FCPA Compliance and Ethics Blog

October 21, 2014

Carlton Fisk, The Homer and Oversight of a Profitable Subsidiary

Fisk HomerToday we celebrate one of the great moments in World Series history. At approximately at 12:34 AM on this date in 1975, Carlton Fisk came to bat at the bottom of the 12th, in Game 6 of the World Series between the Boston Red Sox and Cincinnati Reds. He hit a pitch down the left field line. He stood at the plate, bouncing up and down and flailing at the ball as though he was helping an airplane land on a dark runway. “I was just wishing and hoping,” he said at a ceremony some years later. “Maybe, by doing it, you know, you ask something of somebody with a higher power. I like to think that if I didn’t wave, it would have gone foul.” Whether or not the waving was responsible, the ball bounced off of the bright-yellow foul pole above the Green Monster for a home run. Fenway’s organist played the Hallelujah Chorus from Handel’s Messiah while Fisk rounded the bases. One for the ages indeed as it appeared the Baseball Gods might finally be smiling on the Red Sox nation. Alas, they lost the next game and it was not to be for another 30 years.

I thought about Fisk’s homer and the ultimate heartbreak of Red Sox nation once again in 1975 when I read about several recent issues involving corruption and corporate responsibility for oversight, or perhaps more appropriately, the lack thereof. The first was an article in the New York Times (NYT), entitled “Another Scandal Hits Citigroup’s Moneymaking Mexican Division”, by Michael Corkery and Jessica Silver-Greenberg. Their article spoke about the continuing travails of Citigroup’s Mexican subsidiary Banamex. Back in February, the company revealed “a $400 million fraud involving the politically connected, but financially troubled, oil services firm Oceanografía.”

However, company investigators have unearthed another problem at the Mexico unit. The article reported “An internal investigation, begun by Citigroup in July, found evidence that the security unit was overcharging vendors and may have been taking kickbacks, a person briefed on the investigation said. The internal inquiry also found shell companies that had been set up to look like vendors and receive payments from the Banamex unit.” In a statement reported in the piece, Citigroup’s Chief Executive Officer (CEO) Michael L. Corbat “called the conduct of the individuals in the security unit ‘appalling’”.

What I found most interesting in the article was the response of Citigroup and what its implications might mean for the compliance practitioner, particularly one whose company is under scrutiny for a Foreign Corrupt Practices Act (FCPA) violation by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). The NYT piece made clear that the Mexico unit is so profitable that it figuratively “mints money” for the company. Moreover, “despite the latest headline-grabbing turmoil at Banamex, Citigroup does not want to cede any ground in Mexico where it dominates a large portion of the retail market.”

What is the responsibility for a US corporate parent when a foreign subsidiary ‘mints money’ for the company? Should the corporate parent pay closer attention to make sure the subsidiary is doing business in compliance with the FCPA and other relevant laws? In the past few posts, I have discussed some of the specific internal controls a compliance practitioner might consider for a company’s international operations. One of the problems Citigroup is facing with the conduct of its Mexico subsidiary is the company’s concern of “lax controls and oversight”. Moreover, there is concern that some part of the ongoing troubles in the Mexico unit relates to its head, Manuel Medina-Mora. Citigroup Chairman Michael O’Neill, was said to have “privately expressed concerns to board members that Mr. Medina-Mora, who is also co-president of the parent company, has not always relayed problems in the region to executives at the bank’s headquarters on Park Avenue, according to the people briefed on the matter. Instead of looping in executives in New York, Mr. Medina-Mora has at times chosen to handle the issues himself.”

How much oversight should a parent corporation have over a subsidiary? At a basic level it would seem that oversight should be enough to prevent and detect illegal conduct. Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and SEC filings.

While a CCO should expect (and the DOJ & SEC for that matter) that internal controls at locations outside the US are of the same effectiveness as internal controls in US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. The Citigroup situation with its Mexican subsidiary would seem to be a clear example of the oft-cited reason that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than US corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability, especially one that ‘mints money’.

The second example is one a bit closer to home and it is that of the General Motors (GM) legal department. In an article in the Wall Street Journal (WSJ) entitled “GM Says Top Lawyer to Step Down”, John D. Stroll and Joseph B. White, with contributions from Christopher Matthews and Joann S. Lublin, reported that GM General Counsel (GC) Michael Millikin will retire early next year. Millikin was criticized after the GM internal investigation found that he ran the GM legal department in such a hands off manner that he did not know about his legal department’s own settlements for product liability claims involving faulty ignition switches until February of this year. His defense was that his own lawyers “left him in the dark” even though there was evidence that he had been repeatedly warned, “GM could face punitive damage awards related to its failure to address the safety defect.” Missouri Senator Claire McCaskill summed up sentiment about Milliken with her statement “This is either gross negligence or gross incompetence.” In other words if you are a GC or CCO you had better know what is going on in your own department. What would it say about a CCO who did not know that compliance department members were dealing with violations of the FCPA without informing him or her? It would say that the CCO failed to exercise leadership and oversight.

And while you are watching things closely, you may want to check out a clip of Carlton Fisk’s famous homer by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 20, 2014

Internal Controls Outside the US – Part IV

NavigatingThis post will conclude a short series I have presented on the issue of internal controls outside the US. I want to conclude by raising some ways in which a compliance professional can work to implement internal controls in a multi-national organization. As with my entire series on internal controls, I rely on internal controls expert Henry Mixon for guidance on this topic. 

Mixon advises that the first step is to convert your company’s Foreign Corrupt Practices Act (FCPA) risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls, which meet the objectives. This process should allow more of a fine tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt and will give the business unit a sense of buy-in and participation in the process.

Mixon provided an example of how the process might work in the situation where the FCPA risk is that a third party representative may be paid for an invoiced amount before that third party representative has gone through your company’s full third party approval process. Mixon began by noting that your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file in which inserts the date the vendor is approved and by programming such a requirement the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’ requiring sign off by a second person, such as the controller. Through this mechanism you have created a primary control through your third party approval process and validated that process if a change is made.

What if your location or business unit involved does not have a sophisticated ERP system such as SAP, for instance at another location QuickBooks is used? Mixon suggests that the control objective could be satisfied by using a similar form for changes to the vendor master file combined with the requirement that a report of all changes are printed and submitted to both check signers, along with the applicable approved vendor change request.

