FCPA Compliance and Ethics Blog

May 2, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or, even worse, your own propaganda. Simply because a Country Manager says something is true does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

  1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
  2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
  3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at, or touches, every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the complaint and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. Things that might work, and even be legally mandated, in Texas may not work in other areas of the globe, and this is where such advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document, Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often overlooked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 28, 2013

Use of Forensic Accounting to Avoid a Compliance Meltdown

On this date in 1979, the worst accident in the history of the US nuclear power industry began when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. Cooling water, contaminated with radiation, drained from the open valve into adjoining buildings, and the core began to dangerously overheat. While plant workers were exposed to unhealthy levels of radiation, no one outside Three Mile Island had their health adversely affected by the accident. Nonetheless, the incident greatly eroded the public’s faith in nuclear power. In the more than two decades since the accident at Three Mile Island, not a single new nuclear power plant has been ordered in the United States.

One of the recognized aspects of a best practices compliance program is auditing. In many ways, auditing is thought of as one of the ways to avoid a compliance meltdown. However, in a recent article in the Texas Lawyer, entitled “How Forensic Accountants Differ from Auditors”, author Elizabeth M. Junell discussed how a forensic accountant can assist an in-house lawyer in ways that differ from those of auditors from a company’s internal audit function. I found that her article had some interesting points for the compliance practitioner.

Junell says that forensic accountants collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic accountant’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. Junell contrasts these areas with that of internal audit, which she believes more often looks at process to determine if it has been adhered to in a procedure. This leads to internal auditors examining evidence to determine whether people followed prescribed processes or internal controls; this occurs, for example, in an operational Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA) compliance audit.

Junell writes that forensic accounting differs from auditing in both its objective and skill sets. The objective of a forensic accounting assignment is to collect, analyze and report on the evidence or facts surrounding a particular act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, she argues that a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered.

From there Junell believes that management should determine if further investigation is warranted. If further investigation is decided upon by management, then Junell considers that “this is where objective shifts and one of the forensic accountant’s strongest skills comes in: an investigative mind that drives him or her to answer questions about what occurred, when and how it happened, and who was involved.” She expects that, at times, a forensic accountant will be required to gather facts about why an event may have occurred so that they look for answers to such questions or for other red flags in the evidence.

One of the discussions that I found interesting in her article was how a compliance practitioner might use a forensic accountant. On the initial level, a decision should be made about whether a forensic accountant should be retained as an outside consultant or hired as an employee. Junell articulates that if such a professional is brought in as an employee, the position should sit in the legal department rather than the company’s internal audit department. She recognizes that in the past, many companies have used existing internal auditors to do forensic accounting work as a way to reduce costs and because of the perceived similarities in the skill set and work product. She believes that this view is becoming outdated and that more companies are placing the forensic accountant position into the legal and compliance department because of the legal implications surrounding the work. Further, placing the forensic accountant in the compliance department allows the maintenance of an objective approach to any assignment, since, as Junell believes, “he or she will not be governed by management or influenced by potential biases within” a company.

Lastly is the issue of privilege. If a forensic accountant is assigned to the internal audit group, you can kiss away even the chance of claiming privilege. Junell argues that by assigning the forensic accountant to the legal and compliance department one might have “more privilege protection than assigning him or her to internal audit or another department.”

I found Junell’s article to have some interesting points about how a compliance practitioner and compliance department can use a forensic accountant to help create a best practices program. It might be something that you would like to consider for your compliance regime. The lesson from Three Mile Island is not that it just might keep you from having a compliance meltdown but that since that time, think about the number of nuclear plants which have been built.


January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has included in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime. So assess your company’s risks and use these hallmarks as a basis to move forward.


January 10, 2013

Internal Audit Review of Charitable Donations Under the FCPA

When is a rose not a rose? When it is a charitable donation not made for philanthropic purposes and it violates the Foreign Corrupt Practices Act (FCPA). I thought about that concept when reviewing the Eli Lilly and Company (Lilly) FCPA enforcement action brought by the Securities and Exchange Commission (SEC) late last month. The Lilly enforcement action discussed a bribery scheme utilized by Lilly in Poland. The scheme and FCPA violations mirrored an earlier FCPA enforcement action, also brought by the SEC as a civil matter, rather than by the Department of Justice (DOJ) as a criminal matter, against another US entity Schering-Plough, for making charitable donations in Poland which violated the FCPA. One of the remarkable things about both of these enforcement actions, brought almost eight years apart, was that they involved improper payments to the same Polish charitable foundation to wrongfully influence the same Polish government official to purchase products from both of these companies.

I. The Bribery Schemes

Both companies were involved in negotiations for the sale of products with the Director of the Silesian Health Fund (Health Fund). He had also established a charitable foundation, the Chudow Foundation to engage in restoration of ancient castles in Poland. Both companies made donations to the Chudow Foundation at or near the time decisions were made regarding the purchase of their respective products by the Health Fund. The FCPA books and records violations for the donations stated that they were all mischaracterized on the respective company’s books. The donations were made by each company with the description for the donations as follows:

LILLY BOX SCORE OF DONATIONS MADE TO CHUDOW FOUNDATION

| # | Date | Amount of Donation | Listed Reason for Donation |
|---|------|--------------------|----------------------------|
| 1 | 6/21/2000 | $2,730 | Purchase of computers |
| 2 | 11/13/2000 | $1,855 | To support the foundation in its goal to develop activities in [Chudow Castle]. It was also noted that the ‘value of the request’ was indirect support of educational efforts of foundation settled by Silesian [Health Fund] |
| 3 | 5/22/2001 | $8,019 | Rental of castle for conferences |
| 4 | 11/05/2001 | $2,438 | Rental of castle for conferences |
| 5 | 3/27/2002 | $7,779 | Rental of castle for conferences |
| 6 | 6/14/2002 | $7,434 | Rental of castle for conferences |
| 7 | 11/20/2002 | $5,112 | Rental of castle for conferences |
| 8 | 1/29/2003 | $2,622 | Rental of castle for conferences |
|   | Total | $37,989 | |

Although all of these donations were approved by a team within Lilly, the “Medical Grant Committee [MGC]”, who reviewed the request for such donations, the MGC’s approval was “largely based on the justification and description in the submitted paperwork.” While Requests 1 & 2 may have had tangential value to the stated purpose of the Chudow Foundation to restore castles in Poland, even Request 3 was clearly a quid pro quo as an action to obtain business. Just as clearly, ‘rental of castle’ is not a charitable donation but an expenditure. Even with that understanding, the SEC Complaint noted that Lilly held no conferences at any castles, so it was an outright misrepresentation.

