I conclude this one-month series by considering the recently concluded Securities and Exchange Commission (SEC) resolution of its outstanding Foreign Corrupt Practices Act (FCPA) enforcement action with Halliburton Company. I want to continue to explore the enforcement action around the issue of internal controls, their effectiveness (or lack thereof) and management over-ride of internal controls.
In a Cease and Desist Order which also covered former employee Jeannot Lorenz, the SEC spelled out a bribery scheme facilitated by both a failure and over-ride of company internal controls. The matter involved Halliburton’s work in Angola with the national oil company Sonangol, which had a local content requirement. The nefarious acts giving rise to the FCPA violation involved a third-party agent for Halliburton’s contracts with the state-owned enterprise.
According to the SEC Press Release, this matter began in 2008 when officials at Sonangol, Angola’s state oil company, informed Halliburton management that it had to partner with more local Angolan-owned businesses to satisfy local content regulations. The company was successful in meeting the requirement for the 2008 contracting period.
However, when a new round of oil company projects came up for bid in 2009, Sonangol indicated, “Halliburton needed to partner with more local Angolan-owned businesses in order to satisfy content requirements.” The prior work Halliburton had done on local content was deemed insufficient and “Sonangol remained extremely dissatisfied” with the company’s efforts. Sonangol backed up this dissatisfaction with a threat to veto further work by Halliburton for Sonangol. Against this backdrop, the local business team moved forward with a lengthy effort to retain a local Angolan company (the Angolan agent) owned by a former Halliburton employee who was a friend and neighbor of the Sonangol official who would ultimately approve the award of the business to Halliburton.
In each of the attempts described below, the company bumped up against its own internal controls around third parties, both on the sales side and through the supply chain. The first attempt to hire the Angolan agent was as a third-party sales agent, which in Halliburton parlance is called a “commercial agent”. In this initial attempt, the internal control held, as the business folks abandoned their efforts to contract with the Angolan agent.
The first attempt to hire the Angolan agent was rejected because the local Business Development (BD) team wanted to pay a percentage fee based, in part, upon work previously secured under the 2008 contract and not new work going forward. Additional fees would be paid on new business secured under the 2009 contract. This payment scheme for the Angolan agent was rejected as the company generally paid commercial agents for work they helped obtain and not work secured in the past. Further, the company was not seeking to increase its commercial agents during this time frame (Halliburton had entered into a Deferred Prosecution Agreement (DPA) for FCPA violations in December 2008 for the actions of its subsidiary KBR in Nigeria).
Finally, “As outlined by Halliburton’s legal department, to retain the local Angolan company as a commercial agent, it would be required to undergo a lengthy due diligence and review process that included retaining outside U.S. legal counsel experienced in FCPA compliance to conduct interviews. Halliburton’s in-house counsel noted that “[t]his is undoubtedly a tortuous, painful administrative process, but given our company’s recent US Department of Justice/SEC settlement, the board of directors has mandated this high level of review.”” In other words, the internal controls held and were not circumvented or over-ridden.
The Angolan agent was then moved from commercial agent status to that of a supplier so the approval process would be easier. The proposed reason for this switch in designations was that the Angolan agent would provide “real estate maintenance, travel and ground transportation services” to the company in Angola. However, the internal controls process around using a supplier also had rigor as they required a competitive bidding process which would take several months to complete. Over-riding this internal control, the local business team was able to contract with the Angolan agent for these services in September 2009 and increase the contract price, all without the Angolan agent going through the procurement internal controls.
A second internal control which was over-ridden was the procurement requirement that the supplier procurement process begin with “an assessment of the criticality or risk of a material or services”; not with a particular supplier and certainly not without “competitive bids or providing an adequate single source justification.” However, as the Order noted, the process was run backwards, with the Angolan agent selected first and then “backed into a list of services it could provide.” Finally, there was a separate internal control that required “contracts over $10,000 in countries with a high risk of corruption, such as Angola, to be reviewed and approved by a Tender Review Committee.” Inexplicably, this internal control was also circumvented or over-ridden.
Yet this arrangement was not deemed sufficient local content by Sonangol officials. After all of this and further negotiations, Halliburton entered into another agreement with the Angolan agent, where the company would lease commercial and residential real estate and then sublease the properties back to Halliburton at a substantial markup, and also provide real estate transaction management consulting services (the “Real Estate” contract).
This Real Estate contract also had to go through an internal control process. Initially, there were questions by the company about the Real Estate contract as a single source for the procurement function, the upfront payment terms to the Angolan agent, the high costs, and the rationale for entering into subleases for properties that would cost less if leased directly from the landlord. Indeed, “One Finance & Accounting reviewer at headquarters noted that he could not think of any legitimate reason to pay the local Angolan company over $13 million under the Real Estate Transaction Management Agreement and that it would not have cost that much to run Halliburton’s entire real estate department in Angola.”
Halliburton internal controls required that when a single source was used by the company it had to be justified. This justification would require a showing of preference for quality, technical, execution or other reasons, none of which were demonstrated by the Angolan agent. Finally, if such a single source was used, the reasons had to be documented or in Halliburton’s internal controls language “identified and justified”. None were documented by the company.
Finally, because the internal controls were either circumvented or over-ridden, “As a consequence, internal audit was kept in the dark about the transactions and its late 2010 yearly review did not examine them.” This was yet another internal control failure, but one built on the previous failures noted above.
So how many internal controls failures can you spot? Whatever the number, the lesson for the compliance practitioner is that you must do more than have internal controls. They must be followed and be effective. If you are doing business in high-risk regions, you have to test the controls and then back up your testing by checking whether payments are actually being made in those regions. Perhaps the best concept is simply Reaganian: trust but verify.
Three Key Takeaways
For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
In this episode, I visit with Virginia Suveiu who counsels on legal risk management, regulatory compliance and public policy, as well as commercial and international law matters.
She is a subject matter expert on risk and developed the Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program as well as the Contract Management Certificate Program. She has published articles on a variety of business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum, among others.
There are a wide variety of risks that every corporation and compliance practitioner faces. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risk. We consider whether there is one process or approach to take to the over-arching concept of risk management, or whether the approach needs to be fine-tuned by organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including the program benefits and who should attend. We explore her approach to teaching risk management. We discuss some of her current initiatives on the study and teaching of risk.
In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. The amendments become effective for public entities for annual reporting periods beginning after December 15, 2017. In other words, we are now less than six months away from a new Revenue Recognition (“new rev rec”) standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward.
I conclude this section on the COSO 2013 Internal Controls Framework by considering what COSO says about assessing compliance internal controls. In its Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured assessment process. First, each of the five components is present and functioning. Second, the five components are “operating together in an integrated approach”. One of the most critical aspects of the COSO Framework is that it sets internal control standards against which you can audit to assess the strength of your compliance internal controls.
This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:
The fifth and final Objective is Monitoring Activities. The Framework Volume says, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of directors as appropriate.”
However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future. In the Five Principles of an Effective Compliance Program, Principle 5 includes ongoing monitoring and this is reinforced in the 2013 COSO Framework.
In an article in Corporate Compliance Insights (CCI), entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.
The Monitoring Activities objective consists of two principles. They are:
Principle 16 - “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”
Principle 17 - “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”
Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple: ongoing monitoring and separate evaluations (audits) are complementary tools for testing the effectiveness of your compliance regime. The same is true of internal controls generally. This Principle clearly expects your organization to engage in both types of oversight, monitoring and auditing.
For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated.
This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken”. If that does not sound like McNulty Maxim No. 3, “What did you do when you found out about it?”, I do not know what does.
Therefore, under this Principle the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the board or Compliance Committee, correct and then monitor the corrective action going forward. Adapting Kral, I would urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”
Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.
The most important thing here is that all the controls need to be sustainable. You cannot just build one-off controls that get you through one reporting period without a process in place that carries you through all the periods you need to cover. The controls cannot be one and done. Many companies are going to find that their initial approach to all of this is one and done.
There must also be a mechanism for the communication of controls which do not work or can readily be over-ridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect and remediate going forward.
Three Key Takeaways
In its Framework Volume, COSO said, “Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is how information is disseminated throughout the organization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant external information, and it provides information to external parties in response to requirements and expectations.”
However, as with the other components of the COSO Cube, the objective of Information and Communication is not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Rittenberg says that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they have to be communicated downward in the organization and there should be feedback back up the organization regarding this process. Finally, as Rittenberg continues, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”
Information and Communication
The objective of Information and Communication consists of three principles. They are:
Principle 13 - “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.”
Principle 14 - “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”
Principle 15 - “The organization communicates with external parties regarding matters affecting the functioning of internal control.”
A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives and that the 17 Principles are readily adaptable to compliance. I think they are more than simply adaptable, as they provide a clear road map for the CCO or compliance practitioner on how to set up the right compliance controls. Finally, I believe that the SEC will measure your company’s internal controls against each of these 17 Principles, and if you cannot map your internal controls to them and provide audit evidence, you may well be in FCPA hot water.
The Framework Volume makes clear that this Principle relates to ‘relevant’ information and not simply reams and reams of data for data’s sake. Rittenberg said this Principle requires that “Relevant, timely and quality information needs to be assessed by management and others to help identify” several areas within a company. For the CCO or compliance practitioner this means that you need to identify relevant data, which can include both internal and external data. The hard part is to move that data to actionable information. Rittenberg also suggests that you need to consider the characteristics of the information and “whether or not such information is being used correctly and timely.” The Framework Volume goes on to detail several categories of both internal and external information which can be a good starting point to be used as sources from which management can generate “useful information to relevant internal controls.”
This is the Principle that brings in the upward, downward and indeed horizontal flow required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process”.
Therefore, under this Principle you will need to determine several different things from the compliance perspective. Does the Board communicate in a downward mechanism that gets its relevant instructions to the CCO or compliance function? Does the CCO or compliance function communicate upwards with the Board? Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.
This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites to the need for companies to communicate with third parties about relevant Codes of Conduct or similar documents, which might apply to them. He also pointed to the example of information about a hotline that could be provided to a third party to report any compliance related issues. But more than a company sharing its relevant compliance information with contracted third parties, whether they be on the sales side or in the supply chain, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls…and regulatory communication.”
Obviously there must be communications lines up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.
Information and Communication requires a wide range of information to go up and down the corporate chain. The article “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13” relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program. A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success so you can bring a wide range of talents, skills and imagination to bear on this objective.
Howell noted that “communication internally is how you establish the communications with your sales organization, with your sales operations? How do you establish communications with the legal organization? How do you establish information with the post-sales organizations? Even with the auditors, and your internal auditors and your external auditors and the board, to give the audit committee of the board comfort that the company has put in place the right levels of controls.”
A final point on communications externally. In the compliance realm, your external communications fall towards your third parties because they are your greatest risk for bribery and corruption. Your third parties are either part of the sales side of your organization, in the form of agents, distributors, resellers, et cetera, or on the supply chain side, where they deliver a product or, as part of the supply chain, help you create and build your product or integrate into the service you are going to deliver and sell, all of which is going to be subject to review.
Three Key Takeaways
We take things a different way in this episode as the commentators throw out five topics for consideration by the group. Last week we had topics from Jay and Matt; this week from Jonathan and Tom.
Topics from Jonathan:
Topics from Tom:
The top commentators in compliance are back for another episode of Everything Compliance.
In its Framework Volume, COSO says Control Activities “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and business performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, management selects and develops alternative control activities.” The concept of a ‘second set of eyes’ is directly enshrined in this objective. Finally, Control Activities should be performed at all levels of the business process cycle within an organization, and this speaks directly to the operationalization of your compliance program.
The objective of Control Activities consists of three principles. They are:
Principle 10 - “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”
Principle 11 - “The organization selects and develops general control activities over technology to support the achievement of the objectives.”
Principle 12 - “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.”
A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”
Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.”
The Framework Volume recognizes the dependency between the use of technology in business processes and compliance control. The use of technology will only be greater and more important going forward. I would certainly expect the SEC to focus on a company’s use of technology in any evaluation of its overall compliance program. Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure, around compliance internal controls, security management of the same and then use this information to move forward to obtain and implement the most appropriate technology around your compliance internal controls.
This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”
While the objective of Control Activities should be the most familiar to the CCO or compliance practitioner, this objective demonstrates the inter-relatedness of all the five COSO Objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.
This Objective demonstrates the inter-relatedness of the corporate functions in your organization. From a financial reporting perspective, the Control Activities objective requires that you put in place accounting processes, revenue recognition tools, contract management systems and other accounting tool sets, and software to manage the process. This easily translates into the compliance realm as well. It puts you squarely into the technology issue and portends an enormous amount of information to be generated by the entity.
Howell explained in the financial realm, “if you're dealing with the cost to acquire contracts, you may well have all of the contract information in your accounting systems but you have never before had to go get that commission information and some of these other COSO elements.” Such data will be scattered literally across the globe, so you need controls over both the accumulation of that data and the attestation that it is the right set of data. This is in many ways more challenging, and it is the difference between pulling a band aid off all at once or pulling it off slowly.
This requires two separate processes, so you need to be able to reconcile those two and to get the auditors and yourselves comfortable with the controls over the accumulation and the reporting of that information. This process will typically require a lot of changes to IT systems and the technologies involved, and it requires that the controls be in place both for the disclosures that you need to make and for the reconciliation of those disclosures.
This Objective requires that you have new ways of capturing that information, gathering that information, and confirming the accuracy and completeness of the controls reporting it. When selecting the control activities, what control activities do you need if you are using disparate accounting systems in different locations across the globe? Moreover, if you are getting into the general controls over technology, what system controls are in place to ascertain that the new information you're getting is the information you really need and is what you think you're getting? The Control Activities regarding the policies and procedures are certainly an important consideration going forward.
Three Key Takeaways
In this episode, Matt Kelly and I take a deep dive into the Dodd-Frank and Sarbanes-Oxley reform initiatives in the House of Representatives and as articulated by incoming SEC Chairman Jay Clayton. Will the new administration gut SOX and Dodd-Frank compliance requirements? For more see Matt Kelly's blog post SEC Chair Clayton Talks Compliance Costs.
The Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process, as it must consider both internal and external changes which can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes, and of changes that its business model may make in the delivery of goods or services, which could increase the risk of running afoul of these laws.
I. Objective-Risk Assessment
The objective of Risk Assessment consists of four principles. They are:
Principle 6 - “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”
Principle 7 - “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
Principle 8 - “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
Principle 9 - “The organization identifies and assesses changes that could significantly impact the system of internal control.”
Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis on which your risk assessments are approached.
Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”
Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means that fraud should be considered an important part of any risk analysis. It is important that any company follow the flow of money and, if the Fraud Triangle is present, that management place controls around such risk.
It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.
The SEC has made it clear that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Obviously risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should be seeing new risks that they need to address because of the changes brought about by the new standard.
Howell noted that “in the internal control arena, fraud risk in particular is something that has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company's business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.”
“Another example is that sales folks are giving concessions to customers that are not being reflected in their understanding of the contract and the accounting for the contract.” Howell went on to add that there might be other activities going on to acquire contracts that aren't being properly accounted for or even recognized at some level. Concessions may be given at the back end for returns that aren't being reported back into the process, which affects the estimate of revenue going forward.
Finally, there are risks that a company has misstated or underestimated the determination of whether revenue should be recognized over a period of time, or the estimate of what that period of time is if it is a rolling time frame. Howell stated, “For example, the period of time could be longer, which means that your revenue would be recognized over a longer period of time. There's always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long of a period of time. As we begin to think about these new judgments that are required, you get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls, and have a plan to respond if they discover that the risk has actually happened and they have a failure.”
Three Key Takeaways
In this episode, Richard Lummis and I explore leadership lessons from Toussaint Louverture, who led the only successful slave revolt in the Western Hemisphere. Our remarks are based on the recent biography of him entitled Toussaint Louverture by Philippe Girard. While not an obvious character for study in a business leadership podcast, Louverture nonetheless presents several important lessons which translate into today’s business environment.
The updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. However, it built out the Objectives with 17 Principles, which represent fundamental concepts associated with the five components of internal control. Together, the Objectives and Principles constitute the criteria that will guide companies in assessing whether the components of internal controls are present, functioning and operating together within their organization.
The first of the five objectives is Control Environment, and it sets the tone for the implementation and operation of all other components of internal control. It begins with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees. The five principles of the Control Environment objective are as follows:
Principle 1 - The organization demonstrates a commitment to integrity and ethical values.
Principle 2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Principle 3 - Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibilities in pursuit of the objectives.
Principle 4 - The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.
Principle 5 - The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.
What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or another baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they should be addressed by the company in a timely manner. From the auditing perspective, this requires an auditor to be able to assess whether a company has met its commitment to ethics and compliance and whether that commitment can be effectively measured and assessed.
This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management, so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it to actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.
This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you will need to consider all the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.
This Principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures, and any demonstrated shortcomings must be addressed. This Principle next turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. A company must be able to demonstrate to an auditor, through its compliance policies and, equally importantly, its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and, more generally, employees who accept the company’s general principle of doing business ethically and in compliance.
This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorities and responsibilities. A company must establish appropriate compliance performance metrics and incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward comes through an evaluation of appropriate compliance measures and incentives. Interestingly, a company must also consider the pressures that it sends through off-messaging. Finally, each employee must be evaluated on his or her compliance performance, coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor that there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.
Both Board of Directors’ independence and Compliance Committee (or other applicable committee) oversight issues are essential to this Objective, because the Compliance Committee needs to be actively engaged to be comfortable that the company has implemented the internal controls under Sarbanes-Oxley (SOX) 404(a), as required under Principles 1 & 2. The external auditors must then be comfortable that this requirement is met. Finally, there must be evidence the company has appropriate disclosure controls in place, because that is central to the Objective itself. This is all tested against Board independence and Compliance Committee oversight over those activities that management has undertaken, and their engagement and conversations with their external auditor.
Howell related that under Principle 3, “structures in reporting lines, authority and responsibility are essential to the recognition of revenue. An entity’s internal controls over financial reporting detail that there are processes, there are policies, there is documentation, the authority and documentation of the judgments being made, the review of those and responsibility for making those ultimate judgments about the recognition of revenue and the recognition or timing of the revenue and the expenses, that those need to be in place.”
Under Principle 4, a business must attract and develop, then retain, competent talent. Of course, this is good business as well. But it is more than simply some appropriate level of staffing, as Howell stated, “One of the big reasons that companies have said they do not have money to invest in the deep dive study and process improvement necessary to implement it [the 2013 Framework], is that it comes down both to commitment level from the top and the tone at the top that this is important and these financial disclosures are critical to the ability of the investors to rely on the company's disclosures.” You must not only “put in place the right team, give the team the right tools, but also ensure the team has the ability to access the right level of technical accounting talent and business process and controls talent to make the judgments.”
All of this, of course, ties into Principle 5, which mandates that individuals be held responsible. This requires someone to document that they have made a judgment based upon the evidence that they have been able to accumulate, that the company has analyzed that evidence and has gone through the process of comparing this to the COSO 2013 Framework and to the spirit of the standard. Howell said, “those individuals are being held responsible for having done that properly. I think when you tie all that back together, when you get to the control environment, COSO principle number one can be completely tied back to what is being required.”
Three Key Takeaways
For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com
In this episode I visit with James Koukios, a partner at Morrison and Foerster on the firm’s newsletter, Top Ten International Anti-Corruption Developments for May 2017. Our topics include:
To see a full copy of the firm’s publication, Top Ten International Anti-Corruption Developments for May 2017, click here.
This week we turn our attention to COSO, with an introduction to the organization and its framework for internal controls. I will go through the internal controls and how they relate to compliance. Finally, I will end with a discussion of evaluation of internal controls through the COSO Framework. Once again, I am joined in this exploration by internal controls and accounting expert Joe Howell, EVP at Workiva, Inc.
What is COSO? The acronym stands for the Committee of Sponsoring Organizations of the Treadway Commission, whose framework was originally adopted in 1992 as a basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year-old COSO Framework to provide a more supportable approach when adversarial third parties (such as the SEC) challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s compliance internal controls. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it, or justify an exception, if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.
COSO has produced three volumes detailing the 2013 Framework. The first lays out the Framework and is entitled “Internal Control – Integrated Framework”, herein ‘the Framework volume’. The second is an Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, herein ‘the Illustrative Guide’, which discusses how best to assess your internal control regime and provides forms and work sheets to use in this exercise. The third volume is the Executive Summary of the first volume, herein ‘Executive Summary’. All three works form an excellent starting point for exploration of the COSO Framework and how you might use it for your best practices anti-corruption compliance program.
In the 2013 update the basic framework was retained with substantial support from user companies, and 3 specific objectives were added: (I) Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; (II) Reporting Objectives – internal and external financial reporting; and (III) Compliance Objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations.
The COSO Framework defines internal controls, from bottom to top, with the following Objectives: (a) Control Environment, (b) Risk Assessment, (c) Control Activities, (d) Information and Communication, and (e) Monitoring. From these five Objectives come 17 Principles which we will be exploring throughout this series.
Larry Rittenberg, in his book “COSO Internal Control-Integrated Framework”, said that the original COSO framework from 1992 has stood the test of time “because it was built as a conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles, which include the following: (1) the updated Framework should be conceptual, which allows for updating as internal controls [and compliance programs] evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls apply to more than simply accounting controls; they apply to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is significant because it directly speaks to the need for the compliance practitioner to operationalize internal controls for compliance and not simply rely upon a company’s accounting, finance or internal audit function to do so.
The primary objective is to keep in mind that even if an organization adopts the Framework, there will be very few people within that organization who have the unique knowledge that a compliance officer has that would impact all the elements of the Framework. The compliance officer's role is to provide input to the Chief Financial Officer (CFO) and others involved in the implementation, to be sure that there is a proper focus on the risks that really are part of the compliance world. This primarily comes through the risk assessment component, the control activities, and then the monitoring. Companies typically do risk assessment from an operational standpoint and address business risks going forward, and then develop the controls that deal with those business risks, which could be projected financial results, doing business in certain countries, strategic decisions and similar issues. All of this puts the compliance function in the unique position to be the fulcrum on many issues which will come up in a COSO-based analysis or implementation.
The updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, it is the emphasis on the principles which is new to the 2013 Framework.
Joe Howell noted that the COSO Framework can be seen as both a prevent and detect control. He also related that your internal controls need to be sustainable over the long haul. He stated, “You cannot just build one off things that allow you to do one period and not have a process in place that is going to help you through all of the periods that you need to cover. The controls cannot just be a one and done. Many companies are going to find that their initial approach to all of this is one and done.” As we explore the COSO Framework, the compliance practitioner should understand how the entire Framework interacts and intersects with the compliance function in a manner which is sustainable throughout the organization.
Three Key Takeaways
This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:
Last year, one of the most interesting non-Foreign Corrupt Practices Act (FCPA) enforcement actions was announced by the Securities and Exchange Commission (SEC). It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.
The reason that it is so interesting from an enforcement perspective is that it is not foreign corruption but domestic corruption, and therefore not subject to the FCPA. However, the actions of United’s former Chief Executive Officer (CEO), Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials. That sounds suspiciously like a books and records violation of the FCPA. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement (NPA) settlement with the Department of Justice (DOJ), which resulted in a penalty of $2.25 million. Chairman Samson had also pled guilty in July to putting pressure on United to reinstitute a flight service which was near his weekend residence.
The scandal also led to the resignation of Smisek and two other high-level executives from United. In a Press Release at the time of the resignations, the company stated, “The departures announced today are in connection with the company’s previously disclosed internal investigation related to the federal investigation associated with the Port Authority of New York and New Jersey. The investigations are ongoing and the company continues to cooperate with the government.”
Adding another twist to this already fascinating case was that it all came out of the Bridgegate scandal from New Jersey, although it was not related to the original claim that the New Jersey Governor’s office ordered the closing of certain traffic lanes around Fort Lee, NJ to punish the mayor for not supporting the Governor. The entire affair involved a flight from Newark to Columbia, South Carolina. The flight was reported to be a money-losing route, yet it was reinstated by United either at the request of the Chairman of the Port Authority of New York and New Jersey, Samson, or to obtain a benefit from Samson.
It turned out Samson had a weekend home at Aiken, which is near Columbia, SC, and was not happy there was no direct flight service from Newark. So he got a direct flight. The flight was a money loser and it was derisively named “the chairman’s flight.” The SEC Cease and Desist Order (Order) said that United lost some $945,000 on the flight.
However, at the time United was in the midst of trying to renegotiate its lease at Newark airport with the Port Authority. The flight from Newark to Columbia was cancelled after Samson resigned his post as Chairman.
According to the Order, “In the summer and fall of 2011, representatives of United and the Port Authority’s Aviation Department (which manages Newark Liberty) negotiated a proposed agreement that the Port Authority would lease approximately three acres of land at Newark Liberty to United for the construction and operation of a wide-body aircraft maintenance hangar (the “Hangar”). The Hangar would facilitate United’s ability to perform maintenance on its incoming fleet of wide-body aircraft at Newark Liberty, rather than having to perform such maintenance at a suitable United facility at another airport. Based on preliminary assessments and using information available at the time, United estimated that the Hangar would result in efficient routings that would drive $47.5 million in value to the United network on an annual basis post-construction.”
During this time period, Samson was communicating to a third party his desire that United reinstate the Chairman’s Flight. This culminated in a dinner meeting between Smisek, his senior team and Samson. Samson once again pressured for a reinstitution of the route, “Samson stated that Continental Airlines used to have a non-stop route between Newark Liberty and Columbia, South Carolina and asked the CEO to consider re-establishing that non-stop route.”
United’s “Network Planning Group analyzed the projected financial performance of the South Carolina Route… United’s standard process for initiating new routes generally included: the preparation and consideration of financial forecasts and other market data of how the route could be expected to perform, review and approval by several levels of United’s Network Planning Group, including approval by the Chief Revenue Officer (“CRO”) or his staff, and thereafter presentation of the route and its details to a group of senior United executives at a regularly scheduled marketing meeting.”
This review determined that the Chairman’s Flight would likely be a money loser and, indeed, when it was previously operated by Continental Airlines, prior to its merger with United, the route “was continually one of the hub's poorest performing markets”. (Recall the Order reflected the flight did lose United $945K.) However, after United declined to reinstitute the Chairman’s Flight, Samson pulled the Hangar proposal from consideration by the full Board, effectively scuttling the arrangement. Shortly after this development, “the CEO (Smisek) approved the establishment of the [Chairman’s] route.” On the same day, United’s contract for the new hangar was approved by the Port Authority.
At the time, United’s Code of Conduct prohibited “United employees from directly or indirectly making bribes, kickbacks or other improper payments to government officials, civil servants or anyone else to influence their acts or decisions” and stated that “[n]o gift may be offered or accepted if it will create a feeling of obligation, compromise judgment or appear to improperly influence the recipient.” Only the United Board of Directors could grant a waiver to the Code, and none was sought or obtained by Smisek. The Order concluded, “The [Chairman’s] Route was initiated in violation of United’s Policies.”
Mike Volkov has often worried that if companies create internal controls and then do not follow those internal controls, they will be prosecuted for such action (or perhaps inaction). This is the situation which led to the SEC enforcement action against United. The company had a Code of Conduct; it was not followed but was violated by the CEO, and this caused the company to violate Section 13 of the Securities Exchange Act of 1934. It would be easy enough to see this resolution in the FCPA context, but this was all domestic conduct and jurisdiction. This may be the first time the violation of a Code of Conduct resulted in an enforcement action by the SEC around domestic bribery and corruption.
Yet the company was also sanctioned for not having internal controls in place to prevent such actions as those taken by Smisek, with the SEC also finding this was a violation of Section 13. This was despite the Order detailing the protocol United had for instituting or reinstituting a route. The Order stated, “In particular, United had insufficient internal accounting controls in place to prevent approval of the South Carolina Route in derogation of United’s Policies.”
All the underlying facts, enforcement theories and remediation point towards the use of the failure of internal controls as an enforcement theory when domestic bribery and corruption occur. This might well be a new enforcement theory to use inside the United States for domestic bribery allegations. Imagine if United’s profit estimate of $47.5 million had been used as the basis of a profit disgorgement order.
Three Key Takeaways
Is a Board of Directors a compliance internal control? I think the clear answer is yes. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. The first, in Hallmark No. 1, states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).”
Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.
I believe that a Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.
Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes-Oxley (SOX), that also includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation.
A company must not only have a corporate compliance program in place, it must also actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures as an interrelated set of compliance control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:
There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, by contrast, their failure even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.
Three Key Takeaways
Show Notes for Everything Compliance-Episode 14
Topics from Matt:
Topics from Jay:
Rants are at the end of this week’s episode.
Joe Howell, EVP of Workiva, Inc., has noted that it is reasonable to expect that internal controls over gifts, travel and entertainment (GTE) be designed to ensure that all satisfy the criteria as defined in company policies. Generally speaking, these criteria are fairly narrow, including a definition of the dollar limit which must not be exceeded in order for gifts to be permissible, coupled with some subjective criteria such as the legality of the gift for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will.
The Department of Justice (DOJ), in several enforcement actions and in the FCPA Guidance, has emphasized the importance of risk assessment and effective controls and building a program tailored to those risks. Many companies effectively minimize the risk of inappropriate gifts through stringent pre-approval requirements, because a sufficiently robust and enforced pre-approval policy can reduce the number of gifts simply because of the headache of getting the pre-approval. This has the added benefit of easing enforcement of internal controls, largely because of the reduced volume of gifts being included in expense reports. In considering the effectiveness of controls, you must always keep in mind the most frequently used method for defeating an internal control driven by a dollar-amount criterion: splitting the item into multiple parts in order to appear to stay under the limit and to avoid the approval authority defined for that amount of gift.
The key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. There are four issues to evaluate.
While many compliance practitioners believe that employee expense reports are a sufficient internal control regarding gifts, because there are other ways in which a gift can be presented, there need to be other controls. Once your company policy on gifts has been finalized, the internal controls over expense reports fall into three basic areas: (1) The expense report format, including what information it requires; (2) Controls over the submitting employee and the preparation of the expense report; and (3) Controls to ensure the approvers do their review process properly.
Consider the format itself of an expense report, which can be a prevent control. First, it is important to have preprinted representations and certifications within the form, because these can act as “stop and think” controls, meaning the person submitting the expense report has to at least consider the information being submitted. The form can be signed without reading the preprinted representations, but if the employee and reviewers have been trained on how to review the expense report, it can be difficult to say later that the submitting employee did not understand what they were signing.
Next consider the Preparer’s representations and the Approver’s representations. The Preparer’s representations include ensuring that all items representing a proper business purpose comply with the company’s code of conduct, comply with local law and custom, and comply with all applicable company policies. The Approver’s representations ensure that all supporting documentation has been examined and that all documentation complies with applicable company policies, including the submission of original receipts. Further, the approver should certify that they have complied with all company policies regarding the review and approval of the expense report.
Some companies have two basic forms of expense reports. One pertains to US locations and does not involve any expenses incurred outside the US. The second is for items involving locations or persons outside the US. The international reporting form might have more stringent requirements and should provide for more detailed disclosures. It could require reporting, in a separate section of the expense report, all items that involve government officials, so that these items are not “buried” elsewhere in the expense report. As an added measure, the expense report can include, next to the column where other expenses are reported, a “Government Official Y/N?” box the submitter must check; this type of format should require sufficient disclosure of information regarding each item involving government officials. The next step in such an enhanced protocol would require a senior officer from the business unit to approve any reimbursements that meet certain criteria, for example, certain geographical areas or countries. Finally, such an enhanced representation could also include separate sections for each item requiring a description of the business purpose of meals and entertainment, names and business affiliation of all attendees, description of gifts and their business purpose, etc. A typical expense report requires this information to be on the receipt. Howell believes that moving beyond simply requiring receipts and requiring such detail to be incorporated directly onto the expense reimbursement forms highlights the presence or absence of proper documentation much more readily. Howell ended by noting that reviewers should be required to sign off that each such item carries documentation showing any required pre-approvals were obtained.
Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation. However, by using some of the techniques that Howell has suggested, you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but, through identification, can move towards remediation as a part of your ongoing compliance efforts. The bottom line is that good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company.
Three Key Takeaways
In this episode, Matt Kelly and I discuss the recent Second Circuit Court of Appeals decision in HSBC v. Moore. In this case a federal district court had ordered the release of a redacted monitor’s report in the HSBC money-laundering Deferred Prosecution Agreement (DPA), based upon the request of an interested citizen. Both the Department of Justice (DOJ) and HSBC appealed the order, and the Court of Appeals supported their position in overturning the trial court’s decision. The case is about as complete a hook, line and sinker overturning of trial court jurisdiction as one can have. The district court tried to claim it did not have the same role as a “potted plant”, but the Court of Appeals left no doubt that is the only role it sees for any district court where a DPA is filed. We discuss the implications for the compliance practitioner, FCPA enforcement and any potential changes going forward.
For additional reading, see my blog post on this case.
In this episode, I consider the leadership lessons which can be drawn from our 7th President, Andrew Jackson. I focus largely on the crisis surrounding the charter of the Second National Bank of the United States, which played out over 5 years from 1831 to 1836. This conflict pitted Jackson against most of the nation’s political and financial elites, most prominently Nicholas Biddle, the President of the Bank. However, the great politicians of the day, including Henry Clay and Daniel Webster, were lined up against President Jackson as well.
The crisis came to a head in the summer of 1832 when both the House and Senate passed a bill renewing the Charter of the Second Bank of the US early. Not only did Jackson veto the bill and give one of the most memorable veto addresses of any President, he then took on Biddle directly by first removing persons in the administration and government who were pro-Bank and pro-Biddle. In the coup de grace for the Bank, Jackson removed the gold specie from the Bank and moved it into state banks across the country. Jackson won the battle completely. His actions were not without negative consequence, as the distribution of the specie across the country led to rampant inflation and the Panic of 1837. However, by that time Jackson had departed the Presidency and the fallout was left to his successor, Martin Van Buren.
Today I want to look at internal controls for third parties. One of the questions that GSK faced during the bribery and corruption investigation of its Chinese operations was how an allegedly massive bribery and corruption scheme could have occurred. The dollars paid out went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions under the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”
Where were the appropriate internal controls? You might think that a company as large as GSK, and one that had gone through the wringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA), might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, for the following: “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they must give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”
Their article discussed the two primary methods of paying bribes in China: the direct incentives and the indirect incentives methods. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in ‘sales expenses’, including travel costs and fees for sales meetings, marketing ‘business development’ and ‘other expenses’. Most of the largest expenses were ‘travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.’”
It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment, and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down to reflect increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had a proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?
Below are 10 specific inquiries you can make regarding your compliance internal controls specific to third parties.
1: Prior to entering the relationship, did management: confirm alignment with business strategy; analyze strategic risk; perform risk/reward analysis; and review its ability to provide adequate oversight and management on an ongoing basis?
2: Can the third-party’s activities be viewed as predatory, discriminatory or abusive?
3: Does your compliance regime include: policies and procedures to help manage third-party relationships; proper internal controls; training; monitoring; and auditing procedures to ensure consistent and ongoing compliance?
4: Was adequate due diligence conducted that included a review of all available information about the third-party (e.g. financial condition, reputation, knowledge of laws, complaints, operations and controls, internal controls and marketing materials)?
5: Are expectations and obligations of both the company and the third-party outlined in a written contract prior to entering the relationship?
6: Does the board of directors review and approve any material third-party relationships?
7: Does the contract outline fees to be paid, management information reports, audit rights, limits on the use of consumer information, exclusivity language and the complaint management process; specify the circumstances that constitute default and the dispute resolution process; and provide indemnification provisions?
8: Did the board initially approve the third-party relationship and does it review each significant third-party relationship on at least an annual basis?
9: Is there a process to verify the third-party’s operations are consistent with the written agreement and that risks are being controlled?
10: Does management allocate sufficient qualified staff to monitor significant third-party relationships and provide necessary oversight (and are these activities reported to the board of directors or designated committee)? What is the frequency of exceptions and how are they analyzed/documented/reported to management? When applicable, are you comparing and analyzing the third-party’s sales patterns?
Obviously, the use of third-parties can be a powerful and effective way for a business to achieve its strategic goals. This may be one of the key reasons why third-parties are still one of the leading indicia of bribery and corruption. Every compliance program should regularly review its third-party service providers and evaluate internal policies and procedures to ensure compliance.
Three Key Takeaways
As it made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement action continued this trend: although there was no evidence that bribes were paid or offered in violation of the FCPA, the poor internal compliance controls at BHP led to a $25MM fine. Kara Brockmeyer, the former Chief of the FCPA Unit in the SEC’s Division of Enforcement, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including the internal controls provisions of the FCPA. It would seem that the reason is straightforward: a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.
What can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Internal Controls Framework as your starting point.
As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form, on some type of expense reimbursement form. This is mandatory for IRS reporting, so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Do any personnel from accounts payable review and approve that expenses have the requisite receipts attached? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?
Now, if an employee has submitted expenses for activities that occurred outside the US, were any foreign government officials involved? Were those recipients of any such gift, travel or entertainment identified on the expense reimbursement form? Was the business purpose of the meal, gift or entertainment recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.
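The aggregation questions just posed, together with Howell’s points above on the “Government Official Y/N” column and on splitting a gift to stay under a dollar limit, can be expressed as detect controls run over expense-report data. The following Python is an added example, not code from the original posts or from Workiva; the $100 limit, the 7-day aggregation window, the field names and the expense lines are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumed policy values (constructed for this example, not taken from any company policy).
GIFT_LIMIT = 100.00        # per-gift limit above which senior approval is required
SPLIT_WINDOW_DAYS = 7      # items to the same recipient within this window are aggregated


@dataclass
class ExpenseItem:
    """One line of an expense report, including the 'Government Official Y/N' column."""
    item_id: str
    employee: str
    submitted: date
    amount: float
    recipient: str
    government_official: bool
    business_purpose: str   # free text; empty means not recorded on the form
    attendees: str          # names and affiliations; empty means not recorded
    preapproval_ref: str    # reference to a recorded pre-approval; empty means none


# Constructed sample expense lines (hypothetical employees and recipients).
SAMPLE_ITEMS = [
    ExpenseItem("E1", "alice", date(2017, 3, 1), 60.00, "Dr. Li", True,
                "product briefing dinner", "Dr. Li (hospital director)", "PA-17-003"),
    ExpenseItem("E2", "alice", date(2017, 3, 3), 55.00, "Dr. Li", True,
                "", "Dr. Li (hospital director)", ""),
    ExpenseItem("E3", "bob", date(2017, 3, 5), 250.00, "Acme Ltd buyer", False,
                "contract signing dinner", "J. Smith (Acme Ltd)", "PA-17-010"),
    ExpenseItem("E4", "alice", date(2017, 4, 20), 40.00, "Dr. Li", True,
                "sample delivery", "Dr. Li (hospital director)", "PA-17-021"),
]


def missing_documentation(items):
    """Government-official items with blank required fields: the reviewer cannot
    sign off that business purpose, attendees and pre-approval are documented."""
    findings = []
    for it in items:
        if not it.government_official:
            continue
        required = (("business_purpose", it.business_purpose),
                    ("attendees", it.attendees),
                    ("preapproval_ref", it.preapproval_ref))
        gaps = [name for name, value in required if not value.strip()]
        if gaps:
            findings.append((it.item_id, gaps))
    return findings


def aggregate_by_official(items):
    """Total spend per government official across all employees and reports."""
    totals = defaultdict(float)
    for it in items:
        if it.government_official:
            totals[it.recipient] += it.amount
    return dict(totals)


def detect_splitting(items, limit=GIFT_LIMIT, window_days=SPLIT_WINDOW_DAYS):
    """Find sub-limit items from one employee to one recipient that, within the
    window, add up to the limit or more: the pattern that defeats a per-item
    dollar threshold. Returns at most one finding per employee/recipient pair."""
    groups = defaultdict(list)
    for it in items:
        if it.amount < limit:                  # only items that individually pass
            groups[(it.employee, it.recipient)].append(it)
    findings = []
    for (employee, recipient), grp in groups.items():
        grp.sort(key=lambda i: i.submitted)
        for start, first in enumerate(grp):
            run = [x for x in grp[start:]
                   if (x.submitted - first.submitted).days <= window_days]
            total = round(sum(x.amount for x in run), 2)
            if len(run) > 1 and total >= limit:
                findings.append((employee, recipient, [x.item_id for x in run], total))
                break
    return findings
```

On the sample lines, E2 is flagged for a blank business purpose and missing pre-approval, Dr. Li’s aggregate spend is $155 across three reports, and E1 plus E2 are flagged as a $115 gift split into two sub-limit items two days apart, while E4 falls outside the window.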
You can take this exercise through each of the five objectives under the COSO 2013 Internal Controls Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example, you can recommend that procedures be written for all key compliance areas in which there are currently no procedures, and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced. Through this you can move from having detect controls in place to having prevent controls, whenever possible.
As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise; this does not mean that it is easy, and you do have to work at it so that you do not simply have a paper, “check the box” program. But using the excuse that you have limited resources is simply an excuse, and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls you do not have and need to institute.
Three Key Takeaways
In this episode, I visit with Melanie Johnson, co-founder of Elite Online Publishing, which aids entrepreneurs, business leaders, and professional athletes to create, publish, and market their books, to build their business and brand. Melanie talks about her professional journey which led to this venture and how her career in broadcasting gave her a unique understanding for the world of online publishing. She discusses using your skills and passion to develop your own business.