FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Now displaying: Category: Compliance Know-How
Jan 10, 2018

What is the message of compliance inside of a corporation and how is it distributed? In a compliance program, the largest portion of your consumers/customers are your employees. Social media presents some excellent mechanisms to communicate the message of compliance going forward. Many of the applications that we use in our personal communication are free or available at very low cost. Why not take advantage of them and use those same communication tools in your internal compliance marketing efforts going forward?

I visited with Louis Sapirman, Chief Compliance Officer at Dun & Bradstreet (D&B), about the company’s integration of social media into compliance. Sapirman emphasized the tech-savvy nature of the company’s work force. It is not simply about having a younger work force. If your company is in the services business, it probably means an employee base using technological tools to deliver solutions. He also pointed to the data-driven nature of the D&B business, so using technological tools to deliver products and solutions is something the company has been doing for quite a while. This use of technological tools led the company to consider how such techniques could be used internally in disciplines which may not have incorporated them into their repertoires previously.

Not surprisingly, with most any successful corporate initiative, Sapirman said it began at the top of the organization, literally with the company’s Chief Executive Officer, Robert Carrigan. Sapirman noted that the CEO saw the advantage of using social media internally and challenged his senior management team to take a new look at the manner in which their corporate functions were using social media. From there Sapirman and his compliance team saw the advantages of using social media for facilitating a 360-degree approach to communications in compliance. Sapirman comprehended the possibility for use of social media for compliance with those external to the company as well.

Internally Sapirman pointed to a tool called Chatter, which he uses similarly to Twitter users who engage in a Tweet-up. He has created an internal company brand in the compliance space, using the moniker #dotherightthing, which trends in the company’s Chatter environment. He also uses this hashtag when he facilitates a Chatter Jam, which is a real-time social media discussion. He puts his compliance team into the event and they hold it at various times during the day so it can be accessed by D&B employees anywhere in the world.

He said that he seeds each Chatter Jam so that employees are aware of the expectations and engage in the discussion respectfully of others. When D&B began these sessions, he also reminded employees that if they had specific or individual concerns they should bring them to Sapirman directly or through the hotline. However, he does not have to make this admonition any more, as everyone seems to understand the ground rules. Now this seeding only relates to the topics that each Chatter Jam begins with going forward.

One of the concerns lawyers tend to have about the use of social media is with general and specific topics coming up on social media and the ill it may cause the organization. Sapirman believes that while such untoward situations can arise, if you make clear the ground rules about such discussions, these types of issues do not usually arise. That has certainly been the D&B experience.

Each employee uses their own name during these Chatter Jams, so there is employee accountability and transparency as well. Sapirman said they further define each communication through a hashtag so that it can not only be immediately defined but also searched in the archives going forward. He provided the examples of specific regulatory issues and privacy. This branding also enhances the process going forward.

I asked Sapirman if he could point to any specific compliance initiatives that arose during or from these Chatter Jams. Sapirman emphasized that these events allow employees the opportunity to express their opinions about the compliance function and what compliance means to them in their organization. One of these discussions was around the company’s Code of Conduct. He said that employees wanted to see the words “Do The Right Thing” as the name of the Code of Conduct.

I inquired about D&B’s use of social media in connection with their third parties. Sapirman said that the company allows some of them access to its internal Chatter tools to facilitate direct communications. Further, these external contractors can connect with both Sapirman and the company through Twitter. He said that he is consistently communicating to the greater body of customers about the compliance initiatives or compliance reminders on what the D&B compliance function is doing and how it is going about doing them. He believes it is an important communications tool to make sure that he and his team are getting their compliance messages out there.

Both of these initiatives drove home to me three key insights. The first is how compliance, like society, is evolving, in many ways ever faster. As more millennials move into the workforce, the more your employee base will have used social media all their lives. Once upon a time, email was a revelatory innovation. Now if you are not communicating, you are falling behind the 8-ball. Employees expect their employers to act like and treat them as if this is the present day, not 1994 or even 2004.

The second is that these tools can go a long way towards enhancing your compliance program going forward. Recall the declination to prosecute that Morgan Stanley received from the Department of Justice, back in 2012, when one of its Managing Directors had engaged in FCPA violations. One of the reasons cited by the DOJ was 35 email compliance reminders sent over 7 years, which served to bolster the annual FCPA training to the recalcitrant Managing Director. You can use your archived social media communications as evidence that you have continually communicated your company’s expectations around compliance. It is equally important that these expectations are documented (Read – Document, Document, and Document).

Finally, never forget the social part of social media. Social media is a more holistic, multiple-sided communication. Not only are you setting out expectations but also these tools allow you to receive back communications from your employees. The D&B experience around the name change for its Code of Conduct is but one example. You can also see that if you have several concerns expressed it could alert you earlier to begin some detection and move towards prevention in your compliance program.

Three Key Takeaways

  1. Incorporation of social media into your compliance communications can pay off big dividends.
  2. Focus on the ‘social’ part of social media.
  3. Use internal corporate social media to facilitate a 360-degree conversation.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 9, 2018

Today, I visit with Mark Rainsford and Jason Sugarman, principals with RS Legal Strategies, which is a pioneering Queen’s Counsel led business crime, fraud and legal strategy boutique. Its world-class professionals include leading and junior counsel, a solicitor, a former member of the judiciary and special advisor to the Serious Fraud Office, two former investigators, analysts, researchers, tax fraud and compliance specialists. RSL has special expertise in UK DPAs and NPAs and offers Independent Compliance Monitors or Reviewers.

RS Legal Strategies employs former senior UK law enforcement investigators to provide expert analysis and invaluable strategic advice on evidential and disclosure issues. RS Legal Strategies conducts internal investigations into a wide variety of areas including: fraud detection, business and corporate crime, proceeds of crime and money laundering investigations and regulatory compliance.

In 2017, RS Legal Strategies formed a strategic alliance with Affiliated Monitors (AMI). With the complementary experience of the US and UK teams, it allows companies to take a more pro-active approach to addressing ethics and compliance deficiencies comprehensively, and through the efforts of independent advisors, there is a much greater likelihood that a successful outcome and improved practices can be achieved. Through the combination of RS Legal’s experience with UK enforcement actions with AMI’s global ethics and compliance experience, this alliance can significantly increase the likelihood of a corporate client securing a non-prosecution outcome, a Deferred Prosecution Agreement, or other beneficial outcome resulting from ongoing investigations.

Together AMI and RS Legal Strategy offer a unique and compelling vision. Although independent, we would work alongside our client’s lawyers, thus allowing outside and in-house counsel to leverage the exceptional know how from both a UK and USA strategy and compliance consulting perspective.

The interviewees are Mark Rainsford QC, RS Legal Strategies Chairman and Head of Litigation and Jason Sugarman, RS Legal Strategies Managing Director.

Jan 8, 2018

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, which requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….

The DOJ and SEC, in the 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

This was supplemented in the Evaluation of Corporate Compliance Programs with the following:

Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?

Aaron Murphy, Assistant Solicitor General in the Office of the Attorney General for the state of Utah and author of “Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives”, said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

There are four significant controls that I would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

Your DOA should reflect the impact of compliance risk including both transactions and geographic location so that a higher level of approval for matters involving third parties, for fund transfers and invoice payments to countries outside the US would be required inside your company.

Next is the vendor master file, which can be one of the most powerful PREVENTIVE control tools largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Internal controls are needed over the submission, approval, and input of changes to the vendor master file.

Contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts (including, for instance, the commission rate, reimbursement of business expenses, use of subagents, etc.) should be made available to those who process and approve vendor invoices.

All situations involving the movement of cash or transfer of monies outside the US, including such methods as AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans, and advances, should be reviewed from the compliance risk standpoint. This means you need to identify the ways in which a country manager or a sales manager could cause funds to be transferred to their control and conceal the true nature of the use of the funds within the accounting system.

To prevent these types of activities, internal controls need to be in place. All wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA. Wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.

The bottom line is that internal controls are just good financial controls. The internal controls detailed for third party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption. As an exercise, I suggest that you map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist at your organization. This will help you to determine whether adequate compliance internal controls are present in your company. From there you can move to see if they are working in practice or ‘functioning’.

Three Key Takeaways

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. SEC-led FCPA enforcement actions demonstrate the enforcement spotlight on internal controls.

Jan 8, 2018

In this episode, I visit with QuantaVerse CEO/Founder David McLaughlin on the company’s new tool, the Chief Audit Checkup service, which leverages the QuantaVerse AI Financial Crime Platform to analyze enterprise data and more efficiently and effectively identify insider threats, bribery, corruption, money laundering, fraud, terrorism financing and third-party risks that traditional internal audit investigations routinely miss. The Chief Audit Checkup service identifies anomalous data patterns related to both known and not yet identified financial crime typologies. The Chief Audit Checkup service lets organizations see first-hand how AI analysis can improve their audit processes and outcomes.

We discuss what is new about this offering and how it can assist a CCO to manage many risks: AML, ABC, Cyber, Export, Fraud, Third parties. In ABC cases, the old Watergate maxim of ‘follow the money’ applies because the employees have to get the money from somewhere to pay the bribes, and the Chief Audit Executive Checkup service helps a CCO to follow the money. We explore how the Chief Audit Executive Checkup service helps to see down the entire continuum of a transaction, from initial bid to contract signing, and how financial anomalies are presented to the user in the Chief Audit Executive Checkup service.