SCHERING-PLOUGH BOX SCORE OF DONATIONS MADE TO CHUDOW FOUNDATION

| # | Date | Amount of Donation | Listed Reason for Donation |
|---|------|--------------------|----------------------------|
| 1 | 2/23/1999 | $777 | Covering fight against viral hepatitis |
| 2 | 3/17/2000 | $4,909 | Support of health campaign within county of Gliwice |
| 3 | 7/19/2000 | $8,065 | Financing second stage of health prevention campaign in Gliwice |
| 4 | 11/8/2000 | $8,766 | Financing for the Foundation |
| 5 | 12/20/2000 | $9,292 | Financing second stage of research |
| 6 | 3/19/2001 | $4,340 | Financing lung cancer prevention program |
| 7 | 3/22/2001 | $4,854 | Financing screening examinations to detect skin cancer |
| 8 | 4/25/2001 | $4,958 | Support of lung cancer prevention program |
| 9 | 6/4/2001 | $5,019 | Support of lung cancer prevention program |
| 10 | 10/29/2001 | $4,878 | Support of a coronary disease prevention program and promote the image of the company in the medical community |
| 11 | 12/18/2001 | $10,067 | Support of an anti-chain smoking health program and promote the company as one that cares about the people of Silesia |
| 12 | 12/19/2001 | $5,067 | Financing of Foundation |
| 13 | 3/25/2002 | $4,868 | Support actions of Foundation in preventing infectious diseases of the liver |
|   | Total | $75,860 | |

The Schering-Plough SEC Complaint noted that the company Manager involved in the payment scheme, “provided false medical justifications for most of the payments on the documents that he submitted to the company’s finance department.” Additionally, he structured the payments so that they were at or below his approval limit so that he did not have to ask for permission to make the improper payments. The Manager in question viewed the donations as “dues that were required to be paid for assistance from the Director.”

II. The Red Flags for Charitable Donation

a. Schering-Plough

What were the factors which should become red flags for the review of charitable donations under the FCPA? The Schering-Plough SEC Complaint listed several items which it deemed indicia of red flags.

1.      No due diligence. The first is that no due diligence was performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.

2.      Donations not related to health care. While the company permitted donations to healthcare related programs there was no follow up to determine the purposes or uses of the donated funds.

3.      Outside normal range of donation. The next red flag was that the donations made to this single charitable foundation were approximately 40% of the company’s promotional budget in 2000 and 20% in 2001.

4.      Disproportionate sales. The company’s sales increased disproportionately compared with its own sales of the same products in other areas of Poland. Up to 53% of one product was sold in the region run by the Director of the Silesian Health Fund.

b. Lilly

The Lilly SEC Complaint listed several items which it deemed indicia of red flags.

1.      No due diligence. Once again there was no due diligence performed on the charity to identify the Director of the Silesian Health Fund as the founder or his role in the Chudow Foundation.

2.      Donations not related to health care. Unlike Schering-Plough, the reasons listed for the charitable donations did not relate to health care. Moreover, they were approved by a Lilly committee specifically tasked with reviewing such requests, which failed to investigate beyond the submitted paperwork, which was apparently not correct.

3.      Outside normal range of donation. The SEC Complaint quoted an email from a Lilly manager who said that he had decided to commit 70-75% of the [charitable donation] budget and the Director of the Silesian Health Fund was given a “free hand to manage the Lilly investment, emphasizing the fact we only doing this for him…”

4.      Suspicious Timing. The donations were made at or near the time that decisions on the purchase of Lilly products were made by the Director of the Silesian Health Fund. One donation was made two days after the Director of the Silesian Health Fund agreed to make a purchase of Lilly products.

Here Lilly used charitable donations to a charitable foundation which was, as stated in the SEC Complaint, “founded and administered by the head of one of the regional government health authorities at the same time that the subsidiary was seeking the official’s support for placing Lilly drugs on the government reimbursement list.” There were a total of eight payments made to the charitable foundation. In addition to the charitable donations made, Lilly “falsely characterized the proposed payments”. Lilly had a group which reviewed the request for such donations called the “Medical Grant Committee [MGC]” which approved the payments “largely based on the justification and description in the submitted paperwork.”

III. The Role of Internal Audit

Jon Rydberg, Principal of Orchid Advisors, has categorized the Lilly situation as one of a failure of internal controls. I would add that there was also a failure of internal audit. What does internal audit need to review in the context of charitable donations under the FCPA? Internal audit needs to start with the DOJ FCPA Guidance regarding charitable donations. Internal audit should begin by asking the following five initial questions:

(1)   What is the purpose of the payment?

(2)   Is the payment consistent with the company’s internal guidelines on charitable giving?

(3)   Is the payment at the request of a foreign official?

(4)   Is a foreign official associated with the charity and, if so, can the foreign official make decisions regarding your business in that country?

(5)   Is the payment conditioned upon receiving business or other benefits?

