Over lunch, a CFO recently shared the difficulties C-level management face since the enactment of Sarbanes-Oxley (SOX) with Kathleen M. Marcus, Shareholder at Stradling Yocca Carlson & Rauth and Chair of its Compliance and Corporate Governance Practice Group. He spoke of joining a company whose books and compliance policies are “a mess” and his struggle to put the company on the right path without alienating the team.
“In recent years, SOX and the Dodd-Frank Wall Street Reform and Consumer Protection Act have put a new emphasis on compliance programs,” says Marcus, a former Enforcement attorney with the SEC.
SOX effectively requires a code of ethics for public companies, the implementation of a complaint hotline and raises the bar for management on financial statement accuracy. Dodd-Frank took it to the next level with financial incentives for employees to bypass internal company reporting and become whistleblowers. Today, public and private companies face a very aggressive regulatory environment. For any company concerned about an unwanted visit, letter or subpoena from any number of regulatory agencies, having a legal compliance audit can ease the pressure.
Smart Business spoke with Marcus about what compliance audits involve and how an audit can ensure your policies are up to date.
Why would a company need a compliance audit?
Any business operating in heavily regulated areas, such as the medical device or pharmaceutical industries, government contractors or businesses with international offices or sales, needs to be wary of regulations. Compliance audits are not just for public companies. In fact, the explosion of regulatory enforcement activity has begun to usurp private litigation as the bigger overall threat.
In a company’s early stages of growth, only a few basic compliance policies are required. As companies mature, they frequently enact new policies without revisiting the old ones. This can result in incomplete, inconsistent or outdated policies with large gaps in utility. A compliance audit streamlines the total compliance package, places policies under a single source of control and provides a plan for routine updating and distribution. The audit report is a roadmap for a company to take advantage of all the protections offered by a comprehensive compliance program and provides peace of mind for executives. Notably, compliance audits are not expensive, and some changes can be easily made in-house.
As a former SEC enforcement officer now in the compliance business, what would you say are the key benefits of a compliance audit?
By altering certain high-risk practices, compliance audits can protect individuals and entities from becoming the subject of an investigation. Audits also help facilitate organic conversations about topics such as the wisdom of certain business or reporting practices and corporate risk appetite. In addition, in the critical period following a crisis, a streamlined compliance program ensures pre-designated individuals have a plan for taking immediate action in the best interests of the organization.
When investigations do occur, the audit and/or the policy improvements can provide significant protection for the company and its management. At the onset of an investigation, government regulators routinely request relevant compliance policies. Robust policies lessen sanctions because they demonstrate a genuine culture of compliance and best efforts by management.
With so many compliance-related organizations in the marketplace, who is best suited to perform a compliance audit? And, what does it involve?
A customized compliance audit report developed by an attorney is not discoverable in an investigation or lawsuit. Therefore, hiring an attorney to perform your audit and provide recommendations gives executives control about whether and when to implement changes.
The audit itself is fairly simple. A law firm should first provide an industry-specific audit checklist to help identify existing policies. Be certain to search for policies in various departments, as they may be housed with human resources, the CFO/CEO and/or the legal team.
The audit should then begin with a full policy review by a team of attorneys. Lawyers analyze the policies in their specific practice area and provide assessments. The firm should then author a privileged report highlighting the strengths and weaknesses of each policy and detailing recommendations. Depending on the complexity, a company can choose to close the identified gaps itself or seek help.
Upon request, a law firm should provide training to company personnel. Training is a vital component of compliance, particularly in complex legal areas such the Foreign Corrupt Practices Act or the False Claims Act where enforcement activities are skyrocketing. One estimate suggests the government is recovering $15 for every $1 it invests in the enforcement of False Claims Act violations in the health care arena.
What could happen if a company’s policies are not comprehensive?
If investigated and found in violation, outcomes range from career-ending industry bars for executives to massive financial penalties for management and entities. Government settlements usually involve some aspect of compliance reform. Regulators may mandate:
- The appointment of a compliance monitor paid for by the company to oversee compliance activities;
- Mandatory self-reporting by the company to the government concerning any violation, no matter how small; or
- Stringent amendments to compliance policies.
In contrast, when a company has adopted a comprehensive compliance program, it provides a layer of protection for the company, as well as board members and management. A customized compliance program may prevent an investigation entirely, and should an investigation occur, tailored policies provide an excellent defense.
Kathleen M. Marcus is a Shareholder and Chair of the Compliance and Corporate Governance Practice Group at Stradling Yocca Carlson & Rauth. Reach her at (949) 725-4080 or [email protected]
Insights Legal Affairs is brought to you by Stradling Yocca Carlson & Rauth