Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, with a focus of the release of the latest Star Wars movie, The Last Jedi:
In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this concluding episode, we consider what does it all mean.
Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:
Part 2: What the logic of your transaction price?;
Part 3: Shaking up software revenue recognition;
Part 4: Auditors need to pay attention; and
Part 5: What does it all mean for compliance (and everyone else)?
As you might expect from the Compliance Evangelist, I see most issues through the lens of compliance practitioner. A key reason this is so important in the compliance area is because the internal controls over financial reporting involved in implementing this new standard are critical to effective implementation. The Securities and Exchange Commission (SEC) has said explicitly in several public statements, and through their early comment letters on disclosures made in advance of implementation, that companies must inform the SEC about the accounting policies that they are changing, and how this new standard will affect a company’s accounting processes, and finally how those effects are going to be managed. This makes it clear to me that this is a really a compliance issue.
Moreover, the SEC has indicated that these disclosures are central to the new revenue recognition standard. This is because if a company has some sort of failure in their disclosures for an accounting standard, they are treated under section Sarbanes-Oxley (SOX) Section 302 of the SEC rules, and that has a level of significance or liability, which is much lower than the liability that a company might face under SOX Section 404, which has to do with the actual internal controls over financial reporting. While disclosure of internal controls might not typically bring Section 404 scrutiny, under the new revenue recognition standard, they may now do so. Kelly stated, the SEC has made it “clear that it will be watching this first year of financial statements under the new standard closely.”
This new revenue recognition standards intertwines two concepts. This first is the convergence and overlap between the compliance profession, compliance programs and compliance practitioners with internal controls. While largely seen as financial in nature, compliance internal controls are in place to both detect and prevent. Now compliance internal controls can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective. However, if you are a Chief Compliance Officer (CCO), you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization.
The second concept is the continued operationalization of compliance. During my tenure in compliance, you rarely heard a CCO consider revenue recognition as a compliance related issue. By going into detail, we have shown how this new revenue recognition standard can change the manner in which a company might recognize revenue, leading to a greater risk of the obfuscation of payments for bribery by corrupt employees. This means as a CCO you must not only be aware of the risk to manage it but you also must take active steps to mitigate against it.
Kelly believes this new revenue recognition standard means a lot of work for probably the next 12 months; particularly in the next six months or so, from the end of this year until about May or June 2018. This is when most large companies publish their first annual reports, under the new revenue recognition rule. It is difficult to say how many companies will go through all of this to find that actually their numbers will not change to any material amount. However, for many companies, they may not be able to quantify it but their internal mechanisms are going to get a lot more scrutiny. There will be pressure on the internal financial controls and processes to determine how a business is justifying what is being audited and reported to investors.
Kelly concluded by adding that, at the end of the day, “revenue recognition is a financial process. It is a financial issue. This standard really gets to how are you justifying the process of putting forth these numbers. It is about documenting your judgment. It is about making sure the processes you use are full and complete and sound. Who is the one who makes sure that people understand what the process is the process is well thought out and correct and sturdy.”
Matt and I are preparing a white paper based upon our writings on revenue recognition and this podcast series. It will be available through JDSupra when released.
Opinion Releases
Prior to the 2012 FCPA Guidance, the Justice Department issued two 2007 Opinion Releases which offered guidance to companies considering whether to, and if so how to, incur travel and lodging expenses for government officials. Both Opinion Releases laid out the specific representations made to the DOJ, which led to the Department to approve the travel to the US by the foreign governmental officials. These facts provided strong guidance to any company which seeks to bring such governmental officials to the US for a legitimate business purpose. In Opinion Release 07-01, the Company was desired to cover the domestic expenses for a trip to the US for a six-person delegation of the government of an Asian country for an educational and promotional tour of one of the requestor's US operations sites. In Opinion Release 07-01 the representations made to the DOJ were as follows:
The response from the DOJ stated: “Based upon all of the facts and circumstances, as represented by the requestor, the Department does not presently intend to take any enforcement action with respect to the proposal described in this request. This is because, based on the requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the requestor's] products or services."
In Opinion Release 07-02 the Company desired to pay certain domestic expenses for a trip within the US by approximately six junior to mid-level officials of a foreign government for an educational program at the Requestor's US headquarters prior to the delegates attendance at an annual six-week long internship program for foreign insurance regulators sponsored by the National Association of Insurance Commissioners (NAIC).
In Opinion Release 07-02 the representations made to the DOJ were as follows:
As with Opinion Release 07-01, the DOJ ended this Opinion Release by stating, “Based upon all of the facts and circumstances, as represented by the Requestor, the Department does not presently intend to take any enforcement action with respect to the planned educational program and proposed payments described in this request. This is because, based on the Requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the Requestor's] products or services."
Travel and Lodging for Governmental Officials
What can one glean from these two 2007 Opinion Releases? Based upon them, a US company can bring foreign officials into the US for legitimate business purposes. A key component is that the guidelines are clearly articulated in a compliance policy. Based upon Releases Opinions 07-01 and 07-02, the following should be incorporated into a compliance policy regarding travel and lodging:
Incorporation of these concepts into a compliance program is a good first step towards preventing any FCPA violations from arising, but it must be emphasized that they are only a first step. These guidelines must be coupled with active training of all personnel, not only on the compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and entertainment. Lastly, it is imperative that all such gifts and entertainment are properly recorded, as required by the books and records component of the FCPA.
The 2012 FCPA Guidance does specify some types of examples of improper travel and entertainment
$10,000 spent on dinners, drinks, and entertainment for a government official;
However, you can use the matter as a good reason to review not only your company’s procedures but to test to determine if they are being followed or if there are issues which you might need to take a closer look at. When a Wal-Mart, News Corp or GSK is in the news for alleged FCPA violations, it provides you a good reminder to review your compliance program.
Three Key Takeaways
Payment for travel expenses is appropriate it there is a legitimate business purpose.