Next, internal audit should make inquiries based upon the DOJ Opinion Releases issued regarding charitable donations. Some of the protections a company can put in place to comply with the FCPA regarding charitable donations are as follows:

1)      Have the donation recipients certified that they or the entity will comply with the requirements of the FCPA;

2)      Has the recipient provided audited financial statements;

3)      Has the recipient restricted the use of the donated funds to humanitarian or charitable purposes only;

4)      Were the funds transferred to a valid bank account; and

5)      Ongoing auditing and monitoring of the efficacy of the charitable donation program.

Based upon the Schering-Plough and Lilly SEC enforcement actions, there are some additional inquiries that internal audit should make. They are as follows:

a.      What was the timing of the charitable donation or promise to make a donation in relation to the obtaining or retaining of business?

b.      Did the company follow its normal protocol for requesting, reviewing and making a charitable donation or is there a pattern of unusual donations outside the protocol?

c.       Did any one person make multiple donations just below their authority level so that it did not have to go up the line for review?

d.      Was the total amount donated to one charitable foundation out of proportion to the rest of the country or region’s charitable donation budget?

e.       Did the sales in one area, region or country spike after a pattern of charitable donations?

The information on the red flags from the prior Opinion Releases and the best practices, as set out in the FCPA Guidance, have been available for some time. I think that the information found in both the Schering-Plough and Lilly enforcement actions has a different focus for internal audit. In addition to looking at the timing of charitable donations to see if they are at or near the time of the awarding of new or continued business, I think that internal audit may now need to look at overall increases in sales to determine if they are tied to a pattern of charitable donations. I once heard my colleague Henry Mixon explain how the award of a contract may be the product of fraud or corruption. By looking at the timing and quantum of charitable donations, internal audit may be able to ascertain that a spike in sales is tied to corrupt conduct. This may not be something that is on the current radar of auditors when they review charitable donations, but may now be something they need to consider.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

September 9, 2012

The Five Essential Elements of a Corporate Compliance Program – Part II

Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago, I hope that you can join us for this presentation. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed: the five essential elements of a corporate compliance program. In Part I, I discussed the background to the development of the five essential elements. In today’s installment, Part II, I will detail the remaining elements of the five essential elements of a compliance program.

III. Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV. Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

Thirdly, you should tailor your training to each country. This means that employing a generic script for compliance training is a mistake. To be effective, training programs should be customized by region, country, industry, areas of compliance and types of employee. In addition to Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and OECD guidelines, focus on compliance risks in the country where the employees being trained are working. For example: In China, address the many corruption risks involved in dealing with state-owned entities.

V. Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

Finally, as was emphasized again with the recent Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols: (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

Finally, and consistent with Stephen Martin’s Baker & McKenzie partner Paul McNulty’s Maxim Three (What did you do about it?), are your remediation efforts. Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if companies are policing themselves on compliance-related issues, the government won’t have to do it for them. Remediation, then, is an important component of oversight. If your company’s sales force in Thailand is engaged in potentially improper activity due to a lack of adequate training, remediate the deficiency and schedule that training now. In the end, it’s not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event this week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.

© Thomas R. Fox, 2012

July 22, 2012

Bradley Wiggins, the Tour de France and Internal Audit under the FCPA

Filed under: Audit,compliance programs,FCPA,Internal Audit — tfoxlaw @ 4:10 pm

Today is a great day for Brits everywhere. Not only did Bradley Wiggins become the first Brit to win the Tour de France but fellow Team Sky rider Christopher Froome came in second making it the first British 1-2 finish in the 99 year history of the Tour as well. Wiggins ended his masterful three weeks of cycling by leading in yet another Team Sky member, Mark Cavendish, the “Mann Manx”, to his fourth consecutive win on the final day of the Tour, down the Champs-Elysees. It was a fabulous finish to an incredible 20 stages of riding. So a tip of my cycling helmet to Mr. Wiggins and to all of Team Sky.

One question which I sometimes ask in conjunction with the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act is what are some of the specific questions that should be reviewed by auditors in an internal audit which focuses on bribery, corruption and fraud? Last October the US Public Company Accounting Oversight Board (PCAOB) issued “Staff Audit Practice Alert No. 8 Audit Risks in Certain Emerging Markets” (Staff Alert No. 8). While Staff Alert No. 8 “focuses on risks of misstatement due to fraud that auditors might encounter in audits of companies with operations in emerging markets” I found it to be a useful guide for auditors who are also tasked with anti-bribery and anti-corruption focused audits, particularly internal auditors who may be asked to review such practices in the ongoing internal audits. Staff Alert No. 8 begins with a list of “conditions and situations indicating a heightened fraud risk”, which I cite in full because it is an excellent list of Red Flags.

  • Existence of two separate and different sets of financial books and records;
  • Discrepancies between the company’s financial books and records and audit evidence obtained with respect to the existence and accuracy of cash balances, accounts receivable, and revenues;
  • Auditor difficulties in confirming cash balances, including when requesting to visit the offices of the company’s bank, or questions about the authenticity of bank statements provided to the auditor;
  • Auditors’ follow-up visits to bank offices indicating serious discrepancies between bank confirmations provided to the auditor and the bank’s actual records, such as previously undisclosed material borrowings and no record of or significant differences regarding certain transactions;
  • Attempts by management to intercept or alter confirmation requests or responses;
  • Irregularities in sales contracts, such as a company-specific seal affixed on the sales contract that does not belong to the purported customer named in the contract;
  • Recognizing revenue from contracts or customers whose existence could not be corroborated;
  • Recording sales of products shipped to warehouses or freight forwarders where no customer is identified;
  • Undisclosed material facts surrounding acquisition transactions, sales transactions, and off-balance-sheet transactions with related parties;
  • Recording of assets for which evidence of control, ownership, or title is either unclear or difficult to corroborate;
  • Potential double counting of fixed assets;
  • Recording of uncorroborated operating expenses for which the business purpose is unclear;
  • Manipulation of the accounting records to mischaracterize or conceal payment of bribes or other improper payments;
  • Significant unexplained discrepancies between amounts included in the financial statements in SEC filings and amounts included in financial reports to other regulators, such as local authorities;
  • Use of personal-type bank accounts held in the name of corporate officers or employees instead of corporate-type bank accounts for company business; and
  • Unusual delays by management in the production of routine documents requested by the auditor.

