Sleuthing for Compliance Data: Where to find it (plus a handy checklist with 60 examples!)

After compliance officers had sifted through the Department of Justice’s updated Evaluation of Corporate Compliance Programs guidance, the most popular question we received was, “I understand that I need to have data, but where do I find it?”

In the DOJ’s new guidance (published earlier this month), an entire paragraph was added on data analytics and data analysis. Specifically, the new guidance tells prosecutors to ask a company under investigation, “Do compliance and control personnel have sufficient direct or indirect access to relevant sources of data to allow for timely and effective monitoring and/or testing of policies, controls and transactions?” The requirement to obtain and analyze data isn’t just in the new guidance. It’s become a theme at the DOJ. Matt Kelly of Radical Compliance notes, “In several speeches over the last year or so, the Justice Department has talked about the importance of data analytics when looking for misconduct.”

We know we need data, but where can we get it?  There may be more data available than first meets the eye.  Where do you start?  Consider the following ideas for data collection from the compliance, legal, HR, audit, finance, IT, and procurement departments. You can also download this handy checklist to help you find the data you need.   

Compliance-Related

The obvious place to start is with compliance-related systems.  Do you have any of the following?

  • Third-party due diligence software

  • Policy management software

  • Conflicts of interest management software

  • Investigations management tools

  • eLearning modules

  • Risk assessment and tracking software

  • Gifts and hospitality register

For each program you have, call your vendor representative and ask about the data analytics that can be gathered from the system(s).  You may think you know everything about running reports, but software companies are continually updating the ability to parse data into usable information.  Ever since the original DOJ Guidance on evaluating compliance programs focused so intensely on proving the effectiveness of the compliance program, technology vendors have stepped up to develop advanced metrics within their software.  Find out everything you can from the systems you already have.

You can also obtain your own data using:

  • Focus groups

  • Surveys

  • Questionnaires

While compliance-related systems are a good place to start, other data will give you a much greater understanding of the state of the company.  You can begin your search for more data with the Legal Department.

Legal

Many Legal Departments have contract management software that will help you find information.  Some contract management software can do keyword searches.  Other software can separate contracts using tags for important terms, or by contract amount.  You may be able to find out the:

  • Number of contracts above and below a certain threshold amount

  • Number of contracts with higher-risk third-parties

  • Number of contracts with a requirement to report known or potential:

    • Data breaches

    • Bribery-related allegations, charges, or convictions

    • Trade sanctions and/or export violations

    • Modern slavery/human trafficking allegations, charges or convictions

    • Other compliance-related allegations, charges, or convictions

  • Number of contracts requiring the company to agree to sign a supplier code of conduct

  • Number of contracts requiring the contracting party to sign onto your company’s supplier code of conduct

Ask the legal team for training on, and access to, the contract management system’s reporting function.  There will be a wealth of information at your fingertips.

Human Resources

In most companies, the Human Resources department houses a treasure trove of data. Systems like PeopleSoft, Sage HRMS, ADP, and Workday have sophisticated reporting tools to help you gather information that can be used to improve the compliance program. But even if your HR department only has paper data, you can still find great information. This may include:

  • Statistics and reporting derived from exit interviews

  • Statistics and reporting about HR-related issues, including:

    • Sexual harassment

    • Bullying

    • Reports of management misconduct

  • Number/percentage of employees on “performance management” plans on a quarterly or annual basis

  • Number/percentage of employees fired on a quarterly or annual basis

  • Number/percentage of employees whose ratings (inadequate, satisfactory, excellent) have changed on an annual basis

  • Data from the engagement survey, including:

    • Engagement levels by department

    • Engagement levels by geography

  • Number/Percentage of employee turnover or “churn”

These types of statistics can give you a strong sense of how the company is managing people, and where compliance challenges may overlap with the greater employee management plan.

Audit

Audit’s function is to test and monitor controls.  Although Audit typically focuses on financial controls, many audit departments have implemented a review of compliance-related controls as well.  You may be able to find out the:

  • Number of audit findings, and how that number changes annually

  • Number of compliance-related audit findings

  • Number/percentage of cleared audit findings on an annual basis

  • Type of audit findings

  • Analysis of the most common audit findings/control failures

If you can, obtain permission to review audit reports as they are filed.  This will help you to identify trends that may affect compliance policies and help you to know where training would be useful.

Finance

Finance may have useful information, especially if your company doesn’t have a specialty procurement or supplier department.  You may be able to find out the:

  • Number of vendors/suppliers that have gone through due diligence

  • Number of vendors/suppliers that have failed payment controls (such as invoice review) versus the number that have passed

  • Amount of reimbursements for third-party spend (up or down?)

  • Number of gift and hospitality requests for reimbursement

  • Amount of due diligence performed (financial) for any merger or acquisition

Finance is the bottom line when it comes to money, and that includes reimbursements and invoice review.  Reviewing finance records can help you see monetary trends and spot anomalies that might indicate compliance-related issues.

Information Technology

A large part of the IT Department’s job is to collect, review, and maintain data.  You can leverage the data they have in many ways.  For instance, you can ask for:

  • Data relating to the outcome of table-top data breach exercises

  • Data relating to attempted system attacks

  • Data relating to successful system attacks

  • Number/percentage of employees clicking on phishing links in tests

  • Number of employees who accessed various compliance-related policies

  • Number of clicks or number of downloads of the Code of Conduct

  • Number of views of compliance-related blogs posted on the intranet

  • Number of comments posted on compliance-related blogs posted on the intranet

  • The average number of views of communications/blogs on the intranet compared to the average number of views of communications/blogs posted by compliance or on compliance-related topics

  • Number of subject access requests received and responded to (GDPR)

  • Number of consumer access requests received and responded to (CCPA)

Procurement

Procurement is the gateway through which suppliers, vendors, and other third-parties pass before getting to the finance department.  It separates the wheat from the chaff.  It also has great statistics and data.  You may be able to find out:

  • The number/percentage of each type of supplier/vendor/third-party

  • How many tenders strictly followed the tender process

  • The number/percentage of exceptions or overrides to the proper tender process

  • The number/percentage of third-parties that successfully passed due diligence

  • Number of declared conflicts of interest made during the tender process

  • Number of conflicts of interest discovered during the tender process

  • Statistics related to the third-party due diligence process

The collection of data points will enable you to effectively review your program.  Perhaps more importantly, by engaging with the other functions, you will raise awareness of the compliance program.  You will also get a more holistic picture of the state of your culture and awareness of compliance controls. 

Professor and author Chip Heath says, “Once we know something, we find it hard to imagine what it was like not to know it.” By gathering and analyzing data from multiple areas of the business, you will not only please the prosecutors, but also make your program thrive.