Finally, we walk through a fascinating FCPA hypothetical on how the Chief Audit Executive Checkup can help a CCO. A compliance team is tasked to audit an international electronics company’s line of business with a central Asian country. The team would manually review 150 travel and expense reports for anomalies, one month’s worth of core accounting system records of financial transfers to/from the central Asian country, and 30 days of vendor payments as they relate to possible FCPA or other insider threat or corruption risk. The internal audit team might identify 1-2 cases in which employees submitted questionable travel expense reports. Using Chief Audit Executive Checkup, the compliance team could leverage AI to examine thousands of combined data points to holistically screen all LOB data related to the central Asian country for known and unknown financial crime red flags truly worthy of their attention.

Jan 7, 2018

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” By using the word “considered”, it is clear that the regulators will take a strong view against a company that does not have a well thought out and articulated set of policies and procedures, all of which are systematically reviewed and updated. Moreover, having policies written out and signed by employees provides what some consider the most vital layer of communication and acts as an internal control. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation for conduct in your company. Procedures are the documents that implement these standards of conduct.

The role of compliance policies is to protect companies, their stakeholders, including employees, third-parties and others, despite an occasional lapse. A company’s compliance policies provide a basic set of guidelines for employees and others to follow. Compliance policies should give general prescriptions and should be supplemented by more specific procedures. By establishing what is and what is not acceptable ethical and compliant behavior, a company helps mitigate the risks posed by employees who might not always make the right ethical choices.

The Evaluation of Corporate Compliance Programs builds upon the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, there are two parts: Design and Accessibility and Operational Integration. Part A has the following components.

Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?

Applicable Policies and Procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight?

The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating, Accessibility – How has the company communicated the policies and procedures relevant to the misconduct to relevant employees and third parties? How has the company evaluated the usefulness of these policies and procedures?

Compliance policies do not guarantee employees will always make the right decision. However, the effective implementation and enforcement of compliance policies demonstrate to the government that a company is operating professionally and ethically for the benefit of its stakeholders, its employees and the community it serves.

There are five general elements to a compliance policy. It should stake out the following:

  • identify who the compliance policy applies to;
  • set out what is the objective of the compliance policy;
  • describe why the compliance policy is required;
  • outline examples of both acceptable and unacceptable behavior under the compliance policy; and
  • lay out the specific consequences for failure to comply with the compliance policy.

The Evaluation mandates there must be communication of your compliance policies and procedures throughout the workforce and relevant stakeholders such as third-parties and business venture partners. Under Part B of Prong 4 is the Operational Integration section with the following components.

Responsibility for Integration – Who has been responsible for integrating policies and procedures? With whom have they consulted (e.g., officers, business segments)? How have they been rolled out (e.g., do compliance personnel assess whether employees understand the policies)?

There are also two specific areas that policies and procedures need to focus on. They are around payments and third parties. They have the following components.

Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

Vendor Management – If vendors had been involved in the misconduct, what was the process for vendor selection and did the vendor in question go through that process?

This means that it is more than simply having appropriate policies and procedures. It is operationalizing them into your compliance program, down to the business unit level. How can you do so? Compliance training is only one type of communication. This is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Another technique can be the posting of FAQs in common areas and virtually. Also, having written compliance policies signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises. Finally, never forget the example of the Morgan Stanley declination where the recalcitrant employee annually signed such certifications. These signed certifications helped Morgan Stanley walk away with a full declination.

The 2012 FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” It is important that compliance policies and procedures are applied fairly and consistently across the organization. The Fair Process Doctrine demonstrates that if compliance policies and procedures are not applied consistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated. This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

Three Key Takeaways

  1. The Code of Conduct, together with written compliance policies and procedures form the backbone of your compliance program.
  2. The DOJ and SEC expect a well-thought out and articulated set of compliance policies and procedures.
  3. The Fair Process Doctrine holds for the application of policies and procedures. 

Jan 6, 2018

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to wave in a regulator’s face during an enforcement action by using it to claim we are an ethical company. Is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What should be the goal in the creation of your company’s Code of Conduct?

In the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission stated, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In the Society for Corporate Compliance and Ethics (SCCE) 2017 Complete Compliance and Ethics Manual, in an article entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz state of your company’s Code of Conduct, “First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.”

There are several purposes which should be communicated in your Code of Conduct. The overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating those requirements, providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s disciplinary procedures should be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your compliance program are ‘Document, Document and Document’. The same is true in communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, have received, read, and understood it. The DOJ expects each company to begin its compliance program with a very publicly announced, very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.

How important is the Code of Conduct? Consider the 2016 SEC enforcement action involving United Airlines, which turned on violation of the company’s Code of Conduct. The breach of the Code of Conduct was determined to be an FCPA internal controls violation. It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The actions of United’s former Chief Executive Officer, Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials by not only failing to follow the United Code of Conduct but also violating it. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement settlement with the Department of Justice, which resulted in a penalty of $2.25 million. The scandal also led to the resignation of Smisek and two high-level executives from United.

Three Key Takeaways

  1. Every formulation of a best practices compliance program starts with a written Code of Conduct.
  2. The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity.
  3. Document, Document, Document your training and communication efforts.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com

Jan 5, 2018

What is the role of a company’s Board of Directors as laid out in the Evaluation of Corporate Compliance Programs? In an area of inquiry entitled “Oversight,” the DOJ asked three basic questions. Under Prong 2, Senior and Middle Management, the Evaluation posed three questions directed at the Board.

  1. What compliance expertise has been available on the board of directors?
  2. Have the board of directors held executive or private sessions with the compliance function?
  3. What types of information has the board of directors examined in their exercise of oversight in the area in which the misconduct occurred?

The new FCPA Corporate Enforcement Policy supplements the above with the following requirement for a Board of Directors in a best practices compliance program, asking what is “the availability of compliance expertise to the board”?

At a general level, these inquiries suggest several structural components for a Board around compliance. They include defining the Board’s role so there is a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities around compliance. The Board must work to foster a culture of compliance risk management so that all stakeholders understand the compliance risks involved and manage such risks accordingly. The Board must incorporate compliance risk management directly into a strategy by overseeing the design and implementation of compliance risk evaluation and analysis. The Board should help to define the company’s appetite for compliance risk so that all stakeholders understand the company’s appetite, or lack thereof, for compliance risk. The Board must oversee the execution of the compliance risk management process by maintaining an approach that is continually monitored and has continuing accountability. Finally, the Board must demand benchmarking through compliance systems which allow for evaluating and modifying the compliance risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to compliance risk management oversight. Initially, it is important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly reports from a company’s Chief Compliance Officer to either the Audit Committee or the Compliance Committee. Your Board should create a Compliance Committee, as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information, the Board can give oversight to any modifications to managing risk that should be implemented.

In addition to the requirement that a Board of Directors have a Compliance Committee, a Board should also have a compliance subject matter expert as a member. Mike Volkov looked at it from both a practical and business perspective stating, “I have witnessed firsthand that companies that have a board member with compliance expertise usually have a more aggressive and effective compliance program. In this situation, a Chief Compliance Officer has to answer to the board for the company’s compliance program, while receiving the resources and support to accomplish compliance tasks.” Roy Snell considered it through the prism of the compliance profession and noted, “the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise.”

There are some specific areas of inquiry by a Board of Directors around compliance. I have adapted 20 questions which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

The comments summarize the most current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Board Compliance Committee

  1. What are the Board Compliance Committee’s responsibilities and what value does it bring to the board?
  2. How can the Board Compliance Committee assist the board to enhance its relationship with management?
  3. What is the role of the Board Compliance Committee?

Part II: Building an Effective Board Compliance Committee

  1. What skill sets does the Board Compliance Committee require?
  2. Who should sit on the Board Compliance Committee?
  3. Who should chair the Board Compliance Committee?

Part III: Directed to the Board of Directors

  1. What is the Board Compliance Committee’s role in building an effective compliance program within the company?
  2. How can a Board Compliance Committee assess potential members and senior leaders of the company’s compliance program?
  3. How long should directors serve on the Board Compliance Committee?
  4. How can the Board Compliance Committee assist in Board succession issues?

Part IV: Enhancing the Board’s Compliance Performance Effectiveness

  1. How can the Board Compliance Committee assist in director development?
  2. How can the Board Compliance Committee help the board chair sharpen the board’s overall performance focus?
  3. What is the Board Compliance Committee’s role in board evaluation and feedback?
  4. What should the Board Compliance Committee do if a director is not performing or not interacting effectively with other directors?
  5. Should the Board Compliance Committee have a role in chair succession?
  6. How can the Board Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees

  1. How can the Board Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?
  2. What is the Board Compliance Committee’s role in CCO succession?
  3. What role can the Board Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?
  4. How can the Board Compliance Committee help the board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

Three Key Takeaways

  1. The DOJ Evaluation of Corporate Compliance Programs requires active Board of Directors engagement around compliance.
  2. Board communication on compliance is a two-way street, both inbound and outbound.
  3. Has the Board built an effective Board Compliance Committee?

Jan 4, 2018

The Evaluation of Corporate Compliance Programs makes clear that a company must have more than simply a good ‘Tone-at-the-Top’; it must move down through the organization from senior management down to middle management and into its lower ranks. This means that one of the tasks is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

Mike Volkov said in an article entitled, “Mood in the Middle Versus Tone at the Top” that “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must find a way to articulate and then drive the message of ethical values and doing business in compliance with anti-corruption laws such as the FCPA from the top down, throughout your organization.

