FCPA Compliance and Ethics Blog

May 1, 2012

Welcome to Howard’s Nightmare and How to Deal with It (spoiler alert: Internal Controls)

Ed. Note: As most of you will recognize, Henry Mixon is a frequent guest commentator, focusing on internal controls as a part of a best practices compliance program. He recently called me and said that he thought he could provide some information which might help my This Week in FCPA co-host Howard Sklar get some sleep, by suggesting a way to deal with his “Nightmare Scenario”. I asked Henry to write up a blog post and this is what he delivered.

In his Nightmare Scenario posted on his OpenAir Blog, Howard Sklar wrote about a very bad dream in which a $5 payment to a customs official in a foreign country by a business development employee might result in the employer filing an 8-K to report a violation of the FCPA. The employee who paid the USD 5 to the customs agent included the payment in his expense report as “tips.”

Howard references the examples in SEC Staff Accounting Bulletin 99 in which a transaction can become material for SEC reporting purposes, even though it falls well below the percentage thresholds typically used by auditors and preparers of financial statements. Two of the considerations from the Staff Accounting Bulletin which can transform a small misstatement into a material one are:

  • whether the misstatement affects the registrant’s compliance with regulatory requirements, and
  • whether the misstatement involves concealment of an unlawful transaction.

I agree with Howard’s concerns about the potential impact of transactions typically considered immaterial. The risk of the 8-K being required may not result from a single USD 5 payment, but can certainly result from a pattern of individually immaterial illegal payments made over time.

When processing reimbursement for transactions occurring outside the US, I believe a different mindset for internal controls is needed. First, the amount of a transaction is not as important as its nature and whether the transaction has a proper business purpose. Many approvers in US companies do not focus on that important difference.

Second, internal controls in many US companies do not focus on the prevention of illegal payments, but instead focus on detection.

Expense report reviewers should be trained to look for Red Flags and to question suspicious items, or items for which a proper business purpose is not clearly documented, regardless of perceived materiality. For example, standard procedure for expense reports is to describe who, what, where, when, and why. Failure to provide such a transparent description should be a Red Flag, whether the requested reimbursement is for meals, hotel, taxi, car rental or any other “common” expense report item.

I would certainly never advise a client to develop internal controls specifically designed to deal with very small dollar items.  However, in the FCPA world, controls should be designed on the basis of the risk profile of the transaction, not the dollar amount. Expense reports of employees traveling to high corruption risk locations outside the US should be high on any risk profile.

Relatively small amounts paid frequently can result in violations of meaningful proportions, especially if all adopt the belief that small illegal payments are permitted and concealment can be rationalized.

In particular, creating the wrong mindset in the business development function can lead to Nightmare Scenario II: illegal payments made because they result directly in obtaining or retaining business, rather than a payment made to a customs official to be allowed to cross a border.

If nobody questions the concealed illegal payment to a customs official, might an employee see opportunity, and rationalize misbehavior, when a potential customer asks for a bribe in exchange for business advantage?

So, while Nightmare Scenario might not occur for one payment made to be allowed to cross a border, how many payments to government officials concealed in expense reports are required before Nightmare Scenario II becomes reality?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. 

April 16, 2012

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, one of the major failings of the company which led to the violations of the Foreign Corrupt Practices Act was that of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the Biomet matter. The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further. Without more facts, any discussion of what Internal Audit did, and of the possible alternative scenarios, is speculative.

However, the problem I see is this. Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have produced the desired result of an effective Compliance Program: the prevention of bribes, not merely their detection.

The SEC focuses on correct accounting and disclosure. Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined, and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue, and a management decision about what to do after the magnitude had been determined, i.e., whether to self-report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue: the bribes had not been prevented.

In the author’s opinion, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com

———————————————————————————————————————————————————————


December 19, 2011

McNulty’s Maxims, the Deepwater Horizon and FCPA Internal Controls

I often write about what I call Paul McNulty’s three maxims of a Foreign Corrupt Practices Act (FCPA) compliance program: 1) What did you do to prevent it?; 2) What did you do to detect it?; and 3) What did you do to remedy it? I had generally thought that the internal controls component of a minimum best practices FCPA compliance program applied to maxim number 2, detection. However, in a recent guest post regarding internal controls entitled “Controls to Prevent Violations of Anti-Bribery Laws,” my colleague Henry Mixon explained that “A specific focus is needed to ensure there are control procedures in place to ensure compliance with” maxim number 1, prevention.

This concept was driven home in a December 15, 2011 article in the Houston Chronicle by reporter Jennifer Dlouhy, entitled “Blowout preventers fall short, report says”. This article discusses a 136 page report by the National Academy of Engineering and National Research Council (“the Report”) on the Deepwater Horizon disaster. One of the findings of the Report was that the industry’s trust in blowout preventers, as they are currently designed and utilized, is misplaced. The Report noted that several studies had questioned the reliability of blowout preventers to do what they were designed to do, and provided several technical reasons for this finding.

For those of you not in the oil and gas industry, a blowout preventer is a piece of equipment which is designed to be the last line of defense if the well blows, by cutting through the pipe and blocking the oil or gas from escaping upwards and being ignited by the drilling rig. Generally, it has to be activated by someone or some automatic control system to take its preventative action. In other words, it is not viewed as a detection device but as a prevention device.

The article makes the point that a blowout preventer is designed, as the name implies, to prevent an accident. I was reminded that the FCPA and UK Bribery Act require a specific focus on preventive controls. While there should be detect controls as well, if your company has only detect controls, your compliance program does not meet the minimum best practices. In his recent post Henry Mixon focused on the use of internal controls to prevent bribery and corruption.

Some examples of internal controls which can serve as preventative controls are the following:

  1. Petty Cash disbursements should be reviewed by more senior management before disbursement, rather than reconciled after the fact.
  2. Controls are needed over:
    1. movement of inventory, because bribes can be made through mechanisms other than cash; and
    2. gifts, entertainment, hospitality, political contributions, and charitable contributions.
  3. An effective Delegation of Authority, such as the requirement of dual signatures for hand-written checks.
  4. Controls over offline processing and maintenance of key information related to vendors and disbursements.
  5. Employees, both contract and permanent, require controls in payroll processing to ensure that an employee’s status as a current or former Government Official, or as a relative of one, is identified in pre-hire diligence, and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.
  6. Vendor master file controls to ensure no vendors are paid unless appropriate due diligence has been performed.

The Report on the Deepwater Horizon disaster makes clear that the energy industry must find a way to prevent a similar event in the future. The lessons from McNulty’s maxims also make it clear that for a best practices compliance program, you must have sufficient preventative controls in place to prevent bribery and corruption. Henry Mixon details some of the specific reasons that internal controls can be used as preventative controls, and the specifics of how to do so.

If your compliance program only uses internal controls to detect after-the-fact violations, you may need to call Paul McNulty and have him represent you. Then you may well be in the position of having McNulty call the Department of Justice and self-report an FCPA violation. I am relatively sure that such a call is not one that you would like to make, or have counsel make on your behalf.

The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

November 30, 2011

Controls to Prevent Violations of Anti-Bribery Laws

Ed. Note: I recently asked my colleague Henry Mixon, CPA, if he could explain the differences between the internal controls required under financial regulations such as Sarbanes-Oxley and the internal controls required under anti-corruption laws such as the Foreign Corrupt Practices Act. The following is his explanation.

Relying on Sarbanes-Oxley (SOX) and independent audits presents a significant risk that internal controls will not be effective in ensuring compliance with anti-bribery laws. Company management often believes that, because they have independent auditors and because they are SOX compliant, they don’t need any additional focus regarding compliance with anti-bribery laws. While independent audits and the procedures required for SOX are useful, there are several reasons why focused attention needs to be paid to certain internal control objectives in order to have an effective anti-bribery compliance program.

1. The overriding concept is that effective internal controls do not automatically follow when Policy Statements are issued. Training employees regarding new policy requirements and obtaining their certification of understanding does not ensure compliance. A specific focus is needed to ensure there are control procedures in place to ensure compliance with the policies.

2. SOX controls are, by definition, focused on financial reporting. They do not address many transaction level controls needed to prevent violations of Anti-Bribery laws. Based on my experience assisting clients to remediate internal controls to satisfy an independent monitor and the Department of Justice (DOJ), I have compiled a list of controls which should be considered on a risk basis to determine the effective controls needed to prevent violations. Shown below are only a few of the control objectives which are needed in an effective Compliance Program and which, for materiality or other reasons, are typically not in SOX (or independent audit) scope:

a. Controls to prevent payment of bribes using cash (petty cash funds and otherwise) and using manual checks to meet “emergency needs” processed outside the normal invoice approval system. A Corporate review of such transactions after the fact is not a sufficient control. (In each Independent Monitor situation, there was a substantial focus on risks associated with petty cash funds and manual checks.)

b. Because bribes can be given by methods other than cash, controls over contractual relationships with third parties should be scrutinized. This includes contracts with agents, contracts to lease facilities / equipment, etc. For example, unauthorized use of Company assets / facilities, with or without compensation, can be a means to pay a bribe. Therefore, controls are needed over movement of inventory (such as shipments of inventory to non-customer locations and use of mobile fixed assets). For example: (1) controls are needed to ensure shipments of goods after they have been accepted and paid for result in appropriate compensation to the Company; (2) controls are needed to ensure Company vehicles are not “loaned” to unauthorized persons without adequate compensation to the Company.

c. Controls are needed over gifts, entertainment, hospitality, political contributions, and charitable contributions. For materiality reasons (see below), these controls are typically not included in SOX scope.

d. Enforcement of an effective Delegation of Authority (including the accounting controls for processing / approving vendor invoices, signing checks, etc.) is typically not addressed in SOX scope but is a critical control from a Compliance perspective. For example, when dual signatures are required, what is the control to ensure they are obtained? (Banks will pay checks with only one signature, even if two are required.) As another example, controls should be in place to ensure document approvers actually review support for the transactions they are approving, and these controls must be evidenced for the Compliance Program to be considered effective.

e. Use of offline processing and maintenance of key information related to vendors and disbursements (such as Excel spreadsheets which can impact payments to vendors or which track entertainment provided to third parties) presents risk. Therefore, controls over the creation and maintenance of spreadsheets which “feed” the financial accounting process require evaluation.

f. Employment of “contract” employees, as well as of permanent employees in foreign locations, requires controls in the payroll processing to ensure that an employee’s status as a current / former Government Official, or as a relative of a Government Official, is identified in pre-hire diligence, and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.

g. The controls regarding creation / approval / unauthorized modification of Purchase Orders should be carefully evaluated, rather than focusing only on the three-way match.

h. Controls should be in place regarding maintenance of the vendor master file to ensure no vendors are paid unless appropriate due diligence has been performed. Controls should be in place to prevent situations where a vendor has invoiced the company and wants to be paid, but the vendor’s name is not in the vendor master file as an approved vendor. Having controls over changes to the vendor master is more effective than only having a policy that all vendors must be subject to diligence and pre-approval.

i. Having controls to ensure compliance with reimbursement to employees for travel and other business expenses is critical. Requiring a manager to initial an expense report does little to prevent unauthorized activities, unless there is evidence the approver actually looked at the substance of the requested reimbursement.

3. SOX and Generally Accepted Auditing Standards allow a scope definition which eliminates business locations / business units which are considered to be immaterial, as well as eliminating types of transactions / accounts not considered material for financial reporting purposes. Therefore, relying on a SOX-acceptable universe of control assessment based on materiality increases the risk of violations occurring. Many of the instances of prosecution by the DOJ and by the SEC involved business locations considered immaterial for financial reporting (SOX) purposes. The DOJ and the SEC have been very specific that individually immaterial violations over time constitute a violation, and that even improper recording of immaterial transactions determined to be bribes violates, respectively, the anti-bribery and Books and Records provisions of the FCPA.

Using a standard other than the traditional financial statement concept of materiality does not necessarily mean controls need to be more extensive. Rather, the controls which are needed for an effective Compliance Program take into account the risk of violation (such as the inherent corruption index and the inherent risk of certain types of transactions and business relationships) rather than the number of transactions or the cumulative financial totals of transactions. For example, controls in countries with a Corruption Perception Index (CPI) of 3 or less should be robust, regardless of the volume of transactions. Doing business with agents and foreign business partners generally presents higher risk than with other third parties. Transactions which may be immaterial for financial reporting purposes (petty cash disbursements, gifts, charitable contributions, etc.) may present significantly higher Compliance risk than their individual financial amounts might indicate.

4. SOX allows a significant portion of controls to be “detect” controls. Anti-bribery laws require a specific focus on “preventive” controls. If improper payments are identified by “detect” controls which review disbursements and asset disposals after the fact, the identification of suspicious transactions only leads to a decision whether to self-report and how extensive (and expensive) an internal investigation is needed to determine the company-wide magnitude of the issue. Little has been done to prevent the improper activity. (Accordingly, relying on a SOX approach will not meet the burden of proof necessary to satisfy the “prevent” requirements of the UK Bribery Act.)

5. The SOX approach does not take into account the high evidence standard which comes into play when there is a suspected Compliance violation. Certain types of controls should have more robust documentation from a Compliance perspective than from a “traditional” perspective. The “evidence standard” issue is very significant when third party investigations are at hand. For example, an initial on a document means only that someone initialed the document. It does not define what the person did before initialing the document, or the representations which are being made when the person initials a document. Often such evidence is simply a matter of defining control procedures and of modifying the approval blocks on forms.

============================================================================================

If you are going to be in Houston on December 7, Mike Volkov, the Bribery Act guys Richard Kovalevsky QC and Barry Vitou, and I will be making their only US appearance this year. Mike and I will review some of the more significant enforcement matters of 2011 and discuss lessons which may be drawn from them. Richard and Barry will discuss the Bribery Act. Best of all, the event is free and CLE will be provided. Event details and registration are found at http://events.r20.constantcontact.com/register/event?llr=myqi4pcab&oeidk=a07e55t5re06e78f1e3. I hope you can make it!

============================================================================================


