In their breakout session at the 30th Annual ACFE Global Fraud Conference, Vince Walden, partner, Jonathan Feig, partner, and Arpit Bothra, senior manager, all from the Forensic and Integrity Services unit at EY, laid out a roadmap for effectively measuring integrity within an organization. Feig emphasized at the beginning that this is a difficult task and it isn’t perfect, but he said, “we can’t let perfection get in the way of progress.”
But, where do you start when you want to calculate the strength of your company culture or the growth or decline of the effectiveness of your controls? According to the presenters it is a thorough adhering to the latest guidance, creating an integrity agenda and then putting that agenda into operation. The guidance Feig discussed in overview was the U.S. Department of Justice’s (DOJ) most recent Evaluation of Corporate Compliance Programs and the ACFE and COSO’s Fraud Risk Management Guide. According to Feig, these two documents have one commonality that anti-fraud professionals should take to heart and action: the use of data analytics. “It’s about that next layer of questions,” Feig said. It really is about what is happening and what the program is, as well as what are you doing to enact it.
“The word effective or effectiveness came up 49 times in the DOJ guidance,” he said. “The trend is data analytics and the question is how.”
After implementing the guidance, the EY team shared how they move from the intentions of strengthening corporate integrity to the actual behaviors exhibited at an organization. This is what they refer to as the integrity agenda. It consists of four elements, each with its own set of metrics:
Governance: The structure of integrity management, encompassing board, line management and corporate functions, and the policies that guide organizational behavior
Metrics: governance maturity, performance evaluations for risk and compliance personnel and integrity risk assessments
Culture: The commitment to integrity that guides decisions across the extended enterprise. A culture of trust is vital for success.
Metrics: tracking of ethics issued raised, resolved or ignored; perceptions of ethics risks and tone at the top; performance evaluations, assessments of compensation plans on behaviors
Controls: Procedures that embed integrity into day-to-day operations, preventing and detecting violations of laws and policies
Metrics: monitoring and auditing results, incident response data, testing of controls operations and effectiveness
Insights: Data-based insights about emerging risks and integrity performance, driving program effectiveness, and enriching employee knowledge
Metrics: risk-specific controls like third-party diligence and an audit of implementation, timeliness, quality of decision support; compliance office processes (policy deployment, training, code certification, incident response, management reporting)
Fieg emphasized that some of the measurements may just be a starting point and proposed a new way to put data behind these intangibles: by measuring progress. You can measure whether things are getting better or not and whether there are changes simply by asking the right questions, and then by continuing to ask them on a regular basis. That’s when you will capture the data you need to measure corporate integrity.