What should the tone in the middle be? What should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top, management and consequently they will take their cues from how middle management responds to a situation. Perhaps most importantly, middle management must listen to the concerns of employees. Even if middle management cannot effect a direct change, it is important that employees have an outlet to express their concerns. Your organization should train middle managers to enhance listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be organizational justice so that people believe they will be treated fairly. If there is organizational justice, it engenders perceived procedural fairness, which makes it more likely an employee will be willing to accept a decision that they may not like or whose end result they disagree with.

Even with a great Tone-At-the-Top and in the middle, you cannot stop. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. One of the things you can do is assemble a compliance focus group to find out how business is done in the field and if it differs from what your company expects from an ethical and compliance perspective. Begin by assembling a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions to discuss the challenges of doing business ethically and in compliance. Ask them questions about their understanding of your compliance regime. Then categorize the answers into the theory and practice of compliance in your company.

From this, test what is real in theory and in practice. You can check and see which employees are promoted more regularly: those who do business ethically and in compliance or those who meet their sales quotas every quarter. After you have internally tested, reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of how your compliance model tested. Lead a discussion that attempts to identify what is different in practice and in theory, and then how you can move from theory to practice to operationalizing compliance. Finally, in the feedback step, test how to more fully operationalize your compliance regime. These tests can be accomplished in the regular course of business or through a special project with a special team and separate budget.

By engaging employees at this level, you can find out not only what the employees think about the company compliance program but also use their collective experience to help design a better and more effective compliance program. Employees want to do business in an ethical manner. Giving them the chance to engage in business the right way, as opposed to cheating, will win the hearts and minds of your employees almost all the time. By using the protocol suggested by the authors, you can not only find out the effect of your company’s compliance program on the employees at the bottom but you can affect them as well.

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of a large, multi-national organization may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalize compliance with them.

Three Key Takeaways

  1. Tone at the top: direct supervisors become the most important influence on people in the company.
  2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
  3. Organizational justice is a further way to help operationalize compliance.

Jan 3, 2018

Under the Evaluation of Corporate Compliance Programs, Prong 2, it states:

  1. Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?

This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as it focuses on the conduct of senior management. The Justice Department wants to see a company’s senior leadership actually doing compliance. The DOJ asks if company leadership has through their words and concrete actions brought the right message of doing business ethically and in compliance to a company. How does senior management model its behavior on a company’s values and finally how is such conduct monitored in an organization?

How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled, “Managing for Organizational Integrity”. Five factors, derived from the article, can be used as guideposts not only to set the right tone from senior management on doing business ethically and in compliance but also to lay the ground for senior management to model appropriate behavior and then have it monitored by the company going forward.

  1. The guiding values of a company must make sense and be clearly communicated by senior management in a variety of settings, to the entire company workforce.
  2. The company’s leader must be personally committed and willing to take action on the values. This means that management must not simply ‘overlook’ the transgressions of top producers.
  3. A company’s systems and structures must support its guiding principles and these internal systems and structures cannot be over-ridden by senior management without both justification and Board approval.
  4. A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions. Sometimes a company must turn down business if there are too many red flags present or if, by engaging in such behavior, the company’s values and ethics will be violated.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis. This means senior management must fully support and back-up such decisions.

David Lawler, in his book, Frequently Asked Questions in Anti-Bribery and Corruption, boiled it down as follows: “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime. I had a CEO of a client who, after I described his role in operationalizing his company’s compliance program, observed the following, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’ to fully model the conduct that senior management must show.

  • Reject a ‘do as I say, not as I do’ mentality;
  • Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
  • Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
  • Appoint and fully resource, with money and headcount, a Chief Compliance Officer;
  • Oversee the development of a Code of Conduct and written compliance program implementing it;
  • Ensure there are compliance metrics on all key business reports;
  • Provide leadership to middle managers to facilitate filtering of the zero-tolerance message down throughout the organization;
  • Not only have a whistleblowing, reporting or speak up channel but celebrate it;
  • Keep talking about doing the right thing;
  • Make sure that you are seen providing your Chief Compliance Officer with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book entitled, “Building a World Class Compliance Program – Best Practices and Strategies for Success”. Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. Inspired by a list from Joe Murphy of actions that a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business, you can do some of the following.

  1. Keep a copy of the Code on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
  2. Give Your CCO Real Authority. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
  3. Hold them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
  4. Reward and Punish. Have both sanctions for violation of company compliance policies and incentives for doing business in a compliant manner.
  5. Walk the Walk. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
  6. Be a Compliance Student. Be seen at intra-company compliance training. Take a one or two-day course or attend a compliance conference outside your organization.
  7. Recognize Compliance at Your Company. You should recognize outstanding compliance efforts with companywide announcements and awards.
  8. Enshrine Compliance at the Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the compliance committee.
  9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Compliance Committee.
  10. Push Compliance into Your Supply Chain. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
  11. Create an Executive Network for Compliance. Talk to other CEOs and senior executives in your industry on how to improve your company’s compliance efforts.

Another way a CEO can forcefully engage an entire company is through a powerful video message about doing business the right way and in compliance. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal became public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with an additional resource, entitled “Manager’s Toolkit – “What does Integrity mean to you?””, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. Finally, as noted by Amy Lilly, Director, Corporate Ethics and Compliance at CenterPoint Energy, the cost for the video was quite reasonable as it was produced internally.

Three Key Takeaways

  1. Senior management must actually do compliance; walk-the-walk, not simply talk-the-talk.
  2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
  3. CEO as Compliance Ambassador.

Jan 2, 2018

Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know about and detect those you do not know about, on an ongoing basis.

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the 2012 FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the 2012 FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this.

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Compliance professionals should be able to say, with some degree of authority, what will happen in the next three months, six months, twelve months, twenty-four months. This can facilitate deploying resources where they think it is appropriate in order to meet these future demands.

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based monitoring are continuously refined based on incoming data.

All three of these tools tie back into process management and process improvement. There is a balance between what is actually important for your business or for proper execution, versus the practical aspects of the whole process. Ben Locwin stated, “If you are not measuring at a high enough resolution, then you are not capturing a lot of the environmental, market forces and external factors that probably are of high leverage to your operations in business that you simply do not know about.”

For example, if there is a one-in-three chance of a compliance failure occurring, and a company knew that in advance, the executive committee would probably stop the activity before there was a compliance failure and possible legal violation. This is how the risk management process can work to fulfill the three prongs of a compliance program: prevent, detect and remediate. You are using your risk forecast and you have a contingency in place, which you execute upon. In other words, it comes down to execution. This means you have to use the risk management tools available to you and, when a situation arises, you remediate when required. This is not only where the rubber hits the road, but the information and data you garner in the execution phase should be fed back into a process loop. From this, you will develop continuous feedback and continuous improvement.

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.

Three Key Takeaways

  1. The risk management process is an important backbone of operationalizing compliance.
  2. You should be able to monitor and measure both known and unknown risks.
  3. All of these steps help a business to run more efficiently and more profitably. 

Dec 31, 2017

2017 was a very significant year for every compliance practitioner and compliance program. The year brought two important documents on compliance programs. It began with the Evaluation of Corporate Compliance Programs (Evaluation) released in February 2017 and ended with the Department of Justice (DOJ) announcing a new Policy regarding Foreign Corrupt Practices Act (FCPA) enforcement in November 2017. Building upon the Ten Hallmarks of an Effective Compliance Program, as first articulated in the 2012 FCPA Guidance, there are now specific points, issues and questions a compliance professional can use to more fully operationalize your compliance program. 

In November 2017, Deputy Attorney General Rod Rosenstein announced the new FCPA Corporate Enforcement Policy. This new Policy incorporated the Ten Hallmarks of an Effective Compliance Program through reference to the 2012 FCPA Resource Guide as continued best practices and added new information on the DOJ’s expectations for more fully operationalizing compliance. The DOJ further incorporated language and concepts from a variety of sources, including the 2016 FCPA Pilot Program and the 2017 Evaluation.

Three Key Takeaways 

  1. 2017 brought two key DOJ documents forward for use by the compliance practitioner, the Evaluation and new FCPA Corporate Enforcement Policy
  2. You must work to more fully operationalize your compliance program
  3. Always remember the three most important things in any compliance program are: Document, Document, and Document

Dec 29, 2017

As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act. The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:

Risk-Based and Integrated Processes – How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party management.

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Step 1 - Business Justification

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. The Business Justification should be completed by the Business Sponsor, who will be the company’s primary business contact with the third-party going forward.

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party.

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses.

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigate third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence required under the FCPA. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner.

Our British compliance cousins of course are subject to the UK Bribery Act. In its Six Principles of an Adequate Procedures compliance program, the UK MOJ stated, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of this principle is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from bribing on their behalf. The MOJ recognized that due diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique.

After you have completed Steps 1-3 and then evaluated and documented your evaluation, you are ready to move on to Step 4 - the contract. In the area of compliance terms and conditions, the 2012 FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption, as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate is warranted.

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If Red Flags have appeared, they must be cleared or you must demonstrate how you will manage the risks identified. In other words, you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise.

Step 5 - Management of the Relationship

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins, and that work is found in Step 5 – the Management of the Relationship. While the work done in Steps 1-4 is absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship.

I continually give my Mantra of compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.