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls. What happens when the compliance function receives push back and will be told the controls are too burdensome and also make operations less efficient? I inquired from Mixon how he might suggest this situation be dealt with going forward. Fortunately for us, this is something that Mixon has observed many times and is very familiar with the issue as many employees see internal controls only as an added burden. Moreover, many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money.

One of the areas available to a compliance professional is benchmarking from other company’s compliance experiences. However this can be expanded into solid presentations about why it is important to assess and mitigate FCPA risks using your corporate peers that have been the subject of an FCPA enforcement action. This is some of the best sources of information a compliance practitioner can avail his or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

Mixon also advises that the premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost benefit analysis. If the selling is done after at least a basic risk analysis, Mixon believes that it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs.

Another key factor, as with all FCPA compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for FCPA-focused internal controls to your company’s Executive Leadership Team (ELT), Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating the FCPA and fraud risks. Some of these might include the following:

  • Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
  • Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
  • With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
  • As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
  • It may be possible to build in more electronic controls, which can replace existing manual controls.

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes Oxley (SOX) compliance and that the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies the internal controls are effective? How should such a situation be dealt with or conversely how might a compliance professional respond? 

Mixon believes that there are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. This means that the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to FCPA. Mixon cited to the example of internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice, and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. It also does not address whether the agent’s invoice was reviewed for proper description of business purpose and for being consistent with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls itself is not enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement.

I hope that you have benefited from these posts on internal controls outside the US. I clearly believe that the price for noncompliance can easily be substantially greater than the cost to assess and implement good internal controls. But good FCPA internal controls are not some standalone protective measure. They can help to make a company run more efficiently as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the keys ways such companies do seem to have better than average profitability is that they have better internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 17, 2014

The Mummy and Internal Controls in Locations Outside the US – Part III

The Mummy-Hammer FilmsToday we celebrate Hammer Film’s version of The Mummy. This was the first film that the Hammer studios made under a license agreement with Universal Pictures, the holder of the copyright of its classic monsters from the 1930s and 1940s. This version starred the duo of Peter Cushing and Christopher Lee. Changing the storyline from the original Universal Picture version, the Hammer version brought the Mummy back to England from Egypt where his apparent sole purpose was to wreak havoc and kill those who violated the tomb of his beloved Princess Anck-es-en-Amon. This is somewhat confusing as the movie makes clear that Cushing did not desecrate the tomb because he was laid up with a broken leg at the time, which caused him to limp the remainder of the movie. It was Cushing’s father and uncle, who did come to grief at Lee’s hand back in jolly old England, who initially entered the tomb. But one thing about Hammer Films, internal consistency was never allowed to get in the way of a good story.

Perhaps as Hammer Films got carried away, I did as well (yet again). I know I said I was going to put together a three-part series on internal controls for locations outside the US but it has turned into a four-part series. In parts I & II I reviewed some of the risk considerations that a compliance professional should contemplate regarding business units outside the US. I also discussed how to perform a Location Risk Assessment. In Part II, I will review how to use this assessment as a tool to provide a structured approach to establishing effective internal controls. I will conclude with Part IV where I will discuss how to implement worldwide controls in a company where each foreign location has a distinct set of operations issues and uses different ERP / accounting software systems. Once again, I rely on internal controls expert Henry Mixon for guidance in this area.

After preparation of Location Risk Assessments, the next step is to prioritize the listing of the risks and which locations they are common to. Mixon advises the need to map existing internal controls to risks and then assess whether the internal controls are sufficient to mitigate the risks. To help with consistency in this evaluation process, it may be useful to assign a risk weight to each of the elements in the Location Risk Assessment. For example, a construction company might assign a higher weight to the presence of movable fixed assets while a company which sells exclusively through local distributors, might assign a higher weight to the sales function than one that exclusively uses company employees for sales activities. However it is structured, the assessment should result in the assignment of individual risk scores and a composite risk score for each location. These scores can then be used to prioritize the locations in terms of dealing with control risks.

 One of the biggest risks under the Foreign Corrupt Practices Act (FCPA) is where sales are conducted through third parties. If your company is moving to new geographic markets or new products and does not plan to use an internal sales team to facilitate these new efforts it presents a high FCPA compliance risk. The recent Securities and Exchange Commission (SEC) FCPA enforcement action against Smith & Wesson (S&W) was just such a situation, where a newly emerging international sales operation was executed through third party agents. The compliance function should understand the corporate or business unit controls over the international business generally, in addition to the necessary controls over agents we previously discussed. Some of the questions you might consider are the following. Is there a US based International Sales Manager who is responsible for growing the international business? What is the incentive compensation plan? How good are the segregation of duties (SODs)? In other words, can the International Sales Manager unilaterally make high-risk decisions, or must a senior officer of the business unit or corporate be part of the approval process? Finally, and in a point not to be forgotten or dismissed, how are all of these internal controls documented?

What about a situation in opposite to the above scenario, where your company’s primary sales channel uses a US based sales force which only travels to locations outside the US for temporary visits of generally short duration. This situation minimizes some compliance risks, retains some compliance risks, and shifts some other compliance risks. The minimized compliance risks come from the lessening on the reliance of third parties so that a company, at least in theory, would have more control over its own work force than those employed outside your company. The retained risks are the risks associated with gifts, entertainment, hospitality, and travel, approval of credit terms to customers, product pricing, special arrangements with customers such as providing product samples, knowing who the ultimate customer is and where the goods are ultimately shipped, and use of freight forwarders and customs agents. The shifted risks are created if there is no physical location outside the US because the accounting must be done in the US. This means that compliance risks regarding the accounting function simply shift to the US accounting department where transactions are processed and recorded and where the financial statements are prepared.

 These identified risks need to be subject to appropriate internal controls because it is well established that the issuance of a Code of Conduct and/or FCPA compliance policy and training of said policy’s requirements is a good practice, but it does not provide reasonable assurance that employees will comply with the policies. What is needed are written procedures and work instructions, in the native language of the respective employees, that defines exactly what the procedures to be performed are and how they will be evidenced. As difficult as it is for US employees to translate, by themselves, what it means to comply with policies, it may be significantly more difficult for employees outside the US, not only due to language but also due to traditional local business practices, cultures and customs. Think of a business unit in a geographic area such as the Far East where there is a significant amount of deference to supervisors in the local culture; such that, even if an employee saw inappropriate behavior it would not be expected that the employee would make any report or comment. Such situations can have huge impact on your internal controls environment.

