Random Thoughts on Ethics & Compliance

We’re still digging out from vacation last week, and working from Europe this week while attending a major internal auditing conference. To stall for time, then, we have another edition of random thoughts on all things related to audit, risk, and compliance, plus whatever else comes to mind. Without further delay… 

Can we talk once more about that FCPA enforcement action against Philips earlier this year? Where the SEC settled a fairly egregious case against the company for $62 million but the Justice Department has done nothing? My suspicion is that the Justice Department will keep doing nothing, which sends a signal that perhaps the department isn’t as serious about enforcement as it claims. 

The PCAOB got out over its skis with this proposal for audit firms to look for potential compliance violations. It’s a noble idea with too many practical problems, and the PCAOB should go back to the drawing board with it.

Who are these people saying that you should drink water every day equivalent to half your body weight, in ounces? All I do all day is drink water and go to the bathroom.

Not at all surprised by these compliance surveys suggesting that cybersecurity is driving boards’ attention to compliance, not anti-corruption. Cybersecurity is a business issue at least as much as it’s a compliance issue, so of course boards will respond this way.

Cryptocurrency is a security, people. Of course the Securities and Exchange Commission can regulate it.

I’m glad that the Justice Department has cracked down on employee use of improper messaging apps. I’m also glad that everyone knows there is no technical solution to this problem. It’s about trying to establish a strong corporate culture on messaging, even though some errant few will violate that culture anyway.

“Across the Spider-Verse” is stunning, one of the best films I’ve ever seen. If it isn’t a favorite to win a Best Picture Oscar next year — yes, even as a super-hero cartoon — then the nabobs of Hollywood truly have lost the plot.

If you want to see the really cutting-edge regulatory enforcement case for cybersecurity and data privacy, follow the New York Department of Financial Services and the Federal Trade Commission. Their settlement orders have the best practices we should all be racing to implement. 

That said, watch what the SEC is doing with SolarWinds. Its CISO and CFO just received Wells notices. I’m mighty curious just what personal liability, if any, the SEC says the pair have for that 2020 cyber breach disaster.

If cryptocurrency isn’t a security, then it’s a currency, and therefore should be regulated by the banking regulators. So all these crypto outfits arguing that crypto isn’t a security and the SEC can’t regulate them — shut up already. You could have it way worse.

A compliance professional I met in France the other week said: “If your company only wants to do the bare minimum, that makes everything more complicated. You end up focusing on compliance, rather than ethics.” So much sense in those words.

Years from now, people will look with astonishment at the bad management Elon Musk foisted upon Twitter. Heck, people are astonished now. He’d have been better off taking his $44 billion and burning it. 

New York City is banning the use of artificial intelligence in hiring processes unless those AI systems undergo annual audits for bias. Nice idea, but who is able to audit AI with competence? Especially as we move ever closer toward ChatGPT and other large language models, such audits will be beyond the reach of just about every audit firm.

Meanwhile, the EU General Data Protection Regulation forbids an IT system’s automatic decision-making without the user’s consent. So before we even get to new regulation about artificial intelligence, that clause of the GDPR alone could tie AI adoption into knots, right? 

The conflicts of interest committed by Supreme Court justices Clarence Thomas and Samuel Alito are appalling. If they had any shred of concern for the public interest (spoiler: they don’t), both would resign; but beyond that, their poor conduct does underline why a Code of Conduct for the justices is so important.

At least two European Union member states — the Czech Republic and Malta — have adopted whistleblower protection laws that allow companies to ignore anonymous reports, and deny whistleblower protections to anonymous reporters. That’s pretty brazen defiance of the EU Whistleblower Protection Directive’s requirements. What gives? 

In its Groff v. DeJoy ruling, the Supreme Court expanded employee rights to claim religious protections at work. In its 303 Creative v. Elenis ruling, the court ruled that businesses have a First Amendment right to deny service to gay clients. Mark my words: the right-wing litigation machine will now try to combine those two principles, and argue that employees have an individual First Amendment right to refuse service to gay customers or to work with gay coworkers. 

And hats off to the Cercle de la Compliance, an association of compliance professionals in France who hosted me at their annual “compliance retreat” in Paris last week. The group was delightful, and the speakers were all top-notch — even if I could barely understand some of the conversation with my sixth-grade French. Merci!