Staff Alert No. 8 makes clear that an auditor cannot accomplish a task unless he or she understands both the company and its environment. An auditor should have an understanding of the following:

  • The relevant industry and regulatory factors, including the legal, and political environment, which may include matters such as:
    • The company’s significance in the regional or local economy and its level of influence over its industry, and regional or local government, and
    • Cultural norms in the business and regulatory environments;
  • The company’s objectives, strategies, and related business risks; its organizational structure; and sources of funding of the company’s operations;
  • The company’s significant investments, including equity method investments, joint ventures, and variable interest entities;
  • The sources of the company’s earnings, including the relative profitability of key products and services; and
  • The company’s key supplier and customer relationships.

From these factors, Staff Alert No. 8 advises that “incentives, pressures and opportunities” may lead to a heightened risk of corruption. Regarding incentives and pressures, the Staff Alert warns that companies which are looking to raise money for international markets may have an incentive to “manipulate financial statements rather than report poor results”. Providing a more detailed example the Staff Alert says that one technique used to accomplish such fraud would be consolidating the financial reports of a joint venture with a foreign state-owned enterprise, even if the company does not have a controlling interest in the partnership. Another example the Staff Report provides is the situation where a company repatriates large amounts of cash back to the US. Such foreign legal requirements can create a situation which could lead to bribery or corruption.

In the areas of opportunities, Staff Alert No. 8 focuses on weak internal controls as such deficiencies can provide opportunities for management or employees in such foreign jurisdictions to engage in bribery and corruption. In circumstances where a company is a dominant player in a geographic region, management might be able to dictate terms or conditions to local suppliers or customers, which might result in non-arm’s length transactions. Another example may well be where management could “pressure personnel of a local bank or other third parties to provide fraudulent information to the auditor.” Lastly, the PCAOB noted that there may be situations where employees are “not be willing to report instances of fraud for cultural reasons or fear of retribution from management” even where the company has a whistleblower program. The Staff Alert cautions that auditors should look for evidence of “undisclosed side agreements” and other evidence of collusion with third parties to “create false documentation to support fictitious transactions.”

Staff Alert No. 8 specifies that an auditor must exercise professional skepticism, which requires an auditor to obtain and critically evaluate independent evidence from outside sources, rather than simply relying on “management representations about the company’s performance.” To accomplish this, the Staff Alert speaks to the receipt and review of independent confirmations and to testing and reviewing revenue to ascertain that it is recognized correctly. Particular attention should be paid to transactions with related parties and to identifying their materiality to financial statements.

I found Staff Alert No. 8 a very useful piece of guidance. Not only does it speak to the auditor looking at FCPA or Bribery Act issues but it is important for the compliance practitioner to understand what a regulator might expect to see. As most of you who have heard me speak know, my FCPA and Bribery Act mantra is “Document Document Document”. This Staff Alert No. 8 lists what documentation a company should keep in order to help prove that it is doing business in compliance with these anti-bribery and anti-corruption laws.

So, congratulations, once more, to Bradley Wiggins. And for those of you cycling fans out there, seven of this year’s Tour de France stage winners will be riding in the London Olympics beginning this weekend. It should be great.


© Thomas R. Fox, 2012

June 28, 2012

2012 First Half FCPA Enforcement Round-Up: Part II

In yesterday’s post we reviewed three of the most significant enforcement actions so far for 2012. In today’s post we conclude with the final three enforcement actions that I believe provide the best or most recent insights for the compliance practitioner.

IV. Biomet

On March 26, 2012, both the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) announced the resolution of enforcement actions against Biomet Inc., a US entity which manufactures and sells medical devices around the world. It is headquartered in Fort Wayne, Indiana. The Company admitted to a lengthy run of bribery and corruption of doctors to purchase its products and paid a criminal fine of $17.3MM to resolve charges brought by the DOJ. It also agreed with the SEC to settle civil charges by paying $5.5MM in disgorgement of profits and pre-judgment interest.

A. Bribery and Corruption Facts

The Company engaged in an eight (8) year scheme to bribe and corrupt doctors in the countries of Argentina, Brazil and China to induce the physicians to purchase Biomet products. The SEC Complaint reported that “2000 to August 2008, Biomet Argentina employees paid bribes to doctors employed by publicly owned and operated hospitals in Argentina in exchange for sales of  Biomet’s medical device products. The doctors were paid approximately 15-20 percent of each sale.” In Brazil, the SEC Compliant reported that from 2001 until 2008, Biomet’s “Brazilian Distributor, paid bribes to doctors employed by publicly owned and operated hospitals to purchase Biomet’s implants. Brazilian Distributor paid the doctors bribes in the form of “commissions” of 10-20 percent of the value of the medical devices purchased.” In China, Biomet subsidiaries and its Chinese distributor paid from 5% up to 25% commissions to doctors for the sale of its products which were used during surgeries and also paid for Chinese surgeons to travel for training “including a substantial portion of the trip being devoted to sightseeing and other entertainment at Biomet’s expense.”

B.     Internal Audit Failures

The SEC Compliant reported that the Company’s Internal Audit was not only aware of the bribery program but discussed it in Memorandum to the Company’s home office, including the head of the Company’s Internal Audit Department. For instance in Argentina, the Company’s head of Internal Audit noted, as early as 2003, they “circulated an internal audit report on Argentina to Senior Vice President and others in Biomet in Indiana in which he stated, “[R]oyalties are paid to surgeons if requested. These are disclosed in the accounting records as commissions.” The Internal Audit report described the payments to surgeons, but only in the context of confirming that the amount paid to the surgeon was the amount recorded on the books.” However, the Company’s Internal Audit Department, took no steps to determine why royalties were paid to doctors or why the payments to the doctors were 15-20% of sales. Internal Audit did not obtain any evidence of services which the doctors might have performed entitling them to the payments. The SEC Complaint noted that Internal Audit “concluded that there were adequate controls in place to properly account for royalties paid to surgeons without any supporting documentation” and Internal Audit’s only recommendation was to change the journal entry from “commission expenses” to “royalties.”