Three Key Takeaways 

  1. Use the full 5-step process for 3rd party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives. 

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Dec 28, 2017

From the information provided by the Justice Department in Opinion Releases and in enforcement actions, there are several different insights which may be drawn on what should go into your policy on facilitation payments:

  1. Size of payment - Is there an outer limit? No, there is no outer limit but there is some line where the perception shifts. If a facilitating payment is over $100 you are arguing from a point of weakness. The presumption of good faith is against you. You might be able to persuade the government at an amount under $100. But anything over this amount and the government may well make further inquiries. So, for instance, the DOJ might say that all facilitation payments should be accumulated together and this would be a pattern and practice of bribery.
  2. What is a routine governmental action? Is the company entitled to this action, has it met all of the requirements to obtain the requested permit, license or action, or is it asking the government official to look the other way on some requirement? Is the company asking the government official to give it a break? The key question here is whether you are entitled to the action otherwise.
  3. Does the seniority of the governmental official matter? This is significant because it changes the presumption of whether something is truly discretionary. The higher the level of the governmental official involved, the greater chance his decision is discretionary.
  4. Does the action have to be non-discretionary? Yes, because if it is discretionary, then a payment made will appear to be obtaining some advantage that is not available to others.
  5. What approvals should be required? A facilitation payment is something that must be done with an appropriate process. The process should be thought through and the decision made by people who are the experts within the company on such matters.
  6. Risk of facilitation payments and third parties? Whatever policy you have, it must be carried over to third parties acting on your behalf or at your direction. If a third party cannot control this issue, the better compliance practice would be to end the business relationship.
  7. How should facilitation payments be recorded? Facilitation payments must be recorded accurately. You should have a category entitled “Facilitation Payments” in your company’s internal accounting system. The labeling should be quite clear and they are critical to any audit trail so recording them is quite significant.
  8. Monitoring programs? There must always be ongoing monitoring programs to review your company’s internal controls, policies and procedures regarding facilitation payments. 

Also remember that the defense of facilitation payments is an exception to the FCPA prohibition against bribery. Any defendant which wishes to avail itself of this exception at trial would have to proffer credible evidence to support its position, but at the end of the day, it would be the trier of fact which would decide. So much like any compliance defense, the exception is only available if you use it at trial and it would be difficult to imagine that any company would want this matter to ever see the light of a courtroom.

If, after answering the above questions, your organization decides it desires to allow facilitation payments, you should draft a policy that permits the company to make Facilitating Payments with (1) prior approval of the Compliance Department, (2) prior approval from Company management, and (3) proper financial recording. It may be difficult to distinguish a legal facilitation payment from a request that could be viewed as an illegal bribe or kickback; therefore, Facilitating Payments should be strictly controlled, and every effort should be made to eliminate or minimize such facilitating payments.

Do not forget that facilitation payments must be accurately shown on the books and records of your company. In all cases the employee who requested permission to make the facilitation payment must be responsible for obtaining all required approvals and forwarding a copy of the approvals and any other relevant supporting documentation as required, so that it is recorded as a facilitation expense in the books and records maintained in a central file. Facilitation payments should not be recorded as consulting fees, entertainment expenses, or other types of expenses that may misrepresent the true nature of the payments.

There may be emergency situations when it will be difficult or impossible for employees to obtain approvals immediately before having to decide whether or not to pay a facilitation payment. If the facilitation payment is made in an emergency, the employee reports the Facilitating Payment to the Compliance Department and explains the emergency as soon as practical after making the facilitation payment.

Three Key Takeaways

  1. What was the amount of the facilitation payment?
  2. Was the action truly routine?
  3. How high up was the government official who received the facilitation payment? Was his or her decision discretionary?

Dec 27, 2017

One of the more confusing areas of the FCPA is in that of facilitation payments. Facilitation payments are small bribes but make no mistake about it, they are bribes. For that reason, many companies feel they are inconsistent with a company culture of doing business ethically and in compliance with laws prohibiting corruption and bribery.  Further, the 2012 FCPA Guidance specifies, “while the payment may qualify as an exception to the FCPA’s anti-bribery provisions, it may violate other laws, both in Foreign Country and elsewhere. In addition, if the payment is not accurately recorded, it could violate the FCPA’s books and records provision.” Finally, the 2012 FCPA Guidance states, “Whether a payment falls within the exception is not dependent on the size of the payment, though size can be telling, as a large payment is more suggestive of corrupt intent to influence a non-routine governmental action. But, like the FCPA’s anti-bribery provisions more generally, the facilitating payments exception focuses on the purpose of the payment rather than its value.” [emphasis in original text]

In addition to these clear statements about whether the FCPA should continue to allow said bribes, you should also consider the administrative nightmare for any international company. The UK Bribery Act does not have any such exception, exemption or defense along the lines of the FCPA facilitation payment exception. This means that even if your company allows facilitation payments, it must exempt out every UK Company or subsidiary from the policy. Further, if your company employs any UK citizens, they are subject to the UK Bribery Act no matter who they work for and where they may work in the world, so they must also be exempted. Finally, if your US Company does business with a UK or other company subject to the UK Bribery Act, you may be prevented contractually from making facilitation payments while working under that customer’s contract. As I said, an administrative nightmare.

Interestingly, one of the clearest statements about facilitation payments comes not from an FCPA case about facilitation payments but from the case of Kay v. Rice, 359 F.3d 738, 750-51 (5th Cir. 2004). This case dealt with whether payment of bribes to obtain a favorable tax ruling was prohibited under the FCPA. In its opinion, the Fifth Circuit commented on the limited nature of the facilitating payments exception when it said:

A brief review of the types of routine governmental actions enumerated by Congress shows how limited Congress wanted to make the grease exceptions. Routine governmental action, for instance, includes “obtaining permits, licenses, or other official documents to qualify a person to do business in a foreign country,” and “scheduling inspections associated with contract performance or inspections related to transit of goods across country.” Therefore, routine governmental action does not include the issuance of every official document or every inspection, but only (1) documentation that qualifies a party to do business and (2) scheduling an inspection—very narrow categories of largely non-discretionary, ministerial activities performed by mid- or low-level foreign functionaries.

Enforcement Actions 

Con-way

The FCPA landscape is littered with companies that sustained FCPA violations due to payments which did not fall into the facilitation payment exception. In 2008, Con-way Inc., a global freight forwarder, paid a $300,000 penalty for making hundreds of relatively small payments to Customs Officials in the Philippines. The payments Con-way was fined for making totaled $244,000 and were made to induce the officials to violate customs regulations, settle customs disputes, and reduce or not enforce otherwise legitimate fines for administrative violations.

Helmerich and Payne

In 2009, Helmerich and Payne, Inc., paid a penalty and disgorgement fee of $1.3 million for payments which were made to secure customs clearances in Argentina and Venezuela. The payments ranged from $2,000 to $5,000 but were not properly recorded and were made to import/export goods that were not within the respective country’s regulations; to import goods that could not lawfully be imported; and to evade higher duties and taxes on the goods.

Panalpina

Finally, there is the Panalpina enforcement action. This matter was partly resolved with the payment by Panalpina and six of its customers of over $257 million in fines and penalties. Panalpina, acting as freight forwarder for its customers, made payments to circumvent import laws, reduce customs duties and tax assessments and to obtain preferential treatment for importing certain equipment into various countries but primarily in West Africa.

Three Key Takeaways

  1. Do not forget the administrative nightmare of facilitation payments for international organizations.
  2. The Kay decision made clear how narrow the ‘routine government action’ exception is.
  3. Facilitation payments will usually be an add-on as they are symptomatic of an ineffective, paper compliance program.

Dec 22, 2017

The original version of the FCPA, enacted in 1977, contained an exception for payments made to non-US officials who performed duties that were “essentially ministerial or clerical”. In 1988 Congress responded by amending the FCPA under the Omnibus Trade and Competitiveness Act to clarify the scope of the FCPA’s prohibitions on bribery, including the scope of permitted facilitation payments. An expanded definition of “routine governmental action” was included in the final version of the bill, reflecting the intent of Congress that the exceptions apply only to the performance of duties listed in the subcategories of the statute and actions of a similar nature. Congress also meant to make clear that “ordinarily and commonly performed actions”, with respect to permits or licenses, would not include those governmental approvals involving an exercise of discretion by a government official where the actions are the functional equivalent of “obtaining or retaining business for, or with, or directing business to, any person”.

The FCPA contains an explicit exception to the bribery prohibition for any “facilitation or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action by a foreign official, political party, or party official”. “Routine governmental action” does not include any decision by a public official to award new business or continue existing business with a particular party. The statute lists examples of what is considered a “routine governmental action” including:

  • obtaining permits, licenses, or other official documents to qualify a person to do business in a country;
  • processing government papers, such as visas or work orders;
  • providing police protection, mail pick-up and delivery, or scheduling inspections associated with contract performance or transit of goods across country;
  • providing phone service, power and water supply, loading and unloading cargo, or protecting perishable products from deterioration; and
  • actions of a similar nature.

There is no monetary threshold for determining when a payment crosses the line between a facilitation payment and a bribe. The accounting provisions of the FCPA require that facilitation payments be accurately reflected in an issuer’s books and records, even if the payment itself is permissible under the anti-bribery provisions of the law.

Risks associated with relying on the “facilitation payments” exception

Facilitation payments carry legal risks even if they are permitted under the anti-bribery laws of a particular country. In the US, enforcement agencies have taken a narrow view of the exception and have successfully prosecuted FCPA violations stemming from payments that could arguably be considered permissible facilitation payments. Violations of the accounting and recordkeeping provisions of the FCPA are also more likely when a company makes facilitation payments. Abroad, countries are increasingly enforcing domestic bribery laws that prohibit such payments. Companies that allow facilitation payments face a slippery slope in educating their employees on the nuances of permissible payments in order to avoid prosecution for prohibited bribes.

