FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Jul 18, 2017

In this episode, I consider the leadership lessons which can be drawn from our 7th President, Andrew Jackson. I focus largely on the crisis surrounding the charter of the Second National Bank of the United States, which played out over 5 years, from 1831 to 1836. This conflict pitted Jackson against most of the nation’s political and financial elites, most prominently Nicholas Biddle, the President of the Bank. However, the great politicians of the day, including Henry Clay and Daniel Webster, were lined up against President Jackson as well.

The crisis came to a head in the summer of 1832 when both the House and Senate passed a bill renewing the charter of the Second Bank of the US early. Not only did Jackson veto the bill and give one of the most memorable veto addresses of any President, he then took on Biddle directly, first by removing persons in the administration and government who were pro-Bank and pro-Biddle. In the coup de grace for the Bank, Jackson removed the gold specie from the Bank and moved it into state banks across the country. Jackson won the battle completely. His actions were not without negative consequence, as the distribution of the specie across the country led to rampant inflation and the Panic of 1837. However, by that time Jackson had departed the Presidency, and the fallout was left to his successor, Martin Van Buren.

Jul 18, 2017

Today I want to look at internal controls for third parties. One of the questions that GSK faced during the bribery and corruption investigation of its Chinese operations is how an allegedly massive bribery and corruption scheme could have occurred. The dollars paid out went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions under the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Where were the appropriate internal controls? You might think that a company as large as GSK, and one that had gone through the wringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA), would have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, as follows: “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they must give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and the indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in ‘sales expenses’, including travel costs and fees for sales meetings, marketing ‘business development’ and ‘other expenses’. Most of the largest expenses were travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.”

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment, and the internal controls will follow from the definition or criteria set by the company. These criteria would include the amount of the spend, localized for areas of increased risk, such as the higher risk recognized in China. Within this context, there are four general internal controls to consider. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) confirming that the gift had a proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?

Below are 10 specific inquiries you can make regarding your compliance internal controls specific to third parties.

1: Prior to entering the relationship, did management: confirm alignment with business strategy; analyze strategic risk; perform risk/reward analysis; and review its ability to provide adequate oversight and management on an ongoing basis?

2: Can the third-party’s activities be viewed as predatory, discriminatory or abusive?

3: Does your compliance regime include: policies and procedures to help manage third-party relationships; proper internal controls; training; monitoring; and auditing procedures to ensure consistent and ongoing compliance?

4: Was adequate due diligence conducted that included a review of all available information about the third-party (e.g. financial condition, reputation, knowledge of laws, complaints, operations and controls, internal controls and marketing materials)?

5: Are expectations and obligations of both the company and the third-party outlined in a written contract prior to entering the relationship?

6: Does the board of directors review and approve any material third-party relationships?

7: Does the contract outline the fees to be paid, management information reports, audit rights, limits on the use of consumer information, exclusivity language, a complaint management process, the circumstances that constitute default, a dispute resolution process, and indemnification provisions?

8: Did the board initially approve the third-party relationship and does it review each significant third-party relationship on at least an annual basis?

9: Is there a process to verify the third-party’s operations are consistent with the written agreement and that risks are being controlled?

10: Does management allocate sufficient qualified staff to monitor significant third-party relationships and provide necessary oversight (and are these activities reported to the board of directors or designated committee)? What is the frequency of exceptions and how are they analyzed/documented/reported to management? When applicable, are you comparing and analyzing the third-party’s sales patterns?

Obviously, the use of third-parties can be a powerful and effective way for a business to achieve its strategic goals. This may be one of the key reasons why third-parties are still one of the leading indicia of bribery and corruption. Every compliance program should regularly review its third-party service providers and evaluate internal policies and procedures to ensure compliance.

Three Key Takeaways

  1. GSK in China continues to be an example of the lack of internal controls in an otherwise well-resourced compliance program.
  2. Review the general areas of compliance internal controls over third parties.
  3. Third parties are still the highest risk of corruption related issues.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 17, 2017

As it made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement action continued this trend: although there was no evidence that bribes were paid or offered in violation of the FCPA, the poor internal compliance controls at BHP led to a $25MM fine. Kara Brockmeyer, the former Chief of the FCPA Unit in the SEC’s Division of Enforcement, reiterated that the SEC was committed to protecting investors in US public companies, and in those which list other securities in the US, through enforcement of the accounting provisions, including the internal controls provisions of the FCPA. The reason would seem to be straightforward: a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.

What can you do around the FCPA’s requirements for internal controls and the current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you use the COSO 2013 Internal Controls Framework as your starting point.

As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form, on some type of expense reimbursement form. This is mandatory for IRS reporting, so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Do any personnel from accounts payable review and approve that expenses have the requisite receipts attached? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?

Now, if an employee has submitted expenses for activities that occurred outside the US, were any foreign government officials involved? Were the recipients of any such gift, travel or entertainment identified on the expense reimbursement form? Was the business purpose of the meal, gift or entertainment recorded? Can you aggregate the monies spent on any one foreign official, or by a single employee, in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.

You can take this exercise through each of the five objectives under the COSO 2013 Internal Controls Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls in your anti-corruption compliance program. This can lead to remedial steps that you can take. For example, you can recommend that procedures be written for all key compliance areas in which there are currently no procedures, and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced. Through this you can move from having detect controls in place to having prevent controls, whenever possible.

As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you will not simply have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse, and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls you do not have and need to institute.

Three Key Takeaways

  1. Learn the internal controls your company currently has in place.
  2. Map your compliance internal controls to the COSO 2013 Framework.
  3. Use your gap analysis as a basis for remediation.

Jul 17, 2017

In this episode, I visit with Melanie Johnson, co-founder of Elite Online Publishing, which aids entrepreneurs, business leaders, and professional athletes to create, publish, and market their books, to build their business and brand. Melanie talks about her professional journey which led to this venture and how her career in broadcasting gave her a unique understanding of the world of online publishing. She discusses using your skills and passion to develop your own business.

Jul 15, 2017

This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:

  1. HSBC monitor report protected from release. See the article in Reuters.
  2. The Odebrecht scandal continues to resonate across South America. See Dick Cassin’s post in the FCPA Blog.
  3. The first half of 2017 has brought the final resolutions of only two FCPA matters from the new administration, but they were both declinations. Both declinations have significantly strengthened the FCPA Pilot Program as a clear path forward for every company that finds itself in FCPA hot water. See Tom’s article in Compliance Week.
  4. Roy Snell says it’s not who’s who but who gets it. See article in SCCE Compliance and Ethics Blog.
  5. Tom announces the rollout of the Compliance Podcast Network. It includes This Week in FCPA, FCPA Compliance Report, Compliance Report-International Edition, 12 O’Clock High, Unfair and Unbalanced, Compliance into the Weeds, Across the Board, Everything Compliance, One Month to a More Effective Compliance Program. See Tom’s article in the FCPA Compliance and Ethics Blog.
  6. The next Everything Compliance podcast is in production. Topics include Walter Shaub’s departure from OGE and does it even matter? Jesse Eisinger’s book The Chickenshit Club; the SFO, UK Bribery Act and the Rolls-Royce enforcement action; differences in DPA practice in the US & UK; Trump Administration & FCPA enforcement; EU’s GDPR; and Hui Chen’s departure from the Justice Department, both her public rebuke of Trump and the substance of how she believes her guidance has been mis-interpreted. Part I will go up on Thursday, July 20.

Jul 14, 2017

A gap analysis is a method of assessing the differences in performance of a business’ internal controls to determine whether business requirements are being met and, if not, what steps should be taken to ensure they are met successfully. Moreover, it is a determination of the degree of conformance of your organization to the requirements of an internal controls standard. A gap analysis is mainly a document review or a “show me the evidence” type activity, evidence which usually will come in the form of a record or document. During a gap analysis, some auditing is accomplished, through key stakeholders providing the evidence they may have (or not) for each of the requirements set forth in the relevant internal controls standard.

Gap analyses are very often conducted at the beginning of the journey of an organization seeking compliance with an internal controls standard, or can be used as the basis for internal controls enhancement. Interestingly, this can lead to more or even fewer internal controls, as sometimes in the realm of internal controls, less is more. The primary reason why a gap analysis is conducted at the beginning of the development phase, or after some development has occurred, is that the organization wants to know where it stands regarding meeting the relevant internal controls standard and wants to know specifically what it needs to do to close the gaps. Companies need to understand where their gaps in internal controls are located, how large those gaps might be and what they need to do to close those holes and get closer to fully meeting the requirements of the chosen specification or standard.

Gap analysis is a technique that can be used to assess if an enterprise can meet its needs using its present capabilities. The capabilities that may be examined for improvement include staff competencies, facilities, applications, technical infrastructure, processes and lines of business; all with an eye towards (1) improving the compliance environment and (2) operationalizing compliance into the functional business units.

Miriam Boudreaux posed the following, “Imagine a situation where you have been asked to improve the performance or efficiency of a particular unit of an organization. You have no clue whatsoever as to what set of factors is the real cause of the degraded performance you have been asked to improve. Identifying the gap between what is expected and what you are delivering, that is, the difference between the current state and the future state, is referred to as “Gap Analysis”.” 

She goes on to state that a “gap analysis can be defined in a number of ways, which more or less point towards the same meaning: 

  1. It is the process through which a company compares its current or actual performance to its expected performance to determine whether it is meeting its objectives and using its resources effectively.
  2. It is a technique that businesses use to determine what steps need to be taken in order to move from their current states to their desired future states.

From both definitions, it is evident that gap analysis is a technique that can help a business reach its peak eventually. By defining and analyzing gaps, a project team can create an action plan to move the business forward and fill performance gaps.” 

After the completion of the gap analysis there should be a report which presents a clear summary of where the major gaps exist between the company’s documentation and the internal controls requirements. It also should give a detailed account of each requirement and the degree of compliance, with corresponding actions that need to be taken to close these gaps. Here lies a major difference between an audit report, for example, and a gap analysis report: the gap analysis report has some inherent advice in it, which makes it suitable to be prepared by consultants or experts in the chosen specification or standard.

Another way to consider a gap analysis is the steps you should take. These include: 

  1. Accurately defining the future goals: If you are not clear about the organization’s goals, all your efforts will be in vain. The first and foremost thing to be done is to identify what exactly the goals of the business are and the changes needed to achieve these goals. If the goal is not clear, the improvement exercise will keep on deviating from its desired path.
  2. Identifying the current scenario and associated issues: To reach the place you desire, you should first assess where you are located in your internal controls regime. For example, a failure to see the real reason behind the poor compliance performance of your business units may affect profit and growth in the long run. At this stage, the analyst may organize brainstorming sessions, employee interviews and document review sessions to gain insight into present challenges. Only after a comprehensive definition of present challenges can one get a clear picture of the situation.
  3. Devising the action plan: Now that you know the present and future expectations, you can think of the how factor, which is in the form of a plan. How will you implement the action plan to close the identified gaps? The solutions may include several steps like hiring more employees, procuring extra machines and equipment, offering perks and incentives to get the best out of employees and so on.
  4. Report: Finally, you will want to report your findings with the appropriate data and analysis presented. To do this, you may wish to use our gap analysis report template. In your report, you will include things like the background of the company and analysis, problems that have occurred, and even reasons for undertaking the analysis. Then, you will present your findings, showing the strategic objectives, current standing, deficiencies, and whether the current situation is acceptable. If the situation is unacceptable, you will present a course of action for improvement. Finally, all your analysis will be backed up with the data gathered during the analysis.

Three Key Takeaways

  1. Be prepared to require evidence from key stakeholders.
  2. Use a multistage approach to a gap analysis.
  3. To get to where you want to be, you have to know where you are.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 13, 2017

Today, I consider some ways in which a compliance professional can work to implement internal controls in a multi-national organization. The first step is to convert your company’s compliance risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls which meet the objectives. This process should allow more of a fine-tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt, and it will give the business unit a sense of buy-in and participation in the process.

One example of how the process might work is the situation where the compliance risk is that a third-party representative may be paid for an invoiced amount before that third-party representative has gone through your company’s full third party approval process. Here your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP, where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file into which the date the vendor is approved is inserted, and by programming the requirement that the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into a form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’, that is, sign off by a second person, such as the controller. Through this mechanism you have created a primary control through your third party approval process and validated that process if a change is made.

What if your location or business unit involved does not have a sophisticated ERP system such as SAP, for instance if QuickBooks is used at another location? Then the control objective could be satisfied by using a similar form for changes to the vendor master file, combined with the requirement that a report of all changes is printed and submitted to both check signers, along with the applicable approved vendor change request.
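The two variants above (an ERP that refuses to generate a check for an unapproved vendor, and a simpler system that relies on a printed change report for both check signers) share one control objective. The Python model below is an added illustration, not code from the podcast, from SAP or from QuickBooks: it gates payment on a populated approval date, requires two distinct signers to populate that date, and keeps the change log the check signers would review. Vendor names, user ids, dates and amounts are constructed sample data, and the extra check that an invoice cannot predate the approval date is an assumption added here, not something the page states.

```python
"""Vendor-master gating of payments with a two-person change control.

Illustrative model of the control objective: no vendor is paid until its
approval date is populated, and populating that date needs a second signer.
All identifiers and values are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""


@dataclass
class Vendor:
    vendor_id: str
    name: str
    approved_on: Optional[date] = None  # populated only after due diligence


@dataclass
class VendorMaster:
    vendors: dict = field(default_factory=dict)
    change_log: list = field(default_factory=list)  # audit trail for check signers

    def add_vendor(self, vendor_id: str, name: str) -> Vendor:
        """Vendors may be entered, but enter the file unapproved."""
        v = Vendor(vendor_id, name)
        self.vendors[vendor_id] = v
        return v

    def set_approval(self, vendor_id: str, approved_on: date,
                     initiated_by: str, countersigned_by: str) -> None:
        """'Second set of eyes' control: the due-diligence owner initiates,
        and a different person (e.g. the controller) must countersign."""
        if initiated_by == countersigned_by:
            raise ControlViolation("approval requires two distinct signers")
        v = self.vendors[vendor_id]
        v.approved_on = approved_on
        self.change_log.append({
            "vendor_id": vendor_id, "field": "approved_on",
            "new_value": approved_on.isoformat(),
            "initiated_by": initiated_by, "countersigned_by": countersigned_by,
        })

    def issue_check(self, vendor_id: str, amount: float, invoice_date: date) -> dict:
        """Preventive control: the payment run refuses any vendor whose approval
        date is empty. The invoice-date comparison is an added assumption."""
        v = self.vendors[vendor_id]
        if v.approved_on is None:
            raise ControlViolation(f"{vendor_id}: vendor not approved, payment blocked")
        if invoice_date < v.approved_on:
            raise ControlViolation(f"{vendor_id}: invoice predates approval, payment blocked")
        return {"payee": v.name, "amount": amount}

    def change_report(self) -> list:
        """Change report to be printed for both check signers where no ERP
        enforces the gate automatically (the QuickBooks variant)."""
        return list(self.change_log)


def demo() -> dict:
    """Walk through the control with constructed data and report the outcome."""
    vm = VendorMaster()
    vm.add_vendor("V-1001", "Example Agency Ltd")  # constructed vendor
    blocked = 0
    try:  # payment attempted before approval: must be refused
        vm.issue_check("V-1001", 12_500.00, date(2017, 7, 1))
    except ControlViolation:
        blocked += 1
    try:  # same person initiating and countersigning: must be refused
        vm.set_approval("V-1001", date(2017, 7, 10), "dd_owner", "dd_owner")
    except ControlViolation:
        blocked += 1
    vm.set_approval("V-1001", date(2017, 7, 10), "dd_owner", "controller")
    check = vm.issue_check("V-1001", 12_500.00, date(2017, 7, 15))
    return {"blocked": blocked, "check": check, "changes": len(vm.change_report())}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the placement of the control: the refusal happens inside the payment path, so a missing approval cannot be worked around by a later detective review, while the change log remains available for the signers who review it where no such automated gate exists.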

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls. What happens when the compliance function receives push back and is told the controls are too burdensome and will also make operations less efficient? Many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money.

One of the tools available to a compliance professional is benchmarking against other companies’ compliance experiences. This can be expanded into solid presentations about why it is important to assess and mitigate compliance risks, using your corporate peers that have been the subject of a Foreign Corrupt Practices Act (FCPA) enforcement action. These are some of the best sources of information a compliance practitioner can avail himself or herself of, providing good insight into why it was never expected that the company would be subject to FCPA enforcement and into the extreme disruption, cost and anxiety which accompanied the enforcement actions.

The premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost benefit analysis. If the selling is done after at least a basic risk analysis, then it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs. 

Another key factor, as with all compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for compliance-focused internal controls to your company’s Executive Leadership Team, Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating compliance and fraud risks. Some of these might include the following: 

  • Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
  • Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
  • With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
  • As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
  • It may be possible to build in more electronic controls, which can replace existing manual controls. 

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes Oxley (SOX) compliance, and the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies that the internal controls are effective? How should such a situation be dealt with, or conversely, how might a compliance professional respond?

There are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. As to scope, the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to the FCPA. An example is internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. They also do not address whether the agent’s invoice was reviewed for a proper description of business purpose and for consistency with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls itself is not enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement. 

Good compliance internal controls are not some standalone protective measure. They can help to make a company run more efficiently, as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies, because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the key ways such companies do seem to have better than average profitability is that they have better internal controls.

Three Key Takeaways

  1. Convert your compliance risks into internal control objectives.
  2. As with many components of a best practices compliance program, tone at the top is critical.
  3. If you receive pushback from the business folks, always remember, good internal controls make for a better run, more efficient and more profitable business.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 13, 2017

In this episode I visit with Carlos Ayers on steps you can take to make your compliance program more effective for employees in Latin America. This includes such things as localizing your training and presentations, consideration of local laws, use of language and regionalizing your approach.

Jul 12, 2017

Next, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparation of the risk assessment, the next step is to prioritize the list of risks and the locations in which they are common. This begins by mapping existing internal controls to risks and then assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the risk assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets, while a company which sells exclusively through local distributors might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.
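The weighting, composite scoring and control-mapping steps above, as an added example that is not code from the original post: a small Python risk register that scores each location, ranks them, and reports the high-scoring risk elements that have no mapped control (the gap analysis). The risk elements, weights, locations, ratings and control names are constructed assumptions, not figures from the page.

```python
"""Location risk scoring and control gap analysis (added example, not from the
original post). All weights, locations, ratings and control mappings below are
constructed sample data."""
from dataclasses import dataclass, field

# Risk elements from the assessment, each with a company-specific weight
# (assumed). A construction company might weight movable fixed assets higher;
# a company selling through local distributors might weight the sales
# function higher.
WEIGHTS = {
    "third_party_sales": 3.0,
    "movable_fixed_assets": 1.0,
    "government_customers": 2.0,
    "petty_cash": 1.0,
    "local_bank_account": 1.5,
}


@dataclass
class Location:
    name: str
    ratings: dict                 # element -> inherent risk rating 1 (low) .. 5 (high)
    controls: dict = field(default_factory=dict)  # element -> existing controls


def individual_scores(loc, weights=WEIGHTS):
    """Weighted score per risk element: rating * weight."""
    return {el: loc.ratings.get(el, 0) * w for el, w in weights.items()}


def composite_score(loc, weights=WEIGHTS):
    """Composite risk score for the location (sum of weighted element scores)."""
    return sum(individual_scores(loc, weights).values())


def prioritize(locations, weights=WEIGHTS):
    """Locations ordered from highest to lowest composite risk."""
    return sorted(locations, key=lambda l: composite_score(l, weights), reverse=True)


def control_gaps(loc, weights=WEIGHTS, threshold=6.0):
    """Risk elements whose weighted score reaches the threshold but that have no
    existing control mapped to them; these are the gaps to close first."""
    return sorted(el for el, s in individual_scores(loc, weights).items()
                  if s >= threshold and not loc.controls.get(el))


def gap_report(locations, weights=WEIGHTS, threshold=6.0):
    """Gap list per location, in priority order."""
    return {loc.name: control_gaps(loc, weights, threshold)
            for loc in prioritize(locations, weights)}


# Constructed sample locations (not real data).
LAGOS = Location(
    "Lagos",
    {"third_party_sales": 5, "movable_fixed_assets": 2, "government_customers": 4,
     "petty_cash": 4, "local_bank_account": 3},
    {"third_party_sales": ["agent due diligence and written contract"],
     "petty_cash": ["monthly count by corporate finance"]},
)
SAO_PAULO = Location(
    "Sao Paulo",
    {"third_party_sales": 4, "movable_fixed_assets": 1, "government_customers": 3,
     "petty_cash": 5, "local_bank_account": 4},
)
TORONTO = Location(
    "Toronto",
    {"third_party_sales": 1, "movable_fixed_assets": 3, "government_customers": 2,
     "petty_cash": 1, "local_bank_account": 2},
)
SAMPLE_LOCATIONS = [TORONTO, LAGOS, SAO_PAULO]

if __name__ == "__main__":
    for loc in prioritize(SAMPLE_LOCATIONS):
        print(f"{loc.name}: composite {composite_score(loc):.1f}, "
              f"gaps {control_gaps(loc) or 'none'}")
```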

One of the biggest risks under the FCPA is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts, it presents a high compliance risk. The Securities and Exchange Commission FCPA enforcement action against Smith & Wesson (S&W) was just such a situation, where a newly emerging international sales operation was executed through third party agents. 

The compliance function should understand the corporate or business unit controls over the international business generally, in addition to the necessary controls over agents. Some of the questions you might consider are the following. Is there a US based International Sales Manager who is responsible for growing the international business? What is the incentive compensation plan? How good is the segregation of duties? In other words, can the International Sales Manager unilaterally make high-risk decisions, or must a senior officer of the business unit or the corporate home office be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are all of these internal controls documented? 

What about a situation opposite to the above scenario, where your company’s primary sales channel uses a US based sales force which only travels to locations outside the US for temporary visits of generally short duration? This situation minimizes some compliance risks, retains some compliance risks, and shifts some other compliance risks. The minimized compliance risks come from the lessened reliance on third parties, so that a company, at least in theory, would have more control over its own work force than over those employed outside your company. 

The retained risks are the risks associated with gifts, entertainment, hospitality, and travel, approval of credit terms to customers, product pricing, special arrangements with customers such as providing product samples, knowing who the ultimate customer is and where the goods are ultimately shipped, and use of freight forwarders and customs agents. The shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared. 

These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or compliance policy and training on said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that define exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs. 

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal control over financial reporting, and could be useful for companies designing compliance internal controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal control and includes various scenarios which illustrate several practical examples of how the templates may be used. 

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that, even if an employee saw inappropriate behavior, it would not be expected that the employee would make any report or comment. Such situations can have a huge impact on your internal controls environment. 

Three Key Takeaways

  1. Third party risks are still your highest risks under the FCPA so use your internal controls appropriately to help prevent this risk from becoming a violation.
  2. Use mapping and a gap analysis to collate risks to existing controls.
  3. Always consider the regional and geographic variances.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 12, 2017

In an article entitled, 12 Leadership Qualities of An Often-Overlooked President, Matt Myatt, writing in forbes.com online, reviewed the leadership qualities of John Adams as laid out in David McCullough’s Pulitzer Prize winning biography, appropriately entitled John Adams. Adams’ presidency was glossed over with little more than a brief mention, most probably because he was President between two of our more memorable presidents – Washington and Jefferson. Samuel Eliot Morison once said that history teaches us how to behave and Adams provides a great example of it. The following list contains 12 qualities that made him a great man and a great leader: 

  1. He valued education. He began his education at college when he was fifteen and he never lost his curiosity. He passed this tenet to his children, stressing education to them and playing a large role in their learning. The more Adams thought about the future of America, the more he was convinced it was through education. 
  2. He strove for a good reputation. As a young lawyer, Adams knew he would get nowhere without a good reputation. The same is even more so today. 
  3. He loved his wife. McCullough’s book made clear the love story that was John and Abigail Adams. As much as he was apart from his wife, the more he sought her counsel. The benefit for the historian and for us is that such counsel came through correspondence preserved for posterity. Adams never operated in a bubble and neither should you. 
  4. He fought for what was right. Adams knew that defending the British soldiers involved in the Boston Massacre would harm his reputation, and it did, but it was also the right thing to do. 
  5. He was a great communicator. This surprised me a bit as I had always thought this was a weakness of Adams. Yet he made himself into both a great writer and speaker, through study of the Classics. 
  6. He recognized his weaknesses and brought in others to fill those talent gaps. When Adams found himself in a situation where he felt inadequate, he did one of two things: recommend someone else or, if that was not possible, learn what he had to and then work diligently to achieve the desired outcome. 
  7. He could spot talent. This is perhaps where Adams shined the brightest, as Adams was the first to submit George Washington’s name for general of the Continental Army, a post being clamored for by many. He also recruited the pen of Thomas Jefferson to draft the Declaration of Independence and the wisdom of Benjamin Franklin to help edit it.
  8. He had physical courage. Leaders should always stand up for others and exhibit courage in the face of danger, and Adams was no exception. Particularly during the revolutionary years, Adams demonstrated great personal courage.
  9. He had unwavering integrity. Many people disliked Adams for his political views, but they never could say that he was not a man of integrity. He was loyal to a fault to those he called friends. 
  10. He had perseverance. Adams was in the long line of hearty and dogged New Englanders. When he was a diplomat he found it did not suit him, but he persevered and helped negotiate favorable treaties for the colonies and later the United States. 
  11. He had the ‘vision thing’. Long before it was so articulated, Adams was able to articulate a vision for the fledgling colonies as an independent nation that many others could not. Being able to see the bigger picture is a trait that leaders must possess if they are going to be successful in the long run. 
  12. He was a true public servant. The public career of John Adams can be described as nothing other than service beyond self. Adams believed in something bigger – he literally gave his life so that every American might have the freedom and liberty to live the life we choose.


Jul 11, 2017

Today, I want to discuss how to assess your internal controls regime for international operations. It is incumbent on you to review as much information as you can to understand the financial and operational structure of an entity and how the financial and operational structure outside the US is integrated with the corporate headquarters, or with the US business unit’s financial and operational structure if the foreign operation is part of a US business unit. 

You could begin with the Transparency International (TI) Corruption Perceptions Index (CPI) to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your operations at a location outside the US. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third party representatives are coming into a commercial relationship with your company through your supply chain. 

Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the US; whether the account has local check signers; and whether dual signatures are required on the checks. You may also want to consider the extent to which local disbursements are made in local currency and, of course, whether there is a local petty cash fund. 

As with many other areas around internal controls, it is important to consider the local Delegation of Authority (DOA) and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or US business unit approvals are required for transactions initiated locally, such as: (1) approval of vendor invoices; (2) disbursements of funds, including wire transfers; (3) execution of facilities leases; (4) execution of contracts with agents; and (5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate segregation of duties at the local business unit level. 

You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment to customers? Are products drop shipped from the US directly to the customers of the local operation? Are products drop shipped to distributors for delivery to the ultimate customer? 

Hopefully you are already doing the above but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and if so, what were the results of the investigation? In the area of customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities. 

If there has not been a sufficient assessment of controls, the compliance professional must then decide how best to determine whether the local controls are sufficient to satisfy the requirements of the FCPA, accurately reflect all transactions and prevent concealment of improper transactions. One of these considerations is inadequate segregation of duties, because separating responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable). Further, the employee who prepares the deposit should not post the receipts to the customer accounts.

You should look to see if there is inappropriate access to assets. If there is, internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms, and update applications. This means that an employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises. 

It is not necessary to prove that a bribe was paid in order to have an enforcement action against a company for violation of the internal controls provisions of the FCPA. In the SEC enforcement action against Smith & Wesson, that was the situation. It was this lack of effective internal controls, not the payment of a bribe, which was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals. 

Such a situation could arise in several different scenarios. The first is where an account manager's signature attests to the accuracy of the payroll voucher information, but the account manager does not have assurance that the supporting time records are accurate; the approval process then lacks substance. Other examples are where a supervisor approves expense reports but routinely does not look at the supporting documentation; whether a Country Manager truly provides a control as an approver; or where the Country Manager or the local Finance Manager has the ability to conceal the true nature of transactions without detection by anyone else. 

Another important area involves sales and compensation for the international business unit in question. On the sales side of the equation, you review the three-year historical sales for the location and the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation, such as what the sales incentive compensation plan is for local sales personnel and for the Country Manager, as this inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe in order to win a contract which results in a large sales incentive compensation to the employee.

All of these reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud, and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the Fraud Triangle, which lays out the breeding ground for fraud in the corruption context: 

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization – a fraud perpetrator always rationalizes that he / she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity – the perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment. 

Three Key Takeaways

  1. You must understand the financial and operational structure of your company and how the financial and operation structure outside the US is integrated with the corporate headquarters.
  2. Are your financial statements and reporting systems integrated?
  3. Always consider the fraud triangle.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 11, 2017

In this episode, Matt Kelly and I take a deep dive into the 4th of July weekend use of the New Jersey beaches by Governor Chris Christie. Governor Christie had closed the beaches in a budget dispute but was still able, as Governor, to give himself and his family full access to the now wide open beaches on the recently passed holiday weekend. We consider Governor Christie’s example of undeserved privilege in the context of ethical leadership and tone at the top. Matt draws upon his Catholic school education to remind us that undeserved privilege is private law, as “privilege” comes from the Latin privus, private; and lex, law. It’s a private law that benefits only one person, who doesn’t deserve it. 

Read more about the issue and Matt’s thoughts on his blog post Tone at the Top Gone Wrong: The Christie Example.

Jul 10, 2017

Next, I want to consider some of the issues around internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. This also provides an opportunity to further operationalize your compliance program through internal controls more narrowly tailored to mirror your business practices. 

Every Chief Compliance Officer (CCO) should consider the entity-wide internal controls of the company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance. 

While a CCO should expect (or at least hope) that internal controls at locations outside the US are of the same effectiveness as internal controls within US business units and at the US corporate office, unfortunately that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. There may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which do not include all controls needed for compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability. 

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, it is not often the situation in which there was a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel, which in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for compliance risk. 

The next area for inquiry is where a CCO should begin in any of the above scenarios. The initial first step is to determine the extent of centralization or decentralization of relevant processes or, put another way, to what extent relevant processes are performed at the corporate offices. In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator. 

The first step for the CCO is to determine the possible universe of risks and to assess them so as to prioritize where attention will be focused. One useful approach is performing a Location Risk Assessment, whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks. 

Three Key Takeaways

  1. Modifying your internal controls can work to more fully operationalize your compliance program.
  2. Check the effectiveness of your internal controls for your international locations.
  3. Revisit your internal controls when a country or region experiences large growth or other disruption.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 10, 2017

The issue of beneficial ownership is one which still bedevils many compliance professionals. Today, I visit with Brian Alster, Dun & Bradstreet’s Global Head of Supply and Compliance about the problem this issue continues to raise in the anti-corruption compliance space. Beneficial ownership is a critical inquiry for financial institutions and financial services companies but is becoming more important to non-financial commercial corporations. KYC is a well-worn phrase in the financial industry and Alster explains how it is becoming more important to the anti-bribery compliance specialist.

Alster discusses the new D&B service; D&B Beneficial Ownership, a solution that delivers quick and reliable data for actionable management of regulatory compliance. D&B Beneficial Ownership provides companies a fast and comprehensive picture of corporate hierarchy with entity and individual level share ownership based on Dun & Bradstreet’s 265 million verified business records. D&B Beneficial Ownership capabilities can be easily embedded into companies’ current workflows to help accelerate due diligence and ensure regulatory compliance. 

You can learn more about this service, D&B Beneficial Ownership by visiting: http://www.dnb.com/products/corporate-compliance/beneficial-ownership.html

Jul 7, 2017

This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance related stories, including: 

  1. U.S. charges top Colombia anti-graft prosecutor with money laundering. See article by Dick Cassin in the FCPA Blog.
  2. US Supreme Court may finally settle one of the fiercest debates arising from the Dodd-Frank Act: What is a whistleblower and when are they protected against corporate retaliation? See Joe Mont’s article in Compliance Week.
  3. Alstom obtains ISO 37001 certification but does it mean anything?
  4. Benefits of FCPA Pilot Program becoming clear after two 2017 declinations. See article by Jaclyn Jaeger in Compliance Week.
  5. Head of federal government ethics office to step down. See article in The Hill.
  6. At nearly the half-way mark, the Astros lead the majors with the best record. See Tom’s article on how and why in the FCPA Compliance Report.
  7. New eBook on Trump and Compliance: the First 100 Days is out. It collects the musings from the four amigos on the Everything Compliance podcast (+1). You can download your copy by clicking here.

Jul 7, 2017

There are four significant controls that he would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency. 

Your DOA should reflect the impact of compliance risk, including both transactions and geographic location, so that a higher level of approval would be required inside your company for matters involving third parties and for fund transfers and invoice payments to countries outside the US. A DOA is quite often prepared without much thought given to compliance risks, and once prepared it is not used again until it is time to update it for personnel changes. Moreover, it is often not available, not kept current, and/or does not define authority in a way the approvers can understand. Therefore, it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this, you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid. 

Furthermore, if a DOA is properly prepared and enforced, it can be a powerful preventive tool for compliance. Consider the following example: A wire transfer between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of the same amount to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the compliance function, and one officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Finally, a DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US. 

The vendor master file can be one of the most powerful PREVENTIVE control tools, largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next, manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested, or when changes to a vendor name and/or vendor payment information are submitted. 

Near and dear to my heart as a lawyer, contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts (including, for instance, the commission rate, reimbursement of business expenses, use of subagents, etc.) should be made available to those who process and approve vendor invoices. If nonconforming service descriptions or commission rates are present in a contract, the terms must be approved not only by the original approver but also by the person so delegated in the DOA. Unfortunately, contracts are not typically integrated into the internal control system. They are left off to the side on their own, usually gathering dust in the legal department file room. 

The Hewlett-Packard FCPA enforcement action was an excellent example of the lack of internal control over the disbursement of funds and movement of currency, because you had the country manager delivering bags of cash to a Polish government official to obtain or retain business. All situations where funds can be sent outside the US, including such methods as AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans and advances, should all be reviewed from the compliance risk standpoint. This means you need to identify the ways in which a country manager or a sales manager could cause funds to be transferred to their control and conceal the true nature of the use of the funds within the accounting system.

To prevent these types of activities, internal controls need to be in place. This means all wire transfers outside the US should have defined approvals in the DOA, the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA, and wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose. 
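The four controls above (DOA approvals differentiated by destination, vendor master vetting block, contract terms visible to invoice approvers, and dual approval plus business purpose for outbound wires), as an added example that is not code from the original post: a small Python evaluator that applies those rules to payment requests before release. The role names, home country, vendor records, commission rates and sample requests are constructed assumptions.

```python
"""Payment release checks built from the DOA / vendor master / contract /
cash-movement controls described above (added example, not from the original
post). Roles, countries, vendors and requests are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

HOME_COUNTRY = "US"  # assumed home country of the corporate office

# Required approver roles by destination, mirroring the DOA example above:
# domestic wire -> Finance Manager + officer; wire outside the US -> Finance
# Manager + compliance + officer.
DOA_RULES = {
    "domestic": {"finance_manager", "officer"},
    "international": {"finance_manager", "compliance", "officer"},
}


@dataclass
class Vendor:
    vendor_id: str
    risk_level: str                                 # "low" | "medium" | "high"
    vetting_approved_on: Optional[date] = None      # None = vetting not approved
    contract_commission_rate: Optional[float] = None  # from the third party contract


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    destination_country: str
    approvals: set = field(default_factory=set)     # roles that have signed off
    business_purpose: str = ""
    invoice_commission_rate: Optional[float] = None  # rate claimed on the invoice


def doa_category(country):
    """Which DOA approval tier applies to a destination country."""
    return "domestic" if country == HOME_COUNTRY else "international"


def control_exceptions(req, vendor_master):
    """Return the list of control failures for a request; empty means the
    payment may be released."""
    exc = []
    vendor = vendor_master.get(req.vendor_id)
    # Vendor master control: electronic block on unknown or unvetted vendors.
    if vendor is None:
        exc.append("vendor not in vendor master file")
    elif vendor.vetting_approved_on is None:
        exc.append("vendor vetting not approved")
    # DOA control: every role the DOA names must have approved.
    cat = doa_category(req.destination_country)
    missing = DOA_RULES[cat] - req.approvals
    if missing:
        exc.append("missing DOA approvals: " + ", ".join(sorted(missing)))
    # Cash movement controls for wires leaving the home country.
    if cat == "international":
        if len(req.approvals) < 2:
            exc.append("outbound wire requires dual approval")
        if not req.business_purpose.strip():
            exc.append("outbound wire lacks business purpose")
    # Contract control: invoice terms must match the contract the approvers see.
    if (vendor is not None and vendor.contract_commission_rate is not None
            and req.invoice_commission_rate is not None
            and req.invoice_commission_rate != vendor.contract_commission_rate):
        exc.append(f"invoice commission rate {req.invoice_commission_rate} differs "
                   f"from contract rate {vendor.contract_commission_rate}; "
                   "needs DOA-delegated approval")
    return exc


def review_batch(requests, vendor_master):
    """Exceptions per request, keyed by position in the batch."""
    return {i: control_exceptions(r, vendor_master) for i, r in enumerate(requests)}


# Constructed sample vendor master and requests (not real data).
VENDOR_MASTER = {
    "V100": Vendor("V100", "low", date(2017, 3, 1)),
    "V200": Vendor("V200", "high", None, contract_commission_rate=0.05),
    "V300": Vendor("V300", "high", date(2017, 5, 15), contract_commission_rate=0.05),
}
REQ_DOMESTIC = PaymentRequest("V100", 50000.0, "US", {"finance_manager", "officer"})
REQ_NIGERIA_MISSING = PaymentRequest("V300", 50000.0, "NG", {"finance_manager", "officer"},
                                     "Q2 agent commission", invoice_commission_rate=0.05)
REQ_UNVETTED = PaymentRequest("V200", 12000.0, "NG", {"finance_manager"},
                              invoice_commission_rate=0.08)

if __name__ == "__main__":
    for i, exc in review_batch([REQ_DOMESTIC, REQ_NIGERIA_MISSING, REQ_UNVETTED],
                               VENDOR_MASTER).items():
        print(f"request {i}: {'release' if not exc else exc}")
```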

The bottom line is that internal controls are just good financial controls. The internal controls detailed above for third party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. 

Three Key Takeaways

  1. Remember the top four internal controls for an effective compliance program.
  2. Effective internal controls should not only protect but also prevent internal program violations.
  3. Effective internal compliance controls are good financial controls.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 6, 2017

Today, New York Times columnist David Brooks’ thoughts on building and maintaining order inform our discussion on internal controls. In the area of internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a particular company. There is a clear need for rigor in your internal controls protocols, and adherence to that rigor can increase the operationalization of the internal controls a company should consider, including those around gifts, travel and entertainment (GTE). 

One area that companies need to be mindful of is corporate checks and wire transfers issued in response to falsified supporting documentation, such as check requests, purchase orders, or vendor invoices. The Delegation of Authority (DOA) is a critical internal control. So, for example, a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria could require approval by the Finance Manager, a knowledgeable person in the compliance function, and one officer. The key is that the DOA should specify who must give the final approval for such an expense. 

Petty cash disbursements in locations outside the US have unique control issues. Some petty cash funds outside the US have small balances but substantial throughput of transactions. Your DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US, including those who travel from the US to work outside the US. 

Another area for concern is travel, the reason being that a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms, etc., for non-employees. Internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated by the GlaxoSmithKline PLC (GSK) corruption enforcement action in China, a company must not discount the risk of abuse of power internally and collusion with independent travel agencies. You should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, covering not only visits to manufacturing or job sites but also any compliance restrictions that might be in place. 

An area for fraud, corruption and corporate abuse has long been Procurement cards or “P Cards”. If your company uses procurement cards, assume this to be a very high-risk area, not just for bribery and corruption but also for fraud risk generally. Banks have done a great job of selling corporations on the use of P-Cards to help facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here a control objective should be put in place along the lines of a written policy and procedures defining the acceptable and unacceptable use of company Procurement Cards, required forms, required approvals, and documentation and review requirements. 

If the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead that a check request form be used, which would be subject to stringent controls. In such cases a checklist should be completed and attached to the check request which includes questions and disclosures designed to flush out exactly what was provided in the way of business class airfare, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling, and why the travel had a business purpose. Such an internal control would allow for more streamlined processing of expense reports while still elevating the GTE items to the appropriate level of review and requiring appropriate documentation. 

One question I am often asked is why a company needs internal controls regarding gifts when, in many companies, internal audits of these expense reports are common. It is important to keep in mind that, with respect to GTE, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So, it will be a false sense of security if a Compliance Officer relies on the internal audit of expense reports to be the control needed over violations of gift policies. 

David Brooks has said, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Howell has identified, you can go a long way towards detecting and, more importantly, preventing an FCPA violation from occurring. 

Three Key Takeaways

  1. You must maintain rigor around your internal controls.
  2. Controls against fraud can also help to prevent corruption.
  3. Building and maintaining good internal controls requires rigor. 

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 6, 2017

In this episode, I visit with Patrick Henz, a compliance practitioner and author of Access Granted: Tomorrow’s Business Ethics. Henz has written one of the most fascinating books on compliance going forward into the future that I have recently read. His book analyzes actual and future technological developments to discuss how these will affect tomorrow's business reality and its impact on humans. Henz believes that robotization and the implementation of Artificial Intelligence will change companies and societies. This does not automatically mean a shift for the better or the worse, but life will be different, and it is in our hands to use technology for the former.

Artificial Intelligence, robots, 3D printing, micro-learnings, virtual reality, self-driving cars and all other autonomous software and machines will be a part of tomorrow's business. We should start thinking about the consequences. This is both a chance and a challenge for management, one where the Ethics & Compliance function can position itself as a key player and bring AI within its responsibilities.

In addition to the above, we discuss the role of gamification of training going forward, and how AI will impact compliance. We also consider how the German electro-rock group Kraftwerk influences compliance to this day. Finally, we consider how the movie Minority Report and Asimov’s Three Laws of Robotics will inform your compliance program going forward. 

Patrick Henz can be reached at Patrick.Henz@primemetals.com.

You can check out his book Access Granted on amazon.com.

Jul 5, 2017

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, which requires the following: 

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences …. 

The Justice Department (DOJ) and Securities and Exchange Commission (SEC), in their 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” 

Aaron Murphy, Assistant Solicitor General in the Office of the Attorney General for the state of Utah and the author of “Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives”, said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.” 

Internal controls expert Joe Howell, EVP at Workiva, Inc., has said that internal controls are systematic measures, such as reviews, checks and balances, methods and procedures, instituted by an organization, that perform several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; safeguarding its assets and resources; detecting and deterring errors, fraud, and theft; assisting an organization in ensuring the accuracy and completeness of its accounting data; enabling a business to produce reliable and timely financial and management information; and helping an entity ensure adherence to its policies and plans by its employees, applicable third parties and others. Howell adds that internal controls are entity wide; that is, they are not limited to the accountants and auditors. Howell also notes that for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that the assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets. 

The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its 2013 publication entitled “Internal Controls – Integrated Framework”, defined internal controls as follows: 

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. This definition reflects certain fundamental concepts. Internal control is: 

  • Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities - a means to an end, not an end in itself
  • Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
  • Able to provide reasonable assurance - but not absolute assurance, to an entity’s senior management and board of directors
  • Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

The Integrated Framework goes on to note, “This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.”


Why are internal controls important in your compliance program? Two FCPA enforcement actions demonstrate the reason. The first came in late 2013 when the DOJ obtained a criminal plea from Weatherford International (WFT). There were three areas where WFT failed to institute appropriate internal controls. First, around third parties and business transactions, limits of authority and documentation requirements. Second, on effectively evaluating business transactions, including acquisitions and joint ventures (JVs), for corruption risks and to investigate those risks when detected. Finally, around excessive gifts, travel, and entertainment, where such expenses were not adequately vetted to ensure that they were reasonable, bona fide, and properly documented. 

The second case involved the gun manufacturer Smith & Wesson (S&W). The case did not include a criminal charge filed by the DOJ but a civil matter was prosecuted administratively by the SEC. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Moreover, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization”. 

The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and they need to allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, there are two big risks. The first is the assets or resources of a company, not just cash but inventory, fixed assets etc., being used to pay a bribe. The second is the diversion of company assets, such as unauthorized sales discounts or receivables write-offs, which are used to pay a bribe. 

As an exercise, I suggest that you map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist. This will help you to determine whether adequate compliance internal controls are present. From there you can move on to see if they are working in practice, or ‘functioning’. Internal controls will only become more important in FCPA enforcement. This month you will learn how to get ahead of the curve. 

Three Key Takeaways

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. The Weatherford and Smith & Wesson FCPA enforcement actions demonstrate the enforcement spotlight on internal controls.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 5, 2017

In this episode, I visit with Ed Buthusiem, with BRG Business Transformation. BRG partners with companies and their stakeholders to deliver sustainable results with speed and transparency through a data-driven and expert-led approach. We discuss the work of BRG and how BRG helps companies to drive a value proposition. We explore what this means for a Chief Compliance Officer or compliance practitioner and how BRG can help compliance professionals to operationalize compliance. We also discuss how compliance can become a more integrated part of the business process. You can find out more about BRG by checking out their website by clicking here.

This episode is sponsored by Ark Group publishing, who recently released my latest book, 2016-The Year in Corporate Enforcement. This is the only book which details one of the most significant years of FCPA and global anti-corruption enforcement. You can find out more about this book at the Ark Group website by clicking here.

Jun 30, 2017

In this week which starts the 4th of July holiday weekend, Jay and I return for a wide-ranging discussion on some of the week’s top compliance related stories, including: 

  1. The second declination from the Sessions Justice Department, CDM Smith. For a copy of the Declination, click here. For an article in the FCPA Blog, click here.
  2. The son of Equatorial Guinea's president went on trial this week in France for embezzlement of funds from the country. See trial reports of Days 2 & 3 in the Global Anti-Corruption Blog.
  3. Is the DOJ afraid to go to trial in white collar prosecutions? Jesse Eisinger considers this issue in his new book The Chickenshit Club. See a review of Eisinger’s book in the Financial Times by clicking here.  
  4. Tom nominates former Uber engineer Susan Fowler for top blog of the year (so far). Who is your nominee from the first half of the year? See Tom’s article in the FCPA Blog.
  5. Hui Chen talks to Matt Kelly on a podcast on Radical Compliance.
  6. Jay discusses his weekend report, which came out yesterday. You can read it by clicking here.
  7. At nearly the half-way mark, the Astros lead the majors with the best record.
  8. Tom announces the premiere of the Compliance Podcast Network, which will make its debut the week of July 10. It will be the only podcasting network dedicated to compliance, the compliance profession and compliance practitioners.

Jun 30, 2017

Yesterday I considered an article by Ryan Hubbs, entitled “10 Factors Leading to Reporting Mechanism Distrust”, in which he detailed 10 factors leading to hotline distrust. Today I want to pick up on that article with Hubbs' tips for building a trusted hotline reporting program and culture, talk about the SEC whistleblower program, and conclude with a few thoughts on why experienced, invested counsel is so critical in these matters. 

Organizations implement and maintain hotline programs differently depending on their size, culture, geography, and many other factors, and they must decide whether to build such programs in-house or outsource them. Many organizations find benefit in taking it outside: the vendor's experience and expertise, and the appearance of independence, can increase employee trust. A smaller organization may not be able to do so. Nevertheless, there are many competent companies that provide hotline services for smaller organizations. 

What can you do to help build trust for your reporting system?

  1. Training and awareness. Increased awareness of the program will help build employees' confidence in it, and an organization should continually strive to help employees know that the hotline reporting system program works, why the organization believes in it, who operates it, and why it is a critical part of the culture of the company and the compliance ethos of the company. Organizations should include hotline frequently asked questions and answers in all new-hire and supervisory training.
  2. Ongoing communication. Communication about a hotline reporting program, recent compliance issues, and messages from management should be routine and commonplace. I have talked about putting posters in workrooms and coffee rooms to announce hotlines, but you have to continually communicate it. Think of the example of Louis Sapirman at Dun & Bradstreet, where they are continually communicating about the hotline via the company's internal social media program.
  3. Accessibility. Information on a hotline reporting program and how to report a concern should be within one click of the organization's intranet or external website. An organization should communicate program information in as many languages as is necessary to provide coverage. Certainly here, the Department of Justice and Securities and Exchange Commission have made clear in the 2012 guidance that local languages must be respected and utilized. Web-based reporting platforms should be available to facilitate anonymous reporting and allow for inclusion of attachments. Conversely, you may have a situation where a large part of your workforce does not have access to a computer. They may be in a country where there is limited internet or, frankly, they may not be trained on computers, so you may be required to maintain other mechanisms as well.
  4. Transparency. Prominently display your organization's hotline reporting and investigative process, including the expertise and contact information of your trained investigators, what employees should expect, plus the organization's responsibilities to cooperate and to protect against retaliation. We have talked about anti-retaliation before, but I am going to emphasize it again because it is so important. You must incorporate the fair process doctrine, you must not retaliate, and you must make clear to your employees that you will not tolerate retaliation.
  5. Proficiency and objectivity. Those who manage the hotline and investigation process should be technically proficient, professional, well trained, and experienced in the handling and reporting of concerns. The organization should also install adequate systems, processes, and technologies to support the investigators and ultimately the employees. This includes in-depth and routine training, I would say no less than annually, for the organization's investigative, legal, HR, and compliance staff, but you have got to get the word out. You have got to have proficiency and objectivity. Prong three of the 2016 Department of Justice pilot program required compliance expertise. You must have that proficiency and it should extend to your investigative staff.
  6. Ongoing assessment. Is your organization assessing your compliance program and your hotline? How do employees currently view the hotline reporting program and corporate culture? Can people get the information to the appropriate disciplines within your organization? Here you can think about Wells Fargo, where there was clear evidence that the culture had failed, yet even with a reporting mechanism in place and use of that mechanism, management did not follow up to determine the issues which led to the company’s catastrophic reputational damage. 

Next is an assessment of whether the ethics and hotline policies, procedures, and technology are meeting the needs of the organization and the employees. Here let me emphasize technologies, because I spoke earlier about a situation where an employee does not have access to a computer. What if the employees are out on a drilling rig? Would they have access to a cell phone, or could they report in that manner? Maybe not. They may have to use a computer. You must have the appropriate technology for your diverse workforce. 

What about after the report is made? Are your internal investigations and resulting disciplinary actions consistent with the organization's desired culture of compliance? Here you need to make sure that the actions you have taken really are consistent, because employees understand this and they will watch and see what happens. Are independent reviews of the hotline and its results conducted by internal audit or external professionals, with ongoing oversight by an audit committee? Finally, are complaints and resolutions disclosed to or discussed with external auditors? Are you bringing in outside experts to help you? 

All of this is important because of Dodd-Frank and its creation of a Whistleblower program for securities violations, such as the Foreign Corrupt Practices Act (FCPA) for issuers. As of April 2017, the Securities and Exchange Commission (SEC) has made 43 whistleblower awards of over $153 million to whistleblowers under the Whistleblower program established under Dodd-Frank. This is a direct result of the failure of corporate hotlines. Any regulator will tell you that 95% of all employees attempted to report internally first and they were either rebuffed, retaliated against, or in some other way rejected. The amount of money, fines and penalties, paid out for ignoring whistleblowers, people who report anonymously, is significant.

Finally, as I end this one-month series, I would just like to re-emphasize the need for experienced investigative counsel for serious matters. Recently there was a declination issued in the Linde Gas case by the Department of Justice (DOJ), and it really was clear that the counsel used by Linde, in addition to the decision to self-disclose, was a critical factor in Linde getting the superior result it did, which was a declination to prosecute. The investigation involved a very difficult set of facts, very convoluted, very muddled up over many countries with shell companies, direct companies, and others. You really must have experienced investigative counsel for things that are outside the routine. Having an experienced, seasoned and competent FCPA bar lawyer who can both investigate the matter and negotiate with the government is very critical going forward. 

Three Key Takeaways

  1. Work to engender employee trust.
  2. The SEC Whistleblower program is a huge success and is not going away.
  3. Use experienced investigative counsel for hotline reports of serious wrongdoing.

Jun 29, 2017

Today I want to consider some factors which can lead to employees’ distrust of an internal reporting system. Ryan Hubbs wrote an excellent article entitled “10 Factors Leading to Reporting Mechanism Distrust”. 

The guidance and mandates for companies on reporting mechanisms are numerous, overlapping and sometimes very broad. There are the US Sentencing Guidelines; regulations under Sarbanes-Oxley (SOX), the Dodd-Frank Act and the 2012 FCPA Guidance. There are international guidelines from the EU, US and London based stock exchanges, and even the United Nations deems a reporting mechanism a necessary good business practice. Dodd-Frank attempted to strengthen accountability by specifically providing protections for those who come forward as whistleblowers, but it also allows regulators to respond to misconduct through legal action. While the goal of whistleblowers and reporting mechanisms might be to identify and correct wrongdoing, they do not guarantee success and they do not even guarantee effective and trusted programs. 

Trust is a primary factor in whether an employee will come forward with a concern. Management might try a quick-fix reaction to a messy investigation with more reporting mechanisms, posters or asking a CEO to use compliance training to generally get the word out. Nevertheless, employees view it as a trust issue, and you must have that trust. If an employee chooses not to report and an outside source later discovers misconduct, the organization will certainly be subject to potential financial losses and reputational damage that could have been avoided. If the employee does report, but the culture of trust is lacking or they face retaliation, up to and including termination, then you have a disgruntled employee who is most likely going to go to the Securities and Exchange Commission. 

What are Hubbs’ 10 factors leading to distrust of internal reporting mechanisms? Number one is that employees do not understand the reporting mechanism system. Some of the questions include, “Who answers the reporting mechanism number? Will they know that I filed a reporting mechanism complaint if I do so anonymously? Will they tell my boss that I've reported a concern? Where does my complaint go and who reviews it?” Employee doubt and uncertainty can impede an employee's decision to report a concern. Transparency also aids trust, and the more transparent the process, the more likely an employee is to come forward. 

Number two is inadequate reporting mechanism resources and poor reporting program design. Companies can demonstrate their commitment to a reporting mechanism by spending money on well-designed reporting mechanism programs, professionally trained and efficient responders and investigators, fully integrated case management systems and all necessary supporting tools. Anything less will engender employee mistrust. 

Number three is the lack of personalization of employee concerns. Utilizing an internal reporting mechanism can be a very personal experience for an employee, as the whistleblower might be a victim or could well have witnessed significant wrongdoing. He or she may view using the reporting mechanism as simply taking a personal chance by coming forward and doing the right thing. This means that if an employee only hears a recorded message or an automated response, they may view the entire program as machine-like and indifferent. Qualified and experienced compliance or investigative professionals, following a predesigned investigative protocol, should immediately follow up on reported concerns. Moreover, concerned employees need support and reassurance that they have done the right thing, that the organization will address their concerns and that they will be protected from retaliation. There should also be a strong written statement against retaliation. 

Number four is the improper handling of whistleblower complaints and lack of training of investigators. The mishandling of complaints and poor training of those who handle reporting mechanism calls and investigations can cause reporting errors in which the company conducts an inadequate investigation and/or comes to the wrong conclusion. As noted above, an investigative protocol coupled with skilled investigators early in the reporting process is essential. Employees who experience mishandled complaints will almost certainly communicate their dissatisfaction to colleagues, and that can certainly destroy reporting mechanism morale. 

Number five is the always dicey question of whether management is involved in the reporting mechanism. Local management may get involved early when they themselves are the problem, or may be complicit in allowing concerns to go unaddressed. Local HR professionals might also appear to employees to be closely aligned with management; they also might be inadequately trained and show bias or favoritism. To ensure transparency and objectivity, it is often effective to use a third-party administrator for your reporting mechanism. At the point when a concern becomes part of an investigation, the organization can involve management, including internal audit, compliance, legal and HR, depending on the type of complaint. 

Number six is too many reporting mechanisms. Your corporate reporting mechanism should be the primary entry point for all concerns, regardless of who reports them or how companies identify them. Unfortunately, companies also have other avenues such as email, web portals, written submissions and, of course, in-person reports. These can leave companies struggling to determine who owns the proactive and reactive assessment of reports and responses. Many companies offer reporting mechanisms beyond the centralized reporting mechanism, but you should have a professionalized, centralized, clearly articulated program that helps streamline reporting, increase communication and awareness, and decrease confusion, all of which help build trust.

Number seven is too much emphasis placed on reports being based solely on “credible complaints. Employees who file fictitious or malicious complaints against companies and colleagues do so to defend against pending terminations, to get others into trouble or to retaliate for some perceived personal slight.” While some companies attempt to reduce meritless complaints by communicating that employees should only report credible or good-faith complaints, others might go a step further by saying employees could be subject to disciplinary action for filing complaints that are not found to be credible. However, these tactics may well deter employees from reporting any concerns.

Number eight is the twin obstacles of negative incidents and retaliation. If I have had one key theme throughout this series on reporting, and indeed throughout this month on investigations, it is an absolute prohibition against retaliation. Companies must prevent retaliation. When an employee is mistreated for following the organization's reporting policy, the reporting mechanism can sustain severe damage to its credibility and viability as a safe and secure mechanism. The damage from mismanagement and reprisals is memorialized on the internet, in court records and in public documents, and can create a devastating silent, do-not-report culture. Companies must communicate that they have zero tolerance for retaliation and deal with any retaliation swiftly and publicly.

Number nine is the problem of inconsistent outcomes. Companies must demonstrate that consistent and fair outcomes are routine, regardless of the people, relationships or scenarios involved. Employees will learn through the grapevine whether the organization delivers fair, consistent discipline, regardless of how confidentially an organization hides such outcomes. Of course, if employees view outcomes as fair, they will be more willing to report concerns. Employees know that inconsistency equals personal risk.

Finally, number 10 is the time-worn adage that actions speak louder than words. Employees critique, judge and evaluate what an organization says about its reporting program by what it does, rather than what it says. Does it follow policies and procedures as designed? Does it really have a zero-tolerance policy on retaliation? Are outcomes consistent, fair and appropriate? Does it truly allow employees to report concerns anonymously?

Three Key Takeaways

What are today's three key takeaways?

  1. You must not retaliate. That is probably the biggest destroyer of credibility and trust in a reporting mechanism.
  2. There must be ongoing communications and there must be follow up with the employees who made the anonymous reports.
  3. Celebrate your reporting mechanism. Let employees know that it is acceptable to raise your hand, because that is all you are doing at the end of the day: raising your hand. It is incredibly important and it is something that will make your reporting mechanism work much better.
Jun 29, 2017

The top compliance roundtable podcast is back with a wealth of new topics. Stay tuned to the end, where there are some heartfelt and somber rants in this edition.

  1. Matt Kelly opens with a discussion on Uber within the policies and procedures framework. Matt rants on the danger of overly legalistic approaches to compliance.

For Matt Kelly’s posts on Uber and the intersection of policies and procedures, see the following:

What Uber Teaches About Culture & Policy Management

Car Crash Governance at Uber

  2. Mike Volkov considers blockchain and how it will impact compliance going forward.

For Mike Volkov’s post on blockchain and compliance, see the following: 

Blockchain and the Future of Compliance 

For reading on blockchain and compliance, see the following:

Will Blockchain Transform Compliance? by Tom Fox

How Blockchain Will Change Organizations, by Don Tapscott and Alex Tapscott in MIT Sloan Business Review.

Blockchain Explained, by Zach Church in MIT Sloan Management Review. 

  3. Jonathan Armstrong considers the trend of fake news and misinformation around GDPR. Jonathan most somberly rants on the Grenfell Tower disaster.

For the Cordery Compliance client alert see the following: 

GDPR ‘Fake News’ 

  4. Jay Rosen brings a detailed discussion of FCPA sabermetrics in the context of the dearth of FCPA cases brought forward under the Trump Administration and the Sessions Justice Department. He considers the numbers, the continuing departures of numerous Justice Department career employees and the new political appointees as well. Jay rants on breaking news.

For Jay Rosen’s posts see the following:


The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
Jun 28, 2017

In an article entitled “How to Launch and Operate a Legally-Compliant International Workplace Report Channel” (or, in compliance parlance, a hotline), author Donald Dowling of the law firm of White and Case provided a useful guide to help navigate the challenges of setting up a multinational whistleblower hotline, such as is required under the FCPA and UK Bribery Act. The majority of his article “analyzes the six categories of laws that can restrict whistleblower hotlines abroad, focusing on compliance.” You should obtain a copy of this article and keep it for reference in regard to your company’s hotlines. It is available on the White and Case website, by clicking here.

  1. Laws Mandating Whistleblower Procedures

This group of laws “comprises mandates that require setting up whistleblower hotlines in the first place.” This includes the US Sarbanes-Oxley Act (SOX) as well as the laws of other jurisdictions which generally protect whistleblowers from retaliation but do specifically require any hotlines to be set up on a company-wide basis. Dowling also found a couple of countries, Norway and Liberia, which require the general receiving and processing of “public interest disclosures.”

  2. Laws Promoting Denunciations to Government Authorities

This category of laws generally relates to legal requirements for the reporting of illegal acts to government authorities, in two ways. First, these laws encourage whistleblowing to government, which then competes with employer hotlines by enticing internal whistleblowers to divert denunciations from company compliance experts over to outside law enforcers who indict white collar criminals. This first approach is found in Dodd-Frank, which offers bounties. Second, these “laws that require (as opposed merely to encourage) government denunciations rarely exempt corporate hotline sponsors. These laws therefore force hotline sponsors to divulge hotline allegations over to law enforcement.” This second approach is found in SOX, which “requires an employer to offer internal hotline procedures”.

  3. Laws Restricting Hotlines Specifically

This category is exemplified by European data protection laws, which act to restrict companies’ freedom to launch and operate reporting programs. Dowling believes that these laws are based upon the fact that Europeans “see hotlines as threatening privacy rights of denounced targets and witness”. This would also seem to be a response to the totalitarian past of the World War II era. The author identifies what he terms “the four biggest hurdles” set up to frustrate hotlines in EU jurisdictions. They are “(1) restrictions against hotlines accepting anonymous denunciations; (2) limits on the universe of proportionate infractions on which a hotline accepts denunciations; (3) limits on who can use a hotline and be denounced by hotline; and (4) hotline registration requirements.”

  4. Laws Prohibiting Whistleblower Retaliation

This category will be familiar to US compliance practitioners through the application of US laws such as SOX, Dodd-Frank and numerous state whistleblower statutes. Additionally, the author lists numerous foreign jurisdictions which have such laws. But here he believes that the key is communication, because in many countries and foreign jurisdictions there is no tradition of protecting persons who make reports against superiors, so that an “employer needs to overcome worker fear of reprisal for whistleblowing.”

  5. Laws Regulating Internal Investigations

Typically, laws on internal investigations do not impact hotlines because a hotline is a “pre-investigation tool.” However, the author believes that communication by the employer, discussed under No. 4 above, is critical to complying with laws that enact procedural safeguards for persons under investigation. Heavy-handed communications about a hotline could blow back against employers in claims by employees that “an employer rigged the investigation process.” So companies should ensure that communications about hotlines do not convey an “overzealous approach to complaint processing and investigations.”

  6. Laws Silent on, but Possibly Triggered By, Whistleblower Hotlines

Here the author recognizes that the title of this category “is necessarily vague and determining which laws fall into it is difficult.” Nevertheless, he writes that the most “likely candidates are data protection laws silent on hotlines and labor laws imposing negotiation duties and work rules.” Regarding the former, the author argues that hotlines are not databases but conduits for the transmittal of information. He acknowledges that EU data privacy laws reject this distinction and treat hotlines as if they were databases where information is stored. He does not identify any other jurisdictions which yet take this aggressive approach, but he believes this may become a trend. The labor law issue is also tricky and may turn on whether the institution of a hotline is viewed as a substantive change in working conditions under a union-management labor agreement and therefore subject to collective bargaining.

There are several key inquiries you should make for your hotline. What jurisdiction are you in, and what is the binding law or laws which will govern you going forward? Must you confine your hotline reporting to specific topics, or is it open to all issues? Can anonymous allegations be brought forward in the jurisdiction in question? Do you have a hotline staffed in-house, or do you use an external third-party vendor? Finally, must you disclose hotline data to government regulators?

Three Key Takeaways

  1. You must understand the jurisdiction you are in and the laws which govern your hotline.
  2. Can you use information which is reported anonymously?
  3. Must you disclose any data to government regulators?