The SEC Complaint also noted that “Biomet’s books and records did not reflect the true nature of those payments. The Company’s payments were improperly recorded as “commissions,” “royalties”, “consulting fees”, “other sales and marketing”, “scientific incentives”, “travel” and “entertainment.” The SEC Complaint concluded with the following: “False documents were routinely created or accepted that concealed the improper payments.”

C.     Lessons Learned for Internal Audit

The SEC Complaint had some very clear guidance for the role of Internal Audit in detecting bribery and corruption in a best practices Foreign Corrupt Practices Act (FCPA) compliance program. First, if there are any types of commission payments being made, Internal Audit needs to review the documentation supporting why such payments are being made. A review of contracts or other legal requirements which may obligate a company to make such payments should be a basic undertaking in any internal audit. After an internal auditor has determined if commission payments are legally authorized, the internal auditor should review the evidence that such commission payments have been earned. Another role delineated in the SEC Complaint for Internal Audit is to correctly classify payments so that the books and records of the company accurately reflect them as expenses. As noted, the Director of Internal Audit instructed that bribes paid during clinical trials of the Company’s products should be reclassified as ‘expenses’.

Key Takeaway: This enforcement action lists the specific role of Internal Audit in a FCPA compliance program.

V. Morgan Stanley and Garth Peterson

This is the first instance of the public release of a Declination to Prosecute a company under the FCPA, where an employee agreed to an underlying FCPA violation. Morgan Stanley Managing Director Garth Peterson conspired with others to circumvent Morgan Stanley’s internal controls in order to transfer a multi-million dollar ownership interest in a Shanghai building to himself and a Chinese public official. Peterson encouraged Morgan Stanley to sell an interest in a Chinese real-estate deal to Shanghai Yongye Enterprise (Yongye), a state-owned and state-controlled entity through which Shanghai’s Luwan District managed its own property and facilitated outside investment. However, the DOJ declined to prosecute Morgan Stanley and noted in its Press Release, “After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct. The company voluntarily disclosed this matter and has cooperated throughout the department’s investigation.”

A.     Declination to Prosecute

Both the DOJ and SEC went out of their way to praise the Morgan Stanley compliance program. This written praise not only demonstrated that companies receive credit from the DOJ for having a compliance program in place but also gave solid information as to why the DOJ declined to prosecute Morgan Stanley. In other words, it was a very public pronouncement of a declination to prosecute.

The SEC Complaint detailed the compliance program Morgan Stanley had in place and how it directly related to Peterson.

(1) Morgan Stanley trained Peterson on anti-corruption policies and the FCPA at least seven times between 2002 and 2008.

(2) Morgan Stanley distributed to Peterson written training materials specifically addressing the FCPA.

(3) A Morgan Stanley compliance officer specifically informed Peterson in 2004 that employees of Yongye, a Chinese state-owned entity, were government officials for purposes of the FCPA.

(4) Peterson received from Morgan Stanley at least thirty five FCPA-compliance reminders.

(5) Morgan Stanley required Peterson on multiple occasions to certify his compliance with the FCPA.

(6) Morgan Stanley required each of its employees, including Peterson, annually to certify adherence to Morgan Stanley’s Code of Conduct.

(7) Morgan Stanley required its employees, including Peterson, annually to disclose their outside business interests.

(8) Morgan Stanley had policies to conduct due diligence on its foreign business partners, conducted due diligence on the Chinese Official and Yongye before initially conducting business with them, and generally imposed an approval process for payments made in the course of its real estate investments.

B.     Compliance Program as Compliance Defense

If it was not clear that a company receives credit for having a best practices compliance program, it is now. Recognizing that a compliance program is not available as a formal affirmative defense, it is clear that Morgan Stanley was able to use not only its written compliance program, but its ongoing maintenance, communication and due diligence aspects to shield the employer from liability. The bottom line is what the DOJ and SEC representatives have been saying all along and that is that companies with best practices compliance programs receive credit in negotiating with the government.

Key Takeaway: The compliance defense is alive and well.

Key Takeaway II (for the DOJ): Publicize Declinations to Prosecute. It is solid information for the compliance practitioner to use and it will help companies do business in compliance with the FCPA.

VI. DS&S

Last, but certainly not least, we end our Top 6 of 2012, to date, with the Data Systems & Solutions LLC (DS&S) case.

A.     The Bribery Scheme

The bribery scheme involved payments made to officials at a state-owned nuclear power facility in Lithuania, named Ignalina Nuclear Power Plant (INPP). The payments were made to allow DS&S to obtain and retain business with INPP. The Information listed contracts awarded to DS&S in the amount of over $30MM from 1999 to 2004. Significantly, DS&S did not self-disclose this matter to the DOJ but only began an investigation after receiving a DOJ Subpoena for records.

The bribery scheme used by DS&S recycled about every known technique there is to pay bribes. The Information listed 51 instances of bribes paid or communications via email about the need to continue to pay bribes. The bribery scheme laid out in the Information reflected the following techniques used:

  • Payment of bribes by Subcontractors to Officials on behalf of DS&S;
  • Direct payment of bribes by DS&S into US bank accounts controlled by INPP Officials;
  • Creation of fictional invoices from the Subcontractors to fund the bribes;
  • Payment of above-market rates for services allegedly delivered by the Subcontractors so the excess monies could be used to fund bribes;
  • Payment of salaries to INPP Officials while they were ‘employed’ by Subcontractor B;
  • Providing travel and entertainment to Officials to Florida, where DS&S has no facilities and which travel and entertainment had no reasonable business purpose;

and last but not least…

  • Purchase of a Cartier watch as a gift.