This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
In this episode, I visit with Sheila Hooda on culture on a Board of Directors and how Board's can drive culture throughout an organization. Some of the topics we highlight are the following:
1. What is good Board culture?
2. What is the Board’s role in building an ethical culture within a company?
3. How can the Board assess senior management leadership to set appropriate culture?
4. How can the Board help to sharpen the company’s cultural focus?
5. What is the Board’s role in cultural evaluation and feedback?
6. What information should the Board ask for or consider in assessing a company’s culture?
7. What information should the Board impart to the Chief Compliance Officer or Chief Integrity Officer regarding culture?
8. Should Board members be a part of CCO cultural initiatives such as town hall meetings or focus groups?
In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider auditors and the new revenue recognition standard, including disclosures, the ICFR and PCAOB guidance on the new revenue recognition standard.
Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:
Part 2: What the logic of your transaction price?;
Part 3: Shaking up software revenue recognition;
Part 4: Auditors need to pay attention; and
Part 5: What does it all mean for compliance (and everyone else)?
Kelly identified three areas where he sees immediate auditor impact. The first is that the audit firms’ regulator, the Public Company Accounting Oversight Board (PCAOB) has clearly communicated to auditors they must pay attention to this new revenue recognition standard. One of the clear themes throughout this podcast series has been the increased amount of judgment which will come into these calculations going forward. This means companies will need to have more complete documentation which can then be reviewed and tested by their auditors. Add to this PCAOB auditing standards and there may well be a time for some sorting out of what will be required going forward.
Secondly, with this new emphasis on judgment, auditors will have a renewed emphasis on fraud detection. There may be some incentives for sales executives to manipulate the numbers a bit or to close the deal more quickly to hit a bonus. Such pressure could transgress into fraud and as Kelly noted “auditors will be looking more closely at fraud risk because there could well be circumstances where sales commissions could be higher because of the new revenue standard; that would let some firms recognize more of a transaction more quickly.” Finally, Kelly also noted the International Controls for Financial Reporting will have renewed focus from auditing firms.
Kelly pointed to the straightforward issue of whether a contract exists and then posed some of the questions auditors may be asking going forward: How do we know the organization’s contracts are complete and accurate? How does a company demonstrate its contract management system has not be tampered with after execution? What are the controls around these programs you might use to manage your financial transactions? Are we capturing all of the contracts that our employees are generating and that employees are not generating some contracts, have not informed management or that the company’s contract management system has not captured them? Finally, is there contract system security to insure there is no manipulation after the contract is signed?
Another key area for auditing will be whether the pattern and practice of doing business is the same as the contract performance terms and conditions. One immediate area is payment terms. Most contracts specify 30 days net payment terms. However often this date may slip 30, 60 days or even longer. Now take this same concept into the FCPA realm around vague deliverables in third party agent’s agreement and you begin to see some additional issues. If the performance deliverable terms are so vague as to render them meaningless, how will that be handled under this new revenue recognition standard.
My observation is there is a continuum, working backward from the PCAOB, to auditors and audits to the disclosures companies may have to make. Under GAAP, a disclosure may only need to be made if it is material. Yet in the FCPA world there is no materiality standard. At what point does the lack of materiality of a contract outside the United States make your books and records not correct leading to a potential exposure under a law unrelated to traditional revenue recognition; IE., the FCPA? Kelly concluded by noting that companies need to be (or have been in) discussions with their audit firm for to plan these things out as “these sorts of complexities are not to be dismissed because we don't know when they might boil up and suddenly grab you in the rear end. And when that happens it will happen at the least convenient time and cause the most pain.” (ouch!)
I hope you will continue to join us for our exploration this week. Tomorrow in Part V, we will conclude with what it all means going forward.
If one were to reflect upon the providing of gifts and business entertainment to foreign governmental officials, one might reasonably conclude that after 40 years of the FCPA, companies might follow its prescriptions regarding gifts and business entertainment. However, there have been some notable FCPA enforcement actions in this area.
The 2012 Guidance clearly stated the FCPA does not ban gifts and entertainment. Indeed, the Guidance specified that “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.”
What does the FCPA Itself Say?
While prohibiting payment of any money, or thing of value, to foreign officials to obtain or retain business, the FCPA arguably permits incurring certain expenses on behalf of these same officials. There is no de minimis provision. The presentation of a gift or business entertainment expense can constitute a violation of the FCPA if this is coupled with the corrupt intent to obtain or retain business. Under the FCPA, the following affirmative defense regarding the payment of expenses exists:
[it] shall be an affirmative defense [that] the payment, gift, offer or promise of anything of value that was made, was a reasonable and bona fide expenditure, such as travel and lodging expenses, incurred by or on behalf of a foreign official, party, party official, or candidate and was directly related to…the promotion, demonstration, or explanation of products or services; or…the execution or performance of a contract with a foreign government or agency thereof.
As with most matters under the FCPA, there is little direct guidance on what conduct may step over the line set out above. Of course, there is always the gut check test, which simply measures “if it feels wrong in your gut, it probably is wrong”. It is something good to always keep in mind in any circumstance.
Opinion Releases
Somewhat surprisingly, there are not any recent DOJ Opinion Releases from the past 10 years dealing with the values for gifts and business entertainment under the FCPA. However, there are three Opinion Releases from the early 1980s which can provide some guidance to current practitioners.
In Opinion Release 82-01, the DOJ approved the gift of cheese samples made to Mexican governmental officials, by the Department of Agriculture of the State of Missouri to promote the state of Missouri’s agricultural products. However, the value of the cheese to be presented was not included in the Opinion Release. In Opinion Release 81-02, the DOJ approved a gift of its packaged beef products from the Iowa Beef Packers, Inc to officials from the Soviet Ministry of Foreign Trade. The total value of all the samples presented was estimated to be less than $2,000 and the Iowa Beef Packers, Inc averred that the individual sample packages would not exceed $250 in value.
The final Opinion Release relating to gifts is 81-01. In this release, Bechtel sought approval to use the SGV Group, a multinational organization headquartered in the Republic of the Philippines and comprised of separate member firms in ten Asian nations and Saudi Arabia, which provide auditing, management consulting, project management and tax advisory services. The SGV Group desired to solicit business on behalf of Bechtel who had proposed to reimburse the SGV Group for gift expenses incurred in this business solicitation. Regarding the reimbursement of gift expenses by Bechtel to the SGV Group the DOJ stated:
(d) Expenses for gifts or tangible objects of any kind incurred without Bechtel's prior written approval will be reimbursed only where such expenditures are permitted under the local laws, the ceremonial value of the item exceeds its intrinsic value, the cost of the gift does not exceed $500 per person, and the expense is commensurate with the legitimate and generally accepted local custom for such expenses by private business persons in the country.
