Compliance & Ethics Professional
A publication of the Society of Corporate Compliance and Ethics
Vol. 8 / No. 3
06 / 2011


This article, published in Compliance & Ethics Professional, appears here with permission from the Society of Corporate Compliance & Ethics. Call SCCE at +1 952 277-4977 or 888/277-4977 with all reprint requests.

Is your chief watchdog an esquire?
by Michael Brozzetti, Esq., CIA, CISA

Governance, risk, and compliance systems involve multiple stakeholders, which often include titles such as Audit, Risk, Compliance, Ethics, and Legal or combinations thereof. The term “compliance” has come to take on many meanings, so that overlap, gap, and even conflict can exist between organizational charters, duties, and responsibilities. This article expands upon the stark difference, and often-conflicting roles, of an organization’s general counsel (GC) and chief internal auditor (CIA) with respect to the application of law and ethics in the broader Governance, Risk, and Compliance systems of US-based organizations.

Internal auditing as the corporate conscience

In today’s New Normal, the concepts of governance and risk management are evolving from mere written principles into robust practices within board and management processes. The Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing [1] defines the role of internal auditing in governance in Standard 2110, where it states:
“The internal audit activity must assess and make appropriate recommendations for improving the governance process in its accomplishment of the following objectives:
• Promoting appropriate ethics and values within the organization;
• Ensuring effective organizational performance management and accountability;
• Communicating risk and control information to appropriate areas of the organization; and
• Coordinating the activities of and communicating information among the board, external and internal auditors, and management.”

With respect to business ethics, the internal audit function serves as part of the corporate conscience. Therefore, the posture of the internal audit function must be such that it can influence the corporate “brain,” which encompasses members of the board and management who are the keepers of the organizational “body” and trusted guardians of its well-being. As the corporate conscience, internal auditors must be prepared to have the open, candid, and constructive dialogues with their boards and management to balance the scale between the organization’s legal and ethical performance. [2]

One of the more sensitive challenges internal audit executives are confronting is how to bring transparency to the board and management’s personal values, which are an essential part in establishing and maintaining the integrity and core values of an organization. In a new era where fraud and scandal seem to be standard fare, organizations must bring internal board and management transparency to the forefront of the reform agenda. Compliance stakeholders should recognize and consider this “inner” transparency when assessing governance structures and processes. Stakeholders must also provide assurances over the ethical systems and their related internal adjudication processes, going well beyond the minimum requirements set forth by the law.
www.corporatecompliance.org

June 2011

Esquires are the “shield bearers” of an organization

Although many believe the term “esquire” is reserved for lawyers, it is not. There is no federal or state statute prohibiting the use of the esquire (Esq.) designation. A properly licensed lawyer is an attorney-at-law, and a properly certified internal auditor is an auditor-at-fact. In fact, the term “esquire” derived from the Latin root word scutarius, meaning “shield bearer.” The internal auditor shield is the profession’s code of ethics, centered on four key principles: integrity, competency, objectivity, and confidentiality. In contrast, the chief legal officer or general counsel shield is the law, which is coded by its source: constitutional, statutory, administrative, or common.

A recent study revealed that less than 15% of US corporations have senior internal audit professionals with titles of chief auditor or general auditor. In contrast, the most senior legal professional is widely known as a chief legal officer or general counsel. In fact, ALM Media’s Corporate Counsel magazine’s annual salary survey [3] says a general counsel is frequently among the top highest-paid executives whose pay packages must be disclosed, yet we rarely see a chief internal auditor on this list of honorable recognition. This suggests that the corporate culture at-large undermines its chief watchdog and its jurisdiction to freely sniff and fact find to discover fraud, waste, and abuse.

Directors and officers ought to consider placing equal weight on the views and opinions of their two essential shield bearers – the chief audit executive (CAE) and the chief legal officer (CLO). It is important for directors and officers to view the work of the CAE, primarily within the context of business ethics, and the work of the CLO, primarily within the context of law. Free interaction and balanced discussion between these two esquire servants will bring both ethics-based and legal-based perspectives to those matters reflecting upon the director and officer duties of prudence, loyalty, and care.

A common theme for corporate failures

The majority of corporate failures share a common theme. The house of cards comes crashing down, the culprits will often take their fortunes at the expense of those who entrusted their fortunes to them, and then take refuge behind the legal maze to mystify what really happened. In the U.S., obscuring the legal process is not very difficult in light of more than 4,450 US federal criminal laws, which grow at a rate of about 500 new laws per decade, and the Federal Registry, with more than 80,000 pages, which records all of the regulations the federal government imposes on businesses, all of which carry the force of law. [4] The explosion of more law and regulation has made a very heavy shield for the GC to bear, thus a more balanced shield of protection should be sought with respect to the CAE and CLO in the New Normal. Courtroom motion practice has little tolerance for bringing ethical matters to light. In contrast, motion practice in the boardroom should encourage bringing these matters to the table for deliberation and judgment.

The paradox for in-house general counsel

In-house counsel has a conflicting interest when it comes to providing business advice to corporate executives versus legal advice, where the attorney-client privilege is enforceable. According to Michael A. Lampert of Saul Ewing LLP:

When it comes to the successful assertion of the attorney-client privilege, any litigator currently active can tell you that the task is a whole lot easier if the lawyer involved is outside, rather than inside, counsel. While the legal principles are generally the same in both situations, practical experience and some recent court decisions suggest the emergence of a double standard, arguably resulting in a weakening of the privilege for inside lawyers. [5]

In a court case legal precedent [6], the view of the court was that the negotiation of a contract and the discussion of those negotiations with executives of the company did not constitute “exercising a lawyer’s traditional function,” but did constitute “acting in a business capacity.” So, although an executive may currently obtain both legal advice and business advice from in-house counsel, it is important to understand that these events are handled much differently within the context of the U.S. legal system, compared to that of the internal compliance system of the organization with respect to the discoverability of facts and evidence.