B.     The Discounted Fine

DS&S received a discount of 30% off the low end of the penalty range as calculated under the US Sentencing Guidelines, which specified a fine range from $25MM down to $12.6MM. The ultimate fine paid by DS&S was only $8.82MM, which the Deferred Prosecution Agreement (DPA) states is “an approximately thirty-percent reduction off the bottom of the fine range…” In addition to its real-time internal investigation and extraordinary cooperation, the DPA reports that DS&S took the following extensive remediation steps:

  • Termination of company officials and employees who were engaged in the bribery scheme;
  • Dissolving the joint venture and then reorganizing and integrating the dissolved entity as a subsidiary of DS&S;
  • Instituting a rigorous compliance program in this newly constituted subsidiary;
  • Enhancing the company’s due diligence protocols for third-party agents and subcontractors;
  • Chief Executive Officer (CEO) review and approval of the selection and retention of any third-party agent or subcontractor;
  • Strengthening of company ethics and compliance policies;
  • Appointment of a company Ethics Representative who reports directly to the CEO;
  • The Ethics Representative provides regular reports to the Members Committee (the equivalent of a Board of Directors in a LLC); and
  • A heightened review of most foreign transactions.

C.     Mergers & Acquisitions

Two new additions, found at items 13 & 14 on Schedule C of the DPA, deal with mergers and acquisitions (M&A). They draw from and build upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance during an attempted acquisition and the Johnson and Johnson (J&J) Enhanced Compliance Obligations which were incorporated into its DPA. The five keys under these new items are: (1) develop policies and procedures for M&A work prior to engaging in such transactions; (2) full FCPA audit of any acquired entities “as quickly as practicable”; (3) report any corrupt payments or inadequate internal controls it discovers in this process to the DOJ; (4) apply DS&S anti-corruption policies and procedures to the newly acquired entities; and (5) train any persons who might “present a corruption risk to DS&S” on the company’s policies and procedures and the law.

Key Takeaway: Minimum best practices evolve so you should stay abreast of them. In the M&A arena, the DOJ continues to listen to comments on ‘buying a FCPA violation’ and provide guidance to manage the risk.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012


June 27, 2012

2012 First Half FCPA Enforcement Round-Up: Part I

The first half of 2012 is drawing to a close and we have had several significant enforcement actions so far this year. So to commemorate all those June Brides and Bridegrooms out there, including my parents who celebrate their 56th wedding anniversary on June 30, I have put together a couple of posts reviewing my top 6 Foreign Corrupt Practices Act (FCPA) enforcement actions for the first 6 months of 2012. At this point I cannot see any clear trends but there are some key points that provide solid advice for the compliance practitioner going forward. In today’s blog, we take up the first three, in chronological order.

I. Aon

We begin with a Non-Prosecution Agreement (NPA) issued in the last week of 2011 where the insurance giant Aon received a NPA from the Department of Justice (DOJ) in settling enforcement actions against it by the DOJ and Securities and Exchange Commission (SEC). Aon agreed to total fines and penalties in an amount of $16.3 MM. This is in addition to a fine previously paid to the UK Financial Services Authority (FSA) in January, 2009, of £5.25 MM (approximately $8.2 MM at today’s exchange rate).

A.     Aon’s Remedial Actions Which Led to the NPA

The DOJ stated that it entered into the NPA based “in part, on the following factors: (a) Aon’s extraordinary cooperation with the Department and the U.S. Securities and Exchange Commission (“SEC”); (b) Aon’s timely and complete disclosure of the facts described in Appendix A as well as facts relating to Aon’s improper payments in Bangladesh, Bulgaria, Egypt, Indonesia, Myanmar, Panama, the United Arab Emirates and Vietnam that it discovered during its thorough investigation of its global operations; (c) the early and extensive remedial efforts undertaken by Aon, including the substantial improvements the company has made to its anti-corruption compliance procedures; (d) the prior financial penalty of £5.25 million paid to the United Kingdom’s Financial Services Authority (“FSA”) by Aon Limited, a U.K. subsidiary of Aon, in 2009, covering the conduct in, Bangladesh, Bulgaria, Indonesia, Myanmar, the United Arab Emirates and Vietnam; and (e) the FSA’s close and continuous supervisory oversight over Aon Limited.”

B.     Non-Bona Fide Travel and Educational Expenses

The primary activity for which Aon was sanctioned was a travel and education fund, initially designed to provide funds for foreign government employees involved with insurance to travel to educational conferences. However, the funds evolved into personal use for entertainment of the officials, their wives and families. In one instance, involving a fund in Costa Rica, travel was booked through a travel agency which was owned or managed by the Costa Rican officials who were entertained with monies from the educational and training funds.

C.     Books and Records

The largest portion of the Aon fine involved violations of the FCPA’s books and records requirements. The NPA noted, “With respect to the Costa Rican training funds, although Aon Limited maintained accounting records for the payments that it made from both the Brokerage Fund and the 3% Fund, these records did not accurately and fairly reflect, in reasonable detail, the purpose for which the expenses were incurred. A significant portion of the records associated with payments made through tourist agencies gave the name of the tourist agency with only generic descriptions such as “various airfares and hotel.” Additionally, to the extent that the accounting records did provide the location or purported educational seminar associated with travel expenses, in many instances they did not disclose or itemize the disproportionate amount of leisure and non-business related activities that were also included in the costs.” In short, there was either no bona fide educational expense or not one which could be documented from Aon’s internal records.

Key Takeaway: You must completely document, document and document the basis of your expenditures. If there is no explanation, the assumption will be the payments are made for corrupt purposes.