Policies and Procedures for Gifts and Business Entertainment
Gifts to Governmental Officials
Based upon the FCPA language and relevant Opinion Releases and allowing for inflation over the past 30 years, it would appear reasonable that a Company can provide gifts up to a value of $500. Below are the guidelines which the Opinion Releases would suggest incorporating into a compliance policy regarding gifts:
Business Entertainment of Governmental Officials
Based upon FCPA language (there are no Opinion Releases on this point), there is no threshold that a Company can establish a value for business entertainment. However, I believe there are clear guidelines which should be incorporated into your business expenditure policy, which should include the following:
The incorporation of these concepts into a compliance policy is a good first step towards preventing potential violations from arising, but it must be emphasized that they are only a first step. There must be procedures to implement these policies. At a minimum, you must require a business justification from the business representative requesting to provide the gift or business entertainment. Next it should be reviewed and approved by a front-line compliance professional. Then, depending on the amount and nature of the request, it may need CCO approval. Finally, if there is a Compliance Oversight Committee it should go to that Committee for a final check to make sure everything is in order.
These guidelines must be coupled with active training of all personnel, not only on a company’s compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and business entertainment. Lastly, it is imperative that all such gifts and business entertainment be properly recorded, as required by the books and records component of the FCPA.
And, as always, do not forget the gut check test.
Three Key Takeaways
There continue to be significant FCPA enforcement actions around the area of gifts.
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
As many of you all know Matt Kelly can rant with the best of them, right up there with Howard Sklar. I was quite intrigued with I read Matt’s December 11, 2017 blog post entitled, “At What Cost Dishonesty? For VW Exec, Seven Years” as it was one of the most strident blogs I have ever read from Matt. I wondered what had him so excised over the sentencing of former Volkswagen regulatory compliance engineer Oliver Schmidt. It turns out quite a bit, yet it was in a different way from his blog post.
In this podcast Matt and I take a deep dive into the compliance weeds to consider Schmidt’s conduct, the sentence and the roles of various parties involved in this unfortunate series of events. We consider at what point Schmidt committed to path of clearly unethical, immoral and illegal conduct? We explore what it means for a compliance professional to stand up and say this is wrong; whether it be on ethical, moral or legal grounds? In short what are some of the philosophical underpinnings of the compliance profession and even the compliance psyche?
We also consider the role of the trial judge who laid down the harsh sentence, the role of regulators such as the SEC and EPA in dealing with individual liability for compliance professionals. We discuss the distinguishing factors in this case but conclude that if a Chief Compliance Officer or compliance professional is a part of the illegal conduct, they will be vigorously prosecuted.
In addition to this episode, Matt and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard, which is running this week. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:
Part 1: Introduction
Part 2: What the logic of your transaction price?
Part 3: Shaking up software revenue recognition.
Part 4: Auditors need to pay attention.
Part 5: What does it all mean for compliance (and everyone else)?
A new episode premiers at 12 noon CST, each day this week.
In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider how the new revenue recognition standard could shake up the software industry.
Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:
Part 2: What the logic of your transaction price?
Part 3: Shaking up software revenue recognition.
Part 4: Auditors need to pay attention.
Part 5: What does it all mean for compliance (and everyone else)?
One of the industries which may greatly feel the impact of the new revenue recognition standards is the software industry. Kelly noted, the new revenue recognition rule will ultimately allow some portion of the software sector to recognize more of their long-term contract revenue immediately. He believes they initially may think something along the lines of “Hey that's sounds good right. We can hit our quarterly numbers. However, that then brings about bigger strategic questions.” So the reality may be somewhat different as a software company might need to think about this might well drive much more volatile revenue patterns over a multi-year period.
Kelly provide an example of the volatility from one of the companies he has studied, Microsoft. He stated that “when Microsoft adopted the revenue recognition standard earlier this summer, it actually pushed its revenues up because all those liabilities that would have been deferred revenue on the balance sheet recognized them all at once. Microsoft's total revenue for 2017 went from $8.9bn to $26.5bn.” All that just because of a change in revenue recognition.
He then gave a more tangible example of a specific contract, where a company entered into a contract for five years, paying $500,000 and receiving 1000 seat licenses and four years of updates. Under the prior revenue recognition standards, the software company recognized a $100,000 in that first year when they signed the deal and then they had $400,000 of deferred revenue, which they recognized in chunks of $100,000 per year. Now a software company under the same scenario could recognized the entire $500,000 in the first year. While this may look great, it has serious implications. First and foremost, it will impact the software company’s balance sheet for the final four years of the five-year contract. It will seem most bare, with no deferred revenue. Kelly concluded “that's the sort of thing that the software companies sector is going to go through a bit of a blender in early 2018 as people start to realize what all this means.”
Another obvious area of change will be in commission payments for sales persons and third parties. Previously they may have been paid when the revenue was recognized over the life of a contract. Now it may be all up front in the first year. This could cause a commission payment to be made in Year 1 of a 5-year contract. This would present the same cash flow issue for a sales person. Now consider this in a FCPA context. The five-year split of a commission payment has acted as an internal compliance control to keep such payments low enough so as not to create a fund for bribery. Now that type of internal control may not be available to the Chief Compliance Officer.
In a white paper for CalcBench, Kelly and Pranav Ghai found several themes emerging for software companies under the new revenue recognition standard.
First, software companies expect the new standard to accelerate revenue recognition for some long-term software contracts, where previously the revenue would have been recognized in increments across the life of the contract. This is because the new standard eliminates the need for “vendor-specific objective evidence” (VSOE). With the VSOE requirement gone, the new standard will allow firms to recognize more of the revenue from a long-term contract immediately.
