Since news broke about the nationwide cheating schemes for college admissions, the scandal has garnered front-page press coverage and generated multiple lawsuits, and it has also fueled enthusiastic discussions about fairness versus entitlement.

The scandal involves an experience common to so many people—most of us have been through the college application process and/or watched someone else go through it—but with seemingly unique sensational details. How many of us are rich and famous people cheating and getting caught via wiretapped conversations?

But throughout the 200-plus page complaint that reads like The Bonfire of Vanities, I found many broadly applicable compliance lessons to be learned. Below are a highlighted few.

1. Bribery Happens in the United States

In my conversations with higher education compliance officers, the reaction to bribery and corruption risk was always dependent on whether their institutions had foreign operations. This attitude pervades corporate compliance environments, too: “We don’t have bribery risks if we don’t have foreign operations.”

Bribery, however, is not an act confined by geographies. Like most frauds, it is a product of motive, opportunity, and rationalization. Where there are power and benefits to be traded, there would be bribes.

2. Exceptions Are Often the Weak Link

One way I examine the health of a compliance system is to look at exceptions to processes:

  • how often they are made,
  • how are they made, and
  • by whom.

The cheating schemes in this case involved the abuse of two exceptions:

  • exceptions made in standardized testing, and
  • exceptions made for athletic recruits.

The cheating schemes involved getting children to be falsely certified for learning disabilities so that they could get individualized testing and extended time, as well exceptions in testing locations so that the bribed proctor could provide or correct their answers, or take the tests for them. They also involved falsely claiming athletic abilities to enter through athletic programs where the same level of academic scrutiny is not applied.

These abuses are no different than the preferential hiring of sons and daughters of customers or government officials to gain business advantage: exceptions were made—with little transparency, scrutiny, monitoring, or audit—to regular processes.

3. Controls and Gatekeepers Need to Be Monitored

The college admission standard testing systems obviously considered cheating a risk: hence the proctors. It appears, however, that there was insufficient monitoring of these control gatekeepers. Parents and students were apparently able to choose their own proctors, as well as testing locations, with little more than reasons for convenience.

Similarly, there appeared to be few checks to balance the power of the coaches, who were the gatekeepers for the athletic programs.

It is important to ask who the critical control and gatekeepers are in your compliance systems, how they are incentivized, and how they are monitored and held accountable.

4. Data Could Have Helped

Some basic data analytics that should have been tracked for purely performance analysis purposes very likely would have helped identify these bribe-based anomalies much earlier. The companies that administer standardized testing should have been collecting and comparing data on test scores associated with each testing center, proctor, and exception and standardized settings.

Analyzing such data would have yielded useful information on how these factors impact testing and scoring over all, not to mention identifying unusual patterns.

Similarly, colleges are making an investment in designating athletic admission spots. The least they could do would be to track performance of every student admitted under these programs to assess the returns on these investments and to continually improve recruitment criteria, and had they done so they would likely have found the non-performing recruits.

5. Self-Reported Due Diligence Needs to Be Verified

Like many companies’ due diligence programs, college applications are assessed based on self-reported information. Some of the false claims made in the cheating scandal could easily have been exposed through publicly available information or independent verifications: One applicant, for example, claimed to be among the “Top 50 ranking” in the U.S. Tennis Association Junior Girls Tennis when her actual ranking was at best 207th.

If your due diligence program is still relying only on third parties’ self-reported information, it is long overdue for one that relies just as much—if not more—on publicly available or independently verifiable information.

6. Just Because No One Else Has Been Caught Yet Doesn’t Mean You Won’t Be the First

The wiretapped conversations indicated one driving concern of the parents who participated in the cheating schemes: Would they get caught? The reassurance was always that the scheme had been done many times and for many years, and no one had been caught.

Often times, when compliance advises the business not to do something, the response is: “Has anyone been caught doing this?” Compliance officers ask the same questions: “Has there been enforcement on this?”

The assumption is: If no one else has been caught (no enforcement), then I won’t be (no risk). That’s an assumption that has certainly been proven invalid here. And when you are the first to be caught, your name becomes far more infamous than you’d ‘ever want it to be.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.

Author Information

Hui Chen is an independent ethics and compliance consultant and was the Justice Department’s first-ever compliance counsel expert. She had served in global senior compliance lead positions at Microsoft, Pfizer, and Standard Chartered Bank.