II. Smith & Nephew

The landscape of the FCPA world is littered with cases involving both agents and resellers, who are most clearly acting as representatives of the companies whose goods or services they sell in foreign countries. Many US businesses believe that the legal differences between agents/resellers and distributors insulate them from FCPA liability should the conduct of the distributor violate the Act. Under this same analysis, many US companies believe that the FCPA risk has also shifted from the US company to the foreign distributor. However, such a belief is sorely misplaced, as was shown in the Smith & Nephew (SNN) enforcement action.

The FCPA violations revolved around a Greek distributor of SNN who paid bribes to Greek doctors so that they would purchase and use SNN products. SNN paid a monetary penalty of $16.8MM to the DOJ and $5.4MM to the SEC as a civil penalty, all for a total of $22.2MM in fines and penalties.

| Entity Designation | Domicile of Entity | Commission Rate | Services Provided | Actual Services |
|---|---|---|---|---|
| Shell Company A | UK | 40% of sales of Greek distributor | Marketing | Did not perform any services |
| Shell Company B | UK | 26% of sales of Greek distributor | Marketing | None listed |
| Shell Company C | UK | 35% of sales of Greek distributor | Marketing | Did not perform any true services |

A quick review of the above chart shows the FCPA problems; very high commissions were paid with no actual services provided. Or as stated by the FCPA Professor, SNN “falsely recorded or otherwise accounted for the payments to the shell companies on its books and records as ‘marketing services’ in order to conceal the true nature of the payments in the consolidated books and records of S&N.”

Key Takeaway: If your company uses a distributor model in its sales chain, I would suggest that you review and reassess your pricing structure in light of this enforcement action.

III. BizJet

In the bribery and corruption world, the facts of this enforcement action are about as bad as it can get. It was reported that senior company personnel had actual knowledge or approved of the payment of cash to bribe foreign governmental officials to obtain or retain business. There was also a deliberate attempt to hide the true nature of the payments. But even with these damaging facts, the company was able to receive a significant reduction on the low end of the fine range as suggested under the US Sentencing Guidelines. So how did the company achieve this?

A.     Bribery Scheme

In this case, the company made a number of corrupt payments which were characterized as “commission payments” and “referral fees” on their books and records. Payments were made from both international bank accounts and bank accounts here in the United States. In other words, this was a clear case of a pattern and practice of bribery, authorized by the highest levels of the company and paid through US banks, with attempts to hide all of the above by mischaracterizing the payments in the company’s books and records.

BizJet Bribery Box Score

| BizJet Executive or Employee Named | Payment Made To | Amount of Payment | Others Involved |
|---|---|---|---|
| Sales Manager A | Official 6 | Cell Phone and $10K | Executive B and C |
| Sales Manager A | Official 3 | $2K | Executive B |
| Executive B, C and Sales Manager A | Official 2 | $20K | |
| Executive C | Official 2 | $30K | Sales Manager A |
| Executive B | Mexican Federal Police Chief | $10K | Executive C and Sales Manager A |
| Executive C | Official 5 | $18K | Sales Manager A |
| Sales Manager A | Official 4 | $50K | |
| Sales Manager A | Mexican Federal Police | $176 | Executive C |
| Sales Manager A | Official 4 | $40K | |
| Sales Manager A | Mexican Federal Police | $210K | Executive C |
| Sales Manager A | Official 5 | $6K | Executive C |
| Executive C | Official 5 | $22K | |

B. Reduction in Monetary Fine

I set out these facts in some detail to show the serious nature of this enforcement action. However, the clear import is that a company can make a comeback in the face of very bad facts. The calculation of the fine, based upon the factors set out in the US Sentencing Guidelines, ranged from a low of $17.1MM to a high of $34.2MM. The final agreed upon monetary penalty was $11.8MM. This is obviously a significant reduction from the suggested low or high end, or as was noted by the FCPA Blog, “BizJet’s reduction was 30% off the bottom of the fine range, and a whopping 65% off the top of the fine range.”

How did BizJet achieve this reduction and avoid an external monitor? As reported by the FCPA Professor, the following were factors:

(a) following discovery of the FCPA violations during the course of an internal audit of the implementation of enhanced compliance related to third-party consultants, BizJet initiated an internal investigation and voluntarily disclosed to the DOJ the misconduct …;

(b) BizJet’s cooperation has been extraordinary, including conducting an extensive internal investigation, voluntarily making US and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the DOJ;

(c) BizJet has engaged in extensive remediation, including terminating the officers and employees responsible for the corrupt payments, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for all BizJet contracts;

(d) BizJet has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in the corporate compliance program set forth in an attachment to the DPA; and

(e) BizJet has agreed to continue to cooperate with the DOJ in any ongoing investigation of the conduct of BizJet and its officers, directors, employees, agents, and consultants relating to violations of the FCPA.

C.     Reports to the DOJ

The company avoided an external monitor. However, it agreed that it would report “at no less than twelve-month intervals during the three year term” [of the DPA] to the DOJ on “remediation and implementation of the compliance program and internal controls, policies and procedures” which were listed in Attachment C to the DPA (the DOJ guidelines for a minimum best practices compliance program). The initial report was required to be delivered one year from the date of the DPA and would also include BizJet’s proposals “reasonably designed to improve BizJet’s internal controls, policies and procedures for ensuring compliance with the FCPA and other applicable anti-corruption laws.”

Key Takeaway: What you do after you discover the bribery and corruption will go a long way towards determining your penalty. No matter how bad the facts are, if you provide ‘extraordinary cooperation’ to the enforcement agencies, you can significantly reduce your final monetary penalty.


© Thomas R. Fox, 2012

April 16, 2012

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, one of the major failings of the company which led to the violations of the Foreign Corrupt Practices Act was that of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the recent Biomet matter. The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further.  Without more facts, what Internal Audit did, and the possible alternative scenarios, is speculative.

However, the problem I see is this.  Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have had the desired result of an effective Compliance Program — the prevention of bribes, not the detection of bribes.