Second, numerous firms said the new standard will change how they account for sales commissions, which qualify as costs of obtaining contracts. Under the new standard, sales commissions can be capitalized over the term of a contract, rather than expensed immediately. That means deferred commissions will increase as an asset on the balance sheet, and the amortization costs will be expensed over the term of the contract.
Finally, the data does raise questions about how well-prepared some software firms are for the new standard. While numerous firms say they plan to implement the standard by Jan. 1, 2018— but still report that they are uncertain about its possible effect, or even what adoption method they will use.
Perhaps one of the most unintended consequences will be for software companies looking for some sort of a merger, exit or those looking for an investment round from private equity or venture capital. The difficulty for PE or VC will be to determine what a software company’s value might be over a period of time. This may end up being one of the most critical questions facing software companies and those who invest in them.
I hope you will continue to join us for our exploration this week. Tomorrow in Part IV, we will consider how and why auditors need to pay attention.
Simply having a Code of Conduct, together with compliance policies and procedures is not enough. As articulated by former Assistant Attorney General Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” The 2012 FCPA Guidance stated “When assessing a compliance program, DOJ and SEC will review whether the company Guiding Principles of Enforcement has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.” Some of the questions you should consider are:
After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process which can be fully documented as a basis to include revisions to your compliance policies and procedures.
Get buy-in from senior leadership of your company
Your company’s highest level must give the mandate for a revision to compliance policies and procedures. It should be the Chief Executive Officer, General Counsel or Chief Compliance Officer, or better yet all three to mandate this effort. Whoever gives the mandate, this person should be consulted at every major step of the policies and procedures revision process if it involves a change in the direction of key policies.
Establish a core policies and procedures revision committee
You should have a cross-functional working group would be ideal to head up your effort to revise your compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally, there should be functions within the company represented such as finance and accounting, IT, marketing and sales.
From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is important that you establish a timetable for the revision process and you hold representatives accountable for meeting their revisions.
Conduct a thorough technology assessment
The cornerstone of the revision process is how your company captures, collaborates and preserves all the comments, notes, edits and decisions during the entire project. In addition to this use of technology in revising your compliance policies and procedures revisions, you should determine if they will be available in hard copy, online or both. There must be a distribution plan, particularly if the Code and compliance policies and procedures will only be available in hard copy.
Determine translations and localizations
The 2012 Guidance made clear that your compliance policies and procedures must be translated into local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures-no matter the language.
Develop a plan to communicate the revised policies and procedure
A rollout is always critical because it is important that the revised policies and procedures are communicated in a manner which encourages employees to review and use the policies and procedures on an ongoing basis. Your company should use the full panoply of tools available to it to publicize the revised compliance policies and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all thing compliance; the three most important aspects are ‘Document, Document and Document’. However, you deliver the new or revised policies and procedures, you must document that each employee received it.
Stay on Target and Budget
You should work to set realistic expectations that to stay on deadline and stay within your budget. This is equally applicable to your policy and procedures revision. Also remember to keep a close watch on your budget so that you do not exceed it.
These points are a useful guide to not only thinking through how to determine if your policies and procedure need updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process now. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider how you should set your transaction price.
Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:
Part 1: Introduction
Part 2: What the logic of your transaction price?
Part 3: Shaking up software revenue recognition.
Part 4: Auditors need to pay attention.
Part 5: What does it all mean for compliance (and everyone else)?
FASB states that Step 3, determine the transaction price, is the amount of consideration to which an entity expects to be entitled in exchange for transferring promised goods or services to a customer, excluding amounts collected on behalf of third parties. To determine the transaction price, an entity should consider the effects of:
Kelly noted all of this means judgment are going will become more important under the new revenue recognition standard. He said “People should be thinking about that judgment means, who will be able to defend, precisely how your organization is defining the transaction price. That is something that your audit firm will want to look at and you should understand that the audit firms have more pressure to be more skeptical about judgments their clients make.”
One particular problem could be non-cash transactions or even consideration. He advised to think “about the difference between cash and non-cash compensation for a deal. What if some of your payment for a transaction was in Bitcoin; the value of which is literally changing by the day right now. You could have a transaction that you agree to payment on the first of the month and some part of it might be conveyed in Bitcoin at the end of the month. However, the value of bitcoin could change dramatically before the end of the month or the quarter. Further, compensation can come in many forms, such as receipt a patent from a joint venture partner, travel voucher or really anything of value. It will create a requirement to accurately value them and implement that valuation.
An ancillary result will be that many non-accountants are going to find that they get pulled into these conversations that you probably have not had much experience with before over revenue recognition. Lawyers and compliance practitioners, for instance may well be a part of these conversations going forward. They typically have not been a part of the discussion to determine the transaction price in the past. That is really going to be the tricky part of defining what a transaction is under this new revenue recognition standard.
For the compliance practitioner, it is not simply being able to read a spreadsheet anymore. It is understanding the underlying basis of that spreadsheet and are those underlying bases defensible. Consider in the FCPA and greater compliance ream, you may be required to justify the values assigned to either discounts, rebates or some other form of payment variance. In the overall context of an FCPA investigation, under the books and records provisions, a compliance professional may well have to take a much more detailed view of this to determine the transaction price when you sit down across the table from somebody at the DOJ.
Kelly concluded, “in the grand scheme what FASB wanted to achieve with this new revenue recognition standard was to bring more transparency to the logic of the economic action.” You will need to be able to justify where did these numbers come from related to this business transaction the companies are engaged in going forward. It is certainly going to be a very different world for some people.
I hope you will continue to join us for our exploration this week. Tomorrow in Part III, we will explore how this new revenue recognition standard will shake up the software industry.
Welcome to Episode 7 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we will focus on typical mistakes, which Compliance officers do sometimes. We will explore this matter in a plain language so to say and in the simple game form. Moreover, to make the podcast and text more appealing, will also illustrate today’s episode with an illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov.
For those of our listeners who are not aware about our format, in each podcast, we take two typical concepts or more accurately misconceptions from in-house compliance reality. We check out if these concepts work at emerging jurisdictions. For each podcast, we divide roles with Timur, a practitioner who focuses on embedding compliance programs at high-risk markets. One of us will advocate the concept identifying pros. The second compliance man will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.