Next week I will conclude this series on internal controls for your business locations outside the US with some thoughts on how a compliance practitioner might go about implementing these controls and responding to the inevitable pushback you will receive.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 16, 2014

Implementing compliance programme at the emerging markets of the former Soviet Union

Filed under: Uncategorized — tfoxlaw @ 12:01 am

TimurEd. Note-today we have a guest post from Timur Khasanov-Batirov, Chief Compliance Officer at DTEK and Co-Chairman at Compliance Club of the American Chamber of Commerce in Ukraine. He can be reached at tkhasanovbatirov@gmail.com. 

It will be a challenge. I mean to build a program that will give you at least certain level of comfort in the Russian, Kazakh or Ukrainian business reality. Obstacles are well known-high level of corruption, transforming economies, ambiguous laws. And here goes the main problem-do people (including you) believe that it is possible to act ethically at these markets? There are some thoughts below which hopefully could give an idea about ways to manage risks of those profitable but extremely risky jurisdictions.

Define the Scope of the Programme

In-house rule of the games traditionally incorporated in the Code of Ethics and anticorruption norms is a must have minimal standard. It is a pretty obvious custom. You should also think about compliance with sanctions regime imposed by the USA/EU on both Russians and Ukrainians. There is always a risk that your business is dealing with an entity ‘controlled’ by a blacklisted person. Considering a pretty wide interpretation of   the ‘control’ concept by the Western regulators just be sure that there is at least minimal control aiming on checking if those bad guys are among your current counterparties and system on preventing cooperation with them.

Who is in the Ethics Dream Team?

There is always someone who support ethical behavior and few that say it is impossible to implement ethical behavior in a local business reality. Just probably in many other countries. Tone at the Top is critical for success here. Unless you have it you have been playing Russian roulette. Here is the reason. Locals are used to face corruption and fraud both in their daily and professional lives in many spheres. They know that often rights words of their managers are not supported by real actions. Thus they might find natural to participate or not to report unethical acts which could lead to regulatory enforcement again your company and sometimes you personally. So find out in your team who is really devoted to ethics on different levels of the corporate hierarchy to support you compliance efforts. It will facilitate the process and allow winning hearts of your employees. Just have in mind that out there folks are used to follow people they trust rather than follow written instructions.

Risks Are Everywhere

Emerging markets are risky markets. Risk based approach is a platform for decision making process. You may accept compliance risk, transfer it to the third party, mitigate it but in any case be sure that   it is a well informed decision. In the reality of Russia and Ukraine specifically consider compliance risks in the areas relating to obtaining licenses, taxation (see for example Archer Midland case of 2013 in Ukraine), customs clearance, occupational fraud (mainly kickbacks in bidding). Local consultants offering services on obtaining governmental permits in the majority of cases are tied with the officials from the governmental bodies responsible of issuance of such permissions. Just have it in mind. The US criminal enforcement is not excusing those managers who are not asking questions. Thus ‘willful blindness’ is also punished.

Devoted Compliance Personnel

A few criteria for selection right safeguards of your corporate integrity in the oil reach Kazakhstan, Russia or Ukraine. They should really care about what they have been doing, have access to the senior managers, know anticorruption rules, wish to solve the problems, help employees who approach them. And to say ‘No’ when it should be said ‘No’.

Is It Really Allowed to Raise Concern?

Here the corporate culture comes into the light. By default your employees in Russia, Kazakhstan or Ukraine will not ring the corporate bell even if they clearly see the misconduct. Not used too. There is a recipe to minimize risks of corruption or unethical acts in this particular region. First, duly investigate raised concerns. Investigation reports should be escalated to the senior management level for consideration (for example, to the Compliance/HR committee or regional director). It is very important to ensure that viable and clear corporate ‘verdict’ becomes an outcome of such consideration. Double check whether it was enforced by your subsidiaries at that region.

Second, show people that you have cured the problem. It is not about naming bad guys but rather indicating in the corporate mass media typical types of bad behavior which were detected and stopped. To ensure your staff in this region will be raising concerns protect the whistleblowers. It will be the biggest difficulty. The local culture is not tolerating them. Unless you give level of comfort to whistleblowers you will not fully control the company and might face violations which lead to investigations, dismissals and penalties.

While it is impossible to predict all compliance risks generated by the CIS markets for sure a trustworthy corporate atmosphere along with genuine will of the key managers to make right things   could significantly mitigate risk exposure.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

October 15, 2014

Tommy Lewis, Dicky Maegle and the DOJ Call for Individual Prosecutions

Lewis and off the bench tackleTommy Lewis died this week. For those of you uninitiated in college football, Lewis was an Alabama football player who jumped up off the Alabama bench to tackle Rice University halfback Dicky Maegle, who was scampering untouched down the sideline for a touchdown in the 1954 Cotton Bowl. Lewis’ off the bench tackle led to a flag and the referees’ awarding Maegle a 95-yard touchdown on the play. Why did Lewis do it? As reported in his obituary in the Houston Chronicle, Lewis always maintained he was “too full of Alabama”. Maegle, perhaps more charitably, said, “He was a good guy who got caught up in the moment and the excitement.”

I thought about Maegle and Lewis when I was re-reading and considering the recent remarks of Assistant Attorney General for the Criminal Division Leslie R. Caldwell at the recent Ethics and Compliance Officers Association (ECOA) Conference. As Mike Volkov said in his post on Tuesday, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) communicate quite clearly what their enforcement priorities are; one does not have to read tea leaves, it is out there in black and white for all to see and hear. Caldwell’s remarks would seem to follow this observation of Volkov.

Caldwell made clear that the DOJ will prosecute individuals for violations of the Foreign Corrupt Practices Act (FCPA). In her remarks she said, “When criminal misconduct is discovered, a critical factor in the department’s prosecutorial decision making is the extent and nature of the company’s cooperation. The department’s Principles of Federal Prosecution of Business Organizations provides that prosecutors should consider “the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents.””

