May 13, 2026

GIR Guide to Monitorships: Understanding and validating systems, processes and controls relevant to remediation

This article was first published on Global Investigations Review on 8 May 2026. To read the latest edition of the guide in which it appeared, please visit the GIR Guide to Monitorships.

Introduction

There is no substitute for starting off a monitorship on the right foot. The first month is critical: the company typically makes a series of presentations about its business, structure, systems and compliance programme. The forensic firm is typically busy from day one. During the first month, forensic experts help the monitor and the company determine which legal entities are relevant, what data they have and what internal controls already exist. This foundational work helps the monitor refine the work plan and quickly focus on issues material to the monitorship’s success.

Forensic accountants, technologists and other subject-matter experts commonly support the monitor’s evaluation by providing specialised technical expertise, including by identifying, collecting and analysing relevant system data; documenting and evaluating the design of current-state systems, processes and controls; executing risk-based testing procedures; and validating that the company’s remediation effectively addresses root-cause[1] compliance and control deficiencies. Forensics experts also help solidify the monitorship team’s understanding of core business systems and processes and liaise between the monitorship team and the company’s technical stakeholder groups within accounting, finance and IT, providing valuable insights and perspective into how the company identifies and manages risks in key operating areas.

By striving to understand how the business works in practice – including the extent to which system-based processes and controls are embedded throughout the organisation – the monitorship team can work collaboratively with the company to identify risk-based enhancements that make sense, address root-cause issues and position the company to sustain changes after the monitorship ends.

This chapter focuses on several areas in which forensic professionals bring critical expertise, including initial efforts to scope the legal entities, data and processes that will be important to the monitorship. It then discusses how forensic firms test and retest key controls and processes to determine how the company’s financial controls and compliance processes function in actual practice.

Scoping

Overview

Data and process scoping at the monitorship’s onset helps the monitor contextualise business processes, identify relevant data sources and home in on processes and controls relevant to root-cause deficiencies and related remediation. It also serves as the foundation on which the monitorship team begins to understand how to identify and validate the completeness and reliability of data sources necessary to perform downstream testing and verification procedures.

The monitorship team’s approach to scoping varies based on the nature of the monitorship but often includes procedures designed to understand the company’s legal-entity landscape, including the role of subsidiaries and joint ventures; system infrastructure, including system implementations or migrations that impact relevant processes; and control environment, including financial controls relevant to the monitorship’s root cause. This is particularly relevant in monitorships involving multiple legal entities, businesses or geographies that employ differing systems, policies and procedures.

Once the monitorship team figures out where to work and what data and controls exist, forensic accountants can help identify the policies and procedures that govern key processes, the functional areas and personnel that execute those processes, and how company systems produce and store data relevant to those processes. Targeted initial information requests and walkthroughs with company stakeholders from finance, accounting, IT and operations facilitate this process and help streamline the monitor’s subsequent requests and procedures by ensuring they are relevant and appropriately tailored.

Legal-entity landscape

Companies on which the government imposes monitorships are often large and complex, spanning multiple countries and often maintaining different business lines. This makes understanding which legal entities within the organisation undertake business activities relevant to the monitor’s mandate an important first step. Forensics experts support monitors in identifying entities relevant to the monitor’s review and testing procedures, including those implicated in the underlying misconduct or those that share a similar operating model or inherent compliance risks. Legal-entity scoping allows the monitor to isolate the entities most relevant to their procedures, considering a multitude of factors, including each entity’s relative size (eg, percentage of total revenue, headcount and office count); inherent risk profile (eg, route-to-market, customer and vendor pool and governmental touchpoints); and systems and controls maturity (eg, extent of remediation, recency of systems implementation and continued use of manual or off-line systems). Even where the resolution prescribes the specific in-scope legal entities, the monitor must ensure that they understand the interrelationships between various company entities, including the flow of relevant data and information.

Thorough legal-entity scoping at a monitorship’s onset also provides a clear mapping of the risks, systems, processes and controls that exist across various company entities, which enables the monitor to more easily document, track and communicate observations and recommendations throughout the monitorship.

Data sources and relevant business systems

Data is the lifeblood of most monitorships because, no matter what controls exist on paper, the only way to test how they function is to figure out what happens in the real world – and the contemporaneous record of how those controls were applied in the real world lives in the company’s data. Forensics experts, including accountants and data experts, use corporate data – including accounting data, surveillance data, contemporaneous communications and other data – in nearly every matter they execute. They can, therefore, help the monitor to quickly assess where relevant financial and operational data resides, how it flows through the company’s systems, and how the monitorship team can meaningfully and reliably test it.

To assist the monitor in understanding how to most efficiently and effectively obtain relevant system data, forensics experts often conduct walkthroughs with company stakeholders that address systems architecture and administration, data-hosting locations, data storage and retention, supporting documentation locations, data volume, data privacy and data-transfer considerations, among other topics.

Systems relevant to the monitor’s mandate depend on several factors, including the conduct underlying the resolution, the company’s industry and the company’s systems infrastructure. In almost any monitorship, the company’s enterprise-resource planning system – which houses transaction-level accounting data that the company uses to prepare its financial statements – is among the most critical data sources. Beyond that, other relevant systems vary and could include procurement and expense-management systems that house important financial and operational data; customer- and supplier-relationship management systems that manage commercial and counterparty data; and other industry-specific systems such as trading platforms (in the commodities industry), electronic medical records systems (in the life sciences industry) or project-management systems (in the construction industry).

An early discussion among the monitor, forensic experts and the company ideally helps everyone understand why the monitor needs the data they are requesting and will also establish the quickest and most cost-effective method of obtaining that data. Counterintuitively, it is often less expensive to take more and rawer data rather than collect data piecemeal. Forensics experts generally prefer back-end data extracts or backups to front-end reports because they follow a standardised format, illuminate transactional flow and system controls and allow the monitorship team to validate the accuracy and completeness of data in advance of subsequent analyses. Forensics experts often load relevant system data into a secure database or data warehouse that supports the ingestion and processing of large (and often disparate) data populations while also enabling more efficient quality-review procedures around data integrity and completeness.

There are many ways to collect the required data, and each method can yield different datasets, making a thorough quality check indispensable. Quality review procedures often involve developing and applying analytical tests to evaluate the data’s completeness and accuracy relative to other available data sources. This includes validating that record counts, transaction totals and data fields reconcile between database extracts, source systems and other relevant sources before proceeding with substantive analyses.

These validation procedures serve an important role from both a systems and testing perspective: they provide confidence that the monitor has obtained a complete and accurate data population from the relevant source systems, which, in turn, provides confidence that the monitor’s downstream data analysis, sample selection and controls testing are grounded in reliable system evidence. Performing these procedures as part of initial data scoping also affords the monitorship team and company sufficient time to address and remediate any identified data gaps or irregularities in advance of the monitor’s data analysis and testing. From a substantive perspective, the procedures themselves can sometimes surface gaps related to data governance, system configuration, record retention, and other areas that warrant further review.

Design and structure of internal controls

Companies under monitorship have often already identified and reported to prosecutors on what they consider to be the root causes of misconduct, including specific controls gaps or breakdowns – which can be an excellent start, given the company’s intimate knowledge of its business and the investigation that led to its resolution. Forensics experts can bring a fresh set of eyes to help the monitor flesh out which controls were likely critical to the underlying misconduct and which controls, when strengthened, can mitigate the risk of recurrence. The key controls will differ by matter: for example, an FCPA resolution might centre on insufficient invoice-review and approval controls whereas a commodities-manipulation resolution might centre on inadequate trade surveillance.

Although some companies under monitorship already have dedicated resources to remediating these areas, the decision to impose a monitor typically reflects a determination that the company has not yet fully remediated controls or has not validated through testing that their remediation efforts sufficiently mitigate the risk of recurrence. Scoping, therefore, helps identify and align the monitorship team’s procedures with the aspects of the company’s control environment that are most relevant to root cause. Effective scoping at a monitorship’s outset also provides the monitor with important baseline information about the current state of the company’s controls, including the status of any remediation-related efforts the company has already undertaken.

Forensics experts use a variety of information to understand the structure and organisation of a company’s control environment, including policies and standard operating procedures, risk and controls matrices, and process narratives and workflow diagrams. As in data scoping, forensic experts also facilitate walkthroughs with relevant company stakeholders to understand how processes and controls function in practice, including any day-to-day activities that circumvent established controls, which should be identified, analysed, remediated and tested. Forensics experts also seek to identify and document instances in which local policies, procedures or controls deviate from those of the parent company, which often warrant further evaluation.

Sampling methodology

Even when a monitorship will last for years, there is not enough time to look in depth at every transaction that might be relevant to the monitor’s mandate; the key is selecting and testing just enough transactions of the right nature to understand how the company’s controls function. Controls testing seeks to illuminate how controls function in practice and whether the company can reasonably expect those controls to detect and deter similar future misconduct.[2] This often involves analysing data and supporting documents from historical transactions to understand whether the company’s controls functioned as designed. Given time and resource constraints and the volume of transactional data that often exists within relevant populations, monitorship teams generally evaluate a sample of transactions and then use observations from that sample to draw broader conclusions about the effectiveness of processes and controls.

Consistent with the monitor’s approach to scoping, the approach to sample selection depends on the monitorship’s subject matter, the controls and process areas in scope for testing, and the size and complexity of relevant data populations. Although some matters may require statistically valid random samples to derive and extrapolate conclusions across a broader population, forensics experts in investigations and compliance matters often use judgmental sampling – aided by advanced data analytics – to assess controls’ operating effectiveness in transactions with greater inherent compliance risks and within higher-risk business activities and processes.

Data analytics and sample selection

Using information gleaned from scoping, forensics experts often use data analytics and forensic technology to select a risk-based and diverse sample of transactions for testing. Doing so allows the monitorship team to analyse large and often complex datasets in a systematic, scalable and repeatable way; enables monitorship team members to review a greater volume of data more efficiently and effectively; promotes consistency in the monitor’s sample-selection methodology; and ultimately supports the monitor’s evaluation of whether key controls are functioning as intended across relevant systems and processes.

Forensics experts execute a variety of analytical procedures to risk-rank and surface higher-risk transactions for testing, including transactions with descriptions, timing, amounts, counterparties, jurisdictions, approvals or other attributes relevant to the matter’s root cause. Using analytics, forensics experts also seek to identify transactions for testing that will allow the monitor to evaluate controls’ effectiveness in detecting and responding to potential process and controls circumvention, including by evaluating how controls functioned in situations involving manual entries or approvals, amounts recorded just beneath approval thresholds or triggers, or transactions that were seemingly split or divided across multiple submissions to avoid value limits.

The monitorship team considers several factors when determining the sample selection’s size and substance, including the complexity and criticality of the underlying process or control and the size of the underlying data population. When performing judgmental sampling, the monitor ultimately seeks to prepare a sample sufficiently diverse to offer insights into how controls function in various situations, including across various transaction types, categories, regions, dates and legal entities. Before finalising the sample, the monitorship team often calculates and considers various metrics, including the sample’s “coverage” – meaning the total count and value of the sample population relative to the overall population.
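The analytics described in this section can be sketched in code. The following is an added illustration, not part of the original article or any firm's methodology: it flags amounts just beneath an approval threshold, apparent splits across submissions and manual entries, risk-ranks the hits, and then reports the sample's coverage and the legal entities it leaves untested. The threshold, band, window, field names and transactions are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Assumed parameters; the article states no thresholds or windows.
APPROVAL_THRESHOLD = 10_000        # hypothetical approval limit, whole currency units
NEAR_BAND = 0.05                   # "just beneath" = within 5% below the limit
SPLIT_WINDOW = timedelta(days=3)   # submissions this close together are compared

# Constructed sample population (not real data).
POPULATION = [
    {"id": "T1", "entity": "LE01", "vendor": "V-100", "date": date(2025, 3, 3), "amount": 9_800, "manual": False},
    {"id": "T2", "entity": "LE01", "vendor": "V-200", "date": date(2025, 3, 4), "amount": 6_000, "manual": False},
    {"id": "T3", "entity": "LE01", "vendor": "V-200", "date": date(2025, 3, 5), "amount": 5_500, "manual": True},
    {"id": "T4", "entity": "LE02", "vendor": "V-300", "date": date(2025, 3, 6), "amount": 2_000, "manual": False},
    {"id": "T5", "entity": "LE02", "vendor": "V-300", "date": date(2025, 4, 20), "amount": 9_000, "manual": False},
    {"id": "T6", "entity": "LE02", "vendor": "V-400", "date": date(2025, 5, 1), "amount": 25_000, "manual": False},
]

def near_threshold_ids(txns):
    """Transactions recorded within NEAR_BAND below the approval limit."""
    floor = APPROVAL_THRESHOLD * (1 - NEAR_BAND)
    return {t["id"] for t in txns if floor <= t["amount"] < APPROVAL_THRESHOLD}

def split_ids(txns):
    """Sub-limit items to one vendor/entity that together reach the limit within the window."""
    groups = defaultdict(list)
    for t in txns:
        if t["amount"] < APPROVAL_THRESHOLD:   # only sub-limit items can be splits
            groups[(t["entity"], t["vendor"])].append(t)
    flagged = set()
    for items in groups.values():
        items.sort(key=lambda t: t["date"])
        for i, first in enumerate(items):
            window = [t for t in items[i:] if t["date"] - first["date"] <= SPLIT_WINDOW]
            if len(window) > 1 and sum(t["amount"] for t in window) >= APPROVAL_THRESHOLD:
                flagged.update(t["id"] for t in window)
    return flagged

def risk_rank(txns):
    """Return (id, reasons) for flagged transactions, most reasons first."""
    near, split = near_threshold_ids(txns), split_ids(txns)
    ranked = []
    for t in txns:
        checks = (("near_threshold", t["id"] in near),
                  ("possible_split", t["id"] in split),
                  ("manual_entry", t["manual"]))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            ranked.append((t["id"], reasons))
    ranked.sort(key=lambda r: (-len(r[1]), r[0]))
    return ranked

def coverage(sample_ids, txns):
    """Sample count and value as a percentage of the whole population."""
    sample = [t for t in txns if t["id"] in sample_ids]
    return {
        "count_pct": round(100 * len(sample) / len(txns), 1),
        "value_pct": round(100 * sum(t["amount"] for t in sample) / sum(t["amount"] for t in txns), 1),
    }

def uncovered_entities(sample_ids, txns):
    """Legal entities in the population with no transaction in the sample."""
    sampled = {t["entity"] for t in txns if t["id"] in sample_ids}
    return {t["entity"] for t in txns} - sampled

if __name__ == "__main__":
    ranked = risk_rank(POPULATION)
    ids = {tid for tid, _ in ranked}
    print(ranked, coverage(ids, POPULATION), uncovered_entities(ids, POPULATION))
```

On this constructed data the risk flags alone select only LE01 transactions, which is the kind of gap a judgmental sample would close by adding items from the untested entity before it is finalised.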

Transaction testing

Like scoping and sample selection, the monitor’s approach to designing and executing testing procedures depends on several factors, including the nature of the conduct underlying the monitorship. In a bribery-related monitorship involving improper payments through a third-party intermediary, the monitor’s testing may, for example, evaluate the company’s process to source, diligence and onboard vendors as well as its process to review, approve and disburse outgoing payments. In a monitorship stemming from improper sales practices, the monitor’s testing might evaluate procedures and controls related to new-client onboarding, credit assessment and approval, pricing and discounts, and reversals and write-offs.

For each process or control in scope for testing, forensics experts define testing “attributes” based on scoping and information-gathering procedures performed in advance of testing, including document review, walkthroughs and summaries of existing remediation actions.[3] At larger or more complex companies – particularly at multinationals with operations spread across distinct operating companies that employ varying systems, policies and processes – the monitor generally tailors their testing to the company’s local procedures but often also includes an evaluation of whether those local procedures (including any deviations from parent-level controls) adequately mitigate underlying risks.

For each transaction in the monitor’s sample, the monitorship team analyses data and supporting documents necessary to understand the nature and substance of the transaction, assess inherent compliance risks and evaluate the extent to which the company executed the transaction in accordance with applicable policies, procedures and controls, including whether relevant preventative controls operated as designed. The monitorship team should tailor the specific documents it requests and analyses based on insights gained from earlier process and data scoping to ensure that requests are practical and aligned with the scope of the monitor’s review.

To the extent that testing identifies deviations in practice from defined policies and procedures, forensics experts work to understand whether deviations stem from missing, misunderstood or ineffective controls and to understand the company’s pre-existing or planned approach to remediating those observations. Monitorship teams recognise that testing observations could represent either isolated exceptions or broader indications of process and controls gaps, including deficient system logic or configuration. In considering the severity and root causes of observations and the appropriate corresponding remediation, monitorship teams often provide companies with an opportunity to review and discuss preliminary findings to promote transparency, build trust and maintain alignment. Based on that assessment, the monitor’s recommendations with respect to remediation may include enhanced trainings, policy clarifications, controls refinement or some combination of these measures.

Throughout the course of the monitorship, monitorship teams remain mindful of changes in circumstances that warrant refinement to testing procedures, including changes to the company’s operating profile (including its route-to-market, locations and business activities) or to relevant processes, systems and controls. The monitor’s testing approach also depends on the status and maturity of the company’s remediation. As the company’s remediation matures, forensics experts support the monitor in performing post-implementation testing to assess whether enhancements satisfactorily address root-cause issues and have been appropriately embedded into relevant systems and processes.

Remediation and post-implementation testing

As the monitor conducts their procedures and begins to form observations about the state of the company’s control environment, observations and recommendations should be thoughtfully communicated, with a clear road map for how the monitor expects the company to remediate any observations, including the criteria by which the monitor will evaluate the company’s actions.

Because the monitor’s testing procedures stem from scoping and information gathering, their observations and recommendations should similarly consider practical realities of the business, including the current state of its processes and systems. Ultimately, the monitor, company and regulators all share a common goal of implementing sustainable change that will persist after the monitorship ends. Monitorship teams can support this goal by providing risk-based and reasonable recommendations that strengthen the company’s ability to deter and detect misconduct without overburdening the business.

Effective process and controls remediation takes time to design, socialise and implement, and often requires a defined operating period during which both the company and the monitor observe and evaluate revised processes and controls in practice. Monitorship teams conduct post-implementation review and testing to evaluate whether the company’s enhancements satisfactorily remediate the root cause of the monitor’s recommendation. This may include targeted document requests, interviews and process walkthroughs with relevant stakeholders, and follow-up controls testing. The monitor’s post-implementation review and testing procedures should also solicit feedback from functional areas within the business responsible for executing and overseeing impacted processes and controls, which could surface opportunities for further refinement to ensure long-term sustainability and effectiveness.

Conclusion

Forensic experts play a central role in monitorships, grounding the monitor’s procedures, observations and recommendations in data that reflects how systems and controls work in practice. By validating data sources and executing risk‑based testing, forensic experts help translate raw data into evidence‑based conclusions about the effectiveness and sustainability of the company’s compliance programme.

Looking ahead, we expect prosecutors and regulators to emphasise and scrutinise the integrity and reliability of system-based processes and controls. Companies (and the firms that monitor them and support post-resolution reporting efforts) should continue to surgically examine the root causes of misconduct, isolate process and controls gaps that require remediation and evaluate through testing whether enhancements meaningfully reduce the risk of recurrence. Effective scoping and data analysis will remain at the foundation of those efforts, particularly as companies grow increasingly complex in size, structure and geography.


Endnotes

[1] This chapter uses the phrase “root cause” to refer to gaps or deficiencies in processes, systems, controls, and other factors that directly contributed to or allowed the misconduct underlying the monitorship to occur. Because of their relevance, the monitor’s review procedures often place greater emphasis on root-cause areas.

[2] In addition to controls testing, forensics experts often support the monitor’s efforts to evaluate key compliance and risk-management processes and functions, including internal audit, compliance monitoring, and enterprise and third-party risk management. Although not addressed in this chapter, those activities similarly draw on risk-based scoping to identify second and third line of defence functions relevant to the monitorship. Procedures to evaluate those areas typically include (1) reviewing charters, policies and methodologies; (2) evaluating governance structures, including reporting lines, independence, escalation pathways and management oversight; (3) assessing risk assessment frameworks and how risk identification informs planning and resource allocation across functions; (4) analysing systems access, tooling and data infrastructure that enable continuous monitoring and reporting; and (5) interviewing stakeholders. These procedures support the monitorship team in evaluating whether functions are proportionate to the organisation’s risk profile and effectively identify and manage inherent risks across the business.

[3] Testing attributes represent the specific characteristics, criteria or conditions subject to evaluation within each transaction. These may include, for example, whether a company obtained multiple quotes as part of vendor sourcing, whether due diligence was performed in accordance with policies and whether an invoice was approved before payment.