Myth 1-There is no practical way to improve Compliance program. This is just a fancy and useless statement. In corporate practice, it is just unreal.
Myth 2-As compliance practitioners, we should draft and amend exclusively compliance policies. The list of such policies is well known and is exhaustive like code of ethics, gifts policies and alike. There is no need spare time for reviewing corporate policies beyond our Compliance Policies List.
There are numerous reasons to put some serious work into your policies and procedure. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by using the word “considered”, it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies and procedures; all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.
The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company. Procedures are the documents that implement these standards of conduct.
The role of compliance policies is to protect companies, their stakeholders, including employees, third-parties and others, despite an occasional lapse. A company’s compliance policies provide a basic set of guidelines for employees and others to follow. Compliance policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable ethical and compliant behavior, a company helps mitigate the risks posed by employees who might not always make the right ethical choices.
The Evaluation of Corporate Compliance Programs builds up on the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures it states, Applicable Policies and Procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight? The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating, Accessibility – How has the company communicated the policies and procedures relevant to the misconduct to relevant employees and third parties? How has the company evaluated the usefulness of these policies and procedures?
Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.
There are five general elements to a compliance policy. It should stake out the following:
The Evaluation mandates there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners. Compliance training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be the posting FAQ’s in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications help Morgan Stanley walk away with a full declination.
The 2012 FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedure are applied fairly and consistently across the organization. The Fair Process Doctrine demonstrates that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
How can you work to operationalize the Code of Conduct as articulated in the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs? The Evaluation focuses not on whether a company has a paper compliance program but whether a company is actually doing compliance. A company does compliance by moving it into the functional business units as a part of an overall business process. That is what makes a compliance program effective at the business level. There are several different parts of the Evaluation that touch upon your Code of Conduct.
Prong 2, Senior Leadership and Middle Manage states the following:
Shared Commitment – What specific actions have senior leaders and other stakeholders (e.g., business and operational managers, Finance, Procurement, Legal, Human Resources) taken to demonstrate their commitment to compliance, including their remediation efforts? How is information shared among different components of the company?
The Code of Conduct process should involve these corporate disciplines. Your Code of Conduct should enshrine your company’s values. Those are set by senior management and their input and support for any Code of Conduct project, whether initial draft or update, is critical.
Prong 4, Policies and Procedures states the following:
Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?
This question gets to the heart of operationalization and demonstrates how a Code of Conduct can work to meet the DOJ requirements. As an early part of your design and drafting process, you should assemble a cross-functional team. This is important for several reasons. First diversity in your team will help produce a more well-rounded final product. But having such team diversity will also assist in your benchmarking effort, coupled with those who are going to help you out looking at designs and maybe helping forge the design of the Code. Finally, you can use a group to help in the drafting, redrafting and editing process. This diversity will help you to answer all of the three DOJ questions from the Evaluation in a manner consistent to support operationalization.
This project team diversity will also help to operationalize your Code of Conduct after implementation. You will have various business unit members invested in your new or revised Code of Conduct. This ownership will help not only in your internal marketing but demonstrate to employees the commitment to doing business ethically and in compliance to your entire workforce.
Prong 6, Training and Communication, states:
Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?
There are several different types of training, including live, interactive and online training. But in addition to training, your Code of Conduct can form the basis of ongoing communications throughout the organization. Through a Code of Conduct, a company has acknowledged certain risks and it can communicate those risks through effective use of a Code of Conduct. It can also serve as a jumping off point for training and communications about more focused topics and discussions led by employees outside the compliance department.
You can measure the effectiveness of your training through a variety of mechanisms including knowledge assessments, culture surveys, focus groups, tracking your internal intranet training, reporting of trends and even hotline calls. These techniques can help to drive compliance into the very fabric of your company by operationalizing compliance. Another important consideration around effectiveness for training, and the text of the Code of Conduct, is translations, or as the DOJ stated, “Has the training been offered in the form and language appropriate for the intended audience?”
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard which may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we provide an introduction to the new revenue recognition standard.
Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:
Part 1: Introduction
Part 2: What the logic of your transaction price?
Part 3: Shaking up software revenue recognition.
Part 4: Auditors need to pay attention.
Part 5: What does it all mean for compliance (and everyone else)?
This standard has been a long time in coming but the go live date is here; it becomes effective on December 15, 2017. This means the financial reports your company will submit which will come out sometime in February or March will be under the new revenue recognition standard. Kelly noted that “upwards of 80 percent of filers in the United States have a year end of December 31 as their fiscal year end. For most companies, this new revenue recognition standard is here you are going to have to start worrying about it now. You are going to have to start reporting under the new standard early in the spring.” While some companies, such as Google, General Motors and Microsoft adopted the standard early, most will be doing so on the fly in Q1 2018.
The prior revenue recognition standard was rules-based, while this new revenue recognition standard is principles-based. This was done deliberately as FASB is coordinating this rollout with how revenue is recognized in other parts of the world, specifically International Financial Reporting Standards (IFRS) which are put forth by the International Accounting Standards Board. This was a joint effort to have a one global approach to how companies recognize revenue and the process involves a lot more judgment. Kelly noted, “The good news is that you can exercise a lot more judgment and if you have good judgment you can finesse things to be much more reflective of what's the economics of the deal.”
The new revenue recognition standard is really about a series of performance obligations; what a company is committing to do in delivering a good, delivering a service, or both. Next, has a company fulfilled those performance obligations. Finally, is do these actions give that obligation to a company beyond the contract language? Kelly said, “It's a sweeping standard. The philosophy of when you have a transaction and when you do not, has changed. Different types of industries will be hit by this quite a bit by this new revenue recognition standard but others will not.”
Kelly said this use of more judgment, than rules cuts, both ways. “If your judgment is not sound or if your judgment could be called into question because you have not properly documented your logic and your chain of thought, your organization is opened itself to questioning your judgment much more than might have happened under the old standard. This means a key will be the logic in determining the transaction price.” In addition to the process aspect, there is the document, document, document process which should warm the heart of every compliance practitioner. As the prior revenue recognition standard was rules based, “you went through all the contortions you come to a number that's the number.” Now, as Kelly noted, “it's down to this is our judgment and if our judgment is good and we can document it.”
