April 22nd, 2014

By Bill Henderson

For many companies today, anti-corruption has become their highest compliance priority.

The well-publicized enforcement of the U.S. Foreign Corrupt Practices Act – along with the attendant high costs of internal investigations, possible penalties, and the distractions to management when the U.S. or other countries begin investigations – means corruption has become a risk that needs to be aggressively addressed.

Yet many companies, while operating in high-risk markets, frequently do not consider the need to monitor their employees’ compliance until after problems occur. Monitoring compliance in the form of anti-corruption internal audits is recognized as one of the most crucial elements for heading off the risk.

So, what is an anti-corruption internal audit?

Here’s what it is not: It is not an internal investigation of allegations of wrongdoing. It is not a hunt to find and punish misconduct, though fraud or corruption may be uncovered. And it is not routine internal audit work.

Rather, an anti-corruption internal audit is a proactive, focused review of a company’s anti-corruption risks and of the policies and controls put in place to mitigate such risks. It is a business process that reviews the effectiveness of a company’s anti-corruption compliance program by looking at policy and control compliance and by testing substantive transactions for potential violations and red flags.

As forensic accounting professionals with extensive experience in anti-corruption investigations, we understand corruption risk and know where to look to make the highest-quality testing selections. Then we apply our judgment to ask the most relevant questions of employees.

Talking to employees is a sensitive task. We try to put them at ease, explaining we’re not investigating them, but rather looking more broadly at the compliance program in risk areas. We’re not trying to make anyone nervous – indeed, that would be counterproductive to the process.

April 10th, 2014

By Adam Cohen

Second of two parts - View part 1 here.

One of the most basic steps a lawyer can take in strengthening the security of client data held by cloud services providers is to negotiate a contractual obligation on the part of the provider to take reasonable security precautions.

The difficulty of defining such standards notwithstanding, there should be a term acknowledging the security issue and requiring attention to it. This should not be thought of as a shifting of responsibility but rather a sharing.

Further, several ethics opinions advise lawyers to pay careful heed to any agreements with their clients that cover confidentiality, or any instructions from their clients regarding how their data is to be handled.[1] Special caution is advised where data is particularly sensitive.

In such cases, it is recommended that lawyers obtain prior approval from their clients before storing the data in the cloud. Obtaining informed consent is a suggested precaution even where the level of sensitivity of the data does not appear to be particularly elevated.[2]

Mirroring developments in other technology-related legal ethics opinions[3], the cloud opinions instruct lawyers to stay abreast of relevant technology, as well as legal developments relating to technology.[4] Alabama goes so far as to indicate more specifically that lawyers should stay abreast of best practices regarding data safeguarding, including “reasonable security precautions” like passwords and encryption.[5]

With respect to certain basic security measures, such as authentication through the use of passwords, there are numerous implementations that lawyers should consider with which most users of networked services are familiar, including automatic logouts after periods of inactivity and network access termination after a designated number of login attempts.

However, the utilization of more technically complex measures, such as encryption, ventures into a highly complex, technical field that requires substantial expertise on behalf of the evaluating party.

Some ethics opinions intimate an even greater requirement of technical sophistication, inherent in some of the steps that the opinions would have lawyers take to evaluate third-party cloud service providers. Such steps include evaluation or verification of a vendor’s security environment.

  • An Arizona opinion directs lawyers to evaluate the nature of the vendor’s technology and periodically review its security measures.[6]
  • Iowa asks lawyers to determine the degree of protection the vendor provides to its clients’ data.[7]
  • New Jersey wants lawyers to make sure that vendors are using available technology to guard against foreseeable infiltration attempts.[8]
  • North Carolina requires the evaluation of the vendor’s security and backup strategy.[9]

Lawyers aiming to achieve this level of diligence will have to learn some basics about network security defenses such as firewalls, intrusion detection systems and patches, as well as physical or environmental security for data centers.

While these types of mandates may seem cumbersome and unreasonable to many lawyers, they are really no different in nature from the level of technical knowledge that electronic discovery requires. For example, with respect to the same duty of confidentiality that is the subject of this article, ethics opinions require lawyers to be familiar with the workings of metadata so that they do not inadvertently provide privileged information when sharing electronic documents.[10]

Moreover, these demands on a lawyer’s technical competence can be viewed in light of another important suggestion contained in many of the opinions: that lawyers make use of technical experts. It should be cautioned, however, that hiring an expert does not shift the lawyer’s ethical duty to the expert.

In fact, the lawyer not only retains the duty of confidentiality, but he or she takes on the additional duty to supervise, which requires oversight of and responsibility for the expert’s work.[11] This duty to supervise may also extend to cloud service providers.

Access to data is part of the hallowed cybersecurity triad of confidentiality, integrity and availability. Lawyers are advised to confirm, through enforceable agreements, that they will have unfettered access to their clients’ data, including in situations where service is terminated or the provider goes out of business. Similar concerns exist with respect to steps taken by a service provider in the event of nonpayment. Access should be defined so that it is not limited to data in a proprietary format that cannot be read or used other than by someone with particular, inaccessible technology.

A corresponding obligation that should be imposed on the provider is to purge the client’s data upon termination of service. This is more easily said than done, as the steps necessary to achieve true data cleansing can be onerous. For example, purging a specific client’s files from backup tapes containing data from multiple clients can be difficult and expensive.

As demonstrated by the news headlines, data breaches may be unavoidable. If a breach does occur, the vendor should be required to notify the lawyer. The lawyer in turn should investigate and determine whether and to what extent any client data was compromised.

With consideration for the common threads discussed in the ethics opinions on cloud use by lawyers, certain further steps are suggested. While it is tempting to ignore the risks of data hacking, regardless of firewall or encryption implementations, lawyers cannot simply avoid data security, as this is not a viable business solution in our networked world.

Given that surrender is not an option, lawyers must choose carefully when evaluating cloud options. Even before confirming that contract terms with cloud providers and other data storage vendors contain general terms mandating certain levels of security, careful consideration should be paid to the selection of providers.

Choosing carefully may, as a practical matter, address many of the concerns regarding the appropriateness of security measures. A critical consideration here is whether the service provider is a reputable company with a strong record of serving other similarly positioned parties.

Moreover, the common theme across many ethics opinions addressing the cloud provider issue makes it clear that lawyers may require assistance from experts in cybersecurity who can explain concepts and help make informed decisions on how to secure client data.

While increased cybersecurity measures are now necessary in the face of the aforementioned threats, not all information needs to be kept in the electronic equivalent of Fort Knox. Accordingly, counsel will have to weigh the confidentiality considerations in particular circumstances against the costs of available protection measures.

Adam Cohen is a Principal in the Forensic Technology and Discovery Services practice of Ernst & Young LLP. Adam is co-author of the annually updated treatise Electronic Discovery: Law and Practice (Wolters Kluwer Publishers), which has been cited as authority in several landmark Federal Court opinions involving electronic discovery.

The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP. This material has been prepared for general information only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

[1] State Bar of California Standing Committee on Professional Responsibility and Conduct: Formal Opinion 2010-179 (2010).

[2] Penn. Op. 2011-200 (2011).

[3] See, e.g., ABA MODEL RULES OF PROF’L CONDUCT R. 1.1 cmt. [8] (2013).

[4] N.H. Op. 2012-13/4.

[5] Alabama Ethics Opinion 2010-02.

[6] State Bar of Arizona Ethics Opinion 09-04 (December 2009).

[7] Iowa Bar Ethics Opinion 11-01 (9 September 2011).

[8] New Jersey Ethics Opinion 701 (2006).

[9] North Carolina 2011 Formal Opinion 6 (27 January 2012).

[10] State Bar of Arizona Ethics Opinion 07-03 (November 2007).

[11] The Pension Committee of the University of Montreal Pension Plan, et al. v. Banc of America Securities LLC, et al., No. 05 Civ. 9016 (SAS), 2010 WL 184312 (S.D.N.Y. Jan. 15, 2010) (Judge Scheindlin reiterating her series of decisions in Zubulake).

April 1st, 2014

By Adam Cohen

First of two parts – View second part here.

Cybercrime has taken the front pages by storm. Recent revelations include the theft of huge volumes of credit card information from household-name retail businesses[1], the emergence of cybercrime as a potential “WMD” perpetrated by foreign agencies devoted to industrial and military espionage[2] and even nuclear reactors becoming vulnerable to the threat of computer hacking[3].

Let’s not forget the incident heard around the globe involving the disclosure by a contractor of thousands of classified documents describing the inner workings of a major U.S. intelligence agency.[4]

In light of the recent front-page data breaches at sophisticated business organizations, the challenge of safeguarding confidential information is self-evident. Unfortunately, law firms are now in the crosshairs of criminal enterprises looking to get their hands on valuable client data.[5] For lawyers with ethical and professional responsibilities to maintain client confidences, the difficulty in keeping private data from becoming public may present problems that go beyond having sound cybersecurity practices behind their own firm’s firewalls.

When using cloud service providers to store and provide access to confidential client information over the internet, lawyers have a duty to act with reasonable care by addressing a series of issues in this environment of rampant cybercrime. Several of these issues, discussed below, involve contractual requirements for adequate cybersecurity measures, and the advisability of many of these security measures applies equally to the law firm.

When it comes to data within their own networks, law firms need to be up-to-date on sound cybersecurity practices and technology. Law firms should also be aware of the cybersecurity risks beyond their own networks. Similar to other businesses, law firms are keen to take advantage of the benefits of cloud computing, whether it is storing data on the internet or utilizing software as a service over the internet.

Major cloud providers have sophisticated cybersecurity programs from which law firms can benefit. This attribute alone suggests lawyers have a benefit to move to the cloud, if not also for other key advantages, including convenient remote access and expanded storage space.

Still, while some cloud providers may be at the forefront of cybersecurity technology, cloud providers will continue to emerge as tempting targets for cybercrime, given the breadth of data that is now being stored there.

March 25th, 2014

By Eric M. Williams and Gregory E. Wolski

Nothing ventured, nothing gained: There may be no more apt axiom when considering the current business climate in the emerging markets that make up Africa.

With increased regulations in many of the more developed emerging markets, newer frontier markets, such as Africa, offer new opportunity for business. In the past, information on market conditions in Africa has been largely negative, deterring investors in many cases.

But the numbers in EY’s report, Africa by numbers, show that economic growth across Africa is strong and that more than half the population in sub-Saharan Africa lives in countries where adjusted GDP growth has averaged more than five percent annually over the last two decades. Many of Africa’s economies continue to be among the fastest growing in the world, presenting investors with significant opportunities for growth.

For years, perceptions of corruption inside African state governments had all but curbed foreign investments. To be sure, corruption and graft still exist, but a critical mass of African economies have grown quickly and consistently for years; so much so that, despite the impact of the ongoing global economic situation, the size of the African economy has more than tripled since 2000.

EY’s 2013 attractiveness survey for Africa enumerated many positive metrics regarding Africa’s viability. But perhaps no finding was as important as the assertion that this viability is sustainable.

The survey found that the stereotypes of Africa being wracked with disease, poverty, corruption and conflict persist. However, these failures are no longer the norm, and many data points reveal that Africa’s ascent to commercial relevance goes back as far as the year 2000.

March 13th, 2014

By Elizabeth Junell and Shawn Giles

In our previous blog post, Fraud Management Programs – Time to Grow Up, we talked about the adolescence of fraud management programs and the need for companies to advance maturity. We also described the various approaches we see companies taking to institute comprehensive fraud management throughout the organization.

In this post, we will give you some tips on advancing maturity of your fraud management model, including the seven primary elements therein.

Developing a fraud management model requires two key types of information. First is an understanding of the organization’s specific risks. Second is regular assessment of, and attention to, fraud trends and schemes that can lead to loss generally and within the company’s specific industry. A company can determine where its fraud management program needs improvement when business process owners bring this information to bear. The information also helps a company to make the changes necessary to mature its fraud management program.

Fraud management programs can be organized into seven primary elements:

  • Board oversight and executive-level sponsorship
  • Risk assessment
  • Code of conduct
  • Anti-fraud policies and procedures
  • Communications and training
  • Controls monitoring
  • Incident response

Most companies have some form of all seven of these elements. Within each element, however, organizations can be at varying stages of maturity.

March 4th, 2014

By Elizabeth Junell and Shawn Giles

How mature is your (or your client’s) fraud management program?

Our experience is that fraud management at many companies seems to be stuck in permanent adolescence – it’s grown a lot – but still hasn’t reached adulthood.

Certain types of fraud, like bribery, corruption and inventory theft, are certainly getting attention from companies. Other types of frauds are often less of a priority, particularly if a company has not seen a significant fraudulent incident. Too often fraud management programs are overlooked or allowed to become stale, significantly increasing the risk of fraud.

When properly instituted, a comprehensive fraud management program can help an organization achieve efficiencies by providing cost savings, reduced fraud loss and making better use of limited resources. Selecting the right fraud management model – and nurturing that model to maturity — is no easy task.

We see four main approaches emerging.

February 18th, 2014

By Chris Fordham and John Auerbach

EY Fraud Investigation & Dispute Services published its first Asia-Pacific Fraud Survey this fall.

The backdrop to the survey is the heightened regulation and enforcement, together with an economic slowdown in Asia after a decade of growth. Responses indicated challenging conditions are putting pressure on managers to take short cuts. Nineteen percent said bribery and corruption has increased due to the tough economy.

At the same time, many countries, most notably China, are cracking down on corruption. A heightened local regulatory environment, combined with the aggressive U.S. enforcement of the Foreign Corrupt Practices Act and promised enforcement of the relatively new U.K. Bribery Act, means increased legal and reputational risk for companies in the region.

EY asked 681 executives, senior managers and working-level employees across eight countries about their perceptions of fraud, bribery and corruption. Respondents came from both multinational and local corporations.

One of the most notable findings from the survey was a disconnect between the strong compliance programs respondents said their companies had in place, and how the programs worked in practice. Almost half of respondents, 48 percent, believed that while their companies have strong anti-corruption and anti-fraud policies in principle, these policies are not effective in practice.

The survey also highlighted that multinational companies were at risk if they failed to localize their policies and procedures to make them relevant to their employees. For example, a ban on gifts over $100 in the United States may need to be adjusted down in a country like Vietnam, where the per-capita income is only around $1600 a year, according to the World Bank.

Almost a quarter of respondents surveyed noted that giving gifts and entertainment to win and retain business continues to be a common practice. For local Asian companies, anti-corruption and anti-fraud policies and procedures were still fairly nascent.

The use of whistleblower hotlines and other channels for employees to report potential wrongdoing is relatively new in Asia. Although 81 percent of respondents in the Asia survey said they would use such channels if available, only 32 percent said their companies had developed the proper procedures, compared with 53 percent in EY’s Global Fraud Survey.

January 23rd, 2014

By Alex Sleightholme

The life sciences industry has long been under heightened scrutiny by the Department of Justice under the authority of the Anti-Kickback Statute and the False Claims Act. Further, the authority of the Foreign Corrupt Practices Act brings scrutiny from the Securities and Exchange Commission as well as DOJ.

Together, these laws form a powerful arsenal with which to fight corruption, fraud and abuse.

With the primary enforcement focus to date being the large multi-national pharmaceutical companies and major medical device companies, biotech and small medical devices companies have spent less time in the limelight. Many of these companies are in the early stages of, or yet to start, the commercialization of products.

2013 has certainly seen plenty of reason to believe that the regulators are willing to look beyond Big Pharma in their scrutiny of the life sciences sector. Although the numbers in these cases are much smaller than the headline-grabbing fines paid by Big Pharma, the impact on the business can be far greater.

For example, while an emerging pharmaceutical company settled for a relatively small $33.5 million in 2013 for alleged kickback violations and false marketing, the company also entered into a Divestiture Agreement which excluded the company’s drugs from being reimbursable by Medicare, Medicaid or other Federal healthcare programs for 15 years. All existing drugs were transferred to the company’s new parent (which had bought the company after the conduct that led to the enforcement action had stopped).

January 16th, 2014

By Penelope Sibun

People are difficult enough to read when talking face-to-face. Trying to decode their emails for the purposes of electronic discovery is a whole other story. Meaning and nuance can be lost in a hastily written note and decoding someone’s true intentions can be a challenge.

Now, imagine that problem multiplied throughout an enterprise-level organization. Hundreds of employees sending thousands of emails filled with millions of words denoting different ideas, questions, and agendas.

With Emotive Tone Ontologies (sometimes referred to as Sentiment Analysis), organizations can identify the emotional tone of documents, especially email. Emotive language is a particularly good indication of the writer’s feelings and in turn gives insight into the attitudes of those inside an organization and their reactions to significant information or events.

Typically, the ontologies that forensic investigators build for an e-discovery matter focus on determining whether a document is responsive, non-responsive, or privileged, and this determination can usually be made directly, by examining the content of documents. (An ontology is a structured representation of linguistic and other features that is used to search data or locate evidence.)

Emotive Tone Ontologies, however, pick up indicators of emotion, independent of the subject matter of the documents: they cut across issues and detect underlying emotions. What is the emotional context behind this thread of e-mails? What is sitting below the surface of the document’s raw text? We know verbatim what our subjects said, but what emotions are bubbling beneath their words?

Emotions—particularly anger, surprise, or confusion—are incredibly valuable pieces of intelligence in litigation and investigation. Today, thanks to modern technology, these emotions are trapped in digital amber and accessible to those with the tools to extract them.

Since emotive language is independent of content, the text of emotional emails can vary widely. An expression of anger can appear anywhere: a berating email from a superior to a subordinate who has done something potentially illegal, or a personal note complaining to a spouse about a forgotten dinner reservation.

Looking for documents that contain both responsive language and emotive language can yield “smoking guns” on which a legal matter may turn. In the case of an irate spouse, the email is likely to be non-responsive, but can still be used in an investigative matter to build an accurate character profile of a key custodian: is this person volatile? foul-mouthed? abusive?

The process of exploring emotive tones—in English, at least—focuses on ten core feelings, including: Angry, Confused, Cursing, Derogatory, Frustrated, Problem, Secretive, Suspicious, Surprised, and Worried.
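To make the cross-cutting nature of such an ontology concrete, here is a small Python example added for this page (it is not EY’s tooling or the author’s method). Each tone is a bundle of regular-expression indicators; the tagger scores every message against every tone independently of subject matter, and a separate, topic-specific “responsive” list is then intersected with the results so that both cases in the text fall out: the responsive-and-emotive “smoking gun”, and the non-responsive but emotive note that still feeds a custodian’s character profile. The ten tone labels come from the post; the indicator terms, the responsive terms and the sample e-mails are constructed for the example and are far smaller than a production ontology.

```python
"""Toy emotive-tone ontology tagger (added example, not EY's tooling).

An ontology here is a structured set of linguistic indicators grouped under
a tone label.  Tone tagging ignores subject matter; responsiveness is a
separate ontology, and the two are intersected at triage time.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Tone labels are the ten from the post; the indicator patterns are
# constructed for this example and deliberately tiny.
EMOTIVE_ONTOLOGY = {
    "Angry":      [r"\bfurious\b", r"\bunacceptable\b", r"\bfed up\b", r"!{2,}"],
    "Confused":   [r"\bno idea\b", r"\bdon't understand\b", r"\bconfus\w*"],
    "Cursing":    [r"\bdamn\b", r"\bhell\b"],
    "Derogatory": [r"\bidiot\w*", r"\bincompetent\b", r"\bclown\w*"],
    "Frustrated": [r"\byet again\b", r"\bfrustrat\w*", r"\bwaste of time\b"],
    "Problem":    [r"\bproblem\w*", r"\bbroken\b"],
    "Secretive":  [r"\bkeep this between us\b", r"\bdelete this\b",
                   r"\boff the record\b", r"\bdon't forward\b"],
    "Suspicious": [r"\bsomething('s| is) off\b", r"\b(doesn't|don't) add up\b",
                   r"\bsuspicious\b"],
    "Surprised":  [r"\bcan't believe\b", r"\bshock\w*"],
    "Worried":    [r"\bworried\b", r"\bconcerned\b", r"\bnervous\b"],
}

# Constructed, matter-specific responsive terms (a real matter would have
# its own list built from the pleadings or the investigation scope).
RESPONSIVE_ONTOLOGY = [r"\bvendor payment\b", r"\binvoice\b", r"\bconsultant fee\b"]

# Constructed sample corpus: doc_id -> body text.
SAMPLE_EMAILS = {
    "E-001": "Keep this between us. The invoice for the consultant fee needs to "
             "go out before audit looks at it. Delete this when read.",
    "E-002": "I'm furious!! You forgot the dinner reservation yet again.",
    "E-003": "Attached is the Q3 vendor payment schedule for review.",
    "E-004": "Something is off with that vendor payment; the amounts don't add up "
             "and I'm worried.",
}


@dataclass
class Hit:
    doc_id: str
    tones: dict        # tone label -> list of matched snippets
    responsive: list   # matched responsive snippets


def compile_ontology(ontology):
    """Compile every indicator once; matching is case-insensitive."""
    return {label: [re.compile(p, re.IGNORECASE) for p in pats]
            for label, pats in ontology.items()}


def tag_document(doc_id, text, emotive, responsive):
    """Score one document against all tones and the responsive list."""
    tones = {}
    for label, patterns in emotive.items():
        matches = [m.group(0) for p in patterns for m in p.finditer(text)]
        if matches:
            tones[label] = matches
    resp = [m.group(0) for p in responsive for m in p.finditer(text)]
    return Hit(doc_id, tones, resp)


def triage(corpus, min_tones=1):
    """Return (all hits, responsive+emotive 'smoking guns', emotive-only docs)."""
    emotive = compile_ontology(EMOTIVE_ONTOLOGY)
    responsive = [re.compile(p, re.IGNORECASE) for p in RESPONSIVE_ONTOLOGY]
    hits = [tag_document(i, t, emotive, responsive) for i, t in corpus.items()]
    smoking_guns = [h for h in hits if h.responsive and len(h.tones) >= min_tones]
    emotive_only = [h for h in hits if h.tones and not h.responsive]
    return hits, smoking_guns, emotive_only


def tone_profile(hits):
    """Count how many documents carry each tone: a crude custodian profile."""
    return Counter(label for h in hits for label in h.tones)


if __name__ == "__main__":
    all_hits, guns, personal = triage(SAMPLE_EMAILS)
    for h in guns:
        print("REVIEW FIRST", h.doc_id, sorted(h.tones), h.responsive)
    for h in personal:
        print("PROFILE ONLY", h.doc_id, sorted(h.tones))
    print(tone_profile(all_hits))
```

Because tone and responsiveness are scored separately, the same tone ontology can be reused across matters while only the responsive list changes; in practice the indicator lists would be built and tuned by linguists and investigators, and every hit would still be read by a reviewer rather than acted on automatically.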

It’s easy to see how each of these emotions, preserved in time and recovered from an email server, could be useful in an e-discovery matter and in litigation readiness.

Context, as they say, is everything.

Penelope Sibun is an Associate Director in Ernst & Young LLP’s Fraud Investigation & Dispute Services focusing on advanced text analytics.

December 12th, 2013

By Jeff Ferguson

A successful compliance program is a monitored compliance program. Monitoring helps identify strengths and weaknesses and also helps determine where a company can focus resources to minimize risk. As many incidents of corporate misconduct are reported by employees, a strong compliance program requires having an effective whistleblower process through which employees can report suspected or actual misconduct and request advice.

While many companies have a whistle-blowing policy, communication of the program’s availability and of how to access it is often lacking. Communicating that the whistle-blowing hotline is accessible to all employees, at all times, and offers secure reporting will increase the effectiveness of the program.

Allowing for anonymous reporting as well as having a non-retaliatory policy are undoubtedly key elements of this process. Setting the appropriate tone from management and corporate culture is important to support employees’ trust that the system is truly anonymous. Retaliation against a whistleblower is illegal and can subject the company to substantial fines, as well as exposure in civil litigation. To support a confidential and anonymous report intake system, it is recommended that highly trained interviewers are used when dealing with internal whistleblowers to improve reporters’ comfort with the reporting process. Personnel who meet this requirement may include individuals from a company’s Human Resources department and its legal counsel familiar with labor and employment law. Incorporating HR and Legal into the process can help to ensure programs run smoothly.
