
Scott Shaffer: Due diligence still needs the human element

Over the past 10 years, I’ve seen many new firms enter the FCPA due diligence space. They’re often big data companies commoditizing the investigative field.

These firms use technology to expand outside of their niche, into the domain of investigations and licensed private investigative agencies, whose entire business model focuses on investigative analyst-led research.

I’m the Managing Director of a firm in the last-mentioned category, and I am biased.

I believed 20 years ago and I still believe that no amount of automation can or should replace the human element, especially when it comes to investigative due diligence.

The availability of information at our fingertips today is overwhelming. But if you don’t have the skill set (and believe me, research is a highly technical skill) or the time to sift through the extraordinary amount of information, how can you possibly make a credible decision based on it?

Raw data has limited value if it is not presented in an easy-to-digest, logical manner following a thorough analysis. A trained investigator has the experience necessary to process and categorize the information they are reviewing, and they know which rabbit holes are worth pursuing.

As a result, their review may uncover red flags which require research beyond the original scope of work. Red flags which would not have been uncovered through automated processes. 

Further, to thoroughly research an international partner, local investigative sources must be utilized. Only a handful of locales around the world have database access to corporate registration, criminal/civil court filings, and regulatory agencies. Therefore, in order to conduct research of official and up-to-date records, you need to conduct on-the-ground research using trusted and knowledgeable local sources.

Database records often contain inaccurate, incomplete, out-of-date or self-reported information. This is not to say that database information has no value. Many third-party transactions fall into the low-risk category and, for low-risk engagements, it is a cost-effective source of information. However, for high-risk engagements, it is not prudent to rely solely on such sources.

We recently completed a series of “test” cases using subscription-based database services only, without the assistance of a human analyst. We compared the results of the test cases with our manual (human-led) research.

Although some of the cases were fairly similar, others were drastically different. Adverse media items were missed, political exposure was not addressed, and countless legal filings were not found. 

You could argue the significance of these findings. If one additional adverse media article or litigation record was found, would that change the risk profile of a given third party? Well, the answer is that it depends entirely on what is found. It could be significant if the media article or litigation record relates to fraud, corruption, or government exposure, etc.

I have reviewed many adjudicated FCPA cases. More often than not, had thorough due diligence been conducted on the parties involved, serious red flags would have surfaced. And although having this knowledge does not guarantee that a given company will, or even should necessarily, disengage from the situation, it allows them to consider the challenges and possible consequences of the engagement. It gives them the opportunity to consider their options and potentially mitigate the risks; it gives them the opportunity to protect themselves and the company.

If the day comes when a database solution is able to replicate an analyst-led investigation at the push of a button, I will need to find my second career. But I’m not concerned. There are enough corporations that still consider well-written, expertly produced, specifically sourced and critically reviewed reports a mandatory component of their compliance program. And there’s plenty of regulation and enforcement to justify the consideration.


Scott Shaffer is the Managing Director for the Kreller Group in Cincinnati, Ohio. For the past 22 years he has consulted with clients to address due diligence objectives, customizing due diligence programs for new clients, and analyzing current trends regarding regulatory compliance.




  1. This is such a significant and needed post. In my brief experience in due diligence, coupled with the common sense I have gained over my years, I see that quality investigations require a skilled examiner, not to speak of results coming from performing an expert investigation.

  2. I strongly agree. Data mining alone will not determine the beneficial owners, enablers and controllers. I have heard this from speakers at several events in Washington, DC. In addition, data mining will not usually be adjusted for industry-specific data, such as the unique financials in the energy industry, slight changes in spellings of foreign names, and differences in legislation among countries. As someone with a background in energy, advocacy for legislation and foreign languages, I have observed frequent data mining deficiencies.

  3. I totally agree with Scott Shaffer and am more biased because I believe in, and even insist on, adding boots on the ground to aspects of due diligence.

    I use data analytics, among other things, for all kinds of regular and irregular financial transactions in the books of account. After all, bribery, corruption and money laundering activities are part and parcel of the overall fraud spectrum. Consistent with what Scott mentioned, I even go further: due diligence without boots on the ground is simply baseless and even useless.

    A simple test on unbalanced journal entries (which I never came across in a career of decades in eight countries, three continents) in the financials led me to find who was the ultimate business owner in “Travel & Entertainment” fraud cases. Interviews conducted with middle and senior management revealed (a) they were just doing their jobs and (b) management override. Compliance, FCPA, ethics and other bloggers do not agree with me because “it is not just cost effective”. When the DOJ knocks on their doors or a whistleblower blows his/her whistle, the element of cost effectiveness evaporates into thin air. It is high time to go back to “the thinking that created the problem could not solve the problem” – with due respect to the late Einstein.

  4. In a perfect world, I’d completely agree with Mr. Shaffer. Unfortunately the realities of budget constraints dictate that today’s compliance programs utilize both: database services and analyst-led investigations. It simply requires, dare I say, a risk-based approach to diligence. The simple fact is that most third-party relationships do not justify the cost of an analyst-led investigation. The trick is to use them when necessary. As compliance leaders, we are charged not only with mitigating risk but doing so in a cost-effective manner … and that differentiates a good compliance leader from a bad compliance leader.

  5. Very good points here. While I can understand the tendency of many companies to prioritize "cost effectiveness," I think, in many, if not most instances, it is often a misguided impulse. I always say providers in the due diligence space are in the position of selling a difficult "product." We are asking clients to pay so we can conduct diligence and try to mitigate the risk of future issues, often when they are on the verge of significant transactions and already seeing dollar signs. Humans are notoriously geared towards "instant gratification," so paying money now in order to potentially avoid paying lots of money later is a tough sell. Even more so when the information we find sometimes makes deals fall apart. Given that reality, I often wonder if many clients would simply opine that ignorance is bliss. Of course, when an enforcement action comes, that sentiment is gone. I operate in a region where there is very little in the way of centralized, organized databases of relevant records. In addition, given the political aspects involved in much of what goes on here, doing any sort of significant or complex diligence without coordinating "boots on the ground" and speaking to key human sources is very ill-advised. The percentage of my client base comprised of people who thought they could handle things on their own without a proper diligence (and later got burned) is quite significant as well.

  6. I couldn't agree more. I am based in a jurisdiction (Nigeria) where the available data sets often present a different reality when considered without the benefit of informed context provided by local human resources. Risk-relevant associations for FCPA and other purposes are rarely captured on paper or in official databases, and it would be naive (and negligent) of anyone to rely on automation alone. I've had the privilege of working with Scott and Kreller in the past, and I can confirm that he knows exactly what he's talking about.