Kelly also noted the Securities and Exchange Commission (SEC) has gone to great lengths over the past two years at least about this new revenue recognition standard, giving what he termed “gentle nudges and sometimes not gentle nudges to companies that you've got to get on board with this new revenue recognition standard.” The good thing is that while the SEC may well provide a few comment letters, as companies are reporting under the new revenue recognition standards, they will probably not sanction companies for reporting errors for some period of time. Kelly believes, “as long as you are actually trying to embrace the spirit of the new revenue recognition standard” the SEC will not sanction your organization. However, if an organization is “committing accounting fraud you are still going to get nailed.”
Kelly concluding by raising the very interesting question of whether the investor community is ready for this new revenue recognition standard. This may be truer for private equity companies investing in the tech space are the rules around revenue recognition for software companies could be more greatly impacted than other organizations. (We will take up the new revenue recognition standards for software companies in Part 3.) The bottom line is that a wide variety of interests, in a multitude of organizations will be impacted by this new revenue recognition standard; including the compliance profession.
I hope you will join us for our exploration this week. Tomorrow we will ask, and hopefully answer, the question: What is the logic of your transaction price?
In this episode, I visit with Don Fischer, a San Francisco and Washington, based lawyer who is one of the country’s leading practices dedicated to assisting corporations, universities and research institutions with the development of comprehensive Export Control compliance. He has extensive strategic and practical experience in helping implement cost-effective, risk proportionate compliance programs. Fischer has specific export control services include risk assessments, export process development, export licenses (EAR, ITAR and OFAC), Technology Control Plans, Requests for advisory opinions, Voluntary Disclosure investigations, Data security analyses, training and web content development.
In this episode we discuss, the following issues:
-What are export controls?
-Which government agencies regulate exports?
-What's a deemed export?
-Do these requirements only affect defense contractors?
-How do these requirements impact corporations?
-What are the consequences for getting this wrong?
-What are some of the challenges that companies face in becoming compliant?
-What is the best way for a company to implement necessary oversight of an export compliance program, in a cost-effective manner?
It is a fascinating exploring a type of compliance which converges with anti-corruption compliance more and more in the commercial corporation setting.
Don Fischer can be reached at dfischer@fischer-associates.com.
You can check out his law firm by clicking here.
What about the training on your finalized Code of Conduct? While there have been criticisms of Code of Conduct training, if you consider training as one source of your 360-degrees of compliance communications, the rollout of a new or updated Code of Conduct can be an opportunity. This rollout fits directly into the concept of 360-degrees of compliance as rollout is part of both communications and engagement. The delivery of a Code of Conduct is a key element of its effectiveness. By allowing your employees and other stakeholders to engage and interact with the Code of Conduct, through live or interactive training, the effectiveness can be better monitored and measured.
In a white paper, entitled “Top 5 Tips for Effective Code of Conduct Revisions”, Eric Morehead noted that often companies have a formal launch of the Code of Conduct where senior management and the corporate compliance function “conduct on-site activities across the organization to promote the launch of the new Code, or launch interactive activities such as video competitions that ask stakeholders to such submit short videos on Code topics.” However, this is not the sole manner to have such a rollout as other companies “keep the message more informal but use frequent touchpoints, for example, through email or cascading messages through line managers, to keep up the drumbeat on compliance topics and reinforce the role of compliance.” The key is to exploit on the opportunity a new or revised Code of Conduct gives you to communicate in a 360-degree manner on your compliance program.
One of area in 2017 Department of Justice’s Evaluation of Corporate Compliance Programs that articulated a new emphasis was in the effectiveness of training. I think everyone would understand you do need to train but now the government's talking to us about effective training. Begin with live training that can be held at the corporate headquarters with senior management and even executive involvement. Many companies will videotape a message from the CEO to help celebrate the rollout. Then there is the opportunity for localized training that gives employees an opportunity to see, meet, and speak directly with a compliance officer, not an insignificant dynamic in the corporate environment. Such personal training also sends a strong message of commitment to the Code of Conduct. It gives employees the opportunity to interact with the compliance officer by asking questions which are relevant to markets and locations outside the United States, which can often provide employees with the opportunity to have confidential in-person discussions.
An important part of in-person training is the opportunity to interact with the audience through Q&A. There are a couple different approaches to Q&A. The first is to solicit questions from the audience. However, many employees are reluctant, for a variety of different reasons, to raise their hands and ask questions in front of others. This can be overcome by soliciting written questions on cards or note pads. A second technique is to lead the audience through hypothetical examples in which the audience is broken down into small discussion groups (up to five people) to discuss a situation and propose a response. However, with a worldwide, multi thousand-person workforce with multiple languages, an entire Code of Conduct roll-out based on live training may not be feasible.
Not surprisingly, and one of the key themes in compliance, is to understand your company and tailor your compliance program, including your Code of Conduct training, for your audience. Companies have to consider their audience when considering drafting the Code of Conduct, the kind of tone it is going to have, how long it is going to be and topics you are going to cover in the Code of Conduct; the same analysis is true for your training.
Most organizations put together custom training for their Code of Conduct rollout. Live training is generally viewed to be the most effective with online training next in effectiveness. One technique which as gained traction is a modular approach where you might identify 10 key risk areas and train on each in 10 minute segments throughout the year, one per month. This drives engagement and lessons complaints that employees have to take an entire hour for such training.
Another mechanism is more interactive training. When audience members are required to answer questions on an ongoing basis it can foster more engagement. It can also help to meet the DOJ requirement to demonstrate the effectiveness of training. Of course, gamification which is another form of interactivity and it has become more popular over the last few years. It also has the advantage of more favor with millennial members of the workforce.
However, your Code of Conduct training should be an extension of the way you communicate compliance in your organization. If it is divorced from your 360-degrees of compliance communications style, you may well be missing an opportunity to drive better understanding of the Code of Conduct and denigrate the effectiveness of the training. Whatever approach is used, one of the critical factors is the length of time of the training session. Although lawyers and ethics and compliance professionals can (sometimes) sit through a multi-hour Code of Conduct, it is almost impossible to keep the attention of business and operations employees for such a length of time. The presentation and number of PowerPoint slides must be kept to a manageable length before the attendee’s eyes start to glaze over.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, including:
Next is the design of your Code of Conduct. Through attention to detail in the design process, you should be able to come out at the end with a Code of Conduct which will help you to more fully operationalize your compliance program.