1. US enforcement authorities construe the exception narrowly

Other than as discussed above, there is no definitive guidance on circumstances in which the facilitation payments exception applies. There may be less risk of enforcement by US authorities in cases involving bona fide facilitation payments that are made specifically for one of the purposes enumerated in the FCPA. However, companies still face the risk of at least a governmental inquiry to explain the circumstances surrounding the payments, possibly resulting in penalties based on an unanticipated restrictive interpretation of the exception. As noted by the FCPA Professor, the recent Noble Non-Prosecution Agreement noted that the payments made by Noble’s Nigerian customs agent, Panalpina, to facilitate the importation of its rigs into Nigeria did “not constitute facilitation payments for routine governmental actions within the meaning of the FCPA.”

2. Potential non-compliance with the FCPA’s accounting and record-keeping provisions

While the anti-bribery provisions of the FCPA permit facilitation payments, the accounting and recordkeeping provisions of the law nevertheless require companies making such payments to accurately record them in their books and records. Companies or individuals may be reluctant to properly record such payments, as it shows some semblance of impropriety and effectively creates a permanent record of a violation of local law. However, failure to properly record such expenditures may result in prosecution by the Securities and Exchange Commission (SEC) even if the underlying payments themselves are permissible. One example of prosecution resulting from the misreporting of seemingly permissible facilitation payments involves Triton Energy Corporation, which settled an investigation by the SEC involving multiple alleged FCPA violations, including the misrecording of facilitation payments. An Indonesian subsidiary of the company had been making monthly payments, of approximately $1,000, to low-level employees of a state-owned oil company in order to assure the timely processing of monthly crude oil revenues. The SEC did not charge that these payments violated the anti-bribery provisions of the FCPA; however, these payments were misrecorded in corporate books and therefore violated the FCPA’s accounting and recordkeeping provisions. Triton Energy consented to an injunction against future violations of the FCPA and was fined $300,000.

3. Increased enforcement of non-US laws that do not recognize an exception for facilitation payments

While the FCPA and certain other national anti-bribery laws contain exceptions for facilitation payments, such payments typically are considered illegal in the country in which they are made; there is not any country in which facilitation payments to public officials of that country are permitted under the written law of the recipient’s country. Accordingly, even if a particular facilitation payment qualifies for an exception under the FCPA, it nevertheless is likely to constitute a violation of local law, as well as of anti-bribery laws of other countries that also might apply simultaneously, and thus exposes the payer, his employer and/or related parties to prosecution in one or more jurisdictions. While enforcement to date in this area has been limited, increased global attention to corruption makes future action more likely. Countries that are eager to be seen as combating corruption are prosecuting the payment of small bribes with greater frequency.

4. Corporate approaches to facilitation payments may exceed the legitimate scope and applicability of the exception

Businesses still struggle with how to address the facilitation payments exception in their compliance policy and procedures, if the subject is covered at all. Businesses should be wary of allowing employees to decide on their own whether a particular payment is permissible. Unless such payments are barred completely or each payment is subject to pre-approval (which in many cases would be unrealistic (e.g., passport control)), there is always the risk that an employee, agent or other person whose actions may be attributed to the company will make a payment in reliance on the exception when in fact the exception does not apply. In addition, the temptation to improperly record otherwise permissible facilitation payments has been discussed above.

Three Key Takeaways

  1. Many companies still struggle with facilitation payments.
  2. What are the five listed purposes for facilitation payments?
  3. The facilitation payment exception is narrowly construed by both the courts and the Justice Department.

Why are facilitation payments so problematic?

Dec 21, 2017

The FCPA states, “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories. Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories.”

Government policies affect the commercial environment.  A company is subject to legislation and regulation that affects how it conducts its business and generates value for its investors.  Participating in the political process is part of a business strategy to protect a company’s interests.

Most international businesses have a strategy to engage in the political process with a view to the long-term interests of the company and to promote and protect its interests. All political contributions and expenditures on behalf of the Company and management reports on these political contributions and expenditures should be reported to the Board of Directors annually. No political contributions may be made or promised unless written pre-approval has been obtained from the corporate compliance function.

The factors that influence which candidates merit political donations include:

  • Candidate support for key company business and public policy priorities;
  • Candidate voting record and leadership position;
  • Candidate commitment to company’s industry growth, and ability to positively impact its goals; and
  • Company assets or employees in a region or state represented by the candidate.

All political contributions should be made in accordance with all applicable laws and regulations and disclosed as required by law. Any requests for contributions to a political candidate, committee, or party must be addressed to the corporate compliance function and must include an analysis of the four factors above, as well as business justification for the request to support the particular candidate, committee, or party. 

Additionally, no Company funds or other assets may be used for political contributions outside the U.S., unless expressly approved in writing by Government Affairs. A Company employee seeking approval for political contributions outside the U.S. must present Government Affairs, in writing, with all relevant information to allow for a thorough and careful analysis. Among the information required by the compliance function should be:

  • The name of the candidate, committee, or political party;
  • The government agency(ies) with which the candidate is or has been affiliated (e.g., has the candidate served with the Ministry of Interior and in what period of time);
  • The candidate’s position on key issues that affect Company’s business (e.g., human rights, equality, labor laws, unionization, taxes, foreign investment, etc.);
  • The candidate’s voting record on the issues affecting the Company;
  • Whether Company does business with the government entity with which the candidate is seeking a position and the amount of such business in the preceding 24 months;
  • Any pending or recently awarded contracts with the government entity with which the candidate is affiliated or is seeking a position;
  • Any pending or recently awarded contracts overseen or managed by the committee, party, or political entity for which the political contribution is sought; and
  • The business justification for making the political contribution.

Your company policy should prohibit politically exposed persons (PEPs) from exerting pressure or undue influence over your employees, agents, consultants, or representatives to make personal political contributions.

Your policy should prohibit use of your company’s resources or assets, including work time, to support candidates or campaigns personally. In the course of employment, PEPs should be prohibited from engaging in any activity on a company’s behalf that is intended to influence legislation, rulemaking, or governmental policy or engage lobbyists or others to do so, without pre-authorization of the corporate compliance function.

Political contributions shall not be used to disguise a payment that is prohibited by a company’s Code of Conduct, Anti-Corruption Policy, or other policies or procedures.  If your company’s policies prohibit the payment in another form, it should not be made under the guise of a political contribution.  No employee should utilize third parties or their own personal funds to make a payment that cannot be made under a company’s policies and procedures.   

Any exceptions to this policy should only be approved by the CCO, Compliance Oversight Committee or Board of Directors.

Three Key Takeaways

  1. Political candidates are covered by the FCPA.
  2. What is the business purpose for the contribution?
  3. Do not make contributions towards candidates who can award your company business.

Dec 20, 2017

What should your compliance policy and procedures on charitable donations look like? What should you prohibit or even caution against? The starting point is the 2012 FCPA Guidance regarding charitable donations. Your policy should begin by asking the following five initial questions:

  • What is the purpose of the donation?
  • Is the payment consistent with the company’s internal guidelines on charitable giving?
  • Is the payment at the request of a foreign official?
  • Is a foreign official associated with the charity and, if so, can the foreign official make decisions regarding your business in that country?
  • Is the payment conditioned upon receiving business or other benefits?

There are additional inquiries based upon the DOJ Opinion Releases issued regarding charitable donations. Some of the protections a company can put in place to comply with the FCPA regarding charitable donations are as follows:

  • Will the donation recipients certify that they or the entity will comply with the requirements of the FCPA;
  • Will the recipient provide audited financial statements;
  • Will the recipient restrict the use of the donated funds to humanitarian or charitable purposes only;
  • Will the funds be transferred to a valid bank account; and
  • Will the recipients allow ongoing auditing and monitoring of the efficacy of the charitable donation program.

Based upon the Schering-Plough and Lilly SEC enforcement actions, there are some additional inquiries that should be specified:

  1. What was the timing of the charitable donation or promise to make a donation in relation to the obtaining or retaining of business?
  2. Did the company follow its normal protocol for requesting, reviewing and making a charitable donation or is there a pattern of unusual donations outside the protocol?
  3. Did any one person make multiple donations just below their authority level so that it did not have to go up the line for review?
  4. Was the total amount donated to one charitable foundation out of proportion to the rest of the country or region’s charitable donation budget?
  5. Did the sales in one area, region or country spike after a pattern of charitable donations?

The information on the red flags from the prior Opinion Releases and the best practices, as set out in the 2012 FCPA Guidance, has been available for some time. From the Schering-Plough and Lilly enforcement actions, your policy should consider the timing of charitable donations to see if they are at or near the time of the awarding of new or continued business. Finally, in managing the relationship, you now need to look at overall increases in sales to determine if they are tied to a pattern of charitable donations. By looking at the timing and quantum of charitable donations, internal audit may be able to ascertain that a spike in sales is tied to corrupt conduct.

Three Key Takeaways

  1. What are the basic inquiries to make around charitable donations?
  2. Use all of the communication tools the DOJ has provided; written guidance, enforcement actions and Opinion Releases to inform your charitable donation policy.
  3. Document, Document, and Document the basis of your charitable donations risk assessment.

Dec 20, 2017

In this episode, Matt Kelly and I take a deep dive into a report from the Financial Stability Oversight Council on the cybersecurity risk of third party technology providers in the financial industry. We discuss some of the specific risks and recommendations laid out in the report. We use this as a jumping off point to explore how such issues are becoming more and more the purview of the compliance practitioner. Some of the solutions Matt discusses are directly in the wheelhouse of the compliance professional. Finally we note the potential for more regulatory scrutiny from both the SEC and PCAOB going forward into 2018.

