Should some parts of a compliance program be kept secret?

Most big companies publish their ethics and compliance programs online. Anyone can read them and know what goals the company has set and how it hopes to achieve them.

That sounds like the right approach. Totally transparent. Accountable. And fair to everyone.

But does full disclosure about compliance programs always make sense?

Internal controls, for example, share some DNA with corporate security systems. The controls must be there, according to the FCPA and securities laws, so that management knows where all the company’s assets are, who’s handling them, and for what purpose. That’s a way to stop the company assets from being used to pay bribes.

But from a corporate security perspective, the internal controls are there to stop people from stealing from the company, or using the assets to commit fraud or other crimes. Internal controls, then, are something like the security system around a bank vault.

Most vaults are protected by a combination of visible and invisible security. You can see a guard standing nearby, and security cameras jut down from the ceiling. There’s a big lock on the vault’s thick door and a touch pad beside it.

But there might also be invisible features — hidden cameras, concealed motion detectors, weight sensors, perimeter doors that shut and lock automatically, silent alarms, and so on. The secret parts are there as another line of defense against the crooks.

In Israel, the defense forces say they destroy all the attack tunnels they discover. But some speculate that the IDF keeps some tunnels open. Why? To find out who might use them and for what purpose.

Does that same concept work inside corporations? Should some aspects of the internal controls be kept secret, as a way to catch bad actors in the act?

Another argument for some corporate secrecy is to avoid becoming a target. We know that whenever a company announces that its systems can’t be hacked, hackers from everywhere take up the challenge and usually succeed. Does publicizing internal controls do the same thing?

Last week I wrote about AI-enhanced internal controls. Powerful new tools will be able to detect when anyone leaves a virtual fingerprint anywhere inside the company. Is it a good idea to reveal where all those new tools are embedded and how they’ll work? Or will publicizing them incite devious employees to challenge the artificial intelligence embedded in the internal controls?

In an ideal world, we would always disclose all aspects of a compliance program. And that should be the aim. After all, transparency is good and secrecy is bad. But is transparency always . . . . practical? Does it always produce the result we’re looking for?

If parts of a compliance program also have a role in corporate security, there’s an argument to be made for secrecy. As distasteful as that outcome might be, it’s probably going to become more common as AI-enhanced internal controls proliferate.


Richard L. Cassin, pictured above, is the publisher and editor of the FCPA Blog.