Recognizing that “Corporations do not act, but for the actions of individuals” Caldwell then laid down some quite strong prescriptions which compliance practitioners need to be cognizant about. Caldwell stated, “Now let me flesh out the often discussed, but sometimes poorly understood, concept of cooperation. Most companies now understand the benefits of voluntarily disclosing the misconduct before we come asking, and the benefits of conducting an internal investigation and providing facts about the misconduct to the government. But companies all too often tout what they view as strong cooperation, while ignoring that prosecutors specifically consider “the company’s willingness to cooperate in the investigation of its agents.””

She went on to add, “In all but a few cases, an individual or group of individuals is responsible for the corporation’s criminal conduct. The prosecution of culpable individuals – including corporate executives – for their criminal wrongdoing continues to be a high priority for the department. For a company to receive full cooperation credit following a self-report, it must root out the misconduct and identify the individuals responsible, even if they are senior executives.”

Fortunately the DOJ is not asking for undercover corporate sting operations because, as Caldwell explained, “We are not asking that you become surrogate FBI agents or prosecutors, or that you use law enforcement tactics like body wires.  And we do not need to hear you say that executive A violated a particular criminal law. All we are saying is that we expect you to provide us with facts. We will take it from there. But a company that interviews its employees in an effort to whitewash the facts or spread the company’s narrative spin risks receiving any cooperation credit.”

This is about as clear a warning as you can expect to receive. But the difficulty it puts company’s in is in regard to their internal investigations. Last week Joel Schectman, writing in the Wall Street Journal (WSJ) article entitled, “Are Internal Bribery Probes Private?”, explored the issue of whether such investigations are privileged, in the context of a current individual FCPA prosecution. In the matter of Joseph Sigelman, the former Chief Executive Officer (CEO) PetroTiger Ltd. Co., Schectman reported that “Prosecutors say the payments of approximately $333,500 to the wife for “consulting services” was actually a bribe to her husband to win a contract for PetroTiger worth around $39.6 million.”

Some or all of the underlying facts were turned over to the DOJ by PetroTiger’s internal investigation. The Defendant Sigelman wants to obtain copies of whatever PetroTiger turned over to the DOJ, arguing that the company waived any claim of attorney/client privilege “when it divulged the investigation’s findings to third parties, including officials of the United States.” The company has refused to hand over its internal investigation to the defendant based on this claim of attorney/client privilege.

What happens if a company, or its law firm gets the investigation wrong and falsely accuses an individual? Should the company be protected? That is the issue currently before the Texas Supreme Court in a libel case styled, Shell v. Writt. It involves our old friend Panalpina Inc. and its customer Royal Dutch Shell. David Smyth, in a post entitled Texas Court of Appeals Has Put Some FCPA Internal Investigations in an Awkward Spot”, said the DOJ contacted Shell about its dealings with Panalpina. Sometime later, “Shell agreed to conduct an internal investigation into its dealings with Panalpina.” Smyth noted that, “Shell submitted an investigative report that pointed the finger at Writt.  Specifically, Shell said Writt had been involved in illegal conduct in a Shell Nigerian project by recommending that Shell reimburse contractor payments he knew to be bribes and failing to report illegal contractor conduct he was aware of.”

Writt sued Shell for libel and Shell defeated Writt at the trial court on the basis that it had an “absolute privilege to say what it did in its investigative report to the DOJ.”

However, a Texas Court of Appeals reversed the trial court ruling holding that absolute privilege does not apply where a party voluntarily turns over information to a prosecutor before a judicial proceeding is initiated or contemplated. As Smyth explained, “In the court’s view, DOJ was acting purely in a prosecutorial and non-judicial capacity.” Shell has appealed this matter to the Texas Supreme Court, which has accepted the case for review.

There are several difficult issues from the facts of this case. Smyth points to one when he ended his piece, “FCPA investigations these days are a different animal, and probably deserving of different treatment by the courts. As of now, a company conducting an internal FCPA investigation in Texas has to ask, what do we do if one of an investigation reveals one of our employees as a bad actor? Do we say as much in the report we turn over to the government, as the government surely expects? If we do, are we signing on for libel litigation by the employee?” But now Caldwell has made clear that the DOJ expects companies to “identify the individuals responsible, even if they are senior executives”. If you are one of the individuals so identified, are you entitled to know what the accusations against you might be? What if the company’s lawyers got it wrong? Should they have a duty?

Moreover, there are a plethora of procedural protections available to criminal defendants not available to civil defendants or even those who are the subject of internal corporate investigations. Should a Miranda warning now be given during internal corporate investigations? Is the right to remain silent and not self-incriminate oneself available in such an investigation? In paper entitled “Navigating Potential Pitfalls in Conducting Internal Investigations: Upjohn Warnings, “Corporate Miranda,” and Beyond” Craig Margolis and Lindsey Vaala, of the law firm Vinson & Elkins LLP, explored the pitfalls faced by counsel, both in-house and outside investigative, and corporations when an employee admits to wrong doing during an internal investigation, where such conduct is reported to the US Government and the employee is thereafter prosecuted criminally under a law such as the FCPA.

Employees who are subject to being interviewed or otherwise required to cooperate in an internal investigation may find themselves on the sharp horns of a dilemma requiring either (1) cooperating with the internal investigation or (2) losing their jobs for failure to cooperate by providing documents, testimony or other evidence. Many US businesses mandate full employee cooperation with internal investigations or those handled by outside counsel on behalf of a corporation. These requirements can exert a coercive force, “often inducing employees to act contrary to their personal legal interests in favor of candidly disclosing wrongdoing to corporate counsel.”  Moreover, such a corporate policy may permit a company to claim to the US government a spirit of cooperation in the hopes of avoiding prosecution in “addition to increasing the chances of learning meaningful information.”

Where the US Government compels such testimony, through the mechanism of inducing a corporation to coerce its employees into cooperating with an internal investigation, by threatening job loss or other economic penalty, the in-house counsel’s actions may raise Fifth Amendment due process and voluntariness concerns because the underlying compulsion was brought on by a state actor, namely the US Government. Margolis and Vaala note that by utilizing corporate counsel and pressuring corporations to cooperate, the US Government is sometimes able to achieve indirectly what it would not be able to achieve on its own – inducing employees to waive their Fifth Amendment right against self-incrimination and minimizing the effectiveness of defense counsel’s assistance.

All of the above would seem to make clear the need for company’s to get their internal investigations done right. If you are going to receive credit from the DOJ going forward, your investigations must be done thoroughly, in a timely manner and provide to the DOJ the information that Caldwell has laid out that they want. At least currently in Texas, a company has to get it right or risk being sued if they mis-identify a potential criminal actor.

