoming increasingly challenging to protect their company from a public ethics lapse. Even companies with the strongest ethics and compliance programs have faced lawsuits and allegations for violating policies and laws.

Many people often refer to the Enron example: before the collapse of Enron, the company had been recognized and praised for creating and implementing one of the most comprehensive ethics and compliance programs at that point in time. Former CEO and COO, Jeffrey Skilling, is now in prison and the company is no longer. So how could a company with an outstanding ethics and compliance program fall victim to ethical lapses?

Ethics and compliance are extremely challenging tasks in the workplace, as it’s the responsibility of every single employee to uphold company values and make ethical choices.

On the Rebound

For many companies, ethics lapses are a wake-up call, drawing attention and focus back to compliance and ethics goals. One of our previous posts, “Best Practices in Ethics Recovery: Tyco,” and an Ethisphere magazine article, “Ones to Watch: Developing a Strong Compliance Program After a Record Fine,” both mention the introduction of Ed Breen as Tyco’s CEO. This introduction led to sweeping changes at Tyco, including replacing the previous board of directors and letting go of 290 of the 300 corporate employees. Tyco was able to regain its reputation and public image thanks to the ethical overhaul conducted by Breen and his team.

The article in Ethisphere magazine, “Ones to Watch: Developing a Strong Compliance Program After a Record Fine,” discusses the constant evolution of ethics and compliance. The article also discusses how some companies end up developing best-in-class programs or building on existing programs to create a competitive advantage within their respective industries. Ethisphere uses Pfizer as an example of a company rebounding from a very public investigation, and fine, related to ethics and compliance violations:

“One way Pfizer is working to get ahead of its peers is by increasing disclosure around payments made to doctors. Pfizer’s Corporate Integrity Agreement (CIA) required them to begin disclosing financial relationships with doctors. However, Pfizer announced it would go beyond the CIA requirements and will begin disclosing payments sooner than required. Pfizer also will be the first pharmaceutical company that discloses payments to researchers to perform clinical trials.”

The Pfizer example provided by Ethisphere demonstrates the approach taken by many companies that have suffered in the public eye. For fear of future failures, companies previously found guilty of ethics and compliance violations tend to go above what’s required of them. A lot of companies increase their efforts surrounding transparency, risk assessments and redesigning employee training programs, in order to minimize the opportunity for future ethics and compliance violations. Ethics and compliance programs require updates and regular evaluations in order to remain current with the issues faced by companies as times change.

Response time and actions taken to right the wrongs can influence the damage done to a company’s reputation. It takes a significant amount of time to build back public trust. Depending on the type of violation that occurred, it’s possible for some organizations to eventually overcome public backlash. I don’t like to keep making an example out of BP; however, it’s relevant to the point I am trying to make. Many people have criticized the company’s reaction time and the tactics deployed to cap the oil spill in the Gulf. Had the response by BP been quicker and had the initial techniques used to capture the leaking oil worked, BP may not be facing the level of scrutiny it is currently dealing with.

Ethics and Compliance Investigation Software

With the provisions outlined in the UK Bribery Act and US Foreign Corrupt Practices Act, legislation is being developed to hold companies responsible for the actions of their employees. These acts also include requirements for implementing adequate processes to prevent future offenses. In order to mitigate risk and catch policy/legal violations before they wind up in court, investigation software can be implemented to help HR departments and investigative units properly manage their case loads. i-Sight Investigation Software can be configured to meet the unique demands and reporting structures of any organization to ensure compliance.


Ontario’s Bill 168 in Effect Today

June 15, 2010

Workplace violence and harassment continue to negatively impact the workplace. Newly introduced legislation, such as Ontario’s Bill 168, defines measures employers can take to protect employees from threatening work situations. When preparing policies and procedures to comply with such laws, it’s important to consult with employees. Employees are an employer’s number one resource for identifying workplace risks, as they are the ones performing their jobs on a consistent basis. It’s important for employers to remember that the time spent creating policies and training employees is an investment in a safe workplace.

Protecting a company’s employees needs to become a top priority.

Workplace Violence and Harassment

According to research done at the Queen’s School of Business in Kingston, Ontario, a single instance of workplace harassment can potentially be:

“Just as harmful to an employee as being exposed to one or even two additional types of harassment. General workplace harassment – the causes of which are more difficult to pinpoint – can actually be harder for victims to tolerate than racial or gender harassment, which are typically rooted in bias. The study also reveals that Caucasians report higher levels of general workplace harassment than minorities, and, surprisingly, women are not more likely than men to experience either gender harassment or general workplace harassment.”

For more information on the study, refer to the article “Workplace Harassment: Once, Twice or Three Times as Harmful?”

Ontario’s Bill 168

The Law Times article “Few Ready for Bill 168” discusses one of the reasons for passing the Bill:

“The Ontario government introduced the legislation in part in response to the murder of nurse Lori Dupont in 2005. Dupont’s former boyfriend, Dr. Marc Daniel, stabbed her to death at the Hôtel-Dieu Grace Hospital in Windsor, Ont. The facility was aware of repeated and escalating harassment by Daniel, an anesthesiologist, but failed to discipline him. The pair were scheduled to work together on the day he killed her.”

