Published by Katrina Stone. Modified over 9 years ago
1
Jeff Kaplan/Kaplan & Walker LLP
jkaplan@kaplanwalker.com
SCCE Upper North East Regional Conference
May 16, 2014
2
Auditing
Monitoring
◦ But not all the uses of technology
Other forms of checking
All through two different scopes
◦ General program
◦ Different risk areas (e.g., anti-corruption)
We hope to learn what your respective companies are doing in these areas
www.kaplanwalker.com
3
Official expectations
◦ Auditing and monitoring have always been particularly important to the government
1992 Antitrust Division statement
The 2010 compliance “half measures” FCPA case
As programs mature, understanding (e.g., policies and training) becomes relatively less important and ensuring (auditing and monitoring) becomes more so
Auditing and monitoring are particularly important for
◦ Global/highly dispersed companies
◦ Those in highly regulated industries
◦ Companies with cultural challenges
4
Relationships between relevant C&E categories can be confusing
E.g.,
◦ Auditing can overlap with program assessment, and with risk assessment
◦ The line between auditing and investigations is not always well marked
◦ Monitoring can overlap with governance and management
◦ Metrics are part of monitoring, but are sometimes discussed separately
5
◦ Encouraging reports of suspected violations can be seen as a form of monitoring – but is generally treated as a different animal
◦ Other types of internal controls (e.g., preapprovals) can also be viewed as a form of monitoring – but really serve a different function
Does this matter?
It can – if people are talking past each other
6
The big picture is important – but so is the small one
◦ Companies generally should be moving in the direction of “nano compliance”
Location or risk area specific
Learning to paint with a narrow brush
◦ Monitoring in particular is a useful vehicle for this
7
Differs from auditing in that it is
◦ Less independent
◦ More real time
Generally, an under-utilized C&E function
Covers a lot of ground, but a major distinction is between monitoring by
◦ Business people – both risk area and general program
◦ Non-audit staff
8
Often called “the first line of defense”
The most immediate – and least independent – form of C&E checking
Risk-area examples include tasking managers to
◦ T&E reviews by direct supervisors
◦ Review invoices of third parties for any indicia of corruption (or violation of other rules)
◦ Review pricing and other activities for any indicia of antitrust violations
◦ Monitoring COIs that have been conditionally okayed
9
Challenges to risk area monitoring
◦ Is it informed?
◦ Is it documented?
◦ Making it happen
Note that this type of monitoring is often part of larger business monitoring
◦ E.g., of high-risk agents (making sure not only that they are acting properly but that they are doing what you want/pay them to do)
10
General program monitoring
◦ Ensuring that employees in the manager's BU have taken required training
◦ Seeing how junior managers communicate about C&E to their subordinates
Other points about monitoring
◦ Serves to educate business people (learn by doing)
◦ Provides a predicate for C&E-based compensation
“Supervisory liability” (meaning internal, not actual legal, accountability)
11
What do your companies do to require monitoring by business people
◦ Risk area?
◦ General program?
What is your experience with “supervisory liability”?
12
These include
◦ Finance
◦ Legal
◦ HR
◦ IS
◦ EH&S
◦ Security
◦ C&E
They are seen as non-independent because they may be reviewing their own work
13
Anti-corruption
◦ Periodic controls reviews by Finance
◦ C&E reviewing gift registers and third party due diligence files
Competition law: Legal department reviewing sales files
Employment:
◦ Looking for required postings
◦ Reviewing personnel file
EH&S: many examples
Risk-area specific
◦ Life sciences “ride-alongs”
◦ Review of trading at financial service firms
14
Looking at
◦ Training and communications
◦ C&E concerns reporting
◦ Investigations and discipline
◦ Hiring and incentives
◦ Mostly by the C&E office, but not exclusively
Two other forms of checking that are monitoring-like
◦ C&E questions in employee engagement survey
◦ C&E questions in exit interviews
15
A self check tool (consider adding a geographic or product/service line tool)
Note that it would include both business personnel and staff monitoring

Area of law | Nature of risk | Current monitoring | Monitoring to consider adding
FCPA | | |
Antitrust | | |
Etc. | | |
16
The “third line of defense”
Independent and occasional
Includes both internal and external
C&E audits are
◦ Sometimes stand-alone
◦ More often part of broader audits
Is having C&E part of audit planning process an independence problem?
17
Risk areas commonly audited
◦ FCPA
◦ Fraud
◦ Privacy
◦ IP/confidential information
◦ Trade controls
◦ Industry-specific regulated areas
Many others
Sometimes stand-alone, more often as part of more general audits
18
General program
◦ C&E reporting and investigations
Flows from Caremark/Stone v Ritter
◦ Employee knowledge of program requirements
◦ Auditing against governance requirements
E.g., regional committees
A good reason to have charters
19
Ensuring sufficient domain knowledge by auditors
Ensuring follow up
Should audit results be a metric?
20
Or discussion