Tommy Lewis and Dicky Maegle? Lewis made a mistake, probably carried away in the heat of the moment. What did Maegle have to say about him on the occasion of his death? “He was very remorseful, and I thought he was sincere. I liked him. We became friends.” Let’s hope your employees still like your company at the end of an internal investigation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

October 14, 2014

Steve Bartman and Internal Controls Outside the US, Part II

BartmanToday, we note that 11 years ago, Steve Bartman entered the Chicago Cubs Hall of Infamy. For every baseball fan, if there was ever a but for the grace of God, go thee moment the sad saga of Bartman is it. The Chicago Cubs, who at that point had not played in World Series appearance in 58 years were five outs away from going to the 2003 Fall Classic. Bartman interfered with a ball he thought was in foul territory on the left field line but was in fact playable and about to be caught by Left Fielder Moisés Alou. His interference allowed the at-bat to continue and the batter got a hit. The Cubs fell apart and lost the game. Bartman was escorted from Wrigley Field by security guards as bloodthirsty fans hurled beer cans and other debris at his head. The next day, he went into hiding—but not before he told the press that “I’ve been a Cub fan all my life and fully understand the relationship between my actions and the outcome of the game – I am so truly sorry from the bottom of this Cubs fan’s broken heart.” Bartman lives in hiding to this day. Why is it a but for the grace of God moment? Because probably every baseball fan in the universe would have done what Bartman did and interfere by catching the ball, or at least trying to catch it.

Bartman’s story provides the starting point for today’s post. Last week, in Part I of this three-part series on internal controls for US company-business units which are located outside the US, I discussed some of the reasons why there might be such differences and provided a framework for thinking through how to assess the risk they might pose a company subject to the Foreign Corrupt Practices Act (FCPA). The framework I introduced in Part I was a Location Risk Assessment; today, I will discuss how to perform this assessment. Once again, I will rely on internal controls expert Henry Mixon for guidance in this area.

It is incumbent that you need to review as much information as you can to understand the financial and operational structure of an entity and how the financial and operation structure outside the US is integrated with the corporate headquarters, or the US business unit’s financial and operation structure, if the foreign operation is part of a US business unit. Mixon suggested that you could begin with the Transparency International (TI) Corruption Perceptions Index (CPI) to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your operations at a location outside the US. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third party representatives are coming into a commercial relationship with your company through your supply chain.

Other areas of inquiry, which could be considered, include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the US and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which local disbursements are made in local currency and, of course, is there a local petty cash fund?

As with many other areas around internal controls, it is important to consider the local Delegation of Authority (DOA) and whether it is consistent with your corporate DOA. Mixon suggested that some of the considerations regarding the local DOA should extend to which corporate or US business unit approvals are required for transactions initiated locally, such as: (1) Approval of vendor invoices, (2) Disbursements of funds, including wire transfers; (3). Execution of facilities leases; (4) Execution of contracts with agents; and (5) Approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate segregation of duties at the local business unit level.

You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment of customers? Are products drop shipped from US directly to the customers of the local operation? Are products drop shipped to distributors for delivery to the ultimate customer?

Hopefully you are already doing the above but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and if so, what were the results of the investigation? In the area of customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities.

If there has not been a sufficient assessment of controls, the compliance professional must then decide how to best determine whether the local controls are sufficient to satisfy the requirement of the FCPA and accurately reflect all transactions and prevent concealment of improper transactions. Mixon believes that some of these considerations would be an inadequate segregation of duties because the separation of responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable). Further, the employee who prepares the deposit should not post the receipts to the customer accounts.

You should look to see if there is inappropriate access to assets. If there is internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms, and update applications. This means that an employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises.

It is not necessary to prove a bribe to have been paid in order to have an enforcement action against a company for violation of the internal controls provisions of the FCPA. In the recent Securities and Exchange Commission (SEC) enforcement action against Smith & Wesson, that was the situation. The lack of effective internal controls, not the payment of a bribe, was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals.

Mixon said that such a situation could arise in several different scenarios. The first is where an account manager’s signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance. Other examples are where a supervisor who approves expense reports but routinely does not look at the supporting documentation; a Country Manager provides a true control as an approver; or where the Country Manager or the local Finance Manager has ability to conceal the true nature of transactions without detection by anyone else.

Another important area involves sales and compensation for the international business unit in question. On the sales side of the equation, Mixon suggested you review the three-year historical sales for the location and what are the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation such as what is the sales incentive compensation plan for local sales personnel and for the Country Manager; as this inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe in order to win a contract which results in a large sales incentive compensation to the employee.

All of these reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the Fraud Triangle, which lays out breeding ground for fraud in the corruption context:

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization – a fraud perpetrator always rationalizes that he / she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity – the perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment.

Steve Bartman has never spoken publicly about the event to this day. There has been no catharsis for him like the Red Sox fans gave Bill Buckner. But in the FCPA universe for your operations outside the US, you do not have to be a Bartman. In Parts I & II of this series, I have reviewed what some of the risks might be in your international locations that you do not have in your US domestic operations. In Part III, I will discuss how to use the Location Risk Assessment as a tool to provide a structured approach to establishing effective internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 13, 2014

Ringo, Sir Paul and an Effective Compliance Program

Paul McCartneySometimes the universe converges in ways that are beyond my simple comprehension. This past weekend was one of them. It began a few months ago when I saw an advertisement from StubHub that showed Ringo Starr playing in Houston on October 10 and Sir Paul McCartney playing in New Orleans on October 11. I figured if the two surviving members of the greatest rock and roll band in the history of the world were going to play on two consecutive nights it was a sure sign from the Oracle of Rock ‘N Roll that I was intended to attend both, lest I tempt a fate worse than going against an entity nearly as powerful as the Oracle of Delphi. Moreover, the Friday concert coincided with the birthday of my little sister who happened to be in town and one of the planets biggest Beatles fans, it made the convergence complete. Ringo Starr

I also learned two completely new and unrelated facts this weekend. The first is that a native of Liverpool, England, is called a ‘Scouser’. That comes from my Liverpudlian friend Pam, who also introduced me to the Liverpool Football Club. The second is that my wife is a closet Mr. Mister uber fan, who rocked out as a teenager to this group in the early days of MTV. On reflection that is perhaps the more odder convergence.

