You might want to dismiss 2013 as an irritating year for corporate compliance, marked by botched healthcare reform, a government shutdown, litigation that left new regulatory efforts in limbo, and the like. And you'd be right: all of them were distractions, whose significance will fade to nothing over time. I'd be irritated by that too.

Still, as the year draws to a close, we have other landmark events in compliance that do matter, either as harbingers of trends to come or as glaring examples of problems we still need to solve. My list, in no particular order, is below.

The Target breach. You can't expose the credit-card data of 13 percent of the country to data thieves and not expect to be on this list. That said, data breaches are now so common they scarcely make headlines any more; no matter what precautions companies take—and Target took all the precautions you can expect a business to take—hackers still keep getting ahead of us.

I suspect the lessons compliance officers can draw from Target are more about crisis management than IT security. Even then, I don't expect Target to be terribly forthcoming any time soon about its breach response plans, or about how well those plans worked once this specific breach put them to the test. How quickly can you notify 40 million people of a breach? How many laws apply to a breach so large? How much does credit monitoring cost on that scale? What new disclosure laws might states adopt in response? Those are the questions rolling around my head when I think about Target.

Compliance officers should not waste time wondering how this specific breach could have been prevented. Your IT security guys might ponder that, but another breach will come along anyway.

The compliance surge. Over the summer and fall several large banks announced plans to hire more compliance staff in staggering numbers: 3,000 at JP Morgan, 3,000 more at HSBC, thousands more at Bank of America and Barclays. Do the banks need all these people? Absolutely. The questions compliance officers should ask, however, are (1) where will the industry find these employees; and (2) what will the consequences be for other companies?

We've already seen some salary inflation for compliance officers, with increases in the financial sector outpacing those in other industries. Still, if you're a CCO at a non-financial company and you believe your personnel budget is safe, remember that all these banks have boards of directors filled with CEOs from other sectors—CEOs like, say, yours. They hear all the CEOs in banking worrying about risk and compliance, and those fears will eventually waft over to your C-suite.  

The new COSO framework. COSO unveiled its new framework for internal controls in May, and not a moment too soon. The original framework, so widely used for Sarbanes-Oxley compliance, was published in 1992, while fax machines were still cutting-edge technology; we wish it a speedy retirement. The “COSO 2.0 framework” should pull internal control into the modern age of data security, globalized business, and extended enterprises full of third-party risk.

I say “should pull” because companies have so far moved slowly to adopt the new framework. In 2014 the clock will be ticking: COSO will end its support of the old framework at the end of the year, and the Securities and Exchange Commission has made clear that it will recognize only the new framework as COSO-approved after that. So internal control departments had better get cracking this year.

The PCAOB audit inspections. The Public Company Accounting Oversight Board continued its stream of unflattering inspection reports on audit firms big and small (mostly big) in 2013, with some catchy enforcement actions to boot. Its bigger actions, however, were the warnings it telegraphed across the second half of the year, telling auditors to pay more attention to internal control over financial reporting. Pay attention the audit firms will, which means you will too.

Don't forget that the SEC is watching internal control too, suspicious that audit firms failing to catch mistakes in ICFR means corporate management (read: you) is failing to catch those mistakes too. All that portends an unpleasant audit cycle this spring, and plenty of work in the remainder of 2014 to prepare for the following year's audit—including fierce fights at the end of 2014 about higher audit fees to come for 2015's audit.

The China conundrum. China has long been a headache for ethics & compliance departments, but 2013 induced two new migraines—one starting here in Washington, the other in Beijing. Neither is likely to go away any time soon.

First, we saw Chinese authorities step up their own anti-bribery enforcement efforts, particularly against pharmaceutical companies. GlaxoSmithKline, Novartis, Sanofi, Eli Lilly, AstraZeneca: all were in the headlines by summer, with the usual allegations of cash and other goodies going to government officials to win contracts. The question is whether China's Ministry of Public Security will enforce anti-corruption law with the same zeal and equal treatment as the Justice Department here. I suspect not.

Prosecutors in Washington, meanwhile, have expanded their interpretation of the Foreign Corrupt Practices Act yet again to include the hiring of relatives of foreign government officials—in, of course, China. JP Morgan is the current target of Justice Department scrutiny, with more likely to come. From a legal standpoint, I can see the argument that hiring a ministry official's deadbeat brother-in-law is giving something of value, with the expectation of getting business in exchange. That smells like a bribe to most people. From a business standpoint, however, the most important part of doing business in China is having a relationship, and you always have a relationship with your relatives. Irresistible logic is hitting immovable reality here.

Those are five of my big events in compliance for 2013. I have more, but we're at the end of the column. Send me yours and I'll put them in a future column.