FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.

Jul 21, 2017

This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including: 

  1. Will Canada approve DPAs for use in anti-corruption prosecutions? TI-Canada recommends they come into use. See article in Corporate Compliance by clicking here. Also see interview with RCMP Superintendent Denis Desnoyers in GIR.
  2. Midyear FCPA enforcement report by Stanford Law Journal. See article in WSJ.
  3. The first half of 2017 has brought the final resolutions of only two FCPA matters from the new administration, but they were both declinations. Both declinations have significantly strengthened the FCPA Pilot Program as a clear path forward for every company that finds itself in FCPA hot water. See Tom’s article in Compliance Week.
  4. Are Mexican anti-corruption efforts moving forward or not? For pro, see the article entitled “New Mexican Anti-Corruption Law Enters into Force” in Global Compliance News. For con, see the article by Juan Montes, “Mexican Antigraft Efforts Falter,” in WSJ.
  5. With the departure of Walter Shaub from the US Office of Governmental Ethics and Hui Chen as the Compliance Counsel, who will lead the US ethics and compliance efforts? See Jaclyn Jaeger’s article in Compliance Week.
  6. Everything Compliance-Episode 14 is out. Topics include Walter Shaub’s departure from OGE and does it even matter? Jesse Eisinger’s book The Chickenshit Club; the SFO, UK Bribery Act and the Rolls-Royce enforcement action; differences in DPA practice in the US & UK; Trump Administration & FCPA enforcement; EU’s GDPR; and Hui Chen’s departure from Justice Department; both her public rebuke of Trump, and the substance of how she believes her guidance has been mis-interpreted. Episode 15 will go up on July 27.
  7. Former Haitian Telco exec pleads guilty, Dick Cassin reports in the FCPA Blog. Dmitrij Harder jailed five years for FCPA offenses. See article by Dick Cassin in the FCPA Blog.
  8. The twins are back home from summer camp. What does it mean for the Rosen household?
  9. Jay previews his weekend report.
Jul 21, 2017

Last year, one of the most interesting non-Foreign Corrupt Practices Act (FCPA) enforcement actions was announced by the Securities and Exchange Commission (SEC). It involved a clear quid pro quo benefit paid out by United Airlines to David Samson, the former Chairman of the Board of Directors of the Port Authority of New York and New Jersey, the public government entity which has authority over, among other things, United Airlines operations at the company’s huge east coast hub at Newark, NJ.

The reason that it is so interesting from an enforcement perspective is that it is not foreign corruption but domestic corruption, therefore not subject to the FCPA. However, the actions of United’s former Chief Executive Officer (CEO), Jeff Smisek, in personally approving the benefit granted to favor Samson violated the company’s internal controls around gifts to government officials. That sounds suspiciously like a books and records violation of the FCPA. The $2.4 million civil penalty levied on United was in addition to the Non-Prosecution Agreement (NPA) settlement with the Department of Justice (DOJ), which resulted in a penalty of $2.25 million. Chairman Samson also pled guilty in July to putting pressure on United to reinstitute a flight service which was near his weekend residence.

The scandal also led to the resignation of Smisek and two high-level executives from United. In a Press Release at the time of the resignation, the company stated, “The departures announced today are in connection with the company’s previously disclosed internal investigation related to the federal investigation associated with the Port Authority of New York and New Jersey. The investigations are ongoing and the company continues to cooperate with the government.”

Adding another twist to this also fascinating case was that it all came out of the Bridgegate scandal from New Jersey, although it was not related to the original claim that the New Jersey Governor’s office ordered the closing of certain traffic lanes around Fort Lee, NJ to punish the mayor for not supporting the Governor. The entire affair involved a flight from Newark to Columbia, South Carolina. The flight was reported to be a money-losing route, yet it was reinstated by United at either the request of the Chairman of the Port Authority of New York and New Jersey, Samson, or was reinstated by United to obtain a benefit from Samson.

It turned out Samson had a weekend home at Aiken, which is near Columbia, SC and was not happy there was no direct flight service from Newark. So he got a direct flight. The flight was a money loser; it was derisively named “the chairman’s flight.” The SEC Cease-and-Desist Order (Order) said that United lost some $945,000 on the flight.

However, at the time United was in the midst of trying to renegotiate its lease at Newark airport with the Port Authority. The flight from Newark to Columbia was cancelled after Samson resigned his post as Chairman.

According to the Order, “In the summer and fall of 2011, representatives of United and the Port Authority’s Aviation Department (which manages Newark Liberty) negotiated a proposed agreement that the Port Authority would lease approximately three acres of land at Newark Liberty to United for the construction and operation of a wide-body aircraft maintenance hangar (the “Hangar”). The Hangar would facilitate United’s ability to perform maintenance on its incoming fleet of wide-body aircraft at Newark Liberty, rather than having to perform such maintenance at a suitable United facility at another airport. Based on preliminary assessments and using information available at the time, United estimated that the Hangar would result in efficient routings that would drive $47.5 million in value to the United network on an annual basis post-construction.”

During this time period, Samson was communicating to a third party his desire that United reinstate the Chairman’s Flight. This culminated in a dinner meeting between Smisek, his senior team and Samson. Samson once again pressured for a reinstitution of the route, “Samson stated that Continental Airlines used to have a non-stop route between Newark Liberty and Columbia, South Carolina and asked the CEO to consider re-establishing that non-stop route.”

United’s “Network Planning Group analyzed the projected financial performance of the South Carolina Route… United’s standard process for initiating new routes generally included: the preparation and consideration of financial forecasts and other market data of how the route could be expected to perform, review and approval by several levels of United’s Network Planning Group, including approval by the Chief Revenue Officer (“CRO”) or his staff, and thereafter presentation of the route and its details to a group of senior United executives at a regularly scheduled marketing meeting.”

This review determined that the Chairman’s Flight would likely be a money loser and, indeed, when it was previously operated by Continental Airlines, prior to its merger with United, the route “was continually one of the hubs poorest performing markets”. (Recall the Order reflected the flight did lose United $945K.) However, after United declined to reinstitute the Chairman’s Flight, Samson pulled the proposal from consideration by the full Board, effectively scuttling the arrangement. Shortly after this development, “the CEO (Smisek) approved the establishment of the [Chairman’s] route.” On the same day, United’s contract for the new hangars was approved by the Port Authority.

At the time, United’s Code of Conduct prohibited “United employees from directly or indirectly making bribes, kickbacks or other improper payments to government officials, civil servants or anyone else to influence their acts or decisions” and stated that “[n]o gift may be offered or accepted if it will create a feeling of obligation, compromise judgment or appear to improperly influence the recipient.” Only the United Board of Directors could grant a waiver to the Code and none was sought or obtained by Smisek. The Order concluded, “The [Chairman’s] Route was initiated in violation of United’s Policies.”

Mike Volkov has often worried that if companies create internal controls and then do not follow those internal controls, they will be prosecuted for such action (or perhaps inaction). This is the situation which led to the SEC enforcement action against United. The company had a Code of Conduct; it was not followed but was violated by the CEO, and this caused the company to violate Section 13 of the Securities Exchange Act of 1934. It would be easy enough to see this resolution in the FCPA context, but this was all domestic conduct and jurisdiction. This may be the first time the violation of a Code of Conduct resulted in an enforcement action by the SEC around domestic bribery and corruption.

Yet the company was also sanctioned for not having internal controls in place to prevent such actions as those taken by Smisek, with the SEC also finding this was a violation of Section 13. This was in the face of detailing the protocol for United instituting or reinstituting a route. The Order stated, “In particular, United had insufficient internal accounting controls in place to prevent approval of the South Carolina Route in derogation of United’s Policies.”

All the underlying facts, enforcement theories and remediation point towards the use of failure of internal controls when domestic bribery and corruption occurs. This might well be a new enforcement theory to use inside the United States, for domestic bribery allegations. Imagine if United’s profit estimates of $47.5 million had been used as the basis of a profit disgorgement order.

Three Key Takeaways

  1. It is very unusual for the FCPA to form the basis of a domestic bribery violation.
  2. A Code of Conduct can be an internal control.
  3. Even a CEO must follow internal controls.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 20, 2017

Is a Board of Directors a compliance internal control? I think the clear answer is yes. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).”

Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.

I believe that a Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.

Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that also includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation.

A company must not only have a corporate compliance program in place; it must also actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures as an interrelated set of compliance control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

  1. Corporate Compliance Policy and Code of Conduct - A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  2. Risk Assessment - A Board should assess the compliance risks associated with its business.
  3. Implementing Procedures - A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
  4. Training - There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is and it should also understand its role in an effective compliance program.
  5. Monitor Compliance - A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger. 

There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and its failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, in contrast, its failure to even be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.

 

Three Key Takeaways

  1. GTE compliance internal controls are low hanging fruit, pick them.
  2. Compliance internal controls can be both detect and prevent controls.
  3. Good compliance internal controls are good for business.


Jul 20, 2017

Show Notes for Everything Compliance-Episode 14

 

Topics from Matt:

  1. Trump Administration & FCPA enforcement— we have two declinations now; maybe a compare-and-contrast, and speculation on what a tough Trump Admin enforcement WOULD look like;
  2. EU’s GDPR— Do EU regulators really know what they want to do with enforcement of this law; although if they follow the lead of the anti-competition people whacking Google, it could be a big deal;
  3. Hui Chen’s departure from Justice Department; both her public rebuke of Trump, and the substance of how she believes her guidance has been mis-interpreted; and
  4. Ethical leadership and the lack thereof; the menace of abusing perks and privilege, connecting my posts about Uber’s leaders and Chris Christie vacationing on a closed beach.

Topics from Jay:

  1. How do the Campaign Finance Laws mirror/or differ from the FCPA?
  2. Will the Russian Collusion Investigation reveal the ultimate FCPA violation?
  3. Regarding Walter Shaub’s departure from Office of Governmental Ethics (OGE), does it matter? What is OGE supposed to do and why did it work for the past 40+ years, but fell on deaf ears with the Trump administration?
  4. Dovetailing with Matt’s question about a slow H1 for FCPA enforcement and in light of the just released Gibson Dunn FCPA Mid-Year Report, does the current climate (and lack of vigorous enforcement) provide a perfect storm for companies to look the other way if they fall off the E&C wagon, or do we think that companies are still being vigilant in spite of a perception of decreased enforcement?

Rants are at the end of this week’s episode.

Jul 19, 2017

Joe Howell, EVP of Workiva, Inc., has noted that it is reasonable to expect that internal controls over gifts, travel and entertainment (GTE) be designed to ensure that all satisfy the criteria as defined in company policies. Generally speaking, these are fairly narrow, including a definition of the dollar limit, which must not be exceeded in order for gifts to be permissible, coupled with some subjective criteria such as the legality of the gifts for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will.

The Department of Justice (DOJ), in several enforcement actions and the FCPA Guidance, has emphasized the importance of risk assessment and effective controls and building a program tailored to those risks. Many companies effectively minimize the risk of inappropriate gifts through stringent pre-approval requirements because a sufficiently robust and enforced pre-approval policy can reduce the number of gifts simply because of the headache of getting the pre-approval. This has the added benefit of ensuring enforcement of internal controls, largely because of the reduced volume of gifts being included in expense reports. In considering the effectiveness of controls, you must always keep in mind that the most frequently used method for defeating an internal control that is driven by a dollar-amount criterion is splitting the item into multiple parts in order to appear to stay under the limit and to avoid the defined approval authority based on the amount of the gift.

The key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. There are four issues to evaluate.

  • Is the correct level of person approving the payment / reimbursement for the gift?
  • Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  • Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  • If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

While many compliance practitioners believe that employee expense reports are a sufficient internal control regarding gifts, because there are other ways in which a gift can be presented, there need to be other controls. Once your company policy on gifts has been finalized, the internal controls over expense reports fall into three basic areas: (1) The expense report format, including what information it requires; (2) Controls over the submitting employee and the preparation of the expense report; and (3) Controls to ensure the approvers do their review process properly.

Consider the format itself of an expense report, which can be a prevent control. First it is important to have preprinted representations and certifications within the form because these can lead to “stop and think” type of controls, meaning the person submitting the expense report has to at least consider the information being submitted. The form can be signed without reading the preprinted representations, but if the employee and reviewers have been trained on how to review the expense report, it can be difficult to say later that the submitting employee did not understand what they were signing.

Next consider the Preparer’s representations and the Approver’s representations. The Preparer’s representations include ensuring that all items representing a proper business purpose comply with the company’s code of conduct, comply with local law and custom, and comply with all applicable company policies. The Approver’s representations ensure that all supporting documentation has been examined and that all documentation complies with applicable company policies, including the submission of original receipts.  Further, the approver should certify that they have complied with all company policies regarding the review and approval of the expense report.

Some companies have two basic forms of expense reports. One pertains to US locations and does not involve any expenses incurred outside the US. The second is for items involving locations or persons outside the US. The international reporting form might have more stringent requirements and should provide for more detailed disclosures. It could require reporting, in a separate section of the expense report, all items that involve government officials, so that these items are not “buried” elsewhere in the expense report. Just as an added measure, the expense report includes a column where other expenses are reported which requires the submitter to check “Government Official Y/N?” This type of format should require sufficient disclosure of information regarding each item involving government officials. The next step in such an enhanced protocol would require a senior officer from the business unit to approve any reimbursements that meet certain criteria, for example, certain geographical areas or countries. Finally, such an enhanced representation could also include separate sections for each item requiring a description of the business purpose of meals, entertainment, names and business affiliation of all attendees, description of gifts and their business purpose, etc. A typical expense report requires this information to be on the receipt. Howell believes that moving beyond simply requiring receipts and requiring such detail to be incorporated directly onto the expense reimbursement forms highlights the presence or absence of proper documentation much more readily. Howell ended by noting it was incumbent to ensure reviewers sign off that each such item has documentation that required pre-approvals were obtained, if necessary.

Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation. However, by using some of the techniques that Howell has suggested, you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but, through identification, you can move towards remediation as a part of your ongoing compliance efforts. The bottom line is good internal controls make for good business processes; if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company.

Three Key Takeaways

  1. GTE compliance internal controls are low hanging fruit, pick them.
  2. Compliance internal controls can be both detect and prevent controls.
  3. Good compliance internal controls are good for business.


Jul 19, 2017

In this episode, Matt Kelly and I discuss the recent Second Circuit Court of Appeals decision in HSBC v. Moore. In this case a federal district court had ordered the release of a redacted monitor’s report in the HSBC money-laundering Deferred Prosecution Agreement (DPA), based upon the request of an interested citizen. Both the Department of Justice (DOJ) and HSBC appealed the order and the Court of Appeals supported their position in overturning the trial court’s decision. The case is about as hook, line and sinker an overturning of any trial court jurisdiction as one can have. The district court tried to claim it did not have the same role as a “potted plant” but the Court of Appeals left no doubt that is the only role it sees for any district court where a DPA is filed. We discuss the implications for the compliance practitioner, FCPA enforcement and any potential changes going forward.

For additional reading, see my blog post on this case by clicking here.

Jul 18, 2017

In this episode, I consider the leadership lessons which can be drawn from our 7th President Andrew Jackson. I focus largely on the crisis surrounding the charter of the Second National Bank of the United States, which played out over 5 years from 1831 to 1836. This conflict pitted Jackson against most of the nation’s political and financial elites, most prominently Nicholas Biddle, the President of the Bank. However, the great politicians of the day, including Henry Clay and Daniel Webster, were lined up against President Jackson as well.

The crisis came to a head in the summer of 1832 when both the House and Senate passed a bill renewing the Charter of the Second Bank of the US early. Not only did Jackson veto the bill and give one of the most memorable veto addresses of any President, he then took on Biddle directly by first removing persons in the administration and government who were pro-Bank and pro-Biddle. In the coup de grace for the Bank, Jackson removed the gold specie from the Bank and moved it into state banks across the country. Jackson won the battle completely. His actions were not without negative consequence as the distribution of the specie across the country led to rampant inflation and the Panic of 1837. However, by that time, Jackson had departed the Presidency and the fallout was left to his successor Martin Van Buren.

Jul 18, 2017

 

Today I want to look at internal controls for third parties. One of the questions that GSK faced during the bribery and corruption investigation of its Chinese operations is how an allegedly massive bribery and corruption scheme occurred. The dollars paid out went upwards of $500MM, which coincidentally was the amount of the fine levied by the Chinese court on GSK. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions of the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers (PwC) as its outside auditor in China. Nevertheless, he noted, “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Where were the appropriate internal controls? You might think that a company as large as GSK and one that had gone through the wringer of a prior Department of Justice (DOJ) investigation resulting in charges for off-label marketing and an attendant Corporate Integrity Agreement (CIA) might have such controls in place. It was not as if the types of bribery schemes in China were not well known. In an article in the Financial Times (FT), entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. The authors quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China”, for the following: “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they must give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article discussed the two primary methods of paying bribes in China: the direct incentives and indirect incentives method. Anderlini and Mitchell reported, “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.””

It would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a Compliance Officer to finalize and approve a definition of permissible and non-permissible gifts, travel and entertainment, and internal controls will follow from such definition or criteria set by the company. These criteria would include the amount of the spend, localized down into increased risk such as the higher risk recognized in China. Within this context, there are four general internal controls to consider. (1) Is the correct level of person approving the payment / reimbursement? (2) Are there specific controls (and signoffs) that the gift had proper business purpose? (3) Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls? (4) If controls are not followed, is that failure detected?

Below are 10 specific inquiries you can make regarding your compliance internal controls specific to third parties.

1: Prior to entering the relationship, did management: confirm alignment with business strategy; analyze strategic risk; perform risk/reward analysis; and review its ability to provide adequate oversight and management on an ongoing basis?

2: Can the third-party’s activities be viewed as predatory, discriminatory or abusive?

3: Does your compliance regime include: policies and procedures to help manage third-party relationships; proper internal controls; training; monitoring; and auditing procedures to ensure consistent and ongoing compliance?

4: Was adequate due diligence conducted that included a review of all available information about the third-party (e.g. financial condition, reputation, knowledge of laws, complaints, operations and controls, internal controls and marketing materials)?

5: Are expectations and obligations of both the company and the third-party outlined in a written contract prior to entering the relationship?

6: Does the board of directors review and approve any material third-party relationships?

7: Does the contract outline fees to be paid, management information reports, audit rights, limits on the use of consumer information, exclusivity language, a complaint management process, the circumstances that constitute default, a dispute resolution process, and indemnification provisions?

8: Did the board initially approve the third-party relationship and does it review each significant third-party relationship on at least an annual basis?

9: Is there a process to verify the third-party’s operations are consistent with the written agreement and that risks are being controlled?

10: Does management allocate sufficient qualified staff to monitor significant third-party relationships and provide necessary oversight (and are these activities reported to the board of directors or designated committee)? What is the frequency of exceptions and how are they analyzed/documented/reported to management? When applicable, are you comparing and analyzing the third-party’s sales patterns?

Obviously, the use of third-parties can be a powerful and effective way for a business to achieve its strategic goals. This may be one of the key reasons why third-parties are still one of the leading indicia of bribery and corruption. Every compliance program should regularly review its third-party service providers and evaluate internal policies and procedures to ensure compliance.

Three Key Takeaways

  1. GSK in China continues to be an example of the lack of internal controls for an effective compliance program.
  2. General areas of review for compliance internal controls.
  3. Third parties are still the highest risk of corruption related issues.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

 

Jul 17, 2017

As it made clear with several FCPA enforcement actions in 2016, the SEC has taken a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend: although there was no evidence that bribes were paid or offered in violation of the FCPA, the poor internal compliance controls at BHP led to a $25MM fine. Kara Brockmeyer, the former Chief of the FCPA Unit in the SEC's Division of Enforcement, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including the internal controls provisions, of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.

What can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Internal Controls Framework as your starting point. 

As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting; so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Do any personnel from accounts payable review and approve that expenses have the requisite receipts attached? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?

Now, if an employee has submitted expenses for activities that occurred outside the US, are there any foreign government officials involved? Were the recipients of any such gift, travel or entertainment identified on the expense reimbursement form? Was the business purpose of the meal, gift or entertainment recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.

You can take this exercise through each of the five objectives under the COSO 2013 Internal Controls Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example, you can recommend that procedures be written for all key compliance areas in which there are currently no procedures, and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced. Through this you can move from having detect controls in place to having prevent controls, whenever possible.

As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise; this does not mean that it is easy. You do have to work at it so that you will not simply have a paper, “check the box” program. But using the excuse that you have limited resources is simply an excuse, and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can figure out what you have and, more importantly, what internal compliance controls you do not have and need to institute.

Three Key Takeaways 

  1. Learn the internal controls your company currently has in place.
  2. Map your compliance internal controls to the COSO 2013 Framework.
  3. Use your gap analysis as a basis for remediation.

Jul 17, 2017

In this episode, I visit with Melanie Johnson, co-founder of Elite Online Publishing, which aids entrepreneurs, business leaders, and professional athletes to create, publish, and market their books, to build their business and brand. Melanie talks about her professional journey which led to this venture and how her career in broadcasting gave her a unique understanding of the world of online publishing. She discusses using your skills and passion to develop your own business.

Jul 15, 2017

This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:

  1. HSBC monitor report protected from release. See article in Reuters by clicking here.
  2. The Odebrecht scandal continues to resonate across South America. See Dick Cassin’s post in the FCPA Blog.
  3. The first half of 2017 has brought the final resolutions of only two FCPA matters from the new administration, but they were both declinations. Both declinations have significantly strengthened the FCPA Pilot Program as a clear path forward for every company that finds itself in FCPA hot water. See Tom’s article in Compliance Week.
  4. Roy Snell says it’s not who’s who but who gets it. See article in SCCE Compliance and Ethics Blog.
  5. Tom announces the rollout of the Compliance Podcast Network. It includes This Week in FCPA, FCPA Compliance Report, Compliance Report-International Edition, 12 O’Clock High, Unfair and Unbalanced, Compliance into the Weeds, Across the Board, Everything Compliance, One Month to a More Effective Compliance Program. See Tom’s article in the FCPA Compliance and Ethics Blog.
  6. The next Everything Compliance podcast is in production. Topics include Walter Shaub’s departure from OGE and does it even matter? Jesse Eisinger’s book The Chickenshit Club; the SFO, UK Bribery Act and the Rolls-Royce enforcement action; differences in DPA practice in the US & UK; Trump Administration & FCPA enforcement; EU’s GDPR; and Hui Chen’s departure from Justice Department; both her public rebuke of Trump, and the substance of how she believes her guidance has been mis-interpreted. Part I will go up on Thursday, July 20.

Jul 14, 2017

A gap analysis is a method of assessing the performance of a business's internal controls to determine whether business requirements are being met and, if not, what steps should be taken to ensure they are met successfully. Moreover, it is a determination of the degree of conformance of your organization to the requirements of an internal controls standard. A gap analysis is mainly a document review or a “show me the evidence” type of activity, with evidence that usually will come in the form of a record or document. During a gap analysis, there is some auditing accomplished, through key stakeholders providing the evidence they may or may not have for each of the requirements set forth in the relevant internal controls standard.

Gap analyses are very often conducted at the beginning of the journey of an organization seeking compliance with an internal controls standard, or they can be used as the basis for internal controls enhancement. Interestingly, this can lead to more or even fewer internal controls, as sometimes in the realm of internal controls, less is more. The primary reason why a gap analysis is conducted at the beginning of the development phase or after some development has occurred is that the organization wants to know where it stands regarding meeting the relevant internal controls standard and wants to know specifically what it needs to do to close the gaps. Companies need to understand where their gaps in internal controls are located, how large those gaps might be and what they need to do to close those holes and get closer to fully meeting the requirements of the chosen specification or standard.

Gap analysis is a technique that can be used to assess if an enterprise can meet its needs using its present capabilities. The capabilities that may be examined for improvement include staff competencies, facilities, applications, technical infrastructure, processes and lines of business; all with an eye towards (1) improving the compliance environment and (2) operationalizing compliance into the functional business units. 

Miriam Boudreaux posed the following, “Imagine a situation where you have been asked to improve the performance or efficiency of a particular unit of an organization. You have no clue whatsoever as to what set of factors is the real cause of the degraded performance you have been asked to improve. Identifying the gap between what is expected and what you are delivering, that is, the difference between the current state and the future state, is referred to as “Gap Analysis”.” 

She goes on to state that a “gap analysis can be defined in a number of ways, which more or less point towards the same meaning: 

  1. It is the process through which a company compares its current or actual performance to its expected performance to determine whether it is meeting its objectives and using its resources effectively.
  2. It is a technique that businesses use to determine what steps need to be taken in order to move from their current states to their desired future states.

From both definitions, it is evident that gap analysis is a technique that can help a business reach its peak eventually. By defining and analyzing gaps, a project team can create an action plan to move the business forward and fill performance gaps.” 

After the completion of the gap analysis there should be a report which presents a clear summary of where the major gaps exist between the company’s documentation and the internal controls requirements. It also should show a detailed recount of each requirement and the degree of compliance, with corresponding actions that need to be taken to close these gaps. Here lies a major difference between an audit report, for example, and a gap analysis report: the gap analysis report has some inherent advice to it, which makes it suitable to be accomplished by consultants or experts in the chosen specification or standards.

Another way to consider a gap analysis is the steps you should take. These include: 

  1. Accurately defining the future goals: If you are not clear about the organization’s goals, all your efforts will be in vain. The first and foremost thing to be done is to identify what exactly the goals of the business are and the changes needed to achieve these goals. If the goal is not clear, the improvement exercise will keep on deviating from its desired path.
  2. Identifying the current scenario and associated issues: To reach the place you desire, you should first assess where you are located in your internal controls regime. For example, a failure to see the real reason behind the poor compliance performance of your business units may affect profit and growth in the long run. At this stage, the analyst may organize brainstorming sessions, employee interviews and document review sessions to gain insight into present challenges. Only after a comprehensive definition of present challenges can one get a clear picture of the situation.
  3. Devising the action plan: Now that you know the present and future expectations, you can think of the how factor, which is in the form of a plan. How will you implement the action plan to close the identified gaps? The solutions may include several steps like hiring more employees, procuring extra machines and equipment, offering perks and incentives to get the best out of employees and so on.
  4. Report: Finally, you will want to report your findings with the appropriate data and analysis presented. To do this, you may wish to use our gap analysis report template. In your report, you will include things like the background of the company and analysis, problems that have occurred, and even reasons for undertaking the analysis. Then, you will present your findings, showing the strategic objectives, current standing, deficiencies, and whether the current situation is acceptable. If the situation is unacceptable, you will present a course of action for improvement. Finally, all your analysis will be backed up with the data gathered during the analysis.

Three Key Takeaways

  1. Be prepared to require evidence from key stakeholders.
  2. Use a multistage approach to a gap analysis.
  3. To get to where you want to be, you have to know where you are.


Jul 13, 2017

Today, I consider some ways in which a compliance professional can work to implement internal controls in a multi-national organization. The first step is to convert your company’s compliance risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls that meet the objectives. This process should allow more of a fine-tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt, and it will give the business unit a sense of buy-in and participation in the process.

One example of how the process might work is the situation where the compliance risk is that a third-party representative may be paid for an invoiced amount before that third-party representative has gone through your company’s full third party approval process. Here your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP, where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file that records the date the vendor is approved and by programming a requirement that the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into a form for changes to the vendor master file, which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’, with sign-off by a second person such as the controller. Through this mechanism you have created a primary control through your third party approval process and validated that process if a change is made.

What if the location or business unit involved does not have a sophisticated ERP system such as SAP, for instance because QuickBooks is used at that location? Then the control objective could be satisfied by using a similar form for changes to the vendor master file, combined with the requirement that a report of all changes is printed and submitted to both check signers, along with the applicable approved vendor change request.
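The vendor master file control described in the two paragraphs above, sketched as an added example (it is not code from this post or from any ERP product). The class, field and method names are hypothetical, and the vendor and dates used to exercise it are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


class ControlViolation(Exception):
    """Raised when an action would bypass the vendor-approval control."""


@dataclass
class Vendor:
    vendor_id: str
    name: str
    approved_on: Optional[date] = None    # the added "date approved" field
    initiated_by: Optional[str] = None    # person in charge of vendor due diligence
    signed_off_by: Optional[str] = None   # second set of eyes, e.g. the controller


@dataclass
class VendorMaster:
    vendors: Dict[str, Vendor] = field(default_factory=dict)
    change_log: List[dict] = field(default_factory=list)

    def _log(self, vendor_id: str, action: str, actor: str,
             request_ref: Optional[str]) -> None:
        self.change_log.append({"vendor_id": vendor_id, "action": action,
                                "actor": actor, "request_ref": request_ref,
                                "reported": False})

    def add_vendor(self, vendor_id: str, name: str, entered_by: str,
                   request_ref: Optional[str] = None) -> Vendor:
        """Create the record; it stays unpayable until approval is recorded."""
        if vendor_id in self.vendors:
            raise ControlViolation(f"{vendor_id} already exists")
        self.vendors[vendor_id] = Vendor(vendor_id, name)
        self._log(vendor_id, "added", entered_by, request_ref)
        return self.vendors[vendor_id]

    def record_approval(self, vendor_id: str, approved_on: date,
                        initiated_by: str, signed_off_by: str,
                        request_ref: str) -> None:
        """Manual control over the date field: change form plus second sign-off."""
        if not request_ref:
            raise ControlViolation("no approved vendor change request attached")
        if not initiated_by or not signed_off_by or initiated_by == signed_off_by:
            raise ControlViolation("sign-off must come from a second person")
        vendor = self.vendors[vendor_id]
        vendor.approved_on = approved_on
        vendor.initiated_by = initiated_by
        vendor.signed_off_by = signed_off_by
        self._log(vendor_id, "approval recorded", initiated_by, request_ref)

    def issue_check(self, vendor_id: str, amount_cents: int,
                    pay_date: date) -> dict:
        """Prevent control: no check unless the designated fields are populated."""
        vendor = self.vendors.get(vendor_id)
        if vendor is None:
            raise ControlViolation(f"{vendor_id} is not in the vendor master file")
        if vendor.approved_on is None or vendor.signed_off_by is None:
            raise ControlViolation(f"{vendor_id} has not been approved")
        if vendor.approved_on > pay_date:
            raise ControlViolation(f"{vendor_id} approval is dated after the payment")
        return {"payee": vendor.name, "amount_cents": amount_cents,
                "date": pay_date.isoformat()}

    def change_report(self) -> List[dict]:
        """Detect-side fallback for a system that cannot block the payment:
        every change not yet shown to the check signers, with changes that
        lack an approved change request flagged as exceptions."""
        pending = [c for c in self.change_log if not c["reported"]]
        for change in pending:
            change["reported"] = True
        return [{"vendor_id": c["vendor_id"], "action": c["action"],
                 "actor": c["actor"], "request_ref": c["request_ref"],
                 "exception": c["request_ref"] is None} for c in pending]


if __name__ == "__main__":
    vm = VendorMaster()
    vm.add_vendor("V-100", "Constructed Agent Ltd", "ap_clerk")  # constructed data
    try:
        vm.issue_check("V-100", 500000, date(2017, 7, 13))
    except ControlViolation as exc:
        print("blocked:", exc)
    vm.record_approval("V-100", date(2017, 7, 10), "dd_owner", "controller", "VCR-0001")
    print(vm.issue_check("V-100", 500000, date(2017, 7, 13)))
    print(vm.change_report())
```

`issue_check` is the prevent control of the SAP scenario, while `change_report` is the detect control that the QuickBooks scenario falls back on.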

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls.  What happens when the compliance function receives push back and is told the controls are too burdensome and will also make operations less efficient? Many business development types will raise the hue and cry that internal controls prevent them from effectively running the business.  Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money. 

One of the areas available to a compliance professional is benchmarking from other companies’ compliance experiences. However, this can be expanded into solid presentations about why it is important to assess and mitigate compliance risks, using your corporate peers that have been the subject of a Foreign Corrupt Practices Act (FCPA) enforcement action. These are some of the best sources of information a compliance practitioner can avail him or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

The premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost benefit analysis. If the selling is done after at least a basic risk analysis, then it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs. 

Another key factor, as with all compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for compliance-focused internal controls to your company’s Executive Leadership Team, Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating compliance and fraud risks. Some of these might include the following: 

  • Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
  • Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
  • With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
  • As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
  • It may be possible to build in more electronic controls, which can replace existing manual controls. 

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes Oxley (SOX) compliance and the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies that the internal controls are effective? How should such a situation be dealt with or, conversely, how might a compliance professional respond?

There are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. This means that the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to FCPA. Another example is internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice, and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. It also does not address whether the agent’s invoice was reviewed for proper description of business purpose and for being consistent with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls itself is not enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement. 

Good compliance internal controls are not some standalone protective measure. They can help to make a company run more efficiently, as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the key ways such companies do seem to have better than average profitability is that they have better internal controls.

Three Key Takeaways

  1. Convert your compliance risks into internal control objectives.
  2. As with many components of a best practices compliance program, tone at the top is critical.
  3. If you receive pushback from the business folks, always remember, good internal controls make for a better run, more efficient and more profitable business.


Jul 13, 2017

In this episode I visit with Carlos Ayers on steps you can take to make your compliance program more effective for employees in Latin America. This includes such things as localizing your training and presentations, consideration of local laws, use of language and regionalizing your approach.

Jul 12, 2017

Next, I will review how to use the risk assessment you have performed as a tool to provide a structured approach to establishing effective internal controls. After preparation of the risk assessment, the next step is to prioritize the listing of the risks and the locations in which they are common. This begins by mapping existing internal controls to risks and then assessing whether the internal controls are sufficient to mitigate the risks.

To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the risk assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets while a company which sells exclusively through local distributors, might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.    

One of the biggest risks under the FCPA is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts it presents a high compliance risk. The Securities and Exchange Commission FCPA enforcement action against Smith & Wesson (S&W) was just such a situation, where a newly emerging international sales operation was executed through third party agents. 

The compliance function should understand the corporate or business unit controls over the international business generally, in addition to the necessary controls over agents. Some of the questions you might consider are the following. Is there a US based International Sales Manager who is responsible for growing the international business? What is the incentive compensation plan? How good is the segregation of duties? In other words, can the International Sales Manager unilaterally make high-risk decisions, or must a senior officer of the business unit or the corporate home office be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are all of these internal controls documented?

What about a situation opposite to the above scenario, where your company’s primary sales channel uses a US based sales force which only travels to locations outside the US for temporary visits of generally short duration? This situation minimizes some compliance risks, retains some compliance risks, and shifts some other compliance risks. The minimized compliance risks come from the lessened reliance on third parties, so that a company, at least in theory, would have more control over its own work force than over those employed outside your company.

The retained risks are the risks associated with gifts, entertainment, hospitality, and travel, approval of credit terms to customers, product pricing, special arrangements with customers such as providing product samples, knowing who the ultimate customer is and where the goods are ultimately shipped, and use of freight forwarders and customs agents. The shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared. 

These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or compliance policy and training on said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that define exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs.

You can also utilize the COSO 2013 Internal Controls Framework, which created a more formal structure to design or assess the effectiveness of internal control within the five COSO components. A companion document, Internal Control over External Financial Reporting: A Compendium of Approaches and Examples, catalogued possible approaches and examples in the context of internal control over financial reporting, and could be useful for companies complying with compliance internal controls under the FCPA. COSO has also published an additional companion document, Illustrative Tools for Assessing Effectiveness of a System of Internal Control, which provides templates that may be used to support an assessment of internal control and includes various scenarios which illustrate several practical examples of how the templates may be used.

Finally, consider a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture, such that, even if an employee saw inappropriate behavior, it would not be expected that the employee would make any report or comment. Such situations can have a huge impact on your internal controls environment.

Three Key Takeaways

  1. Third party risks are still your highest risks under the FCPA so use your internal controls appropriately to help prevent this risk from becoming a violation.
  2. Use mapping and a gap analysis to collate risks to existing controls.
  3. Always consider the regional and geographic variances.


Jul 12, 2017

In an article entitled 12 Leadership Qualities of An Often-Overlooked President, Matt Myatt, writing in forbes.com online, reviewed the leadership qualities of John Adams as laid out in David McCullough’s Pulitzer Prize winning biography, appropriately entitled John Adams. Adams’ presidency was glossed over with little more than a brief mention, most probably because he was President between two of our more memorable presidents – Washington and Jefferson. Samuel Eliot Morrison once said that history teaches us how to behave and Adams provides a great example of it. The following list contains 12 qualities that made him a great man and a great leader:

  1. He valued education. He began his education at college when he was fifteen and he never lost his curiosity. He passed this tenet to his children, stressing education to them and playing a large role in their learning. The more Adams thought about the future of America, the more he was convinced it was through education.
  2. He strove for a good reputation. As a young lawyer, Adams knew he would get nowhere without a good reputation. The same is even more so today.
  3. He loved his wife. McCullough’s book made clear the love story of John and Abigail Adams. The more he was apart from his wife, the more he sought her counsel. The benefit for the historian and for us is that such counsel came through correspondence preserved for posterity. Adams never operated in a bubble and neither should you.
  4. He fought for what was right. Adams knew that defending the British soldiers involved in the Boston Massacre would harm his reputation, and it did, but it was also the right thing to do.
  5. He was a great communicator. This surprised me a bit as I had always thought this was a weakness of Adams. Yet he made himself into both a great writer and speaker, through study of the Classics.
  6. He recognized his weaknesses and brought in others to fill those talent gaps. When Adams found himself in a situation where he felt inadequate, he did one of two things: he would recommend someone else or, if that was not possible, he would learn what he had to and then work diligently to achieve the desired outcome.
  7. He could spot talent. This is perhaps where Adams shined the brightest, as Adams was the first to submit George Washington’s name for general of the Continental Army, a post being clamored for by many. He also recruited the pen of Thomas Jefferson to draft the Declaration of Independence and the wisdom of Benjamin Franklin to help edit it.
  8. Physical courage. Leaders should always stand up for others and exhibit courage in the face of danger, and Adams was no exception. Particularly during the revolutionary years, Adams demonstrated great personal courage.
  9. He had unwavering integrity. Many people disliked Adams for his political views, but they never could say that he was not a man of integrity. He was loyal to a fault to those he called friends.
  10. He had perseverance. Adams was in the long line of hearty and dogged New Englanders. When he was a diplomat he found it did not suit him, yet he persevered and helped negotiate favorable treaties for the colonies and later the United States.
  11. He had the ‘vision thing’. Long before it was so articulated, Adams was able to articulate a vision for the fledgling colonies as an independent nation that many others could not. Being able to see the bigger picture is a trait that leaders must possess if they are going to be successful in the long run.
  12. He was a true public servant. The public career of John Adams can be described as nothing other than service beyond self. Adams believed in something bigger – he literally gave his life so that every American might have the freedom and liberty to live the life we choose.

 

 

Jul 11, 2017

Today, I want to discuss how to assess your internal controls regime for international operations. It is incumbent upon you to review as much information as you can to understand the financial and operational structure of an entity and how the financial and operational structure outside the US is integrated with the corporate headquarters, or the US business unit’s financial and operational structure, if the foreign operation is part of a US business unit.

You could begin with the Transparency International (TI) Corruption Perceptions Index (CPI) to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your operations at a location outside the US. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third party representatives are coming into a commercial relationship with your company through your supply chain. 

Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the US; whether the account has local check signers; and whether dual signatures are required on the checks. You may also want to consider the extent to which local disbursements are made in local currency and, of course, whether there is a local petty cash fund.

As with many other areas around internal controls, it is important to consider the local Delegation of Authority (DOA) and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or US business unit approvals are required for transactions initiated locally, such as: (1) approval of vendor invoices; (2) disbursements of funds, including wire transfers; (3) execution of facilities leases; (4) execution of contracts with agents; and (5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate segregation of duties at the local business unit level.

You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment to customers? Are products drop shipped from the US directly to the customers of the local operation? Are products drop shipped to distributors for delivery to the ultimate customer?

Hopefully you are already doing the above but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and if so, what were the results of the investigation? In the area of customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities. 

If there has not been a sufficient assessment of controls, the compliance professional must then decide how best to determine whether the local controls are sufficient to satisfy the requirement of the FCPA, accurately reflect all transactions and prevent concealment of improper transactions. One of these considerations would be inadequate segregation of duties, because the separation of responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable). Further, the employee who prepares the deposit should not post the receipts to the customer accounts.

You should look to see if there is inappropriate access to assets. If there is, internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms, and update applications. This means that an employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises.

It is not necessary to prove a bribe to have been paid in order to have an enforcement action against a company for violation of the internal controls provisions of the FCPA.  In the SEC enforcement action against Smith & Wesson, that was the situation. It was this lack of effective internal controls, not the payment of a bribe, which was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals. 

Such a situation could arise in several different scenarios. The first is where an account manager's signature attests to the accuracy of the payroll voucher information, but the account manager does not have assurance that the supporting time records are accurate, so the approval process lacks substance. Other examples are where a supervisor approves expense reports but routinely does not look at the supporting documentation; a Country Manager provides a true control as an approver; or where the Country Manager or the local Finance Manager has the ability to conceal the true nature of transactions without detection by anyone else.

Another important area involves sales and compensation for the international business unit in question. On the sales side of the equation, you should review the three-year historical sales for the location and the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation, such as what the sales incentive compensation plan is for local sales personnel and for the Country Manager. This inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe in order to win a contract which results in a large sales incentive compensation to the employee.

All of these reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud, and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the Fraud Triangle, which lays out the breeding ground for fraud in the corruption context:

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization – a fraud perpetrator always rationalizes that he / she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity – the perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment. 

Three Key Takeaways

  1. You must understand the financial and operational structure of your company and how the financial and operation structure outside the US is integrated with the corporate headquarters.
  2. Are your financial statements and reporting systems integrated?
  3. Always consider the fraud triangle.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 11, 2017

In this episode, Matt Kelly and I take a deep dive into the 4th of July weekend use of the New Jersey beaches by Governor Chris Christie. Governor Christie had closed the beaches in a budget dispute but was still able, as Governor, to give himself and his family full access to the now wide-open beaches on the recently passed holiday weekend. We consider Governor Christie’s example of undeserved privilege in the context of ethical leadership and tone at the top. Matt draws upon his Catholic school education to remind us that undeserved privilege is private law, as “privilege” comes from the Latin privus, private law; and lex, law. It’s a private law that benefits only one person, who doesn’t deserve it.

Read more about the issue and Matt’s thoughts on his blog post Tone at the Top Gone Wrong: The Christie Example.

Jul 10, 2017

Next, I want to consider some of the issues around internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. However, this provides an opportunity to further operationalize your compliance program through internal controls more narrowly tailored to mirror your business practices. 

Every Chief Compliance Officer (CCO) should consider the company’s entity-wide internal controls. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance.

While a CCO should expect (or at least hope) that internal controls at locations outside the US are of the same effectiveness as internal controls within US business units and at the US corporate office, unfortunately that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. There may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, it is not often that there was a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel, which in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for compliance risk.

The next area for inquiry is where a CCO should begin in any of the above scenarios. The first step is to determine the extent of centralization or decentralization of relevant processes or, put another way, to what extent relevant processes are performed at the corporate offices. In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator.

The first step for the CCO is to determine the possible universe of risks and to assess those risks so as to prioritize where attention will be focused. One useful approach advocated is performing a Location Risk Assessment, whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks.

Three Key Takeaways

  1. Modifying your internal controls can work to more fully operationalize your compliance program.
  2. Check the effectiveness of your internal controls for your international locations.
  3. Revisit your internal controls when a country or region experiences large growth or other disruption.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 10, 2017

The issue of beneficial ownership is one which still bedevils many compliance professionals. Today, I visit with Brian Alster, Dun & Bradstreet’s Global Head of Supply and Compliance about the problem this issue continues to raise in the anti-corruption compliance space. Beneficial ownership is a critical inquiry for financial institutions and financial services companies but is becoming more important to non-financial commercial corporations. KYC is a well-worn phrase in the financial industry and Alster explains how it is becoming more important to the anti-bribery compliance specialist.

Alster discusses the new D&B service, D&B Beneficial Ownership, a solution that delivers quick and reliable data for actionable management of regulatory compliance. D&B Beneficial Ownership provides companies a fast and comprehensive picture of corporate hierarchy with entity and individual level share ownership based on Dun & Bradstreet’s 265 million verified business records. D&B Beneficial Ownership capabilities can be easily embedded into companies’ current workflows to help accelerate due diligence and ensure regulatory compliance.

You can learn more about this service, D&B Beneficial Ownership by visiting: http://www.dnb.com/products/corporate-compliance/beneficial-ownership.html

Jul 7, 2017

This week, Jay and I return for a wide-ranging discussion on some of the week’s top compliance related stories, including: 

  1. U.S. charges top Colombia anti-graft prosecutor with money laundering. See article by Dick Cassin in the FCPA Blog.
  2. US Supreme Court may finally settle one of the fiercest debates arising from the Dodd-Frank Act: What is a whistleblower and when are they protected against corporate retaliation? See Joe Mont’s article in Compliance Week.
  3. Alstom obtains ISO 37001 certification but does it mean anything?
  4. Benefits of FCPA Pilot Program becoming clear after two 2017 declinations. See article by Jaclyn Jaeger in Compliance Week.
  5. Head of federal government ethics office to step down. See article in The Hill.
  6. At nearly the half-way mark, the Astros lead the majors with the best record. See Tom’s article on how and why in the FCPA Compliance Report.
  7. New eBook on Trump and Compliance: the First 100 Days is out. It collects the musings from the four amigos on the Everything Compliance podcast (+1). You can download your copy by clicking here.

Jul 7, 2017

There are four significant controls that he would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency. 

Your DOA should reflect the impact of compliance risk, including both transactions and geographic location, so that a higher level of approval would be required inside your company for matters involving third parties and for fund transfers and invoice payments to countries outside the US. It is quite often true that a DOA is prepared without much thought given to compliance risks, and once a DOA is prepared it is not used again until it is time to update for personnel changes. Moreover, it is often not available, not kept current, and/or does not define authority in a way that even the approvers could understand. Therefore, it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this, you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid.

Furthermore, if a DOA is properly prepared and enforced, it can be a powerful preventive tool for compliance. Consider the following example: A wire transfer between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of the same amount to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the compliance function, and one officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Finally, a DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US. 

The vendor master file can be one of the most powerful PREVENTIVE control tools, largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next, manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested, or when changes to a vendor name and/or vendor payment information are submitted.

Near and dear to my heart as a lawyer, contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detect control. I would caution that for contracts to provide effective internal controls, relevant terms of those contracts (including, for instance, the commission rate, reimbursement of business expenses, use of subagents, etc.) should be made available to those who process and approve vendor invoices. If nonconforming service descriptions, commission rates, etc., are present in a contract, the terms must be approved not only by the original approver but also by the person so delegated in the DOA. Unfortunately, contracts are not typically integrated into the internal control system. They are left off to the side on their own, usually gathering dust in the legal department file room.

The Hewlett-Packard FCPA enforcement action was an excellent example of the lack of internal control over the disbursements of funds and movement of currency, because you had the country manager delivering bags of cash to a Polish government official to obtain or retain business. All situations where funds can be sent outside the US, including such methods as AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans and advances, should be reviewed from the compliance risk standpoint. This means you need to identify the ways in which a country manager or a sales manager could cause funds to be transferred to their control and conceal the true nature of the use of the funds within the accounting system.

To prevent these types of activities, internal controls need to be in place. This means all wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence agreement of the approvals to the DOA. Wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of proper business purpose.

The bottom line is that internal controls are just good financial controls. The internal controls detailed for third party representatives in the compliance context will help to detect fraud, which could well lead to bribery and corruption.

Three Key Takeaways

  1. Remember the top four internal controls for an effective compliance program.
  2. Effective internal controls should do more than protect but also prevent internal program violations.
  3. Effective internal compliance controls are good financial controls.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 6, 2017

Today, New York Times columnist David Brooks’ thoughts on building and maintaining order inform our discussion on internal controls. In the area of internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a particular company. There is a clear need for rigor in your internal controls protocols, and adherence to that rigor can increase operationalization around the internal controls a company should consider, including gifts, travel and entertainment (GTE).

One area that companies need to be mindful of is corporate checks and wire transfers issued in response to falsified supporting documentation, such as check requests, purchase orders, or vendor invoices. The Delegation of Authority (DOA) is a critical internal control. So, for example, a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria could require approval by the Finance Manager, a knowledgeable person in the compliance function, and one officer. The key is that the DOA should specify who must give the final approval for such an expense.

Petty cash disbursements in locations outside the US have unique control issues. Some petty cash funds outside the US have small balances but substantial throughput of transactions. Your DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US, including those who travel from the US to work outside the US.

Another area for concern is travel, the reason being that a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms, etc., for non-employees. Internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated with the GlaxoSmithKline PLC (GSK) corruption enforcement action in China, a company must not discount the risk related to abuse of power internally and collusion with independent travel agencies. You should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, for not only visits to manufacturing or job sites but also any compliance restrictions that might be in place.

An area for fraud, corruption and corporate abuse has long been Procurement cards or “P-Cards”. If your company uses procurement cards, assume this to be a very high-risk area, not just for bribery and corruption but also for fraud risk generally. Banks have done a great selling job to corporations on the use of P-Cards to help facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here a control objective should be put in place along the lines of a written policy and procedures defining the acceptable and unacceptable use of company Procurement Cards, required forms, required approvals, documentation and review requirements.

If the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead that a check request form be used, which would be subject to stringent controls. In such cases a checklist should be completed and attached to the check request which includes questions and disclosures designed to flush out exactly what was provided in the way of a business class airline ticket, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling and why the travel had a business purpose. Such an internal control would allow for a more streamlined processing of expense reports and still elevate the GTE items to the appropriate level of review and require appropriate documentation.

One question I am often asked is why a company needs internal controls in place regarding gifts when, in many companies, internal audits of these expense reports are common. It is important to keep in mind that, with respect to GTE, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So, it will be a false sense of security if a Compliance Officer relies on the internal audit of expense reports to be the control needed over violation of Gift policies.

David Brooks has said, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Howell has identified, you can go a long way towards detecting and, more importantly, preventing an FCPA violation from occurring.

Three Key Takeaways

  1. You must maintain rigor around your internal controls.
  2. Controls against fraud can also help to prevent corruption.
  3. Building and maintaining good internal controls requires rigor. 

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jul 6, 2017

In this episode, I visit with Patrick Henz, a compliance practitioner and author of Access Granted: Tomorrow’s Business Ethics. Henz has written one of the most fascinating books on compliance going forward into the future that I have recently read. His book analyzes actual and future technological developments to discuss how these will affect tomorrow's business reality and its impact on the human. Henz believes that robotization and the implementation of Artificial Intelligence will change companies and societies. This does not automatically mean a shift for the better or worse, but life will be different, and it is in our hands to use technology for the former.

Artificial Intelligence, robots, 3D printing, micro-learnings, virtual reality, self-driving cars and all other autonomous software and machines will be a part of tomorrow's business. We should start thinking about the consequences. This is a chance and a challenge for management, where the Ethics & Compliance function can position itself as a key player and include AI inside its responsibilities.

In addition to the above, we discuss the role of gamification of training going forward and how AI will impact compliance. We also consider how the German electro-rock group Kraftwerk influences compliance to this day. Finally, we consider how the movie Minority Report and Asimov’s Three Laws of Robotics will inform your compliance program going forward.

Patrick Henz can be reached at Patrick.Henz@primemetals.com.

You can check out his book Access Granted on amazon.com.

Jul 5, 2017

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. The starting point is the FCPA itself, which requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences ….

The Justice Department (DOJ) and Securities and Exchange Commission (SEC), in their 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, Assistant Solicitor General in the Office of the Attorney General for the state of Utah and the author of “Foreign Corrupt Practices Act: A Practical Resource for Managers and Executives”, said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.” 

Internal controls expert Joe Howell, EVP at Workiva, Inc., has said that internal controls are systematic measures, such as reviews, checks and balances, methods and procedures, instituted by an organization, that perform several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources; to detect and deter errors, fraud, and theft; to assist an organization in ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Howell adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Howell also notes that for compliance purposes, controls are those measures specifically designed to provide reasonable assurance that any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs, as well as the distribution of assets.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its 2013 Internal Controls Framework defined internal controls, in its publication entitled “Internal Controls – Integrated Framework”, as follows: 

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance. This definition reflects certain fundamental concepts. Internal control is: 

  • Geared to the achievement of objectives in one or more categories—operations, reporting, and compliance
  • A process consisting of ongoing tasks and activities - a means to an end, not an end in itself
  • Effected by people - not merely about policy and procedure manuals, systems, and forms, but about people and the actions they take at every level of an organization to affect internal control
  • Able to provide reasonable assurance - but not absolute assurance, to an entity’s senior management and board of directors
  • Adaptable to the entity structure - flexible in application for the entire entity or for a particular subsidiary, division, operating unit, or business process.

The Integrated Framework goes on to note, “This definition is intentionally broad. It captures important concepts that are fundamental to how organizations design, implement, and conduct internal control, providing a basis for application across organizations that operate in different entity structures, industries, and geographic regions.”

 

Why are internal controls important in your compliance program? Two FCPA enforcement actions demonstrate the reason. The first came in late 2013 when the DOJ obtained a criminal plea from Weatherford International (WFT). There were three areas where WFT failed to institute appropriate internal controls. First, around third parties and business transactions, limits of authority and documentation requirements. Second, on effectively evaluating business transactions, including acquisitions and joint ventures (JVs), for corruption risks and to investigate those risks when detected. Finally, around excessive gifts, travel, and entertainment, where such expenses were not adequately vetted to ensure that they were reasonable, bona fide, and properly documented. 

The second case involved the gun manufacturer Smith & Wesson (S&W). The case did not include a criminal charge filed by the DOJ but a civil matter was prosecuted administratively by the SEC. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Moreover, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization”. 

The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, there are two big risks. The first is the assets or resources of a company (not just cash but inventory, fixed assets, etc.) being used to pay a bribe. The second is the diversion of company assets, such as unauthorized sales discounts or receivables write-offs, which are used to pay a bribe.

As an exercise, I suggest that you map your existing internal controls to the Ten Hallmarks of an Effective Compliance Program or some other well-known anti-corruption regime to see where control gaps may exist. This will help you to determine whether adequate compliance internal controls are present. From there you can move to see if they are working in practice or ‘functioning’. Internal controls will only become more important in FCPA enforcement. This month you will learn how to get ahead of the curve.

Three Key Takeaways

  1. Effective internal controls are required under the FCPA.
  2. Internal controls are a critical part of any best practices compliance program.
  3. The Weatherford and Smith & Wesson FCPA enforcement actions demonstrate the enforcement spotlight on internal controls.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.