While there is clearly a reason Ringo Starr tours with true musical all-stars and Sir Paul McCartney has been raised to the peerage for his musical prowess, in many ways the Ringo Starr concert was the bigger revelation. I had wondered how Ringo would fill out an entire concert. He did it by surrounding himself with musicians fabulous in their own right. They included: Steve Lukather, former lead singer from Toto on vocals, lead and rhythm guitar; Gregg Rolie, former keyboardist from Santana and Journey on vocals, organ, keyboards; Richard Page, former lead singer from Mr. Mister, on vocals and bass guitar; and finally, best and certainly not least, Todd Rundgren on vocals, lead and rhythm guitar, bass guitar, percussion, harmonica and, occasionally, even keyboards.

So in addition to Ringo singing his standards of Photograph, It Don’t Come Easy, Yellow Submarine and (of course) With a Little Help From My Friends. We also got to hear songs first released by Santana, Toto, Mr. Mister and some great Todd Rundgren hits. The group clearly loved playing and jamming with each other. Further, these other groups’ songs were great fun to hear and as they may never reform, I would not otherwise have the chance to hear them performed lived.

Sir Paul McCartney. You really do not have to say much more. His concert did not exceed my expectations because they were about as high as expectations could have been. He seriously rocked out for over three hours, playing everything from the earliest Beatles songs up to a ballad for his latest wife. I cannot remember ever attending a concert where everyone one in attendance knew the words to every song but we all did and we all sung them all the way through the entire show.

What is the compliance angle to all of this? Just as there is more than one way to put on a great concert, there is more than one way to have an effective compliance program. This continual message from the Department of Justice (DOJ) came again earlier this month through remarks by Assistant Attorney General for the Criminal Division, Leslie R. Caldwell, at the 22nd Annual Ethics and Compliance Conference, where she made clear that while the FCPA Ten Hallmarks of an Effective Compliance Program is one set of guidelines for an effective compliance program, there is no “one-size fits all” compliance program. She laid out another way to think through, review and analyze your compliance program. 

  1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
  1. Written Policies. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. Again, employees need to know what to do–or not do–when faced with a tough judgment call involving business ethics. Companies need to make that as easy as possible for their employees.
  1. Periodic Risk-Based Review. A company should periodically evaluate these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company. Companies change over time through natural growth, mergers, and acquisitions.
  1. Proper Oversight and Independence. A company should assign responsibility to senior executives for the implementation and oversight of the compliance program. Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs needed to be funded; they need to have resources. And they need to have teeth and respect within the company.
  1. Training and Guidance. A company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers, employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
  1. Internal Reporting. A company should have an effective system for confidential, internal reporting of compliance violations. I know that many companies have multiple mechanisms, which is good.
  1. Investigation. A company should establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations. What this means on the ground will depend on the company. A sophisticated multi-national corporation obviously will be expected to have more resources devoted to compliance than a small regional company.
  1. Enforcement and Discipline. A company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations. Further, the response to a violation must be even-handed. People watch what people do much more carefully than what they say. When it comes to compliance, you must both say and do.
  1. Third-Party Relationships. A company should institute compliance requirements pertaining to the oversight of all agents and business partners. This cannot be emphasized strongly enough.
  2. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.

Caldwell also emphasized that as important as the compliance program itself; the implementation is also reviewed and evaluated by the DOJ. When the DOJ investigates a case, they look at the messages about compliance that are given to employees; they look at what employees are told in their day-to-day work. This means the DOJ will look at emails, chats, and recorded phone calls. They will interview witnesses about the messages they received from their supervisors and management to determine if they received messages about compliance, or about making money at all costs.

Another consideration for the DOJ is incentives. The DOJ will examine the incentives that a company provides to encourage compliant behavior – or not. This means that if a company is actually encouraging compliance, if its values are to be ethical and within the law, this message must be conveyed to employees in a meaningful way. If not, it is likely that the DOJ will not view the compliance program as credible. Interestingly, Caldwell said that sometimes the effective implementation of a compliance program means standing apart from the other companies in your industry.

Just as Ringo and Sir Paul ably demonstrated, there is more than one way to put on a great concert. They both assessed their strengths and weaknesses and used that information to put great bands around them illustrated their strengths. The same is true in the world of Foreign Corrupt Practices Act (FCPA) compliance. The key is to review and assess your compliance risks and then manage them. And, as always, Document, Document, and Document whatever you do so that if a regulator comes knocking, you can demonstrate evidence of the above.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

 

October 10, 2014

The Horror of Dracula and Internal Controls in International Locations, Part I

Christopher Lee as DraculaThis Friday we celebrate the second in the Hammer Films horror series, which was actually its first offering, based on Count Dracula, entitled “Horror of Dracula”. It starred the famous Hammer Films horror movie two-some of Peter Cushing as Professor Van Helsing and Christopher Lee as Count Dracula. If you have grown up on the classic Universal monster films, the first thing that strikes you about the Hammer Films is the glorious technical color production. The second thing is the focus on gore. Horror of Dracula, with its emphasis on blood is particularly focused. Nevertheless, the productions are first rate and with Cushing and Lee bringing some gravitas to the cast, the movie certainly holds up. One of the biggest changes from Bram Stoker’s novel and the Universal movie version starring Bela Lugosi, is the location change from England to Transylvania for the confrontation between Professor Van Helsing and Dracula. In other words, they were on Dracula’s home turf; not in England on Professor Van Helsing’s home ground.

As the Foreign Corrupt Practices Act (FCPA) deals largely with conduct outside the US, today, I will begin a multi-part series on internal controls at locations outside the US. Part I will focus on how to think through the issues of internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. In Part II, I will review how to determine the risk in a geographic region outside the US, through a Location Risk Assessment and for Part III, I will close with how a compliance practitioner should use a Location Risk Assessment.

Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance. Once again I visited with internal controls expert Henry Mixon to discuss these issues.

While a CCO should expect (or at least hope) that internal controls at locations outside the US are of the same effectiveness as internal controls within US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. Mixon indicated that there may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for FCPA compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, it is not often the situation in which there was a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel that in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for FCPA risk.

The next area for inquiry is where should a CCO begin in any of the above scenarios? Mixon believes that the initial first step is to determine the extent of centralization or decentralization of relevant processes or put another way, to what extent are relevant processes performed at the corporate offices? In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator.