For additional information on this topic, see some of Matt’s writings in this area:

Feds Eye Cybersecurity Risks of Tech Providers

The Fine Art of Scoping a SOC 2 Audit

NIST Standards and Why They Matter

Dec 19, 2017

Opinion Releases can provide valuable information for the compliance practitioner. I agree with the statement found in the 2012 FCPA Guidance that “DOJ’s opinion procedure is a valuable mechanism for companies and individuals to determine whether proposed conduct would be prosecuted by DOJ under the FCPA. Generally speaking, under the opinion procedure process, parties submit information to DOJ, after which DOJ issues an opinion about whether the proposed conduct falls within its enforcement policy.” 

In the areas of charitable donations, the DOJ has provided several Opinion Releases which give solid guidance on this tricky issue. There have been four Opinion Releases in the area of charitable donations under the FCPA. In each Opinion Release, the DOJ indicated that it would not initiate prosecutions based upon the fact scenarios presented to it.

95-01

This request was from a US-based energy company that planned to operate a plant in South Asia, in an area where there were no medical facilities available. The energy company planned to donate $10 million for equipment and other costs to a medical complex that was under construction nearby. The donation would be made through a US charitable organization and a South Asian LLC.

The energy company stated it would do three things with respect to this donation.

  1. Before releasing funds, the energy company said it would require certifications from the officers of all entities involved that none of the funds would be used in violation of the FCPA.
  2. It would ensure that none of the persons employed by the charity or the LLC were affiliated with the foreign government.
  3. The energy company would require audited financial reports detailing the disposition of the funds.

97-02

This request was from a US based utility company that planned to operate a plant in Asia, in an area where there was no primary-level school. The utility company planned to donate $100,000 for construction and other costs to a government entity that proposed to build an elementary school nearby. Before releasing funds, the utility company said it would require certain guarantees from the government entity regarding the project, including that the funds would be used exclusively for the school. 

06-01

This request was from a Delaware company doing business in Africa. The company desired to initiate a pilot project under which it would contribute $25,000 to the Ministry of Finance in the country to improve local enforcement of anti-counterfeiting laws. The contribution would fund incentive awards to local customs officials, which were needed because this African country was a major transit point for illicit trade and the local customs officials had no incentive to prevent the contraband.

The company said that along with the contribution, it would execute an agreement with the Ministry to encourage exchange of information and establish procedures and criteria for incentive awards. The company said that if the program was successful, the awards would continue to be funded as needed, and the company would seek the participation of its competitors in this program.

The company would implement at least five safeguards to ensure the funds would be used as intended, including:

  1. Payments to a valid government account, subject to internal audits.
  2. Payments only upon the confirmation that goods seized were in fact counterfeit.
  3. The Ministry would identify award candidates without input from the company and would provide evidence that funds were used properly.
  4. The company would monitor the program’s effectiveness.
  5. Records will be required to be kept and be available for inspection for a period of time. 

10-02 

A US Company desired to move from a charitable entity model to a for-profit model in the area of micro-financing. To do so it was required to make a large cash donation to a charity in the country in question. The company engaged in three rounds of due diligence in which it determined that the most favorable candidate had a government official on its Board of Directors but that under the laws of the country in question, the government official could not receive compensation to sit as a Board member. After initially listing the 3 levels of due diligence in which the company had engaged prior to finalizing its choice of local entity to receive the donation, the DOJ noted that the donation ‘requested’ of the US Company would be subject to the following controls:

  1. Payments of the donations would be staggered over a period of eight quarters rather than in one lump sum.
  2. Ongoing monitoring and auditing of the funds’ use for a period of five years.
  3. The donations would be specifically utilized for the building of infrastructure.
  4. The funds could not be transferred to either the charity’s parent or any other affiliated entity.
  5. The funds would not be paid to the parent of the organization receiving the grant and there was an absolute prohibition on compensating Board Members.
  6. The proposed grant agreement under which the funds would be donated had significant anti-corruption provisions which included a requirement that the local organization receiving the funds adopt an anti-corruption policy and that the company making the donation shall receive full access to the local organization’s books and records.
  7. Right to terminate the agreement and recall the funds if evidence was found that “reasonably suggests” a breach of compliance provisions. 

Mendelsohn Guidance 

Dick Cassin, writing in the FCPA Blog, in a posting entitled “When is Charity a Bribe?”, cited the then Deputy Chief of the Criminal Division’s Fraud Section at the DOJ, Mark Mendelsohn. Mendelsohn was asked about the guidelines regarding requests for charitable giving and the FCPA and said that any such request must be evaluated on its own merits. He advocated a “common sense” approach in identifying and clearing Red Flags. Some of the areas of inquiry would include answers to the following questions.

  1. Is there a nexus between the charity and any government entity from which the company is seeking a decision?
  2. If the governmental decision-maker holds a position at the charity, that's a red flag.
  3. Is the donation consistent with the company's overall pattern of charitable donations?
  4. If one donation or a series of them is more than the company has made to any other charity in the past five years, that would also be a red flag.
  5. Who made the request for the donation and how was that request made? 

Three Key Takeaways

  1. You can utilize the Opinion Release process for a wide variety of issues.
  2. You must manage your charitable donations program even after the money has been donated.
  3. Never forget the Mendelsohn common sense approach to charitable donations.


Dec 18, 2017

When is a rose not a rose? When it is a charitable donation not made for philanthropic purposes and violates the FCPA. This was a feature of the Eli Lilly and Company (Lilly) FCPA enforcement action brought by the Securities and Exchange Commission in 2012, involving a bribery scheme utilized by Lilly in Poland. The scheme and FCPA violations mirrored an earlier FCPA enforcement action, also brought by the SEC as a civil matter, rather than by the Department of Justice as a criminal matter, against another US entity, Schering-Plough, for making charitable donations in Poland which violated the FCPA. One of the remarkable things about both of these enforcement actions, brought almost eight years apart, was that they involved improper payments to the same Polish charitable foundation to wrongfully influence the same Polish government official to purchase products from both of these companies.

The Bribery Schemes

Both companies were involved in negotiations for the sale of products with the Director of the Silesian Health Fund (Health Fund). He had also established a charitable foundation, the Chudow Foundation to engage in restoration of ancient castles in Poland. Both companies made donations to the Chudow Foundation at or near the time decisions were made regarding the purchase of their respective products by the Health Fund. The FCPA books and records violations for the donations stated that they were all mischaracterized on the respective company’s books. The donations were made by each company with the description for the donations as follows:

Although all of these donations were approved by a team within Lilly, the “Medical Grant Committee [MGC]”, who reviewed the requests for such donations, the MGC’s approval was “largely based on the justification and description in the submitted paperwork.” While Requests 1 & 2 may have had tangential value to the stated purpose of the Chudow Foundation to restore castles in Poland, even Request 3 was clearly a quid pro quo as an action to obtain business. Just as clearly, ‘rental of castle’ is not a charitable donation but an expenditure. Even with that understanding, the SEC Complaint noted that Lilly held no conferences at any castles, so it was an outright misrepresentation.

The Schering-Plough SEC Complaint noted that the company Manager involved in the payment scheme, “provided false medical justifications for most of the payments on the documents that he submitted to the company’s finance department.” Additionally, he structured the payments so that they were at or below his approval limit so that he did not have to ask for permission to make the improper payments. The Manager in question viewed the donations as “dues that were required to be paid for assistance from the Director.”

The Red Flags for Charitable Donation

A. Schering-Plough

What were the factors which should become red flags for the review of charitable donations under the FCPA? The Schering-Plough SEC Complaint listed several items which it deemed indicia of red flags.

  1. No due diligence. The first is that no due diligence was performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.
  2. Donations not related to health care. While the company permitted donations to healthcare related programs there was no follow up to determine the purposes or uses of the donated funds.
  3. Outside normal range of donation. The next red flag was that the donations made to this single charitable foundation were approximately 40% of the company’s promotional budget in 2000 and 20% in 2001.
  4. Disproportionate sales. The company’s sales increased disproportionately compared with its own sales of the same products in other areas of Poland. Up to 53% of one product was sold in the region run by the Director of the Silesian Health Fund.

B. Lilly

The Lilly SEC Complaint listed several items which it deemed indicia of red flags.

  1. No due diligence. Once again there was no due diligence performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.
  2. Donations not related to health care. Unlike Schering-Plough, the reasons listed for the charitable donations did not relate to health care. Moreover, they were approved by a Lilly committee specifically tasked with reviewing such requests, which failed to investigate beyond the submitted paperwork, which was apparently not correct.
  3. Outside normal range of donation. The SEC Complaint quoted an email from a Lilly manager who said that he had decided to commit 70-75% of the [charitable donation] budget and the Director of the Silesian Health Fund was given a “free hand to manage the Lilly investment, emphasizing the fact we only doing this for him…”
  4. Suspicious Timing. The donations were made at or near the time that decisions on the purchase of Lilly products were made by the Director of the Silesian Health Fund. One donation was made two days after the Director of the Silesian Health Fund agreed to make a purchase of Lilly products.

Here Lilly used charitable donations to a charitable foundation which was, as stated in the SEC Complaint, “founded and administered by the head of one of the regional government health authorities at the same time that the subsidiary was seeking the official’s support for placing Lilly drugs on the government reimbursement list.” There was a total of eight payments made to the charitable foundation. In addition to the charitable donations made, Lilly “falsely characterized the proposed payments”. Lilly had a group which reviewed the request for such donations called the “Medical Grant Committee [MGC]” which approved the payments “largely based on the justification and description in the submitted paperwork.”