The emergence of the “new era” internal auditor

The Institute of Internal Auditors model audit charter states: “The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of the organization’s records, physical properties, and personnel pertinent to carrying out any engagement.” [7] If this is accepted as a universal truth, then the authority of the internal audit activity should supersede the attorney-client privilege between in-house counsel and executives. If true, then the playing field has changed and an auditor-stakeholder privilege must emerge within the Internal Auditing profession, adopted by directors and officers, and respected by the Legal profession. This privilege must be consistent with the principles of conduct within the profession’s code of ethics regarding integrity, objectivity, confidentiality, and competency. A chief auditor who is a certified internal auditor certifies that he/she is accountable to uphold these four key principles:
• Integrity. The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.
• Objectivity. Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.
• Confidentiality. Internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
• Competency. Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services.

True freedom and independence to meaningfully carry out internal auditing work can be achieved when the auditor-stakeholder privilege is adopted and trumps the attorney-client privilege with a higher duty to the corporate entity at-large. By making internal auditors impervious to the legal system’s tolerance to shield unscrupulous executive behavior, they are no longer blinded from the activities that can prevent them from obtaining the relevant, reliable, and sufficient information necessary to discover the facts required to protect the directors’ and officers’ duties of prudence, loyalty, and care.

Sustained ethical corporate culture

In a comment letter from the National Association of Corporate Directors (NACD), Chair Barbara Hackman Franklin wrote to Secretary Elizabeth M. Murphy of the U.S. Securities and Exchange Commission, “A strong corporate culture is one of the best tools a company has for combating fraud.” [8] In the 2010 Berkshire Hathaway annual report, Warren Buffett affirmed that culture, not rules, determines organizational behavior. Former Governor of Pennsylvania Mark S. Schweiker at one time professed, “You can’t substitute good conscience with rules and regulations” at an IIA conference in reference to the Sarbanes-Oxley Act. [9] If we are to hold these statements as truth, then we must accept the fact that the significance of ethics is equal, if not superior, to that of law within the context of an organization’s culture and internal compliance system.

The mere existence of a code of conduct or ethics code is no longer enough to demonstrate to organizational stakeholders that an ethical corporate culture exists or is effective. Sustained ethical corporate culture can be achieved with a continual and systemized process to monitor, evaluate, and internally adjudicate those who engage in risky behavior that does not conform to the ethics code of the organization. Boards and directors must identify, quantify, and mitigate cultural risk and play an active role in accepting or rejecting individual or group behaviors, before systems break down and fail. With respect to stakeholder relations, boards and directors must also consider how to substantiate their commitment to an ethical corporate culture by disclosing the method of measure and findings, and how results compare with other companies within their industry.

Mark Rome, founder of zEthics, Inc., is leading the way in this regard with the zEthics cloud computing technology. The technology is designed to provide online corporate culture benchmarks and incident management reporting to support transparency and accountability within organizational governance and compliance systems. In 2009, analysts suggested that the market size for ethics-related hotlines and incident management systems was about $5 billion; however, only about $80 million in actual market demand could be verified around that time. In 2011, according to Rome, the estimated market size for this space is well over $10 billion when you include government agencies and public and private corporations. These statistics bring to light both the challenges and opportunities for internal transparency and accountability in organizations.

Our philosopher friend Socrates once said, “A self-aware person will act completely within their capabilities to their pinnacle, while an ignorant person will flounder and encounter difficulty.” My view is that organizations act the same way. Good governance, risk, and compliance calls for this higher level of thinking and Internal Audit can serve as the center of the corporate conscience to maintain an ethical corporate culture.
Notes:

1 The Institute of Internal Auditors: “Standards and Guidance.” Available at http://www.theiia.org/guidance/standards-and-guidance/
2 Michael Brozzetti: “A New Era for Internal Auditors,” Institute of Internal Auditors Insight (2009).
3 ALM Legal Intelligence: GC Compensation Survey. Available at http://www.alacra.com/ALM-Legal-IntelligenceSurveys-Lists-Rankings/GC_Compensation_Surveygeneral_counsel_salary
4 William R. Maurer and David Malmstrom: “The Explosion of the Criminal Law and Its Cost to Individuals, Economic Opportunity, and Society,” The Federalist Society (2010). Available at http://www.fedsoc.org/publications/pubid.1771/pub_detail.asp
5 Michael A. Lambert: “In House Counsel and the Attorney Client Privilege,” FindLaw (2000). Available at http://library.findlaw.com/2000/Oct/1/128767.html
6 Georgia-Pacific Corp. v. GAF Roofing Manufacturing Corp., 1996 WL 29392
7 The Institute of Internal Auditors: “Model Internal Audit Activity Charter.” Available at www.theiia.org/download.cfm?file=14380
8 National Association of Corporate Directors: “Comment Letter to the Securities and Exchange Commission.” Available at http://www.sec.gov/comments/s7-33-10/s73310-135.pdf
9 The Institute of Internal Auditors Philadelphia Chapter, Fall Conference Key Note Session, Philadelphia, PA. November 2007

Editor’s note: Michael Brozzetti is President of Boundless LLC, an internal auditing and governance firm that specializes in training and integrating organizational ARCs (Audit, Risk, and Compliance activities). Michael serves as the Chairman for Business Integrity Alliance™, an organization committed to advocating and advancing the practices supporting the principles of integrity, transparency, accountability, and risk oversight. Michael can be contacted by phone at 267-297-0706 or by e-mail at mike@boundlessllc.com.