The first step for the CCO is to determine the possible universe of risks and to assess the risks to result in a priority of how attention will be focused. One useful approach advocated by Mixon is the Location Risk Assessment (LRA), whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks.

For your weekend viewing, I would suggest you kick your feet up and look forward to some good, old-fashioned 1950s flavored gore found in the Horror of Dracula. If your temporal compliance matters need your attention, you can look forward to Part II next week, in which I will discuss how a compliance practitioner should perform a Local Risk Assessment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 9, 2014

Tribute to Jim McGrath

Filed under: Jim McGrath — tfoxlaw @ 6:14 am
Tags:

Jim McGrathEd. Note-Jim McGrath died this week. He was a good friend and a trusted  colleague. My thoughts are with his wife, sister and her family and his parents and the rest of us who were privileged to know Jim. Jim was a grizzly bear of a man, having played college football at Marquette and tried out for the New England Patriots. He later became a lawyer, helped run a federally funded drug task force, worked in local government and then used all of this experience to move into the the specialty of corporate investigations. The articles he posted on his blogsite, Internal Investigations Blog, were packed with facts, tips, witticisms and insights for the compliance practitioner around the issue of internal investigations. Jim’s generosity was well-known. He was one of the very few people I know that everyone liked and in no small feat had earned the very Southern sobriquet that he was a ‘great guy’. Two years ago this month, I published an interview with Jim, which I repost below as a tribute to my good friend. 

————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————-

1.      Where did you grow up and what were your interests as a youngster?

I grew up in an inner ring suburb of Cleveland.  My Dad was an attorney and later a Common Pleas Court judge and so it was expected that my sister, brother, and I would go to college.  We were the only family with a college graduate as the head of our household in our neighborhood, to the best of my knowledge.  We were good kids and well thought of by the neighbors, because my father beat (mostly figuratively) honesty, respect, integrity, personal responsibility, hard work, and humility into us.

My interests were always sports, and primarily football, although I also played baseball (catcher), basketball, and soccer.  I always liked controlled violence and hitting or being hit.  That attitude was common in my youth and I was often the youngest kid in the pick-up game and so I had to be tough.  Even at 48 years of age, it still brings a smile to my face to remember that I never shied away from a hit, even with much bigger guys.  I think that I am still that way.

Just as importantly, I worked a lot as a kid. When I was 13, he got me a job washing dishes at a mom-and-pop pizza joint about a mile from home.  By the time I was 14, I was a cook.  That job taught me almost everything I know about working: the customer is always right; you have to be on time; you have to give your best effort; the boss has the final say (even if he is an idiot), how to balance school, work and extra-curricular, etc.  It has been a tremendous benefit to me to have had that job.  In college, started and ran my own house-painting business.  In law school, I clerked, worked at another pizza joint, and drove a dump truck (many times, all in one day) in order to pay my tuition.

2.      Where did you go to college and what experiences there led to your current profession?

I went to Marquette University in Milwaukee for my undergraduate education.  I wanted to go there because it was a Jesuit institution and although the Jesuits have a tendency to irk the Pope, they certainly can teach. Because my Dad was an attorney, I was exposed to the profession early.  It was a natural progression for me, I guess.  I used to go to his office with him on Saturdays when I was a kid and would bang out fake motions on the old typewriters.  Plus, it was “downtown”, which meant something here (as elsewhere) before the explosion of freeways, malls, and exurbs.  My Dad had been a prosecutor, as well, so I always wanted to do the same and “wear the white hat”.

3.      As we would say in Texas, you look like you played some ‘ball’ in your day? What positions did you play and did you play professionally?

I played ball and even had tryout offers with the New England Patriots and the New York Giants.  I went to Marquette for academics.  I guy already there mentioned me to the football coach and he contacted me and asked me to come out for the team.  Here was the rub: the program was not a varsity one.  Marquette had a club program. The team played varsity Division III teams in the Illini-Badger Conference and others.   As a sophomore through senior, I was the fullback.  More like Robert Newhouse than Earl Campbell.  I opened a lot of holes and caught swing passes. I loved it, especially the contact as a lead blocker.

I went to a tryout with the Patriots in 1987.  My goal was to not be the first running back sent home and I wasn’t.  Of course, I didn’t make it to training camp, either.   After I got cut, there was something there from the Giants.  It was a “heard you got cut, come on up and see us” wire.  I had to get back and get ready for law school and the Giants were coming off a Super Bowl win in January.  I figured that if I couldn’t stick with the Pats, who were on a downward trend, I surely wasn’t going to displace Maurice Carthon in New York.  And that was the end of my football career.

4.      You started your legal career in law enforcement. What can you tell us about that and how did it shape your professional career going forward?

A few years after getting out of law school, I got an offer to be an assistant prosecutor in another inner ring Cleveland suburb.  By age 29, I was the chief prosecutor and had my hands in everything from multiple-slaying homicides to mortgage frauds.  We did it all and at tremendous volume.

About the same time (age 29), I was asked to replace the former CLO of a regional narcotics unit that was run under the auspices of the DOJ and funded through a Byrne Grant.  I did that for almost 15 years and it was there that I got the chance to work with some truly excellent investigators.  I also had the opportunity to make a lot of very good and helpful contacts across a broad spectrum of law enforcement agencies and professionals, some of whom I am now able to tap for corporate internals.

Between both law enforcement gigs, I supervised and directed 3,000+ investigations of varying sizes and complexities.  It was a great training ground for what I am doing now.  The narcotics unit won an award as the undercover unit of the year from the Ohio Attorney General while I was there and we were excellent at what we did.  We used to sit in surveillance vehicles and dream about how we could turn these talents into careers in the private sector, and when the corporate landscape began to favor internal investigations by outside counsel, I decided to tab some of my former cohorts and launch this firm.

5.      Why did you start your Blogsite, what did you hope to achieve from it and what will be your focus going forward?

I started my blog site, as a means to gain exposure to readers as potential clients.  In addition, I have always enjoyed writing and felt that I had some worthwhile impressions to give on the lay of the investigative land.  The blog has netted me a tremendous network of readers and fellow C&E professionals that has translated and will continue to translate into business opportunities.  I enjoy writing the posts, although sometimes it is daunting when I get very busy.  If I could, and if there were a market for it, I would write full time on investigations or C&E issues, but I doubt that I would be able to make a living that way, given the relatively narrow focus of my writings.  It is being picked up and rolled into Dick Cassin’s ethiXbase consortium, which itself is an honor.  I intend to continue to write on my impressions on a wide variety of investigations facets across various sectors of the economy, business, and sports.

