It’s the Great Pumpkin: Lessons in Process Validation and Oversight

Thomas Fox - Compliance Evangelist
Contact
LinkedIn
Facebook
X
Send
Embed

Today is Halloween and we celebrate the greatest Halloween cartoon in the history of the world, ever, “It’s the Great Pumpkin, Charlie Brown”, which premiered in 1966. As usual, the story revolves around the Peanuts gang, who are preparing for Halloween, Linus writes his annual letter to the Great Pumpkin, despite Charlie Brown’s disbelief, Snoopy’s laughter, Patty’s assurance that the Great Pumpkin is a fake, and even his own sister Lucy’s violent threat to make her brother stop. On Halloween night, the gang goes trick-or-treating. On the way, they stop at the pumpkin patch to ridicule Linus missing the festivities, just as he has done every year. Undeterred, Linus is convinced that the Great Pumpkin will come, and even persuades Charlie Brown’s little sister, Sally, to remain with him to wait. At 4:00 AM the next morning, Lucy awakes up and notices that Linus is not in his bed. She finds her brother asleep in the pumpkin patch, shivering. She brings him home and puts him to bed. Later, Charlie Brown and Linus are at a rock wall, commiserating about the previous night’s disappointments. Although Charlie Brown attempts to console his friend, admitting that he himself has done stupid things in his life also, Linus angrily vows to him that the Great Pumpkin will come to the pumpkin patch next year.

The compliance lesson from Linus’ adventure; it is process validation. Unlike Santa Claus, who we have been repeatedly told “Yes, Virginia there is a Santa Claus”; there has been no process validation for the Great Pumpkin. Linus faints when he thinks he sees the Great Pumpkin rising from his pumpkin patch; unfortunately it is only Snoopy. In the compliance world, process validation comes through oversight. Two of the seven compliance elements in the 1992 US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. In the 2012 FCPA Guidance, in Hallmark IX of the Ten Hallmarks of an Effective Compliance Program, it mandated ongoing monitoring to continually update and improve your compliance program. The Evaluation of Corporate Compliance Programs made clear that it is the operationalization of your compliance program through determining data and looping it back into your system that is a bare minimum for an effective compliance program.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

What are some of the ways to do so? The Pfizer Deferred Prosecution Agreement, laid out how your company can establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols:

(a) On-site visits by an FCPA [Foreign Corrupt Practices Act] review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training;

(b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market;

(c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and

(d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

I hope that you have the chance to watch It’s the Great Pumpkin, Charlie Brown again this year. I did. When you watch, think about the compliance implications. Will anyone ever set a ‘second set of eyes’ on the Great Pumpkin? If not, will it ever be validated? I hope that if you are trick-or-treating tonight, you will be safe and dry.

Doug Cornelius Responds:

Are you trying to say that the Great Pumpkin is not real?

Just wait ’til next year, Tom Fox. You’ll see!

Next year at this same time, I’ll find a pumpkin patch that is real sincere! And I’ll sit in that pumpkin patch until the Great Pumpkin appears. He’ll rise out of that pumpkin patch and he’ll fly through the air with his bag of toys.

The Great Pumpkin will appear! And I’ll be waiting for him!

I’ll be there! I’ll be sitting there in that pumpkin patch… and I’ll see the Great Pumpkin. Just wait and see, Tom Fox. I’ll see that Great Pumpkin.

I’ll SEE the Great Pumpkin!

Just you wait, Tom Fox.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox - Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox - Compliance Evangelist
Thomas Fox - Compliance Evangelist
Contact
more
less

Thomas Fox - Compliance Evangelist on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide