FCPA Compliance and Ethics Blog

May 2, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

  1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
  2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
  3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touches every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the complaint and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document, Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often overlooked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 28, 2013

Use of Forensic Accounting to Avoid a Compliance Meltdown

On this date in 1979, the worst accident in the history of the US nuclear power industry began when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. Cooling water, contaminated with radiation, drained from the open valve into adjoining buildings, and the core began to dangerously overheat. While plant workers were exposed to unhealthy levels of radiation, no one outside Three Mile Island had their health adversely affected by the accident. Nonetheless, the incident greatly eroded the public’s faith in nuclear power. In the more than two decades since the accident at Three Mile Island, not a single new nuclear power plant has been ordered in the United States.

One of the recognized aspects of a best practices compliance program is auditing. In many ways, auditing is thought of as one of the ways to avoid a compliance meltdown. However, in a recent article in the Texas Lawyer, entitled “How Forensic Accountants Differ from Auditors”, author Elizabeth M. Junell discussed how a forensic accountant can assist an in-house lawyer in a number of different ways than auditors from a company’s internal audit function. I found that her article had some interesting points for the compliance practitioner.

Junell says that forensic accountants collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic accountant’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. Junell contrasts these areas with that of internal audit, which she believes more often looks at process to determine if it has been adhered to in a procedure. This leads to internal auditors examining evidence to determine whether people followed prescribed processes or internal controls; this occurs, for example, in an operational Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA) compliance audit.

Junell writes that forensic accounting differs from auditing in both its objective and skill sets. The objective of a forensic accounting assignment is to collect, analyze and report on the evidence or facts surrounding a particular act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, she argues that a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered.

From there Junell believes that management should determine if further investigation is warranted. If further investigation is decided upon by management, then Junell considers that “this is where objective shifts and one of the forensic accountant’s strongest skills comes in: an investigative mind that drives him or her to answer questions about what occurred, when and how it happened, and who was involved.” She expects that, at times, a forensic accountant will be required to gather facts about why an event may have occurred so that they look for answers to such questions or for other red flags in the evidence.

One of the discussions that I found interesting in her article was how a compliance practitioner might use a forensic accountant. On the initial level, a decision should be made about whether a forensic accountant should be retained as an outside consultant or hired as an employee. Junell articulates that if such a professional is brought in as an employee, the position should sit in the legal department rather than the company’s internal audit department. She recognizes that in the past, many companies have used existing internal auditors to do forensic accounting work as a way to reduce costs and because of the perceived similarities in the skill set and work product. She believes that this view is becoming outdated and that more companies are placing the forensic accountant position into the legal and compliance department because of the legal implications surrounding the work. Further, by placing the forensic accountant in the compliance department, it allows the maintenance of an objective approach to any assignment, since, as Junell believes, “he or she will not be governed by management or influenced by potential biases within” a company.

Lastly is the issue of privilege. If a forensic accountant is assigned to the internal audit group, you can kiss away even the chance of claiming privilege. Junell argues that by assigning the forensic accountant to the legal and compliance department one might have “more privilege protection than assigning him or her to internal audit or another department.”

I found Junell’s article to have some interesting points about how a compliance practitioner and compliance department can use a forensic accountant to help create a best practices program. It might be something that you would like to consider for your compliance regime. The lesson from Three Mile Island is not that it just might keep you from having a compliance meltdown but that since that time, think about the number of nuclear plants which have been built.


January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime, so assess your company’s risks and use these hallmarks as a basis to move forward.


October 19, 2012

Frankenstein, Lance Armstrong and FCPA/Bribery Act Compliance

We continue our series focusing on the classic Hollywood monsters from the Universal Pictures era by taking a look at Frankenstein. Unlike Dracula, where Bela Lugosi basically only played his character in one classic picture, the Englishman Boris Karloff played Frankenstein’s monster in three pictures; two great classics: the original Frankenstein and the sequel The Bride of Frankenstein, and the very good third movie in the series, The Son of Frankenstein.

The basic premise of the first movie was the creation of a man from the body parts of other dead souls. Boris Karloff actually played Frankenstein’s monster, not Dr. Frankenstein himself. Colin Clive played Dr. Frankenstein who was so drunk with power that he began to think of himself as a god, yet in the end tried to destroy his own creation. However, for most of us, it was Boris Karloff as the Monster who created one of the single most iconic movie performances of all time. Anyone who sees a child put his arms up and walk with a lumbering stride immediately knows the reference.

What made this performance so iconic? For me it was the pathos that Karloff brought to the role. He imbued the Monster with such a tortured soul that he literally cried out for love and acceptance in a world which was terrified of him. Even the scene from the original movie where he tosses the girl into the lake drove home the humanity that Karloff brought to the role. My suggestion is that you settle in one weekend night for an autumn’s eve of Karloff in the original Frankenstein movies. They are a visual, audio and an intellectual treat for all. Even if you enjoy none of those senses, you can always revert to your childhood and remember the terror he brought the first time you saw the Monster on the screen.

So how does Frankenstein relate to compliance and ethics? Exhibit A for today is my fellow Texan Lance Armstrong. Yesterday, in the FCPA Blog I wrote about Armstrong and ethical values in the context of engaging in conduct which is so unethical, that you would be embarrassed to tell your children about it. Today I want to focus on some other aspects of Armstrong. Should he be analogized to Dr. Frankenstein, the Monster, or perhaps both?

Initially, it should be noted that Wednesday had to be one of the worst PR and financial days a person can have because, not only did Armstrong resign as the chairman of his cancer charity, Livestrong, but, as reported in the Financial Times (FT) article “Disgraced Armstrong Ditched by Nike, RadioShack and AB InBev”, sponsors Nike, RadioShack and AB InBev all announced they were ending their respective relationships with Armstrong. The FT article reported that Armstrong earned an estimated “$15.3m” from endorsements in 2011 and that the “Nike contract alone was worth between $8m and $12m annually”. Hope he still has money to pay his legal bills going forward.

To top it off, Armstrong’s most vocal commercial sponsor, Nike, also announced it was severing ties with him via a terse Press Release that stated “Due to the seemingly insurmountable evidence that Lance Armstrong participated in doping and misled Nike for more than a decade” though they did go on to explain they were doing it “with great sadness”. Of course this was one short week after standing by their man with the statement that “Lance has stated his innocence and has been unwavering on this position.” Oops.

In an article in the online publication Slate, entitled “How Lance Armstrong Is Like Lehman Bros.”, Daniel Coyle looked at the fall of both Armstrong and Lehman Brothers. Coyle found that in the case of both Armstrong and Lehman Brothers “a culture of excess and risk led to record-breaking performances, and then to catastrophe. In both cases, the behavior in question was driven by a distinct set of social forces, including a win-at-all-costs culture, lack of regulation, and the credulousness of journalists and the public.” Further, the sport of cycling is like “a trading floor: small, tightly knit teams competing daily, with great intensity and effort, for marginal rewards. A single percentage point can make the difference between winning and losing.” So what are the lessons for the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act practitioner?

I. The Difference Between Winning and Losing

While in cycling there are only 3 places on the podium, Lehman Brothers seemed to misunderstand that in the business world, there can be multiple winners. I have heard Preet Bharara, the US Attorney for the Southern District of New York, and Stephen Cohen, Associate Director, Division of Enforcement of the Securities and Exchange Commission (SEC), both say essentially the same thing: that there is plenty of business out there for companies to secure without engaging in bribery and corruption. Bharara went even further and said that those companies which move away from the sweet spot of doing business in an ethical manner to the edges of a system which tempt violations of the FCPA or Bribery Act are more likely to draw regulatory scrutiny. But perhaps the best example I have heard was during an interview I did of a company employee who told me that there was simply “too much money to be made in the middle of the road” without engaging in the high risk conduct which might require him to violate the FCPA.

II. The Chances of Getting Caught

As noted by Coyle, most cyclists who cheated “did so largely without fear of being caught. During the Armstrong era, cyclists regarded drug testers with the same nod-and-wink aloofness with which Wall Street firms regarded the SEC.” (Ouch!) That statement is why companies must maintain vigilance in their FCPA or Bribery Act compliance programs. Indeed, the US Department of Justice (DOJ) 13 point, or 9 point – take your pick, minimum best practices compliance program and the UK Ministry of Justice’s Six Principles of an Adequate Procedures compliance program both point towards not only internal controls but also internal audit as key components of your compliance program. Whether you view it in the McNulty Maxims of “What did you do to prevent it?” and “What did you do to protect it?” or in the Ronald Reagan formulation of “Trust, but verify”, your compliance program must do more than just have policies and procedures in place; it must also have clear controls.

I recognize that in cycling you can game the system to try and beat the tests. You can even try and bribe your way out of a positive test; you can schmooze your way out of a positive test; you can even have a friendly doctor who back-dates documents for you to show that you had a prescription for that banned and illegal substance. However, with rigorous internal audit, coupled with skeptical external auditors and use of continuous monitoring tools, companies should be better placed to detect indicia of bribery and corruption.

III. It is the government’s enforcement that backs up the fight against bribery and corruption

Coyle ends his piece by stating that “The Armstrong era happened because doping worked so powerfully and lucratively that no one—not riders, not cycling’s governing body, not the media—was willing to stop it. It was a time of hollow magic.” This ‘hollow magic’ did not end until “the federal government and USADA began their respective investigations, did the truth begin to emerge.” Lance Armstrong yelled from the highest mountain, the question is how, even with a system biased and stacked against him, did he never fail a drug test?

This last sentiment seems to me to be nearly the same thing that many commentators are saying about the FCPA: that it needs to be lessened or softened so that US companies “can be competitive”. As Coyle noted, “Many of us instinctively presume that cheating creates a level playing field. In fact, it does precisely the reverse. Widespread cheating rewards the few who have the best information, the most money, and the highest risk tolerance.” The US led the way with the passage of the FCPA back in 1977 and has continued to lead the way since that time, both through the OECD and through leading international enforcement efforts. Does all of this make business better? For my money it does, but I leave it to my colleague Dick Cassin who phrased it in the following manner: “Is there less bribery and corruption – I don’t know but I know that there is more compliance.”

So at the end of the day I do not know who Lance Armstrong may be more like in the classic Frankenstein movies: Dr. Frankenstein or the Monster. He certainly became a physical cycling freak through the use of many different substances, but he lacks the pathos of the Monster as played by Karloff. So he may end up more like Dr. Frankenstein, who lost everything, including his own creation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

October 2, 2012

Tyco NPA and Chris Economaki – Details from the Pits

“This is Chris Economaki in the pits.”

That was the signature line of race car announcer Chris Economaki, who died last week at the age of 91. For a generation of us who grew up watching ABC’s Wide World of Sports, Chris Economaki was the voice of the Indy 500, the Daytona 500, the Summer and Winter Nationals of the National Hot Rod Association (NHRA) and a host of other auto races. In addition to having one of the most unique names this Southerner had ever heard of, Economaki had a staccato vocal delivery that, as noted in his obituary in the New York Times (NYT) by writer Douglas Martin, “reminded some of a rumbling racing engine.”

The Bribery Schemes

I thought about Chris Economaki and the detail he brought as a track-side commentator to a generation of Wide World of Sports’ aficionados when considering the various documents released last week in connection with the Tyco International Ltd (Tyco) Foreign Corrupt Practices Act (FCPA) enforcement action. For the most comprehensive summary of the Department of Justice’s (DOJ) criminal enforcement action and the Securities and Exchange Commission’s (SEC) civil action, I recommend either of the FCPA Professor’s excellent posts on Tyco. In addition to the points raised by the Professor I believe that there are significant lessons learned for the FCPA compliance practitioner. With a tip of our collective caps to the baseball pennant races which are down to the final few days, I present the Tyco Bribery Box Score.

| Tyco Subsidiary | Bribe Amount Paid | Profits Earned by Conduct |
|---|---|---|
| M/A Com | Not reported | $71,770 |
| TTC Huzhou and TTC Shanghai | $196,267 | $3,470,180 |
| TWW Germany and Erhard | $2,371,094 | $4,684,966 |
| TFC HK and Keystone | $137,000 | $378,088 |
| TFCT Shanghai | $24,000 | $59,412 |
| ET Thailand | $292,268 | $879,258 |
| TFIS France | $363,839 | $1,256,389 |
| THC China | $250,000 | $353,800 |
| TVC ME | $488,479 | $1,153,500 |
| ADT Thailand | $78,000 | $473,262 |
| Tatra | $96,000 | $226,863 |
| Eurapipe | $358,000 | $1,298,453 |
| THC Saudi Arabia | Not reported | $1,900,600 |
| Dulmison | $68,426 | $109,249 |

I set out the full Box Score of bribes paid by Tyco in this detail to emphasize how bad the conduct of the company is, and this is in the VERY BAD CONDUCT realm, coupled with the facts that (a) Tyco is now a two-time loser under the FCPA and (b) most of the illegal conduct occurred after Tyco agreed to an initial FCPA based Deferred Prosecution Agreement (DPA) in 2006 for prior FCPA sins. Yet even with all of this Tyco was able to obtain a Non Prosecution Agreement (NPA). Such a result is fairly stunning if you think about it on a superficial basis. However, if you consider what Paul McNulty continually says, and which I continually write about, the most important question will be “What did you do when you found out about it?”

As noted in the letter from the DOJ to counsel for Tyco, the DOJ entered into the NPA with Tyco based upon the following factors: (1) timely and voluntary self-disclosure; (2) a full and complete global investigation by Tyco; (3) extensive remediation including implementation of an enhanced compliance program, termination of employees responsible for the conduct at issue, severing contracts with third party agents who were parties to the frauds, closing subsidiaries involved in the illegal conduct; and (4) provide annual written reports to the DOJ on progress of the company’s enhanced compliance program.

Corporate Compliance Program

Tyco agreed to a robust corporate compliance program that either currently exists or will be implemented in the future. This Corporate Compliance Program is somewhat different than most of the 13 minimum best practices compliance regimes reported in DPAs and NPAs since the Panalpina DPA of November, 2010. Tyco agreed to an 11 point compliance regime, which consists of the following.

1. High level commitment. The Company will ensure that its senior management provides strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.

2. Policies and Procedures. Tyco will promulgate compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and the Company’s compliance code, and the Company should take appropriate measures to encourage and support the observance of ethics and compliance standards and procedures against foreign bribery by personnel at all levels of the company. These anti-corruption standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of the Company in a foreign jurisdiction, including but not limited to, agents and intermediaries, consultants, representatives, distributors, teaming partners, contractors and suppliers, consortia, and joint venture partners (collectively, “agents and business partners”), to the extent that agents and business partners may be employed under the Company’s corporate policy. The Company shall notify all employees that compliance with the standards and procedures is the duty of individuals at all levels of the company. Such standards and procedures shall include policies governing:

  1. gifts;
  2. hospitality, entertainment, and expenses;
  3. customer travel;
  4. political contributions;
  5. charitable donations and sponsorships;
  6. facilitation payments; and
  7. solicitation and extortion.

3. Internal Controls. Tyco will ensure that it has a system of financial and accounting procedures, including a system of internal controls, reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts to ensure that they cannot be used for the purpose of foreign bribery or concealing such bribery. This system should be designed to provide reasonable assurance that:

  1. Transactions are executed in accordance with management’s general or specific authorization;
  2. Transactions are recorded to permit preparation of financial statements in accordance with GAAP;
  3. Access to assets is permitted only in accordance with management’s general or specific authorization; and
  4. Recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken if discrepancies are found.

4. Periodic Risk-Based Reviews. Tyco agreed to develop these compliance standards and procedures on the basis of a risk assessment addressing the individual circumstances of Tyco, in particular the foreign bribery risks it faces, including its geographical organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement in joint venture arrangements, importance of licenses and permits in the company’s operations, degree of governmental oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration.

5. Proper Oversight and Independence. Tyco will assign (or once again has assigned) responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to Tyco’s independent monitoring bodies, including internal audit, the Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.

6. Training and Guidance.

  1. Training. Tyco will implement mechanisms designed to ensure that its anti-corruption policies, standards, and procedures are communicated effectively to all directors, officers, employees, and where appropriate, agents and business partners. These mechanisms shall include periodic training for all directors and officers, and, all employees in positions of leadership or trust or positions which might otherwise pose a risk of corruption to the company. The training shall also be provided to agents and business partners. Lastly there shall be biannual certifications by all such directors and officers, and, where necessary and appropriate, employees, agents, and business partners, certifying compliance with the training requirements.
  2. Guidance. Tyco is required to maintain an effective system for providing guidance and advice to directors, officers, employees, and, where necessary and appropriate, agents and business partners, on complying with Tyco’s anti-corruption compliance policies, standards, and procedures, including when they need advice on an urgent basis or in any foreign jurisdiction in which Tyco operates.

7. Internal Reporting and Investigation. Tyco will provide an effective system for internal and, where possible, confidential reporting by, and protection of, directors, officers, employees, and, where necessary and appropriate, agents and business partners, concerning violations of the Company’s compliance program. Tyco also agreed to dedicate sufficient resources to respond to such requests and to undertake necessary and appropriate action in response to such reports.

8. Enforcement and Discipline. Tyco will institute appropriate disciplinary procedures to address violations of the anti-corruption laws and the Company’s anti-corruption compliance code, policies, and procedures by the Company’s directors, officers, and employees. This shall include disciplining of those within the company no matter the position of the person or their perceived authority. In addition to discipline, Tyco agrees to add appropriate mechanisms to incentivize compliant behavior.

9. Third Party Relationships. Tyco agreed to institute appropriate due diligence and compliance requirements pertaining to the retention and oversight of all agents and business partners, including: (a) properly documented risk-based due diligence pertaining to the hiring and appropriate and regular oversight of agents and business partners; (b) informing agents and business partners of the Company’s commitment to abiding by laws on the prohibitions against foreign bribery, and of the Company’s ethics and compliance standards and procedures and other measures for preventing and detecting such bribery; (c) seeking a reciprocal commitment from agents and business partners and (d) including appropriate compliance terms and conditions in the contract.

10. Mergers and Acquisitions. Tyco agreed to develop and implement appropriate compliance policies and procedures for any acquisition based upon an appropriate risk-analysis which would be completed as soon as practicable. Further such changes would be implemented as soon as practicable. Directors, officers and employees of newly acquired entities would be trained as soon as practicable.

11. Monitoring and Testing. Tyco agreed to conduct periodic review and testing of its anti-corruption compliance code, standards, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, standards and procedures, taking into account relevant developments in the field and evolving international and industry standards.

So the prior 13 point best practices program is now folded down to 11 for Tyco. Nevertheless, the general concepts are still the same for a company seeking to implement or enhance its compliance solution. Much like Chris Economaki reporting from the Pits at the Indy 500, the level of detail provided in the Tyco NPA should allow the compliance practitioner to evaluate their company’s compliance program.

============================================================================================

The Wall Street Journal has a series of articles today on the FCPA. In conjunction with these articles I will join Joe Palazzolo, Law Blog lead writer, for a conversation on the FCPA at 2:30 PM EDT. We will take your questions. To join us, click here.

===========================================================================================

© Thomas R. Fox, 2012

August 12, 2012

Pfizer DPA Part II – Enhanced Compliance Obligations and Corporate Compliance Obligations

Last week I began an exploration of the Pfizer Deferred Prosecution Agreement (DPA) which was announced last week by the Department of Justice (DOJ) in connection with its settlement of Foreign Corrupt Practices Act (FCPA) violations. In Part I, I reviewed the Corporate Compliance Obligations, Attachment C.1. Today we review the Enhanced Compliance Obligations, Attachment C.2 and Corporate Reporting Obligation, Attachment C.3, which Pfizer agreed to implement and operate under. In Part III, I will discuss some of the implications raised by the Pfizer DPA for the compliance practitioner.

I. Attachment C.2 – Pfizer’s Enhanced Compliance Obligations

In addition to the minimum best practices, as set out in Attachment C.1 – Corporate Compliance Obligations, Pfizer agreed to the following additional compliance obligations:

A. In General. Pfizer will maintain the appointment of a senior corporate executive with significant experience with compliance with the FCPA, including its anti-bribery, books and records, and internal controls provisions, as well as other applicable anticorruption laws and regulations (hereinafter “anti-corruption laws and regulations”) to serve as Chief Compliance and Risk Officer, who will have reporting obligations directly to the Chief Executive Officer. The company will maintain the appointment of heads of compliance with responsibility for each of its business units (“BU Compliance Leads”) who have reporting obligations through the Chief Compliance and Risk Officer or General Counsel. There will be an Executive Compliance Committee to oversee Pfizer’s compliance program.

The company will maintain gifts, hospitality, and travel policies and procedures in each jurisdiction that are appropriately designed to prevent violations of the anti-corruption laws and regulations. Further and at a minimum, these policies and procedures shall contain the following restrictions regarding foreign government officials, including but not limited to public health care providers, administrators, and regulators: (i) Gifts must be modest in value, appropriate under the circumstances, and given in accordance with anti-corruption laws and regulations, including those of the government official’s home country; (ii) Hospitality shall be limited to reasonably priced meals, accommodations, and incidental expenses that are part of product education and training programs, professional training, and conferences or business meetings; (iii) Travel shall be limited to product education and training programs, professional training and education, and conferences or business meetings; and (iv) Gifts, hospitality, and travel shall not include expenses for anyone other than the relevant officials, unless different standards are required by local law or regulation.

B. Complaints, Reports and Compliance Issues. The company will maintain “significant” resources for the compliance function. It shall have (a) An international investigations group charged with responding to and investigating anti-corruption compliance issues reported on a global basis and ensuring that appropriate remedial measures are undertaken after the completion of an investigation; (b) An anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications; and (c) A mergers and acquisitions compliance function designed to support early identification of compliance risks associated with complex business transactions and to ensure the integration of Pfizer’s compliance procedures into newly acquired entities.

Lastly the company must maintain its mechanisms for making and handling reports and complaints related to potential violations of anti-corruption laws and regulations, including, when appropriate, referral for review and response by internal audit, finance, legal, compliance and other personnel as appropriate, and will ensure that reasonable access is provided to an anonymous, toll-free hotline as well as to an anonymous electronic complaint form, where anonymous reporting is legally permissible.

C. Risk Assessments and Proactive Reviews. Pfizer will continue to conduct a risk-based program of annual proactive anti-corruption reviews of high-risk markets. These FCPA proactive reviews are designed to identify anti-corruption compliance issues, examine compliance procedures and controls as implemented in the field and identify best practices to be implemented in additional markets. In doing so, Pfizer will identify markets which are at high risk for corruption because of the business and location. Five of these will be identified and reviewed annually. Each review shall contain, at a minimum: (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance and, when appropriate, Legal Divisions who have received FCPA and anti-corruption training; (b) Where appropriate, participation in the on-site visits by qualified auditors; (c) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with and payments to individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (d) Creation of action plans resulting from issues identified during FCPA proactive reviews; these action plans will be shared with appropriate senior management, including when appropriate the Chief Compliance and Risk Officer, and will contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (e) Where appropriate, feasible, and permissible under local law, review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

D. Acquisitions. The Company will continue to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence was conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition of a new business for reasons beyond Pfizer’s control, or due to any applicable law, rule, or regulation, Pfizer will continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments or falsified books and records as required by the company’s reporting obligations found in Attachment C.3. Pfizer will ensure that Pfizer’s policies, standards and procedures regarding anticorruption laws and regulations apply as quickly as is practicable, but in any event no more than one year post-closing, to newly-acquired businesses, and will promptly: (a) Train directors, officers, and senior managers, and those employees working in positions involving activities covered by Pfizer’s policies regarding anti-corruption and compliance with the FCPA, and, where necessary and appropriate, agents and business partners; and (b) Include all newly-acquired businesses in Pfizer’s regular anti-corruption auditing schedule.

E. Relationships with Third Parties. Based upon its internal risk assessment, the company will conduct risk-based due diligence of sales intermediaries, including agents, consultants, representatives, distributors, and joint venture partners. Such due diligence will be conducted prior to the retention of any new agent, consultant, representative, distributor, or joint venture partner and for all such sales intermediaries will be updated no less than once every three years. At a minimum, such due diligence shall include: (a) a review of the qualifications and business reputation of the sales intermediaries; (b) a rationale for the use of the sales intermediary; and (c) a review of relevant FCPA risk areas.

Where due diligence of a sales intermediary raises a serious red flag, the relevant information shall be reviewed by personnel from the compliance or legal divisions who have received FCPA and anti-corruption training. Where appropriate and where permitted by applicable law, the company will include appropriate compliance terms and conditions in each contract with such third parties.

F. Training. The company will provide biennial training on anti-corruption laws and regulations to directors, officers, executives, and employees working in positions involving activities covered by Pfizer’s policies regarding anti-corruption and compliance with the FCPA. The company will provide enhanced FCPA training for all internal audit, financial, compliance and legal personnel involved in FCPA proactive reviews or anti-corruption due diligence related to the potential acquisition of new businesses, if not already qualified and experienced. When it is appropriate on the basis of a FCPA risk assessment, the company will provide FCPA and anti-corruption training to relevant agents and business partners, at least once every three years.

The company shall maintain a system of annual certifications from senior managers in each of Pfizer’s Business Units, Divisions, and operational functions (at the market or regional level, or the reasonable equivalent) as appropriate, confirming that their standard operating procedures adequately implement Pfizer’s anti-corruption policies, procedures and controls, including training requirements, that they have reviewed and followed up on any issues identified in FCPA trend analyses, and that they are not aware of any FCPA or other corruption issues that have not already been reported to the Compliance Division or the Legal Division.

II. Attachment C.3 – Corporate Compliance Reporting

Here Pfizer agreed to conduct an initial report and two follow up reports during the pendency of the DPA. These reports would set forth a complete description of its FCPA and anti-corruption related remediation efforts to date, its proposals reasonably designed to improve the policies and procedures of Pfizer for ensuring compliance with the FCPA and other applicable anti-corruption laws, and the parameters of the subsequent reviews. The two follow up reports will incorporate any comments provided by the DOJ on the Initial Report, to further monitor and assess whether the policies and procedures of Pfizer are reasonably designed to detect and prevent violations of the FCPA and other applicable anti-corruption laws.

These enhanced obligations could well become the new minimum best practices in the FCPA compliance arena. You should take a look at these obligations and compare them with your program to see where you might be lacking or need to enhance your compliance coverage.

© Thomas R. Fox, 2012

May 1, 2012

Welcome to Howard’s Nightmare and How to Deal with It-(spoiler alert-Internal Controls)

Ed. Note-as most of you will recognize, Henry Mixon is a frequent guest commentator, focusing on internal controls as a part of a best practices compliance program. He recently called me and said that he thought he could provide some information which might help my This Week in FCPA co-host Howard Sklar get some sleep by suggesting a way to deal with his “Nightmare Scenario”. I asked Henry to write up a blog post and this is what he delivered.

In his Nightmare Scenario posted on his OpenAir Blog, Howard Sklar wrote about a very bad dream in which a $5 payment to a customs official in a foreign country by a business development employee might result in the employer filing an 8-K to report a violation of the FCPA.  The employee who paid the USD 5 to the customs agent included the payment in his expense report as “tips.”

Howard references the examples in SEC Staff Accounting Bulletin 99 in which a transaction can become material for SEC reporting purposes, even though it falls well below the typically-used percentage thresholds used by auditors and preparers of financial statements. Two of the considerations from the Staff Accounting Bulletin which can transform a small misstatement into a material one are:

  • whether the misstatement affects the registrant’s compliance with regulatory requirements, and
  • whether the misstatement involves concealment of an unlawful transaction.

I agree with Howard’s concerns about the potential impact of transactions typically considered immaterial. The risk of the 8-K being required may not result from a single USD 5 payment, but can certainly result from a pattern of individually immaterial illegal payments made over time.

When processing reimbursement for transactions occurring outside the US, I believe a different mindset for internal controls is needed. First, the amount of a transaction is not as important as its nature and whether the transaction has a proper business purpose. Many approvers in US companies do not focus on that important difference.

Second, internal controls in many US companies do not focus on the prevention of illegal payments, but instead focus on detection.

Expense report reviewers should be trained to look for Red Flags and to question suspicious items, or items for which proper business purpose is not clearly documented, regardless of perceived materiality.  For example, standard procedure for expense reports is to describe who, what, where, when, and why.  Failure to provide such transparent description should be a Red Flag, whether the requested reimbursement is for meals, hotel, taxi, car rental or any other “common” expense report items.

I would certainly never advise a client to develop internal controls specifically designed to deal with very small dollar items.  However, in the FCPA world, controls should be designed on the basis of the risk profile of the transaction, not the dollar amount. Expense reports of employees traveling to high corruption risk locations outside the US should be high on any risk profile.

Relatively small amounts paid frequently can result in violations of meaningful proportions, especially if all adopt the belief that small illegal payments are permitted and concealment can be rationalized.

In particular, creating the wrong mindset in the business development function can lead to Nightmare Scenario II:  illegal payments made when they result directly in obtaining or retaining business, rather than a payment made to a customs official to be allowed to cross a border.

If nobody questions the concealed illegal payment to a customs official, might an employee see opportunity, and rationalize misbehavior, when a potential customer asks for a bribe in exchange for business advantage?

So, while Nightmare Scenario might not occur for one payment made to be allowed to cross a border, how many payments to government officials concealed in expense reports are required before Nightmare Scenario II becomes reality?


April 16, 2012

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, among the major failings which led to the company’s violations of the Foreign Corrupt Practices Act were those of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the recent Biomet matter. The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further.  Without more facts, what Internal Audit did, and the possible alternative scenarios, is speculative.

However, the problem I see is this.  Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have had the desired result of an effective Compliance Program — the prevention of bribes, not the detection of bribes.

The SEC focuses on correct accounting and disclosure.  Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue and a management decision on what to do after the magnitude has been determined, i.e., whether to self-report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue – the bribes had not been prevented.

In the author’s opinion, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com  


March 27, 2012

The Biomet SEC Complaint: Lessons for Internal Audit

On March 26, 2012, both the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) announced the resolution of enforcement actions against Biomet Inc., a US entity which manufactures and sells medical devices around the world. It is headquartered in Fort Wayne, Indiana. The Company admitted to a lengthy run of bribery and corruption of doctors to purchase its products. The FCPA Blog reported that the “company will pay a criminal fine of $17.3 million to resolve charges brought by the DOJ. It also agreed with the SEC to settle civil charges by paying $5.5 million in disgorgement of profits and pre-judgment interest.” In this post I will review the SEC Complaint and discuss the facts it posited regarding the Company’s internal auditors to draw out some lessons for an Internal Audit Department’s role in Foreign Corrupt Practices Act (FCPA) compliance programs.

Bribery and Corruption Facts

The Company engaged in an eight (8) year scheme to bribe and corrupt doctors in the countries of Argentina, Brazil and China to induce the physicians to purchase Biomet products. The SEC Complaint reported that from “2000 to August 2008, Biomet Argentina employees paid bribes to doctors employed by publicly owned and operated hospitals in Argentina in exchange for sales of Biomet’s medical device products. The doctors were paid approximately 15-20 percent of each sale.” In Brazil, the SEC Complaint reported that from 2001 until 2008, Biomet’s “Brazilian Distributor, paid bribes to doctors employed by publicly owned and operated hospitals to purchase Biomet’s implants. Brazilian Distributor paid the doctors bribes in the form of ‘commissions’ of 10-20 percent of the value of the medical devices purchased.” In China, Biomet subsidiaries and its Chinese distributor paid from 5% up to 25% commissions to doctors for the sale of its products which were used during surgeries and also paid for Chinese surgeons to travel for training “including a substantial portion of the trip being devoted to sightseeing and other entertainment at Biomet’s expense.”

Biomet Bribery Box Score

| Country | Bribe Rate | Total Amount Paid | Loss or Write Off |
|---|---|---|---|
| Brazil | 10 to 20% | $1.1 | $4.2MM |
| China | 5 to 25% | Not reported | Not reported |
| Argentina | 15 to 20% | $466,000 | Not reported |

| Costs | Fine or Profit Disgorgement |
|---|---|
| DOJ Fine | $17.3MM |
| SEC Profit Disgorgement | $5.5MM |
| Documented Cost | $29.7MM |

Internal Audit

The SEC Complaint reported that the Company’s Internal Audit was not only aware of the bribery program but discussed it in memoranda to the Company’s home office, including the head of the Company’s Internal Audit Department. For instance, in Argentina, the Company’s head of Internal Audit, as early as 2003, “circulated an internal audit report on Argentina to Senior Vice President and others in Biomet in Indiana in which he stated, ‘[R]oyalties are paid to surgeons if requested. These are disclosed in the accounting records as commissions.’ The internal audit report described the payments to surgeons, but only in the context of confirming that the amount paid to the surgeon was the amount recorded on the books.” However, the Company’s Internal Audit Department took no steps to determine why royalties were paid to doctors or why the payments to the doctors were 15-20% of sales. Internal Audit did not obtain any evidence of services which the doctors might have performed entitling them to the payments. The SEC Complaint noted that Internal Audit “concluded that there were adequate controls in place to properly account for royalties paid to surgeons without any supporting documentation” and Internal Audit’s only “recommendation was to change the journal entry from ‘commission expenses’ to ‘royalties.’”

Biomet’s Director of Internal Audit is reported to have “instructed an auditor to code improper payments being made to doctors [in China] in connection with clinical trials as ‘entertainment.’” The Director of Internal Audit also reported that Biomet’s “Brazilian Distributor makes payments to surgeons that may be considered as a kickback. These payments are made in cash that allows the surgeon to receive income tax free . . . . In the consolidated financials sent to Biomet, these payments were reclassified to expense in the income statement.”

The SEC Complaint also noted that “Biomet’s books and records did not reflect the true nature of those payments. The Company’s payments were improperly recorded as ‘commissions,’ ‘royalties’, ‘consulting fees’, ‘other sales and marketing’, ‘scientific incentives’, ‘travel’ and ‘entertainment.’” The SEC Complaint concluded with the following: “False documents were routinely created or accepted that concealed the improper payments.”