Bill 168 is now in effect for all businesses in Ontario. This Bill is in use to help prevent workplace harassment and strengthen controls surrounding workplace violence. The Ontario Ministry of Labour has established a resource entitled “Workplace Violence and Harassment: Understanding the Law,” to help employers understand the definitions of workplace harassment and violence, as well as clarifying employer responsibilities surrounding policies and programs.

An article from CBC News reports that, as of today, all organizations in Ontario are responsible for:

  • Carrying out a risk assessment to identify potential sources of workplace violence and harassment.
  • Developing policies to address workplace violence and harassment.
  • Training employees about the new policies.
  • Being ready to investigate and deal with incidents or threats of workplace violence or harassment.
  • Disclosing an employee’s history of violence to his or her co-workers.
  • Preparing to protect employees from domestic violence in the workplace.
  • Allowing employees to refuse work if they feel harassed or endangered by a co-worker. 

Fighting Bribery in the UK

June 10, 2010

Corruption and the bribery of foreign public officials have gained significant public attention, especially since the verdict in the Siemens case. The company was fined $1.6 billion, which is the largest fine administered to date for violating the FCPA. The severity of the fines handed out is intended to send a message to all corporations, informing them of the consequences they will face if found to be engaging in corrupt practices. According to the Ministry of Justice in the United Kingdom, bribery “is a serious crime that destroys the integrity, accountability and honesty that underpins ethical standards both in public life and in the business community.”

Passed in April, the UK Bribery Act is one of the latest developments in the fight against corporate corruption. Previously criticized for relaxed views on corruption, the UK has now introduced legislation that’s relevant to the current challenges imposed on organizations engaging in international business transactions.

UK Bribery Act

According to the Guardian.co.uk article “New Bribery Law Puts Overseas Payments Under Scrutiny,” the anti-corruption law overhaul in the UK is described as “one of the most significant reforms to corporate criminal law in a century.” Many of the requirements outlined in the UK Bribery Act are similar to those in the US Foreign Corrupt Practices Act. However, the UK Bribery Act goes further than the FCPA to include prosecution for acts of bribery in both the public and private sectors. The study “Will You Act Now or Pay Later,” released by PricewaterhouseCoopers, provides insight into the Bribery Act, stating:

“Although the UK has anti-bribery legislation in place, the Act represents a notable enhancement, particularly in the area of corporate liability. Many companies appear unaware of the full implications of the Act and unprepared to deal with the practical consequences. In our experience, establishing adequate processes and procedures for compliance with anti-bribery legislation that are effective in practice takes considerable time, commitment (from top management downwards) and resources. Companies need to be taking action now.”

The Ministry of Justice in the UK outlines some of the elements included in the Act:

  • An offence is committed for offering, promising or giving bribes, as well as requesting, agreeing to receive or accepting bribes.
  • An offence is committed when a company engaging in business in the UK fails to take action to prevent bribery, even if the company originates in a different country.
  • An offence is committed when a person bribes a foreign public official in order to influence decisions regarding obtaining business or related contracts.
  • The Secretary of State must publish guidance relating to procedures that relevant commercial organizations can enact to prevent persons associated with them from bribing; revisions can be made by the Secretary of State.
  • An offence is committed by a commercial organization should it fail to prevent a bribe being paid for or on its behalf. It will be a defense if the organization has adequate procedures in place to prevent bribery.

Consult the Bribery Act in its entirety to view a complete list of offences and preventative measures companies must establish if they plan on doing business in the UK, or with anyone connected to the UK for that matter.

Grey Area

The UK Bribery Act contains elements requiring further clarification. The interpretation of these areas by regulators, enforcement agencies and courts, may have a significant impact on the outcome of the penalty administered for violating the Act. It’s important to pay attention to and refrain from involvement in the acts listed below in order to further reduce unexpected risks related to Bribery Act violations.

As outlined in the study “Will You Act Now or Pay Later,” released by PricewaterhouseCoopers, some examples of these “grey areas” include:

“• “Facilitation” or “grease” payments- These continue to remain illegal under the Act as they are under current UK law. Historically, prosecution discretion has been used to allow some flexibility in this area; this is set to continue but potentially with additional guidance as to how this discretion will be exercised.

• “Adequate procedures”- What constitutes as “adequate procedures” in the context of a corporate defense of failing to prevent bribery will be the subject of non-statutory guidance to be published shortly. This guidance will adopt a principles and examples approach, and will therefore leave organizations to interpret the appropriate response in their circumstances.

• The Act allows for unlimited fines but does not clarify how they will be calculated. The Government has stated that it may ask the Sentencing Council to provide additional guidance.”

To mitigate risk, companies must look beyond the reputation of the company or group they hope to do business with when making decisions. Companies need to consider the reputation of the country into which they plan to expand, as each country has different views on corporate corruption. Bribery imposes significant costs on society, hindering global economic advancement.