—————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————

Jim is the second friend I have lost in the past couple of months, quite suddenly, the other being RC Collins. They were both in the their 50s. So on a very personal note, if you are over 50, please, please, please, get an annual physical. I don’t know if would have helped Jim and RC but it might have and perhaps they would still be with us today. 

October 8, 2014

GSK as a Watershed in the International Fight Against Bribery and Corruption

Lifting WeightsGlaxoSmithKline PLC (GSK) may well be a watershed in the global fight against bribery and corruption. Behavior and conduct, which was illegal under Chinese law but previously tolerated and even accepted by Chinese government officials, quickly became a quagmire that the company was caught in when charges of corruption were leveled against them last year. Many westerners were skeptical about the claims made against GSK and its head of China operations, Mark Reilly. That is one of the problems in paying bribes to government officials; it is always illegal under domestic law. David Pilling, writing an article in the Financial Times (FT) entitled “Why corruption is a messy business”, said “Multinationals are discovering that there is only one thing worse than operating in a country where corruption is rampant: operating in one where corruption was once rampant – but is no longer tolerated.”

When it began, it was not it clear why China’s Communist Party Chief Xi Jinping began his anti-corruption push. Some speculated that it was an attack on western companies for more political reasons that economic reasons. Others took the opposite tack that the storm, which broke with the bribery and corruption investigation of GSK, was China’s attack on western companies to either hide or help fix problems endemic to the Chinese economic system. My take is that his campaign has a different purpose but incorporates both political and economic reasons. That purpose is that Xi has recognized something that the US government officials and most particularly the Department of Justice (DOJ) have been preaching for some time. That is, the insidiousness of corruption and its negative effects on an economic system.

Xi and China have realized that corruption is a drain on the Chinese economic system. Publications as diverse as the Brookings Institute to the Wall Street Journal (WSJ) have noted that one of the reasons for the anti-corruption campaign is to restore the Chinese public’s faith in the ruling Communist Party. Bob Ward, writing in the WSJ article entitled “The Risks in China’s Push to Root Out Wrong”, said, “China’s anticorruption drive began in late 2012 as a way to cleanse the ruling Communist Party and convince ordinary Chinese that the system isn’t rigged against them. Investigators are targeting some of China’s most powerful officials and disciplining tens of thousands of lower-echelon officials who party investigators contend got used to padding their salaries.” Cheng Li and Ryan McElveen, writing online for Brookings, in an article entitled “Debunking Misconceptions About Xi Jinping’s Anti-Corruption Campaign”, wrote, “If there were ever any doubts that Xi could restore faith in a party that had lost trust among the Chinese public, many of those doubts have been dispelled by the steady drumbeat of dismissals of high-ranking officials since he took office.”

But the economic reasons behind the anti-corruption campaign are equally important. One of the more interesting articulations came from one disgraced former Chinese government official, who was one of the earliest senior officials to be charged with corruption. In a WSJ article by James T. Areddy, entitled “Chinese Ex-Official Admits to Corruption”, he wrote about the trial of Liu Tienan, the “former head of the National Energy Administration and senior director in the National Development Reform Commission” who had been arrested in May 2013. His trial finally came around in September 2014. At his trial he made some rather extraordinary statements. Areddy wrote that “Liu testified that reducing official power is key to curbing corruption: “The major point, which is based on my own experience, is to give the market a great deal of power to make decisions.”” But Liu did not end there, “as he explained his view that China’s state bureaucracies are too powerful and entrepreneurs are too weak. “Approvals should be developed in a system, rather by an individual’s actions. This would help prevent abuse of power for personal self-interest.””

Whether or not Liu thought those statements up on himself, a smart defense lawyer suggested he make them to reduce his sentence, or the Chinese government told him to say it as his role in the well-known show trials of the Chinese justice system; it really does not matter. That is one of the most incredible statements I have ever heard of coming out of anything close to an official Chinese statement or proceeding. Think about it; first Liu is saying that the Adam Smith’s ‘invisible hand’ of the market should be governing market decisions. Next, he speaks against the arbitrary nature in China for entrepreneurs in giving approval about how businesses can expand and grow in China. This arbitrary process should be replaced with objective criteria. It is almost if Lui is channeling his inner FCPA Professor when he speaks against artificial barriers to market entry. Finally, Liu attacks the small-mindedness of bureaucratic mentality in their use of power for self-interest.

There have already been demonstrated economic benefits to China’s anti-corruption campaign. In September, Bloomberg reported that China’s fight against bribery and corruption could boost economic growth, generating an additional $70 billion for the budget, in summarizing economists’ forecasts. An article in the online publication Position and Promotions, reported that the bribery “could trigger a 0.1-0.5 percent increase in the world’s second-biggest economy, equivalent to $70 billion dollars.” This crackdown should also be welcomed by western companies, as “it could also benefit foreign companies operating on the Chinese market, who have experienced the negative effects of the omnipresent palm-greasing, according to Joerg Wuttke, president of European Chamber of Commerce in China.” He was further quoted as saying, “It takes the stress away. You’re not afraid that somebody gets an order because he found a better champagne or something like that. It’s not Singapore yet, but it’s a very positive development”.

As we close this phase of GSK’s saga, I think some time for reflection is appropriate. For the compliance practitioner there have been many specific lessons to be learned from GSK’s missteps. However I think the clearest lesson is that the only real hope that a company has into today’s world is an effective, best practices anti-corruption compliance program. Whether it is designed to help a company comply with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption legislation, it really does not matter. It is the only, and I mean only, chance your company will have when an issue in some far-flung part of the world splashes your company’s name across the world’s press.

But there may also be cause for celebration to those who have long preached against the evils of corruption, whether it is for economic reasons or for those who view the fight against anti-corruption as a part of the fight against terrorism. For if China is attacking domestic corruption, I believe that will lead other countries to do so as well. We are already seeing stirrings in India under new President Modi. So while GSK may well suffer going forward, the fight against global bribery and corruption may just have moved a few feet forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,725 other followers