Lessons Learned for Internal Audit

The SEC Complaint had some very clear guidance for the role of Internal Audit in detecting bribery and corruption in a best practices FCPA compliance program. First and foremost, if there are any types of commission payments being made, Internal Audit needs to review the documentation supporting why such payments are being made. A review of contracts or other legal requirements which may obligate a company to make such payments should be a basic undertaking in any internal audit. After an internal auditor has determined if commission payments are legally authorized, the internal auditor should review evidence that such commission payments have been earned. In other words, is there any evidence in the company’s books and records that the person or entity performed services which might have entitled them to such commission payments?

Another role delineated in the SEC Complaint for Internal Audit is to correctly classify payments so that the books and records of the company accurately reflect them as expenses. As noted, the Director of Internal Audit instructed that bribes paid during clinical trials of the Company’s products should be reclassified as ‘expenses’. Further, while specifically stating that Biomet was assisting Brazilian physicians to evade the payment of taxes on income, he directed that such bribes be classified on the Company’s books and records once again as ‘expenses.’

Of course the costs in the Bribery Box Score listed above do not reflect the 3+ years of investigative costs, loss of sales in the three countries which it pulled out from or the anticipated cost of its upcoming three year monitorship. All I can say with certainty is that the cost for non-compliance is much higher than the cost of complying with the FCPA. The SEC Complaint gives clear guidance on what it expects from Internal Audit in an FCPA compliance program. I recommend that these steps be implemented much sooner rather than later.


March 21, 2012

OCEG Illustrated Series: Managing Corruption Risks

How do you move off dead center? That was a question posed by my colleague Mary Jones in a recent guest blog post. She gave several concrete steps in answer to her own question. This question was further explored in the January issue of the Compliance Week magazine which began a six-part “Anti-Corruption Illustrated” series by Carol Switzer, President of the Open Compliance and Ethics Group (OCEG). OCEG is an organization which “develops standards and guidance to help organizations achieve Principled Performance”; that is, “the reliable achievement of objectives while addressing uncertainty and acting with integrity.” OCEG’s Illustrated Series is a teaching method developed to visually represent how to set up processes and procedures in various areas and disciplines. This Anti-Corruption Illustrated Series is a very useful tool for the compliance practitioner to use in explaining the components of an effective compliance program.

In the first article of her series, Switzer shares her views on how anti-corruption programs enable business agility. In addition to her own thoughts, Switzer moderated and reported on a roundtable discussion of compliance experts who shared their views on managing corruption risks. These experts included Steven Kuzma, Global Leader in Corporate Compliance at Ernst & Young, Jay Martin, Chief Compliance Officer at Baker Hughes, Mike Rost, Vice President at Thomson Reuters GRC and Jim Slavin, Senior Director at SAI Global.

  1. Assess the Risk – In this step you identify corruption risk factors that your company may face. These can be based upon several different factors including the nature and location of your company’s business activities; your company’s third party relationships; and your company’s methods for obtaining and retaining business. You should evaluate and then rank these risks based upon your company’s risk appetite and be prepared to respond to internal or external forces that might change this risk assessment.
  2. Develop the Program – You should develop “a comprehensive and balanced anti-corruption program that corresponds to the risks identified in the assessment process.” This should include written policies, procedures and internal controls for all levels within your organization. You will need to obtain Board of Directors and senior management endorsement of your strategies and communication of this support.
  3. Define and Implement Policies – In this step you should consider the written policies which map to the applicable regulations, obligations and business processes that you have created. Ownership of these requirements within the business is critical to their success and there should be communication to key stakeholders including “staff, third parties, auditors and customers.”
  4. Build and Operate Controls – Next you will need to establish “procedures and controls to prevent, detect, correct, and mitigate the risks” which you have identified and ranked. There needs to be ownership established to monitor these controls with regular documentation, continued assessment and testing of these controls.
  5. Train and Educate – You must develop and deliver training to “raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and [internal] controls.” This should include identification of “role-specific programs with desired outcomes” with delivery methods to get your message across to the various target audiences.
  6. Monitor and Evaluate – Here OCEG suggests a five-step process to track and assess policies and controls for effectiveness.
    1. Screen – Monitor vendor, partner and customer records against trusted data sources for red flags.
    2. Identify – Establish helplines and other open channels for reporting of issues and asking questions by employees and appropriate third parties.
    3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
    4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
    5. Audit – Finally, your company should have regular internal audit reviews and inspections of your company’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.
  7. Review, Realign and Report – This step requires you to “take timely corrective and disciplinary action for violation” of your company’s program. Your program should be regularly evaluated and aligned with any new or additional corruption risks which are found. Both the Board of Directors and senior management must be informed through regular reporting. Finally, there should be a professional external review on no less than a two year basis to determine your program’s overall sufficiency.

Switzer’s article and report on the roundtable discussion are very useful tools for the compliance practitioner. Her article includes a removable copy of the OCEG Illustrated Series on managing corruption risk. I heartily recommend it to you.