You must begin with a determination of what you are trying to accomplish. It does not serve you to try and list every compliance risk you might think your company may encounter. You should determine the values you want to communicate, what the expectations are for employees and how to call the hotline. Under such an approach, a Code of Conduct can be the jumping off point for training on the issues stated in it. The Code of Conduct can also form the hub of the wheel for other policies and procedures and written standards you want to communicate to relevant stakeholders.
You should also consider how you are going to distribute your Code to your employees and stakeholders. If it is through an Adobe .pdf document, which is accessible for most stakeholders across an organization or via another method. If a significant part of your workforce does not have access to computers, online production only will not work as the primary distribution platform.
Values
One conundrum is whether and how to incorporate your ethical values into your Code of Conduct. You can integrate values by incorporating them into your discussion of the risk topics in your Code of Conduct. This aids in your roll out as a topic of interest in discussing your new or revised Code of Conduct. Integrity can be discussed in the context of a non-retaliation policy.
Benchmarking
Another tool is to benchmark other Codes of Conduct. You should consider other companies in your industry, organizations that operate in the same geographic jurisdictions as your organization does and companies with a similar employee size. Consider what they are doing, determine what appeals to you and think about what might work for your organization.
If you have not updated your Code of Conduct for some time, there will probably be new areas that you need to incorporate into the updated version. Two obvious new areas of risk involve social media and cybersecurity. Such an exercise will help with your goal setting at the beginning of the project and allow you to move directly to the drafting of the text.
Drafting and Redrafting
If you are starting from scratch an outline is a good way to go. If you are working from a current version, you may want to go through a few drafts with redlining the text to eliminate confusing language and unnecessary legalization which is meaningless to anyone other than lawyers. An example here is the move from a US-centric focus on the FCPA due to the proliferation of other countries enacting anti-corruption legislation such as the UK Bribery Act and the Brazil Clean Companies Act, Chinese domestic anti-bribery laws and other standards as well.
Operationalizing
Although the Code of Conduct was not specifically mentioned in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs, the over-riding concept of operationalization applies equally to your Code of Conduct drafting or updating exercise. This means you need to consider how are you going to involve the operational areas of your organization in that process, as there is a clear DOJ expectation around your Code of Conduct.
You should engage a focused group tasked with doing redlines of the text. A key is to involve employees from different parts of your company. It is just important to involve people from outside the compliance and legal functions in the process so that you get that buy-in from a wide variety of the corporate business units. This certainly can aid when the time for rollout comes.
Using your business folks to help develop Q&As, examples or scenarios, can help to address common questions from the field and can also be useful in making your Code of Conduct training more effective. Having somebody in operations suggest to you what would be a good example or Q&A because if there are issues the business unit deals with on a daily basis can be most useful. Further there are many different parts of this process where you can include employees into your Code development. This involvement will not only make your Code of Conduct more robust but it will help to further operationalize it by making it more applicable to the business folks. Indeed, the government will probably ask you who, outside the compliance/legal function, was involved and their contributions. (Insert-Document Document Document here!) Getting different perspectives is important but you need to include non-compliance teams early in the process by helping you from the planning phase through drafting and rewriting up to implementation and rollout.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
Next, the evolution of the structure and format of a best practices Code of Conduct. Initially, my experience with Codes of Conduct was that they were written by lawyers, largely for lawyers. This included ‘thou shalts’ and ‘thou shalt nots’ liberally sprinkled throughout a lengthy written document. This was what is now referred to as Code 1.0. The compliance community then evolved Code 2.0, where the writing was less turgid, we moved to more employee friendly language and then somewhere along the line we started putting in hyperlinks and pictures.
There are two factors which a company should consider on the structure of Code of Conduct. The first is to consider how your organization generally communicates, overlaid with the most effective way to communicate with the various stakeholders who will read and use the Code of Conduct. These stakeholders can include such diverse groups as employees, shareholders and third parties on both the sales and supply side of your business. This may require multiple approaches.
The second point involves considering the thinly veiled land of the future of compliance by considering how will your Code of Conduct be viewed and used going forward. A simple example is the switch to mobile devices as a mainstay of corporate communications. Think about how laptops were viewed as the primary vehicle through which most employees and stakeholders interacted with training and resources for many organizations. Now many companies are going to mobile devices. Will you're the format of your Code of Conduct work on those various platforms and perhaps some you have not yet considered?
With a current Adobe .pdf platform for instance, you can have a .pdf document because it is the easiest thing to provide to people who are looking at it on a phone on a PC on a tablet or want to print it out and hold the pieces of paper as it is the most compatible format out there. Also, you can embed some interactivity into a .pdf document. Such technology allows you to add functionality as it becomes available to you.
If your organization is one where communication is more free flowing and there is more free-wheeling internal communications, that should be reflected in your Code of Conduct form. This means if your organization is a startup in Silicon Valley or in a well-known fun-loving organization such as Southwest Airlines; there may well be more playful attitude and a more playful way to communicate Code of Conduct topics. Conversely if you work for a hierarchical energy services company, which communicates in a top down strategy, such playfulness is not appropriate. What you should strive for is a consistent communications strategy. If your employees and other stakeholders are accustomed to receiving communications in a certain style it would appropriate to maintain that style in your Code of Conduct. The key is to consider not just how the internal communication at your company occurs. Consider how does HR ops and marketing and other other corporate disciplines communicate. You should strive for a consistent communication strategy in your Code of Conduct.
Think about the evolution of the Code of Conduct from the type of document that was akin to an annual report to one that now addresses corporate culture. A Code of Conduct must speak to the typical important concepts such as values that define the ethical culture or should define the ethical culture of the company. Some Code of Conducts have been as long as 12,000 to 14,000 words but others can be quite short, only four to five thousand words. It all means there is no set length and the style of writing can vary. But it must ring true with your employees, stakeholder and shareholders.