Three Key Takeaways

  1. Every compliance practitioner should study both the Lilly and Schering-Plough enforcement actions.
  2. What is the purpose of the charitable entity you are making a donation to?
  3. Document, Document, Document your due diligence around donees.


Dec 18, 2017

In this episode, I visit with Brian Platz who discusses blockchain and his new company Fluree, a new Public Benefit Corporation that has introduced a scalable blockchain database for decentralized applications. Fluree is not healthcare specific, but there is a lot of potential for blockchain. 

In this podcast interview we covered the following:

  • What is a scalable blockchain database and why is it important?
  • What are some of the healthcare use cases for Fluree?
  • Transparency and consensus as key attributes of blockchain. Does that contradict healthcare’s needs for privacy and security?
  • Who will leverage this technology in healthcare? What are its uses in the broader compliance context?
  • What impact will healthcare consumers and patients see as a result of Fluree?
  • Fluree organized as a Public Benefit Corporation. What does that mean for the company going forward?
Dec 15, 2017

 

Opinion Releases

Prior to the 2012 FCPA Guidance, the Justice Department issued two 2007 Opinion Releases which offered guidance to companies considering whether to, and if so how to, incur travel and lodging expenses for government officials. Both Opinion Releases laid out the specific representations made to the DOJ, which led the Department to approve the travel to the US by the foreign governmental officials. These facts provided strong guidance to any company which seeks to bring such governmental officials to the US for a legitimate business purpose. In Opinion Release 07-01, the Company desired to cover the domestic expenses for a trip to the US for a six-person delegation of the government of an Asian country for an educational and promotional tour of one of the requestor's US operations sites. In Opinion Release 07-01 the representations made to the DOJ were as follows:

  • A legal opinion from an established US law firm, with offices in the foreign country, stating that the payment of expenses by the US Company for the travel of the foreign governmental representatives did not violate the laws of the country involved;
  • The US Company did not select the foreign governmental officials who would come to the US for the training program;
  • The delegates who came to the US did not have direct authority over the decisions relating to the US Company’s products or services;
  • The US Company would not pay the expenses of anyone other than the selected official;
  • The officials would not receive any entertainment, other than room and board from the US Company;
  • All expenses incurred by the US Company would be accurately reflected in this Company’s books and records.

The response from the DOJ stated: “Based upon all of the facts and circumstances, as represented by the requestor, the Department does not presently intend to take any enforcement action with respect to the proposal described in this request. This is because, based on the requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the requestor's] products or services."”

In Opinion Release 07-02 the Company desired to pay certain domestic expenses for a trip within the US by approximately six junior to mid-level officials of a foreign government for an educational program at the Requestor's US headquarters prior to the delegates’ attendance at an annual six-week long internship program for foreign insurance regulators sponsored by the National Association of Insurance Commissioners (NAIC).

In Opinion Release 07-02 the representations made to the DOJ were as follows:

  • The US Company would not pay the travel expenses or fees for participation in the NAIC program.
  • The US Company had no “non-routine” business in front of the foreign governmental agency.
  • The routine business it did have before the foreign governmental agency was guided by administrative rules with identified standards.
  • The US Company would not select the delegates for the training program.
  • The US Company would only host the delegates and not their families.
  • The US Company would pay all costs incurred directly to the US service providers and only a modest daily minimum to the foreign governmental officials based upon a properly presented receipt.
  • Any souvenirs presented would be of modest value, with the US Company’s logo.
  • There would be one four-hour sightseeing trip in the city where the US Company is located.
  • The total expenses of the trip are reasonable for such a trip and the training which would be provided at the home offices of the US Company.

As with Opinion Release 07-01, the DOJ ended this Opinion Release by stating, “Based upon all of the facts and circumstances, as represented by the Requestor, the Department does not presently intend to take any enforcement action with respect to the planned educational program and proposed payments described in this request. This is because, based on the Requestor's representations, consistent with the FCPA's promotional expenses affirmative defense, the expenses contemplated are reasonable under the circumstances and directly relate to "the promotion, demonstration, or explanation of [the Requestor's] products or services."”

Travel and Lodging for Governmental Officials

What can one glean from these two 2007 Opinion Releases? Based upon them, a US company can bring foreign officials into the US for legitimate business purposes. A key component is that the guidelines are clearly articulated in a compliance policy. Based upon Opinion Releases 07-01 and 07-02, the following should be incorporated into a compliance policy regarding travel and lodging:

  • Any reimbursement for air fare will be for economy class.
  • Do not select the particular officials who will travel. That decision will be made solely by the foreign government.
  • Only host the designated officials and not their spouses or family members.
  • Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.
  • Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.
  • Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.
  • The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

Incorporation of these concepts into a compliance program is a good first step towards preventing any FCPA violations from arising, but it must be emphasized that they are only a first step. These guidelines must be coupled with active training of all personnel, not only on the compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and entertainment. Lastly, it is imperative that all such gifts and entertainment are properly recorded, as required by the books and records component of the FCPA.

The 2012 FCPA Guidance does specify some examples of improper travel and entertainment:

  • $12,000 birthday trip for a government decision maker from Mexico that included visits to wineries and dinners;
  • $10,000 spent on dinners, drinks, and entertainment for a government official;
  • A trip to Italy for eight Iraqi government officials that consisted primarily of sightseeing and included $1,000 in “pocket money” for each official;
  • A trip to Paris for a government official and his wife that consisted primarily of touring activities via a chauffeur-driven vehicle.

However, you can use the matter as a good reason to review not only your company’s procedures but to test to determine if they are being followed or if there are issues which you might need to take a closer look at. When a Wal-Mart, News Corp or GSK is in the news for alleged FCPA violations, it provides you a good reminder to review your compliance program.  

Three Key Takeaways

  1. Gifts and business entertainment continue to plague companies for compliance violations.
  2. The key is not the amount but having a policy and procedure and following it.
  3. Always remember to record gifts and business entertainment expenses correctly.

Payment for travel expenses is appropriate if there is a legitimate business purpose.


Dec 15, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this concluding episode, we consider what it all means.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction;

Part 2: What is the logic of your transaction price?;

Part 3: Shaking up software revenue recognition;

Part 4: Auditors need to pay attention; and

Part 5: What does it all mean for compliance (and everyone else)?

As you might expect from the Compliance Evangelist, I see most issues through the lens of a compliance practitioner. A key reason this is so important in the compliance area is because the internal controls over financial reporting involved in implementing this new standard are critical to effective implementation. The Securities and Exchange Commission (SEC) has said explicitly in several public statements, and through their early comment letters on disclosures made in advance of implementation, that companies must inform the SEC about the accounting policies that they are changing, and how this new standard will affect a company’s accounting processes, and finally how those effects are going to be managed. This makes it clear to me that this is really a compliance issue.

Moreover, the SEC has indicated that these disclosures are central to the new revenue recognition standard. This is because if a company has some sort of failure in their disclosures for an accounting standard, they are treated under Sarbanes-Oxley (SOX) Section 302 of the SEC rules, and that has a level of significance or liability which is much lower than the liability that a company might face under SOX Section 404, which has to do with the actual internal controls over financial reporting. While disclosure of internal controls might not typically bring Section 404 scrutiny, under the new revenue recognition standard, they may now do so. Kelly stated, the SEC has made it “clear that it will be watching this first year of financial statements under the new standard closely.”

This new revenue recognition standard intertwines two concepts. The first is the convergence and overlap between the compliance profession, compliance programs and compliance practitioners with internal controls. While largely seen as financial in nature, compliance internal controls are in place to both detect and prevent. Now compliance internal controls can also be used to gather the information which will be presented to auditors under the new revenue recognition standard. Many professionals are focused on the new revenue recognition from the auditing and implementation perspective. However, if you are a Chief Compliance Officer (CCO), you might want to go down the hall and have a cup of coffee with your Chief Financial Officer (CFO) and find out what internal controls might be changing or that they might be adding and consider how that will impact compliance in your organization.

The second concept is the continued operationalization of compliance. During my tenure in compliance, you rarely heard a CCO consider revenue recognition as a compliance related issue. By going into detail, we have shown how this new revenue recognition standard can change the manner in which a company might recognize revenue, leading to a greater risk of the obfuscation of payments for bribery by corrupt employees. This means as a CCO you must not only be aware of the risk to manage it but you also must take active steps to mitigate against it. 

Kelly believes this new revenue recognition standard means a lot of work for probably the next 12 months; particularly in the next six months or so, from the end of this year until about May or June 2018. This is when most large companies publish their first annual reports, under the new revenue recognition rule. It is difficult to say how many companies will go through all of this to find that actually their numbers will not change to any material amount. However, for many companies, they may not be able to quantify it but their internal mechanisms are going to get a lot more scrutiny. There will be pressure on the internal financial controls and processes to determine how a business is justifying what is being audited and reported to investors.

Kelly concluded by adding that, at the end of the day, “revenue recognition is a financial process. It is a financial issue. This standard really gets to how are you justifying the process of putting forth these numbers. It is about documenting your judgment. It is about making sure the processes you use are full and complete and sound. Who is the one who makes sure that people understand what the process is the process is well thought out and correct and sturdy.”

Matt and I are preparing a white paper based upon our writings on revenue recognition and this podcast series. It will be available through JDSupra when released.

Dec 14, 2017

If one were to reflect upon the providing of gifts and business entertainment to foreign governmental officials, one might reasonably conclude that after 40 years of the FCPA, companies might follow its prescriptions regarding gifts and business entertainment. However, there have been some notable FCPA enforcement actions in this area.

