Today is Halloween and we celebrate the greatest Halloween cartoon in the history of the world, ever, “It’s the Great Pumpkin, Charlie Brown”, which premiered in 1966. As usual, the story revolves around the Peanuts gang, who are preparing for Halloween, Linus writes his annual letter to the Great Pumpkin, despite Charlie Brown’s disbelief, Snoopy’s laughter, Patty’s assurance that the Great Pumpkin is a fake, and even his own sister Lucy’s violent threat to make her brother stop. On Halloween night, the gang goes trick-or-treating. On the way, they stop at the pumpkin patch to ridicule Linus missing the festivities, just as he has done every year. Undeterred, Linus is convinced that the Great Pumpkin will come, and even persuades Charlie Brown’s little sister, Sally, to remain with him to wait. At 4:00 AM the next morning, Lucy awakes up and notices that Linus is not in his bed. She finds her brother asleep in the pumpkin patch, shivering. She brings him home and puts him to bed. Later, Charlie Brown and Linus are at a rock wall, commiserating about the previous night’s disappointments. Although Charlie Brown attempts to console his friend, admitting that he himself has done stupid things in his life also, Linus angrily vows to him that the Great Pumpkin will come to the pumpkin patch next year.
The compliance lesson from Linus’ adventure; it is process validation. Unlike Santa Claus, who we have been repeatedly told “Yes, Virginia there is a Santa Claus”; there has been no process validation for the Great Pumpkin. Linus faints when he thinks he sees the Great Pumpkin rising from his pumpkin patch; unfortunately it is only Snoopy. In the compliance world, process validation comes through oversight. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.
Finally, as was emphasized again with last year’s Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols:
(a) On-site visits by an FCPA [Foreign Corrupt Practices Act] review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training;
(b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market;
(c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and
(d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.
Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.
I hope that you have the chance to watch It’s the Great Pumpkin, Charlie Brown again this year. I did. When you watch, think about the compliance implications. Will anyone ever set a ‘second set of eyes’ on the Great Pumpkin? If not, will it ever be validated? I hope that if you are trick-or-treating tonight, you will be safe and dry.