Be sure to make your Code of Conduct readable. This is beyond simply eliminating legalese. It is writing English at a grade level that is sufficient for your employee population. It may be that an eighth-grade language level is appropriate for your work force. However, if you have a population consisting primarily of professionals, translating it into the appropriate languages it might be appropriate to aim for a higher level of language. Finally, you do not have to say the same thing, in multiple different ways.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
In this episode Richard Lummis and I explore the leadership lessons from the Battle of Hue in Vietnam in 1968. We consider the failures of the American high command, the role of leaders on the ground and the NVA and Viet Cong perspectives, all from the book Hue 1968 by Mark Bowden.
What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in regulator’s face during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?
In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”
In the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual, article, entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”
There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, to providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”
The substance of your Code of Conduct should be tailored your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.
As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands it. The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.
How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be a FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.
The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by failing to not only follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also cost the resignation of Smisek and two high-level executives from United.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
The cornerstone of a best practices compliance program is its written standards. These include a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement and Non-Prosecution Agreement. These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:
Element 1
Standards of Conduct, Policies and Procedures (a Code of Conduct)
An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.
In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”
In each DPA and NPA since that time, the DOJ has said the following as item No. 1 for a minimum best practices compliance program.
Your Code of Conduct, policies and procedures should be grouped under the general classification of written standards, comprising three levels of written standards. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. A second step mandates that every company should have policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.
Best practices now require companies to have additional written standards, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective written standards is to demonstrate that your compliance program is more than just words on a piece of paper.
Policies and Procedures
The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the 2012 FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and procedures are the documents that implement these standards of conduct.
The role of compliance policies is to provide guidance and to protect companies, despite an occasional hick-up. Policies provide a basic set of guidelines for employees to follow. They can include general dos and don'ts, work process flows, specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company cans mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.
While policies are not a guarantee that things will not go sideways, they are a line of defense if they do. The effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating ethically and proactively for the benefit of its stakeholders, its employees and the community it serves. If it is a company subject to the FCPA, it is an international company so that can be quite a wide community.
The 2012 FCPA Guidance ended its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that policies are applied fairly and consistently across your company for if compliance policies are applied inconsistently, there is a greater chance for employee dissatisfaction. This point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.
There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Written policies, signed by employees provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.
In this episode, I visit with Morrison and Foerster partner James Koukios on the Department of Justice (DOJ) new policy regarding Foreign Corrupt Practices Act (FCPA) enforcement. Last week, Deputy Attorney General Rod Rosenstein, in a speech, called it the FCPA Corporate Enforcement Policy and stated that it is now “incorporated into the United States Attorneys’ Manual.” The new Policy has four sections: 9-47.100 Introduction; 9-47.110 Policy Concerning Criminal Investigations and Prosecutions of the Foreign Corrupt Practices Act; 9-47.120 FCPA Corporate Enforcement Policy and 9-47.130 Civil Injunctive Actions.
Koukios is a former DOJer who worked in the FCPA Unit of the Fraud Section at the DOJ. He brings a unique insight into some of the enforcement aspects of the new policy. Koukios highlighted three areas. The first is the creation of a presumption of declination for a self-disclosing, extensively cooperating, remediating and then disgorging any ill-gotten gain, through the mechanism of profit disgorgement. The second was the formalization of the category of declination created under the DOJ’s FCPA Pilot Program of declinations with disgorgement. The third issue raised by Koukios was what he believed was the lack of engagement with the business community over information is might have provided about what was or was not working under prior enforcement regimes; from the international business community perspective. This type of business involvement was used in the development of the 2012 FCPA Guidance, issued by the DOJ and SEC. Koukios felt this would have been a plus.
The cornerstone of any best practices compliance program is written protocols. This includes a code of conduct policies and procedures. These elements have long been memorialized in the U.S. sentencing guidelines. The Department of Justice’s Opinion Releases regarding compliance programs, the 2012 FCPA Guidance, 2017 Evaluation of Corporate Compliance Programs and 2017 FCPA Corporate Enforcement Policy all emphasize this key concept.
There are three levels of standards and controls code of conduct standards and policies and procedures. Every company should have a code of conduct which expresses its ethical principles. But a code of conduct is not enough. In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.
The Department of Justice has presented us with several questions you can ask around your policies and procedures and your code of conduct. For instance, what has been the company's process for designing and implementing the code of conduct and policies and procedures. Other questions include, who has been involved in the design of the code of conduct and policies and procedures have the business units been consulted prior to rolling them out. Another area of inquiry is whether the company has implemented policies and procedures which called out the illegal conduct; has the company assessed what are the policies and procedures have been effectively implemented. Any area for consideration is whether the corporate functions with ownership over the policies and procedures been held accountable for their implementation and oversight. Finally, are they accessible to company employees. How is the company communicated the policies and procedures relevant to bribery and anticorruption compliance programs and how is the company evaluated the usefulness of these policies procedures and code of conduct. These are just some of the questions we will explore throughout the month of December.
We are going to consider the basis for your code of conduct and written standards through a deep dive into the code of conduct, the structure, form design and training on the code of conduct of course with operationalization. The same consideration will be given to policies and procedures; revising policies and procedure. We will conclude with a deep dive into policies that the Department of Justice has mandated you have. This will include gifts travel entertainment charitable donations political contributions internal controls facilitation payments and extortion payments third parties and we're going to have one on cyber security because that's become such an incredibly important topic.
At the end of this month you will have a very detailed grounding on better written standards for your compliance program. You will be able to utilize the information presented to implement a more effective compliance program for your organization.
Three Key Takeaways
This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on compliance training. Look for dates of one of the top compliance related training going forward.
Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories of the week, including:
Deputy Attorney General Rod Rosenstein, in a speech, called it the FCPA Corporate Enforcement Policy and stated that it is now “incorporated into the United States Attorneys’ Manual.” See Tom’s article in the FCPA Compliance Report. See report by Sam Rubenfeld and Henry Cutter in WSJ Risk and Compliance Journal. Also see Matt Kelly’s thoughts in Radical Compliance and those of Doug Cornelius in Compliance Building.