The 2012 Guidance clearly stated the FCPA does not ban gifts and entertainment. Indeed, the Guidance specified that “A small gift or token of esteem or gratitude is often an appropriate way for business people to display respect for each other. Some hallmarks of appropriate gift-giving are when the gift is given openly and transparently, properly recorded in the giver’s books and records, provided only to reflect esteem or gratitude, and permitted under local law. Items of nominal value, such as cab fare, reasonable meals and entertainment expenses, or company promotional items, are unlikely to improperly influence an official, and, as a result, are not, without more, items that have resulted in enforcement action by DOJ or SEC.”

What does the FCPA Itself Say? 

While prohibiting payment of any money, or thing of value, to foreign officials to obtain or retain business, the FCPA arguably permits incurring certain expenses on behalf of these same officials. There is no de minimis provision. The presentation of a gift or business entertainment expense can constitute a violation of the FCPA if this is coupled with the corrupt intent to obtain or retain business. Under the FCPA, the following affirmative defense regarding the payment of expenses exists:

[it] shall be an affirmative defense [that] the payment, gift, offer or promise of anything of value that was made, was a reasonable and bona fide expenditure, such as travel and lodging expenses, incurred by or on behalf of a foreign official, party, party official, or candidate and was directly related to…the promotion, demonstration, or explanation of products or services; or…the execution or performance of a contract with a foreign government or agency thereof. 

As with most matters under the FCPA, there is little direct guidance on what conduct may step over the line set out above. Of course, there is always the gut check test, which simply measures “if it feels wrong in your gut, it probably is wrong”. It is something good to always keep in mind in any circumstance.

Opinion Releases 

Somewhat surprisingly, there are not any recent DOJ Opinion Releases from the past 10 years dealing with the values for gifts and business entertainment under the FCPA. However, there are three Opinion Releases from the early 1980s which can provide some guidance to current practitioners.

In Opinion Release 82-01, the DOJ approved the gift of cheese samples made to Mexican governmental officials, by the Department of Agriculture of the State of Missouri to promote the state of Missouri’s agricultural products. However, the value of the cheese to be presented was not included in the Opinion Release. In Opinion Release 81-02, the DOJ approved a gift of its packaged beef products from the Iowa Beef Packers, Inc to officials from the Soviet Ministry of Foreign Trade. The total value of all the samples presented was estimated to be less than $2,000 and the Iowa Beef Packers, Inc averred that the individual sample packages would not exceed $250 in value.

The final Opinion Release relating to gifts is 81-01. In this release, Bechtel sought approval to use the SGV Group, a multinational organization headquartered in the Republic of the Philippines and comprised of separate member firms in ten Asian nations and Saudi Arabia, which provide auditing, management consulting, project management and tax advisory services. The SGV Group desired to solicit business on behalf of Bechtel who had proposed to reimburse the SGV Group for gift expenses incurred in this business solicitation. Regarding the reimbursement of gift expenses by Bechtel to the SGV Group the DOJ stated:

(d) Expenses for gifts or tangible objects of any kind incurred without Bechtel's prior written approval will be reimbursed only where such expenditures are permitted under the local laws, the ceremonial value of the item exceeds its intrinsic value, the cost of the gift does not exceed $500 per person, and the expense is commensurate with the legitimate and generally accepted local custom for such expenses by private business persons in the country.

Policies and Procedures for Gifts and Business Entertainment

 Gifts to Governmental Officials 

Based upon the FCPA language and relevant Opinion Releases and allowing for inflation over the past 30 years, it would appear reasonable that a Company can provide gifts up to a value of $500. Below are the guidelines which the Opinion Releases would suggest incorporating into a compliance policy regarding gifts:

  • The gift should be provided as a token of esteem, courtesy or in return for hospitality.
  • The gift should be of nominal value but in no case greater than $500.
  • No gifts in cash.
  • The gift shall be permitted under both local law and the guidelines of the employer/governmental agency.
  • The gift should be of a value which is customary for the country involved and appropriate for the occasion.
  • The gift should be for official use rather than personal use.
  • The gift should showcase the company’s products or contain the company logo.
  • The gift should be presented openly with complete transparency.
  • The expense for the gift should be correctly recorded on the company’s books and records.

Business Entertainment of Governmental Officials 

Based upon FCPA language (there are no Opinion Releases on this point), there is no threshold that a Company can establish as a value for business entertainment. However, I believe there are clear guidelines which should be incorporated into your business expenditure policy, which should include the following:

  • A reasonable balance must exist for bona fide business entertainment during an official business trip.
  • All business entertainment expenses must be reasonable.
  • The business entertainment expenses must be permitted under (1) local law and (2) customer guidelines.
  • The business entertainment expense must be commensurate with local custom and practice.
  • The business entertainment expense must avoid the appearance of impropriety.
  • The business entertainment expense must be supported by appropriate documentation and properly recorded on the company’s books and records.

The incorporation of these concepts into a compliance policy is a good first step towards preventing potential violations from arising, but it must be emphasized that they are only a first step. There must be procedures to implement these policies. At a minimum, you must require a business justification from the business representative requesting to provide the gift or business entertainment. Next it should be reviewed and approved by a front-line compliance professional. Then, depending on the amount and nature of the request, it may need CCO approval. Finally, if there is a Compliance Oversight Committee it should go to that Committee for a final check to make sure everything is in order.

These guidelines must be coupled with active training of all personnel, not only on a company’s compliance policy, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts and business entertainment. Lastly, it is imperative that all such gifts and business entertainment be properly recorded, as required by the books and records component of the FCPA.  

And, as always, do not forget the gut check test.

Three Key Takeaways

  1. Gifts and business entertainment continue to plague companies for compliance violations.
  2. The key is not the amount but having a policy and procedure and following it.
  3. Always remember to record gifts and business entertainment expenses correctly.

There continue to be significant FCPA enforcement actions around the area of gifts. 

This month’s sponsor is the Doing Compliance Master Class. In 2018 I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Dec 14, 2017

In May 2014, the Financial Accounting Standards Board (FASB) issued Accounting Standards Update No. 2014-09, Revenue from Contracts with Customers (Topic 606) for public business entities, certain not-for-profit entities, and certain employee benefit plans. It becomes effective for public entities for annual reporting periods beginning after December 15, 2017. In addition to changing things dramatically in the accounting and financial realms, this new revenue recognition standard may significantly impact the compliance profession, compliance programs and compliance practitioners going forward. In this episode, we consider auditors and the new revenue recognition standard, including disclosures, the ICFR and PCAOB guidance on the new revenue recognition standard.

Matt Kelly and I have put together a five-part podcast series where we explore implications of this new revenue recognition standard. Each podcast is short, 11-13 minutes and deals with one topic on the new revenue recognition standard. The schedule for this week is:

Part 1: Introduction;

Part 2: What is the logic of your transaction price?;

Part 3: Shaking up software revenue recognition;

Part 4: Auditors need to pay attention; and

Part 5: What does it all mean for compliance (and everyone else)?

Kelly identified three areas where he sees immediate auditor impact. The first is that the audit firms’ regulator, the Public Company Accounting Oversight Board (PCAOB) has clearly communicated to auditors they must pay attention to this new revenue recognition standard. One of the clear themes throughout this podcast series has been the increased amount of judgment which will come into these calculations going forward. This means companies will need to have more complete documentation which can then be reviewed and tested by their auditors. Add to this PCAOB auditing standards and there may well be a time for some sorting out of what will be required going forward.

Secondly, with this new emphasis on judgment, auditors will have a renewed emphasis on fraud detection. There may be some incentives for sales executives to manipulate the numbers a bit or to close the deal more quickly to hit a bonus. Such pressure could transgress into fraud and as Kelly noted “auditors will be looking more closely at fraud risk because there could well be circumstances where sales commissions could be higher because of the new revenue standard; that would let some firms recognize more of a transaction more quickly.” Finally, Kelly also noted the International Controls for Financial Reporting will have renewed focus from auditing firms.

Kelly pointed to the straightforward issue of whether a contract exists and then posed some of the questions auditors may be asking going forward: How do we know the organization’s contracts are complete and accurate? How does a company demonstrate its contract management system has not been tampered with after execution? What are the controls around these programs you might use to manage your financial transactions? Are we capturing all of the contracts that our employees are generating, or are employees generating some contracts that they have not informed management of or that the company’s contract management system has not captured? Finally, is there contract system security to ensure there is no manipulation after the contract is signed?

Another key area for auditing will be whether the pattern and practice of doing business is the same as the contract performance terms and conditions. One immediate area is payment terms. Most contracts specify 30 days net payment terms. However, often this date may slip 30, 60 days or even longer. Now take this same concept into the FCPA realm around vague deliverables in a third party agent’s agreement and you begin to see some additional issues. If the performance deliverable terms are so vague as to render them meaningless, how will that be handled under this new revenue recognition standard?

My observation is there is a continuum, working backward from the PCAOB, to auditors and audits to the disclosures companies may have to make. Under GAAP, a disclosure may only need to be made if it is material. Yet in the FCPA world there is no materiality standard. At what point does the lack of materiality of a contract outside the United States make your books and records not correct, leading to a potential exposure under a law unrelated to traditional revenue recognition; i.e., the FCPA? Kelly concluded by noting that companies need to be (or have been in) discussions with their audit firm to plan these things out as “these sorts of complexities are not to be dismissed because we don't know when they might boil up and suddenly grab you in the rear end. And when that happens it will happen at the least convenient time and cause the most pain.” (ouch!)

I hope you will continue to join us for our exploration this week. Tomorrow in Part V, we will conclude with what it all means going forward.