The SEC focuses on correct accounting and disclosure.  Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue and a management decision what to do after the magnitude has been determined, i.e., whether to self report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue – the bribes had not been prevented.

In the author’s opinion, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com  


March 27, 2012

The Biomet SEC Complaint: Lessons for Internal Audit

On March 26, 2012, both the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) announced the resolution of enforcement actions against Biomet Inc., a US entity which manufactures and sells medical devices around the world. It is headquartered in Fort Wayne, Indiana. The Company admitted to a lengthy run of bribery and corruption of doctors to purchase its products. The FCPA Blog reported that the “company will pay a criminal fine of $17.3 million to resolve charges brought by the DOJ. It also agreed with the SEC to settle civil charges by paying $5.5 million in disgorgement of profits and pre-judgment interest.” In this post I will review the SEC Complaint and discuss the facts it posited regarding the Company’s internal auditors to draw out some lessons for an Internal Audit Department’s role in Foreign Corrupt Practices Act (FCPA) compliance programs.

Bribery and Corruption Facts

The Company engaged in an eight (8) year scheme to bribe and corrupt doctors in the countries of Argentina, Brazil and China to induce the physicians to purchase Biomet products. The SEC Complaint reported that from “2000 to August 2008, Biomet Argentina employees paid bribes to doctors employed by publicly owned and operated hospitals in Argentina in exchange for sales of Biomet’s medical device products. The doctors were paid approximately 15-20 percent of each sale.” In Brazil, the SEC Complaint reported that from 2001 until 2008, Biomet’s “Brazilian Distributor, paid bribes to doctors employed by publicly owned and operated hospitals to purchase Biomet’s implants. Brazilian Distributor paid the doctors bribes in the form of “commissions” of 10-20 percent of the value of the medical devices purchased.” In China, Biomet subsidiaries and its Chinese distributor paid from 5% up to 25% commissions to doctors for the sale of its products which were used during surgeries and also paid for Chinese surgeons to travel for training “including a substantial portion of the trip being devoted to sightseeing and other entertainment at Biomet’s expense.”

Biomet Bribery Box Score

| Country | Bribe Rate | Total Amount Paid | Loss or Write Off |
|---|---|---|---|
| Brazil | 10 to 20% | $1.1 | $4.2MM |
| China | 5 to 25% | Not reported | Not reported |
| Argentina | 15 to 20% | $466,000 | Not reported |

| Costs | Fine or Profit Disgorgement |
|---|---|
| DOJ Fine | $17.3MM |
| SEC Profit Disgorgement | $5.5 MM |
| Documented Cost | $29.7 MM |

Internal Audit

The SEC Complaint reported that the Company’s Internal Audit was not only aware of the bribery program but discussed it in Memorandum to the Company’s home office, including the head of the Company’s Internal Audit Department. For instance, in Argentina, the Company’s head of Internal Audit, as early as 2003, “circulated an internal audit report on Argentina to Senior Vice President and others in Biomet in Indiana in which he stated, “[R]oyalties are paid to surgeons if requested. These are disclosed in the accounting records as commissions.” The internal audit report described the payments to surgeons, but only in the context of confirming that the amount paid to the surgeon was the amount recorded on the books.” However, the Company’s Internal Audit Department took no steps to determine why royalties were paid to doctors or why the payments to the doctors were 15-20% of sales. Internal Audit did not obtain any evidence of services which the doctors might have performed entitling them to the payments. The SEC Complaint noted that Internal Audit “concluded that there were adequate controls in place to properly account for royalties paid to surgeons without any supporting documentation” and Internal Audit’s only “recommendation was to change the journal entry from “commission expenses” to “royalties.”

Biomet’s Director of Internal Audit is reported to have “instructed an auditor to code improper payments being made to doctors [in China] in connection with clinical trials as “entertainment.” The Director of Internal Audit also reported that Biomet’s “Brazilian Distributor makes payments to surgeons that may be considered as a kickback. These payments are made in cash that allows the surgeon to receive income tax free . . . . In the consolidated financials sent to Biomet, these payments were reclassified to expense in the income statement.”

The SEC Complaint also noted that “Biomet’s books and records did not reflect the true nature of those payments. The Company’s payments were improperly recorded as “commissions,” “royalties”, “consulting fees”, “other sales and marketing”, “scientific incentives”, “travel” and “entertainment.” The SEC Complaint concluded with the following: “False documents were routinely created or accepted that concealed the improper payments.”

Lessons Learned for Internal Audit

The SEC Complaint had some very clear guidance for the role of Internal Audit in detecting bribery and corruption in a best practices FCPA compliance program. First and foremost, if there are any types of commission payments being made, Internal Audit needs to review the documentation supporting why such payments are being made. A review of contracts or other legal requirements which may obligate a company to make such payments should be a basic undertaking in any internal audit. After an internal auditor has determined if commission payments are legally authorized, the internal auditor should review evidence that such commission payments have been earned. In other words, is there any evidence in the company’s books and records that the person or entity performed services which might have entitled them to such commission payments?

Another role delineated in the SEC Complaint for Internal Audit is to correctly classify payments so that the books and records of the company accurately reflect them as expenses. As noted, the Director of Internal Audit instructed that bribes paid during clinical trials of the Company’s products should be reclassified as ‘expenses’. Further, while specifically stating that Biomet was assisting Brazilian physicians to evade the payment of taxes on income, he directed that such bribes be classified on the Company’s books and records once again as ‘expenses.’

Of course, the costs in the Bribery Box Score listed above do not reflect the 3+ years of investigative costs, the loss of sales in the three countries from which the Company pulled out, or the anticipated cost of its upcoming three-year monitorship. All I can say with certainty is that the cost for non-compliance is much higher than the cost of complying with the FCPA. The SEC Complaint gives clear guidance on what it expects from internal audit in an FCPA compliance program. I recommend that these steps be implemented much sooner rather than later.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012
