FCPA Compliance and Ethics Blog

October 23, 2014

Five Quick and Easy Ways To Sabotage Your Compliance Training

Ed. Note – today we have a guest post from noted ethics and compliance expert, as well as steel guitar player, Chris Bauer.

Okay, you know that you need to have effective compliance training, but do you really know what will actually make it effective? The reality is that far too many compliance training programs fail on multiple counts. With compliance as critical as it is, that is unacceptable. Thankfully, there are a few areas which, if attended to well, can correct many of the most frequently seen problems with the development and execution of these programs.

Here are five of the areas I see getting missed time after time in compliance training programs.

Do you actually have a solid, working definition of what compliance is? I see ethics, compliance, and accountability as being ‘cross-defined’ all the time. Do they inter-relate? Absolutely and it’s even a great idea to inter-relate them in your training. However, until you are clear about what you mean by all three of those terms, your training will leave employees confused and confusion is never good for compliance training…

To Do – Find or create definitions for all three of these terms that are clear, concise and, above all, practical. The moment these terms become hazy or academic you have already lost too many of your employees’ ability to build your ideas into their minute-to-minute, day-to-day practices. Also, be sure to use language that fits the culture of your organization. Just because something sounds good in another organization – or another part of your organization – doesn’t mean that it will work for anyone, let alone everyone, in every corner of your company. This is one of the many reasons that ‘one size fits all’ training is rarely effective. Different parts of your organization are likely to need things said and demonstrated in different ways. You have the choice; you can whine about the inconvenience of that or go about creating a great compliance training program.

Is your training practical? An awful lot of compliance training is little more than a coma-inducing parade of Powerpoint slides with the rules, regulations, and, perhaps, a few key updates. Is that information critical? Perhaps so. However, for starters be sure that the information really is critical before overwhelming employees with so much information that they can’t actually retain it.

To Do – Always build in opportunities for employees to ask how your training really applies to what they do on the job. If they can’t fully see the behaviors in which they are and are not to engage – or if they don’t believe those behaviors are possible in their circumstances – your training has missed the mark. Also, remember that employees are unlikely to tell you spontaneously that they don’t think they can do what you’re asking of them. Be active in seeking out feedback on not only their level of understanding of the material but, as importantly, their confidence that they can do what you’re asking of them. If they don’t think they can do it, it is your job to help them figure out how to deal with any roadblocks – real or perceived – they might see.

Are you simply transferring information or are you providing employees with solid ideas and tools to put the rules and regulations into practice? If you want a culture where compliance is topmost in your employees’ minds, they had better be able to first mentally retain and then apply the mandated rules and regulations. If you aren’t helping them apply what you’re telling them, it will have been an entirely academic exercise.

To Do – Here again, everything you train on needs to have clear, ‘do-able’ behaviors attached. Employees have to know exactly what they need to be doing to bring your compliance program to life. It’s not enough for you to believe that they ought to be able to figure it out; they really need to know and they need to hear it from you. (Mind you, they may also have ideas you haven’t thought of yet. Great! Just don’t pretend it isn’t your job to help them figure it out.)

Are you creating information overload? True, there’s a lot out there that your employees will need to know about compliance. However, are you giving so much in each sitting that it simply can’t be retained? Again, if they can’t retain the information – or, at least, find it easily – they certainly can’t put it into practice. Consider providing training in smaller, on-going chunks. Less time-efficient? Maybe. However, that will more than pay off in having your employees actually recall and apply what they’ve been trained on.

To Do – Remember that smaller chunks of information ‘stick’ better. Further, information that clearly has practical applications does the same. Work to avoid simply smothering employees with regulatory and oversight information. Make it real for them by providing it in digestible, easily recalled, practical chunks. Here again, whine if you like about this being inconvenient but the facts remain; you need to attend to this if you really want your compliance training to be effective.

Are you making compliance a tool for your employees’ personal success? I see a lot of organizations doing a fine job of conveying to employees how their bottom line can be wildly, adversely affected by compliance problems. However, they fail to show employees how compliance is important to them personally. Sure, we all want our employees to put our organization first but, really, is that realistic? If your goal is to motivate employees to attend to compliance – and that had better be one of your goals – you’ll get far more bang for your buck if you can help them see how their lives and careers will be easier/better if they keep their mind on compliance.

To Do – Without your employees, your organization would quite literally be nothing. They are already contributing all day, every day, to the success of your organization. Make compliance training – along with every other training you provide – a tool that they can use for their personal success as well. Maybe that success has to do with advancement, maybe it has to do with some kind of incentive. At rock bottom, it has to do with them keeping their job. The point is that there will always be ways you can think of to help them see that a focus on compliance is as much for their personal benefit as the company’s. Do your homework and figure out what those motivations are for your employees. It will not only make your training a whole lot more effective, it’s a nice thing to help your employees be successful, yes?

It is all-too-easy to overlook all five of the above requirements for effective compliance training. In fact, by ignoring them, it will be far easier for you to create your training program; just throw a bunch of regulatory requirements onto a Powerpoint presentation or webinar and slam through it for as long as it takes. You will, in fact, be telling your employees what they are required to hear. If, however, your goal is to not sabotage your training and actually get employees to take action and create a culture where compliance is top-of-mind, ignore any of the above five concerns at your own risk.

Christopher Bauer is an expert on creating cultures of ethics, compliance, and accountability. Information on his programs as well as his Trust Foundry blog can be found at www.ChristopherBauer.com. Information specific to his programs on professional ethics can be found at www.BauerEthicsSeminars.com. In addition to speaking, training, and consulting on creating cultures of ethics, compliance, and accountability, he publishes a Weekly Ethics Thought seen by thousands of readers worldwide. Free subscriptions are available by visiting either of his websites.

October 13, 2014

Ringo, Sir Paul and an Effective Compliance Program

Sometimes the universe converges in ways that are beyond my simple comprehension. This past weekend was one of them. It began a few months ago when I saw an advertisement from StubHub that showed Ringo Starr playing in Houston on October 10 and Sir Paul McCartney playing in New Orleans on October 11. I figured if the two surviving members of the greatest rock and roll band in the history of the world were going to play on two consecutive nights, it was a sure sign from the Oracle of Rock ‘N Roll that I was intended to attend both, lest I tempt a fate worse than going against an entity nearly as powerful as the Oracle of Delphi. Moreover, the Friday concert coincided with the birthday of my little sister, who happened to be in town and is one of the planet’s biggest Beatles fans, which made the convergence complete.

I also learned two completely new and unrelated facts this weekend. The first is that a native of Liverpool, England, is called a ‘Scouser’. That comes from my Liverpudlian friend Pam, who also introduced me to the Liverpool Football Club. The second is that my wife is a closet Mr. Mister uber fan, who rocked out as a teenager to this group in the early days of MTV. On reflection that is perhaps the odder convergence.

While there is clearly a reason Ringo Starr tours with true musical all-stars and Sir Paul McCartney has been raised to the peerage for his musical prowess, in many ways the Ringo Starr concert was the bigger revelation. I had wondered how Ringo would fill out an entire concert. He did it by surrounding himself with musicians fabulous in their own right. They included: Steve Lukather, former lead singer from Toto on vocals, lead and rhythm guitar; Gregg Rolie, former keyboardist from Santana and Journey on vocals, organ, keyboards; Richard Page, former lead singer from Mr. Mister, on vocals and bass guitar; and finally, best and certainly not least, Todd Rundgren on vocals, lead and rhythm guitar, bass guitar, percussion, harmonica and, occasionally, even keyboards.

So in addition to Ringo singing his standards of Photograph, It Don’t Come Easy, Yellow Submarine and (of course) With a Little Help From My Friends, we also got to hear songs first released by Santana, Toto, Mr. Mister and some great Todd Rundgren hits. The group clearly loved playing and jamming with each other. Further, these other groups’ songs were great fun to hear and, as they may never reform, I would not otherwise have the chance to hear them performed live.

Sir Paul McCartney. You really do not have to say much more. His concert did not exceed my expectations because they were about as high as expectations could have been. He seriously rocked out for over three hours, playing everything from the earliest Beatles songs up to a ballad for his latest wife. I cannot remember ever attending a concert where everyone in attendance knew the words to every song, but we all did and we all sang them all the way through the entire show.

What is the compliance angle to all of this? Just as there is more than one way to put on a great concert, there is more than one way to have an effective compliance program. This continual message from the Department of Justice (DOJ) came again earlier this month through remarks by Assistant Attorney General for the Criminal Division, Leslie R. Caldwell, at the 22nd Annual Ethics and Compliance Conference, where she made clear that while the FCPA Ten Hallmarks of an Effective Compliance Program is one set of guidelines for an effective compliance program, there is no “one-size fits all” compliance program. She laid out another way to think through, review and analyze your compliance program. 

  1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
  2. Written Policies. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. Again, employees need to know what to do–or not do–when faced with a tough judgment call involving business ethics. Companies need to make that as easy as possible for their employees.
  3. Periodic Risk-Based Review. A company should periodically evaluate these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company. Companies change over time through natural growth, mergers, and acquisitions.
  4. Proper Oversight and Independence. A company should assign responsibility to senior executives for the implementation and oversight of the compliance program. Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs need to be funded; they need to have resources. And they need to have teeth and respect within the company.
  5. Training and Guidance. A company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers, and employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
  6. Internal Reporting. A company should have an effective system for confidential, internal reporting of compliance violations. I know that many companies have multiple mechanisms, which is good.
  7. Investigation. A company should establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations. What this means on the ground will depend on the company. A sophisticated multi-national corporation obviously will be expected to have more resources devoted to compliance than a small regional company.
  8. Enforcement and Discipline. A company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations. Further, the response to a violation must be even-handed. People watch what people do much more carefully than what they say. When it comes to compliance, you must both say and do.
  9. Third-Party Relationships. A company should institute compliance requirements pertaining to the oversight of all agents and business partners. This cannot be emphasized strongly enough.
  10. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.

Caldwell also emphasized that, as important as the compliance program itself is, its implementation is also reviewed and evaluated by the DOJ. When the DOJ investigates a case, they look at the messages about compliance that are given to employees; they look at what employees are told in their day-to-day work. This means the DOJ will look at emails, chats, and recorded phone calls. They will interview witnesses about the messages they received from their supervisors and management to determine whether they received messages about compliance, or about making money at all costs.

Another consideration for the DOJ is incentives. The DOJ will examine the incentives that a company provides to encourage compliant behavior – or not. This means that if a company is actually encouraging compliance, if its values are to be ethical and within the law, this message must be conveyed to employees in a meaningful way. If not, it is likely that the DOJ will not view the compliance program as credible. Interestingly, Caldwell said that sometimes the effective implementation of a compliance program means standing apart from the other companies in your industry.

Just as Ringo and Sir Paul ably demonstrated, there is more than one way to put on a great concert. They both assessed their strengths and weaknesses and used that information to put great bands around them that illustrated their strengths. The same is true in the world of Foreign Corrupt Practices Act (FCPA) compliance. The key is to review and assess your compliance risks and then manage them. And, as always, Document, Document, and Document whatever you do so that if a regulator comes knocking, you can demonstrate evidence of the above.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014


October 10, 2014

The Horror of Dracula and Internal Controls in International Locations, Part I

This Friday we celebrate the second in the Hammer Films horror series, which was actually its first offering, based on Count Dracula, entitled “Horror of Dracula”. It starred the famous Hammer Films horror movie twosome of Peter Cushing as Professor Van Helsing and Christopher Lee as Count Dracula. If you have grown up on the classic Universal monster films, the first thing that strikes you about the Hammer Films is the glorious Technicolor production. The second thing is the focus on gore. Horror of Dracula, with its emphasis on blood, is particularly focused. Nevertheless, the productions are first rate and, with Cushing and Lee bringing some gravitas to the cast, the movie certainly holds up. One of the biggest changes from Bram Stoker’s novel and the Universal movie version starring Bela Lugosi is the location change from England to Transylvania for the confrontation between Professor Van Helsing and Dracula. In other words, they were on Dracula’s home turf, not in England on Professor Van Helsing’s home ground.

As the Foreign Corrupt Practices Act (FCPA) deals largely with conduct outside the US, today, I will begin a multi-part series on internal controls at locations outside the US. Part I will focus on how to think through the issues of internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. In Part II, I will review how to determine the risk in a geographic region outside the US, through a Location Risk Assessment and for Part III, I will close with how a compliance practitioner should use a Location Risk Assessment.

Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance. Once again I visited with internal controls expert Henry Mixon to discuss these issues.

While a CCO should expect (or at least hope) that internal controls at locations outside the US are as effective as internal controls within US business units and at the US corporate office, unfortunately that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. Mixon indicated that there may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for FCPA compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, there was seldom a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel, which in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for FCPA risk.

The next area for inquiry is where a CCO should begin in any of the above scenarios. Mixon believes that the first step is to determine the extent of centralization or decentralization of relevant processes or, put another way, to what extent relevant processes are performed at the corporate offices. In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator.

The first step for the CCO is to determine the possible universe of risks and to assess the risks to result in a priority of how attention will be focused. One useful approach advocated by Mixon is the Location Risk Assessment (LRA), whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks.

For your weekend viewing, I would suggest you kick your feet up and look forward to some good, old-fashioned 1950s flavored gore found in the Horror of Dracula. If your temporal compliance matters need your attention, you can look forward to Part II next week, in which I will discuss how a compliance practitioner should perform a Location Risk Assessment.


October 3, 2014

Hammer Films, “We Sell Hammers” and Other Famous Last Words

Today is the first of five Fridays in October, so today I will begin my now annual October FrightFest blog posts. Over the past couple of years I have focused on the classic Universal horror movies from the 1930s and 40s. This year I am going to re-watch and blog about the classic Hammer Studio monster movies from the late 1950s. Hammer Films was founded in the UK in 1934 and is best known for its Gothic “Hammer Horror” films, produced from the mid-1950s to the 1970s. They also introduced Peter Cushing and Christopher Lee, for whom fans of Star Wars are eternally grateful, to the greater movie-watching audience.

Another type of hammer informs today’s compliance moment, as in “We sell hammers.” That was the excuse given by Home Depot managers when their own cybersecurity department employees would try to obtain budget to update cybersecurity software or to even put on training about the dangers of a data breach. If you have attended any compliance conference this year, you have been subjected to one or more sessions on cybersecurity and/or data breaches. As if the Target fiasco from last year was not enough, the most recent massive breach comes courtesy of Home Depot. Unfortunately the Home Depot saga provides some excellent lessons for the anti-corruption compliance practitioner or a company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

In an article which appeared on the front page of the New York Times (NYT) entitled “Warned of Risk, Home Depot Left Data Vulnerable”, Julie Creswell and Nicole Perlroth reported that the Home Depot data breach and theft was “The biggest data breach in retailing history” and it had “compromised 56 million of its customers’ credit cards.” Moreover, the “data has popped up on black markets, and, by one estimate, could be used to make $3 billion in illegal purchases.” How could such an event have happened even after the very public debacle endured by Target?

It certainly did not happen overnight, but the article noted that “Industry experts were flabbergasted that Home Depot, one of the world’s largest retailing companies, was caught so flat-footed after the breach at Target, which resulted in the theft of more than 40 million cards before the holiday season.” The article reported Home Depot had been warned by its own employees of data security issues as far back as 2008. But a series of missteps, or perhaps more appropriately non-steps, led to Home Depot’s current problems. One of the major problems was that “Home Depot relied on outdated software to protect its network.” This included reports that parts of the company were still relying on “outdated Symantec software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.”

Another failure by Home Depot was in the area of ongoing monitoring. The article reported that “Credit card industry security rules require large retailers like Home Depot to conduct scans at least once per quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members’ data security programs. The P.C.I. Council requires that approved, third-party quality security assessors perform routine tests to ensure that merchants are compliant.” Unfortunately, the article reported that two former employees stated “more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.” Rather unbelievably, this scanning is not only fundamental to data security but also one of the simplest and least costly controls. The article quoted Avivah Litan, a cybersecurity expert at Gartner, who said, “Scanning is the easiest part of compliance. There are lots of services that do this. And they can be run cheaply from the cloud.”

Yet another FUBAR by Home Depot was in the hiring for its cybersecurity team. No doubt due to his very Southern name, the company hired Ricky Joe Mitchell, a security engineer, who was swiftly promoted up to a “job in which he oversaw security systems in Home Depot stores.” The problem for Home Depot, and indeed for Ricky Joe, was the circumstances of his prior termination; the article stated “he was fired by EnerVest Operating, an oil and gas company, and before he left, he disabled EnerVest’s computers for a month.” For that cute little good-bye present, he was “sentenced to four years in federal prison in April.”

The article also reported that many cybersecurity focused employees in the company had departed over the years. The reason was that it appeared no one was listening to their concerns. The company simply refused to believe that it was at risk for a data breach.

So what lessons can be drawn for the anti-corruption compliance specialist who must deal with laws such as the FCPA or UK Bribery Act? Clearly Home Depot failed to adequately assess its risks for a data breach. For the compliance practitioner, I think the lesson here is to understand not only your company’s business sales model, products and services and foreign government touch-points but to reassess those risks on a regular basis.

You should keep track of external and internal events that may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Ongoing monitoring is another lesson to be drawn from Home Depot’s fiasco. While ongoing monitoring in the compliance realm is not as easy or inexpensive as it is in the cybersecurity realm, ongoing monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. As in the cybersecurity world, there are both companies and software which you can use to help you in ongoing monitoring.

How about that good-ole boy Ricky Joe? Do you really want to have a head of a critical cybersecurity team who has sabotaged a prior employer? Similarly, in the compliance realm, do you want to have a top salesman or even Chief Compliance Officer (CCO) who engaged in bribery and corruption in a prior job? If the answer is yes, go directly to jail and DO NOT collect $200. What does Ricky Joe’s hiring and rapid promotion tell you about the pre-hire vetting done by Home Depot? Yes, I thought so.

I usually use sports as a mirror to look at compliance issues. Of course, living in Houston, there are the sad-sack Houston Astros and their owner who are always around to provide some lessons. But the actions and inactions of Home Depot even rival those of the Astros for some lessons learned on compliance. In my title, I used the “We Sell Hammers” line and promised other famous last words. Unfortunately, they come from one unnamed former Home Depot employee, who “went so far as to warn friends to use cash, rather than credit cards at the company’s store.” Famous last words indeed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 1, 2014

Creation of Yosemite and Putting Compliance at the Center of Strategy

On this day in 1890, an act of Congress created Yosemite National Park, home of such natural wonders as Half Dome and the giant sequoia trees. Environmental trailblazer John Muir (1838-1914) and his colleagues campaigned for the congressional action, which was signed into law by President Benjamin Harrison.

In 1889, John Muir discovered that the vast meadows surrounding Yosemite Valley, which lacked government protection, were being overrun and destroyed by domestic sheep grazing. Muir and Robert Underwood Johnson, a fellow environmentalist and influential magazine editor, lobbied for national park status for the large wilderness area around Yosemite Valley. With this persuasion, Congress set aside over 1,500 square miles of land for what would become Yosemite National Park, America’s third national park. In 1906, the state-controlled Yosemite Valley and Mariposa Grove came under federal jurisdiction with the rest of the park to create the Yosemite that we know today. It clearly was a triumph for Muir and Johnson but more so for the American people.

I recently read an article in the Harvard Business Review (HBR) that seemed to draw inspiration from the actions of Muir and Johnson. The article by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect management’s new sales plans with the “field realities your salespeople face.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”, Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.”

The problem is usually clear. Senior management and the C-Suite make clear their commitment to doing business ethically and in compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA). The company even has a best practices compliance program. But the problem is that the installation or enhancement of a compliance regime is usually perceived as a ‘top-down’ exercise. The reality of the employee base that must execute the compliance strategy is not considered. Even when employees do comment, their input is derisively characterized as ‘push-back’ and not taken into account in moving the compliance effort forward. I thought Cespedes’ piece had some great insights for the compliance practitioner, so, borrowing from his four-point process, I will rework it for a compliance professional.

Communicate the Strategy

It can be difficult for an employee base to implement a strategy that they do not understand. Even a company-wide training rollout is typically followed only by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility, and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem, and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure, but it was not the fault of the attendees. If your own employees do not understand your compliance program, that is your fault.

Continually improve your compliance productivity

I thought this point was insightful. Cespedes talked about incentivizing your sales force. Why not apply the same concepts to compliance? You can work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that for doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to FCPA compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.

Improve the human element in your compliance program

This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that Gen Y and Gen X employees in particular appreciate such inquiries and want to work for companies that make business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but also begin the training process on compliance.

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform well on any compliance metric. This can also facilitate the delivery of more focused compliance training to those who may need it because of changes in FCPA risk over the course of their careers.

Make your compliance strategy relevant

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world this can translate into a reduction in the assets allocated to underperforming activities. This is all well and good, but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, I think this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode, where you can uncover violations of your company’s compliance program before they become full-blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks.

Above all, you need to get out and tell the compliance story. Louis D’Ambrosio was quoted for the following: “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more than simply talk; you also need to listen. Doing so can help to align your company’s compliance strategy with how it is delivered and received in the field.


September 30, 2014

Discipline and Rigor in Your Internal Controls

In a recent New York Times (NYT) Op-Ed by David Brooks, entitled “The Good Order”, he discussed how routine can lead to creativity. He cited the example of three well-known authors whose habits included the following. “Maya Angelou would get up every morning at 5:30 and have coffee at 6. At 6:30, she would go off to a hotel room she kept — a small modest room with nothing but a bed, desk, Bible, dictionary, deck of cards and bottle of sherry. She would arrive at the room at 7 a.m. and write until 12:30 p.m. or 2 o’clock.” Another example was John Cheever, who “would get up, put on his only suit, ride the elevator in his apartment building down to a storage room in the basement. Then he’d take off his suit and sit in his boxers and write until noon. Then he’d put the suit back on and ride upstairs to lunch.” Finally, there was the example of Anthony Trollope, who “would arrive at his writing table at 5:30 each morning. His servant would bring him the same cup of coffee at the same time. He would write 250 words every 15 minutes for two and a half hours every day. If he finished a novel without writing his daily 2,500 words, he would immediately start a new novel to complete his word allotment.” Brooks’ thesis for his piece seemed to be summed up by a quote from Henry Miller (of all people), “I know that to sustain these true moments of insight, one has to be highly disciplined, lead a disciplined life.” Sort of gives a whole new meaning to the word ‘discipline’.

However, moving back to somewhat salacious concepts, I thought about those words in the context of internal controls around a Foreign Corrupt Practices Act (FCPA) compliance program. Brooks’ thoughts on building and maintaining order inform today’s post. In the area of internal controls, I believe it is incumbent on a company to consider not only the most obvious risk areas for its internal controls but also the universe of potential transactions within the operations of that particular company. Once again relying on my friend and internal controls expert Henry Mixon, I asked him about some of the other types of internal controls a company should consider around gifts, travel, business courtesies and entertainment.

One area that companies need to be mindful of is corporate checks and wire transfers issued in response to falsified supporting documentation, such as check requests, purchase orders, or vendor invoices. Here Mixon believes that the Delegation of Authority (DOA) is a critical internal control. So, for example, a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. The key is that the DOA should specify who must give the final approval for such an expense.

I asked Mixon about checks drawn on local bank accounts in locations outside the US, and about “off books” bank accounts, commonly known as slush funds. He also raised petty cash disbursements in locations outside the US (the unique control issues regarding locations outside the US will be discussed in a future podcast). Some petty cash funds outside the US have small balances but substantial throughput of transactions. In this instance, Mixon said that the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US, including those who travel from the US to work outside the US.

Another area of concern is travel, because a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms and the like for non-employees. Mixon noted that internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated with GlaxoSmithKline PLC (GSK) in China, a company must not discount the risk related to abuse of power internally and collusion with independent travel agencies. Mixon advises that you should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, covering not only visits to manufacturing or job sites but also any compliance restrictions that might be in place.

An area for fraud, corruption and corporate abuse has long been Procurement cards or “P Cards”. Mixon cautions that if your company uses procurement cards, assume this to be a very high-risk area, not just for the FCPA but also for fraud risk generally. Banks have done a great selling job to corporations on the use of P-Cards to help facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here a control objective should be put in place along the lines of a written policy and procedures defining the acceptable and unacceptable use of company Procurement Cards, required forms, required approvals, documentation and review requirements.

An interesting analogy that Mixon used is that misbehavior, like water, seeks its own level. Mixon explained that this meant if the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead that a check request form be used, which, Mixon noted, would be subject to stringent controls. He added that in such cases a checklist should be completed and attached to the check request which includes questions and disclosures designed to flush out exactly what was provided in the way of business class air travel, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling, and why the travel had a business purpose. Such an internal control would allow for more streamlined processing of expense reports while still elevating the gifts/travel items to the appropriate level of review and requiring appropriate documentation.

I asked whether a Compliance Officer can rely on the audit controls that are in place regarding gifts, since in many companies internal audits of expense reports are common. Mixon noted that it is important to keep in mind that, with respect to gifts, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So it gives a false sense of security if a Compliance Officer relies on the internal audit of expense reports to be the control needed over violation of gift policies.

I thought about one line in Brooks’ piece, which seemed to echo Mixon’s thoughts on internal controls, where Brooks wrote, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Mixon has identified, you can go a long way towards detecting and, more importantly, preventing an FCPA violation from occurring.


September 26, 2014

West Side Story and GSK In China – Board Oversight and Tone in the Middle

Yesterday, I celebrated the anniversary of one of America’s cultural lows. But today, I am extremely pleased to open with exactly the opposite, that being one of America’s greatest gifts to the performing arts. For on this day in 1957, the musical West Side Story premiered on Broadway. There are so many facets to one of the great, even greatest, works of musical theater. Leonard Bernstein penned the score, Stephen Sondheim wrote the lyrics, Jerome Robbins choreographed the dance and the story was by Arthur Laurents, inspired by Romeo and Juliet.

There are many great songs, dances and moments in the play. Most of us (at least of my age) outside New York were introduced to the play via television, where it ran for one showing in 1971. The show never toured until the 2000s. When I finally got to see the stage production I was absolutely blown away. I had never seen anything like it, and I will never forget the five-part counterpoint singing by Tony, Maria, Anita, Bernardo and the Sharks, and Riff and the Jets, as they all anticipate the events to come that night in the song Tonight’s Quintet. The show truly is one of America’s gems.

I thought about the continuing appeal of West Side Story as a musical and why the story continues to resonate with the American people when I continued to consider some of the lessons learned from the GlaxoSmithKline PLC (GSK) matter in China. Today’s two areas for reflection are the role of a company’s Board of Directors and the ‘tone in the middle’. While we have not heard from the GSK Board on this case, it has become clear that the GSK Board was aware of both the anonymous whistleblower allegations and the release of the tape of the GSK China Country Manager and his girlfriend. One of the lessons learned from the GSK scandal is that a Board must absolutely take a more active oversight role not only when specific allegations of bribery and corruption are brought forward but also when companies are operating in high risk environments. Further, how can a company move its message of doing business ethically and in compliance down the employee chain?

In a NACD Directorship article, entitled “Corruption in China and Elsewhere Demands Board Oversight”, authors Eric Zwisler and Dean Yoost noted that as “Boards are ultimately responsible for risk oversight” any Board of a company with operations in China “needs to have a clear understanding of its duties and responsibilities under the FCPA and other international laws, such as the U.K. Bribery Act”. Why should China be on the radar of Boards? The authors reported, “20 percent of FCPA enforcement actions in the past five years have involved business conduct in China. The reputational and economic ramifications of misinterpreting these duties and responsibilities can have a long-lasting impact on the economic and reputation of the company.”

The authors understand that corruption can be endemic in China. They wrote, “Local organizations in China are exceedingly adept at appearing compliant while hiding unacceptable business practices. The board should be aware that a well-crafted compliance program must be complemented with a thorough understanding of frontline business practices and constant auditing of actual practices, not just documentation.” Further, “the management cadence of monitoring and auditing should be visible to the board.” All of the foregoing would certainly apply to GSK and its China operations.

Moreover, the FCPA Guidance makes clear that resources and their allocation are an important part of any best practices compliance program. So if that risk is perceived to be high in a country such as China, the Board should follow the prescription in the Guidance, which states “the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

To help achieve these goals, the authors suggested a list of questions that they believe every director should ask about a company’s business in China.

  • How is “tone at the top” established and communicated?
  • How are business practice risks assessed?
  • Are effective standards, policies and procedures in place to address these risks?
  • What procedures are in place to identify and mitigate fraud, theft, and corruption?
  • What local training is conducted on business practices and is it effective?
  • Are incentives provided to promote the correct behaviors?
  • How is the detection of improper behavior monitored and audited?
  • How is the effectiveness of the compliance program reviewed and initiated?
  • If a problem is identified, how is an independent and thorough investigation assured?

Third parties generally present the most risk under a Foreign Corrupt Practices Act (FCPA) compliance program and are believed (at least anecdotally) to be involved in over 90 percent of reported FCPA cases, through the use of third-party intermediaries such as agents or consultants. But this is broader than simply third party agents because any business opportunity in China will require some type of business relationship.

One of the major failings of the GSK Board was that it apparently did not understand the actual business practices that the company was engaging in through its China business unit. While $500MM may not have been a material monetary figure for the Board to consider, the payment of such an amount to any third party or group of third parties, such as Chinese travel agencies, should have been raised to the Board. All of this leads me to believe that the GSK Board was not sufficiently engaged. While one might think a company which had received a $3bn fine and was under a Corporate Integrity Agreement (CIA) for its marketing sins might have sufficient Board attention, perhaps legal marketing had greater Board scrutiny than doing business in compliance with the FCPA or UK Bribery Act. The Board certainly did not seem to understand the potential financial and reputational impact of a bribery and corruption matter arising in China. Perhaps they do now but, for the rest of us, I think the clear lesson to be learned is that a Board must increase oversight of its China operations from the anti-corruption perspective.

GSK Chief Executive Officer (CEO) Sir Andrew Witty has certainly tried to say all of the right things during the GSK imbroglio in China. But did that message really get down to the troops at GSK China? Moreover, did that message even get to middle management, such as the GSK leadership in China? Apparently not, so one of the lessons learned is how to move the Olympian pronouncements of Sir Andrew down to lower levels of his company. Just how important is “Tone at the Top”? Conversely, what does it say to middle management when upper management practices the age-old parental line of “Don’t do as I do; Do as I say”? In his article entitled “Ethics and the Middle Manager: Creating ‘Tone in The Middle’”, Kirk O. Hanson listed eight specific actions that top executives could engage in which demonstrate a company’s and their personnel’s commitment to ethics and compliance. The actions he listed were:

  1. Top executives must themselves exhibit all the “tone at the top” behaviors, including acting ethically, talking frequently about the organization’s values and ethics, and supporting the organization’s and individual employee’s adherence to the values.
  2. Top executives must explicitly ask middle managers what dilemmas arise in implementing the ethical commitments of the organization in the work of that group.
  3. Top executives must give general guidance about how values apply to those specific dilemmas.
  4. Top executives must explicitly delegate resolution of those dilemmas to the middle managers.
  5. Top executives must make it clear to middle managers that their ethical performance is being watched as closely as their financial performance.
  6. Top executives must make ethical competence and commitment of middle managers a part of their performance evaluation.
  7. The organization must provide opportunities for middle managers to work with peers on resolving the hard cases.
  8. Top executives must be available to the middle managers to discuss/coach/resolve the hardest cases.

What about at the bottom? Remember those China unit employees who claimed they were owed bonuses because their bosses had instructed them to pay bribes? Well, if your management instructs you to pay bribes, that is a very different problem. But if your company’s issue is how to move the message of compliance down to the bottom, Dawn Lomer, Managing Editor at i-Sight Software, provided some concrete suggestions in an article in the SCCE magazine, entitled “An ethical corporate culture goes beyond the code”, where she wrote that the unofficial message which a company sends to its employees “is just as powerful – if not more powerful – than any messages carried in the code of conduct.” Lomer suggested that a company use “unofficial channels” by which your company can convey and communicate its message regarding doing business in an ethical manner and “influence employee behavior across the board.” Her suggestions were:

  1. Reward for Integrity - Lomer writes that the key is to reward employees for doing business in an ethical manner and that such an action “sends a powerful message without saying a word.”
  2. The three-second ethics rule – It is important that senior management not only consistently drive home the message of doing business ethically but also communicate that message in a short, clear values statement.
  3. Environmental cues – Simply the idea that a company is providing oversight on doing business ethically can be enough to modify employee behavior.
  4. Control the images – It is not all about winning but conducting business, as it should be done.
  5. Align Messages – you should think about the totality of the messages that your company is sending out to its employees regarding doing business and make sure that all these messages are aligned in a way that makes your ethical corporate culture clear.

The GSK case will be in the public eye for many months to come. Both the UK Serious Fraud Office (SFO) and US authorities have open investigations into the company. Just as the five-part counterpoint singing or the rooftop symphonic dance scene to the song America demonstrates the best of that art form, you can draw lessons now from GSK’s missteps in China for implementing or enhancing your anti-corruption compliance program going forward.

And while you are ending your week of considering GSK and its lessons learned for your compliance program, crank up your speakers to 11 and listen to some five-part counterpoint singing in the movie version of the Tonight Quintet, by clicking here.


September 15, 2014

Internal Controls for Third Party Representatives in a FCPA Compliance Program

This week, I am continuing my podcast series, on the FCPA Compliance and Ethics Report, on internal controls in a best practices anti-corruption compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery legislation. In this series, I am visiting with Henry Mixon, a top-notch internal controls expert, to help explain what internal controls might be needed, how to assess the need and then how to implement the needed internal controls. This week I am running a two-part episode on the internal controls related to the management of third party representatives.

Mixon suggested that a compliance practitioner should perform an analysis of any third party representative to provide insight into the pattern of dealings with such third parties and, therefore, the areas where additional controls should be considered. He listed some basic internal controls that should be a part of any financial controls system. The general internal controls, which might be appropriate, could be some or all of the following:

  • A control to correlate the approval of payments made under contracts with third party representatives with your company’s internal system for processing invoices.
  • A control to monitor all situations in which funds can be sent outside the US, in whatever form your company might use, which could include accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances or other forms.
  • A control for the approval of sales discounts to distributors.
  • A control for the approval of accounts receivable write-offs.
  • A control for the granting of credit terms to third parties or customers outside the US.
  • A control for agreements for re-purchase of inventory sold to third parties or customers.
  • A control for opening of bank accounts specifically including accounts opened at request of an agent or a customer.
  • A control for the movement / disposal of inventory.
  • A control for the movement / disposal of movable fixed assets.
  • Execution and modification of contracts and agreements outside the US.

Mixon also noted that, in addition to the above, there should be internal controls based on activities with third party representatives. These could include some or all of the following internal controls:

  • A control for the structure and enforcement of the Delegation of Authority.
  • A control for the maintenance of the vendor master file.
  • A control around expense reports received from third parties.
  • A control for gifts, entertainment and business courtesy expenditures by third party representatives.
  • Charitable donations.
  • All cash / currency, inventory, fixed asset transactions, and contract execution in countries outside the US where the country manager has final authority.
  • Any other activity for which there is a defined corporate policy relating to FCPA.

While that may appear to be an overly exhaustive list, Mixon indicated that he believed there were four significant controls that he would suggest the compliance practitioner implement initially. He listed: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

Mixon noted that a DOA should reflect the impact of FCPA risk, including both transactions and geographic location, so that a higher level of approval would be required inside an organization for matters involving third parties and for fund transfers and invoice payments to countries outside the US. He did concede that quite often the DOA is prepared without much thought given to FCPA risks. Unfortunately, once a DOA is prepared it is not used again until it is time to update it for personnel changes. Moreover, it is often not available, not kept current, and/or does not define authority in a way even the approvers can understand. Therefore it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid.

Furthermore if a DOA is properly prepared and enforced, it can be a powerful preventive tool for FCPA compliance. To support this Mixon used the following example: A wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Moreover, the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US (including those who travel from the US to work outside the US).

I then asked Mixon about the vendor master file, which he believes can be one of the most powerful PREVENTIVE control tools, largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next, manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested, or when changes to a vendor name and/or vendor payment information are submitted.

Near and dear to my heart as a lawyer, Mixon also indicated that contracts with third parties can be a very effective internal control which works to prevent nefarious conduct rather than simply as a detective control. He cautioned that for contracts to provide effective internal controls, relevant terms of those contracts (commission rate, whether business expenses can be reimbursed, use of subagents, etc.) should be extracted and made available to those who process and approve vendor invoices. If nonconforming service descriptions, commission rates, etc., are present in a contract, such terms must be approved not only by the original approver but also by the person so delegated in the DOA. Unfortunately, contracts are not typically integrated into the internal control system. They are left off to the side on their own, usually gathering dust in the legal department file room.

Mixon said that the Hewlett-Packard (HP) FCPA enforcement action was an excellent example of the lack of internal control over the disbursement of funds and movement of currency, because you had the country manager delivering bags of cash to a Polish government official to obtain or retain business. Mixon believes that all situations where funds can be sent outside the US (AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances, etc.) should be reviewed from an FCPA risk standpoint. He went on to say that within a given company structure you need to identify the ways in which a country manager (or a sales manager, etc.) could cause funds to be transferred to their control and conceal the true nature of the use of the funds within the accounting system.

To prevent these types of activities, internal controls need to be in place. Mixon presented the following example of how this could be managed: all wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence that the approvals obtained agree with the DOA. Wire transfer requests going out of the US should always require dual approvals. Lastly, wire transfer requests going outside the US should be required to include a description of the proper business purpose.
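The four controls Mixon singles out (DOA approval levels, the vendor master vetting block, dual approval and a stated business purpose for outbound wires, and manual control over vendor master changes) can be enforced as one pre-payment check. The Python below is an added example, not code from the post or from Mixon Consulting; the vendor records, role names and the rule that high-risk vendors also require Compliance sign-off are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vendor:
    vendor_id: str
    name: str
    risk_level: str                      # "low" or "high", set during vetting
    bank_country: str                    # country of the payee bank account
    vetting_approved_on: Optional[date]  # None means vetting was never approved


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    destination_country: str
    business_purpose: str
    approvals: list                      # roles that have signed off so far


def sample_vendor_master():
    """Constructed sample data standing in for the vendor master file."""
    return {
        "V-100": Vendor("V-100", "Acme Supplies Inc", "low", "US", date(2014, 3, 1)),
        "V-200": Vendor("V-200", "Lagos Logistics Ltd", "high", "NG", date(2014, 6, 15)),
        "V-300": Vendor("V-300", "Unvetted Agent", "high", "NG", None),
    }


def required_approvers(req, vendor):
    """DOA rule from the post's example: a domestic wire needs the Finance
    Manager and one officer; a wire outside the US adds Compliance. Treating a
    high-risk vendor the same way is an assumption of this example."""
    roles = {"finance_manager", "officer"}
    if req.destination_country != "US" or vendor.risk_level == "high":
        roles.add("compliance")
    return roles


def evaluate_payment(req, vendor_master):
    """Return (allowed, reasons). Any reason blocks the payment BEFORE it is paid."""
    reasons = []
    vendor = vendor_master.get(req.vendor_id)
    if vendor is None:
        return False, ["vendor not present in vendor master file"]
    # Electronic block: no payment to a vendor whose vetting is not approved.
    if vendor.vetting_approved_on is None:
        reasons.append("vendor vetting not approved")
    given = set(req.approvals)
    if req.destination_country != "US":
        # Outbound wires need dual approval and a stated business purpose.
        if len(given) < 2:
            reasons.append("outbound wire requires dual approval")
        if not req.business_purpose.strip():
            reasons.append("outbound wire requires a business purpose")
    missing = required_approvers(req, vendor) - given
    if missing:
        reasons.append("missing DOA approvals: " + ", ".join(sorted(missing)))
    return (not reasons), reasons


def apply_vendor_change(vendor, new_name=None, new_bank_country=None, approved_by=None):
    """Manual control over vendor master changes (assumption of this example):
    a name or payment-detail change must carry an approver and re-opens
    vetting, so the electronic block above applies until it is re-approved."""
    if new_name is None and new_bank_country is None:
        return vendor
    if not approved_by:
        raise PermissionError("vendor master change requires an approver")
    if new_name is not None:
        vendor.name = new_name
    if new_bank_country is not None:
        vendor.bank_country = new_bank_country
    vendor.vetting_approved_on = None
    return vendor


if __name__ == "__main__":
    vm = sample_vendor_master()
    domestic = PaymentRequest("V-100", 12000.0, "US", "Q3 supplies", ["finance_manager", "officer"])
    print(evaluate_payment(domestic, vm))
    outbound = PaymentRequest("V-200", 12000.0, "NG", "", ["finance_manager"])
    print(evaluate_payment(outbound, vm))
```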

Mixon continues to emphasize that internal controls are really just good financial controls. The internal controls that he detailed for third party representatives in the FCPA context will help to detect fraud, which could well lead to bribery and corruption.

You can listen to my podcast with Henry Mixon on internal controls for third parties in a FCPA compliance program, part I by clicking here.


September 8, 2014

Board of Directors and FCPA Oversight – An Internal Control Under SOX, Part II

In Part I of this two-part post regarding a Board of Directors’ role in Foreign Corrupt Practices Act (FCPA) oversight from the internal controls perspective, I reviewed how a Board might have independent liability for its failure to act as an appropriate internal control as required by Sarbanes-Oxley (SOX). Today I will review what internal controls are and what a Board’s role is within the context of internal controls.

Beginning on Tuesday, in conjunction with this two-part blog, my colleague Henry Mixon, Principal of Mixon Consulting, and I are recording a podcast series on internal controls, which can be found on FCPA Compliance and Ethics Report. We are discussing the following areas: what internal controls are, how a company might use them and how they can be implemented. In the first of the podcast series I asked Mixon what internal controls are. He began with the textbook definition, which he said was “Internal controls are systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to:

  • conduct its business in an orderly and efficient manner,
  • safeguard its assets and resources,
  • deter and detect errors, fraud, and theft,
  • ensure accuracy and completeness of its accounting data,
  • produce reliable and timely financial and management information, and
  • ensure adherence to its policies and plans.”

Mixon noted that internal controls should be instituted entity wide, not simply limited to those functions used or reviewed by accountants and auditors. For an anti-corruption compliance regime such as the FCPA or UK Bribery Act, internal controls are measures to provide reasonable assurances that any assets or resources of a company (not limited to cash) cannot be used to pay a bribe. This definition includes diversion of company assets (such as by unauthorized sales discounts or receivables write-offs) as well as the distribution of assets.

Mixon noted that the basic framework for internal controls is derived from the COSO Model developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. The COSO Model defines internal controls in a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring.

In the 2013 update the basic framework was retained with substantial support from user companies, and 3 specific objectives were added: (I) Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; (II) Reporting objectives – internal and external financial reporting; and (III) Compliance objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations.

We then turned to the question of which internal controls a company needs to institute. Mixon said that each company defines its internal controls to fit its business by determining what the company wishes to protect and what type of control environment it wants to have in place. This means that controls can be less formal in smaller companies but still effective if the focus is on the right risks. Based upon FCPA guidance, the most common control needs have been identified as follows: (i) dealings with third parties; (ii) gifts and entertainment; and (iii) charitable donations. Yet even within those categories, a wide range of risks exists, depending on a company’s business practices. Mixon emphasized that a top-down ‘check-the-box’ generic set of policies will not likely result in effective controls.

The process to determine which internal controls are needed will be of some familiarity to the compliance professional. It all starts with a risk assessment to establish the corporate policies which are applicable, tailored to the company, and sufficiently specific. The risk assessment will also help to identify the types of transactions across the company which should be addressed (gifts and entertainment, maintenance of bank accounts and movement of cash, dealings with third parties, etc.). The next step is to prepare a set of documents which define the control objectives to be in place for each type of transaction, for example: “Controls will be in place to ensure no vendor has been added to the vendor master file until complete due diligence has been completed and the vendor has been approved in accordance with Corporate policies.” Thereafter, you will need to document how the controls will be performed and how they will be evidenced, and then incorporate the control procedures into applicable work instructions and job descriptions. Mixon cautioned that, for each business location, you should determine the specific controls needed to accomplish each control objective. In many companies, a disparity of operating practices and accounting systems will result in different controls being needed. He ended by emphasizing that while this assignment may seem overwhelming it can be done in reasonable stages, pursuant to a specific implementation plan; it does not have to be done all at once for the entire company.

As you will recall from Part I, I believe, as gleaned from Jim Doty’s remarks, that a Board must not only have a corporate compliance program in place it must also actively oversee that function. This led me to conclude that failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Doty’s remarks drove home one of the roles that a Board performs, which fulfills those tasks. Internal controls work together with compliance policies and procedures as stated by Aaron Murphy, a partner at Akin Gump, in his book “Foreign Corrupt Practices Act”, as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Murphy breaks down internal controls into five concepts, which I have adapted for a Board or Board subcommittee role for compliance:

  1. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  2. Risk Assessment – A Board should assess the compliance risks associated with its business.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

There have been several FCPA enforcement actions where the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) discuss the failure of internal controls as a basis for FCPA liability. The Smith & Wesson enforcement action is but the latest. With the questions about the Walmart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, alternatively, their failure even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.


September 3, 2014

Language as a Long Term Compliance Strategy

I constantly rely on Jay Rosen and his team at Merrill Brink for translation and other language related services in the compliance portion of my work. (Yes, I do practice law and compliance for a living; I blog for gratis.) Not only am I required to help evaluate documents in a foreign language which need to be translated into English, but often I need a foreign language version of compliance related documents that I create, from third party questionnaires to contracts to Foreign Corrupt Practices Act (FCPA) training materials. While I still tend to think of language as a tactical issue, Jay has long striven to have me see it as part of a business’s overall strategy.

I think I may have finally seen the light that Jay has been preaching to me over the past few years when I read an article in the September issue of the Harvard Business Review (HBR), entitled “What’s Your Language Strategy?” by Tsedal Neeley and Robert Steven Kaplan. The authors posit that language should bind not only your company’s global talent pool but also your company’s vision. After concluding the article, I now understand how language is a strategy to help inform your compliance program as well. This is because just as “Language pervades every aspect of organizational life”, the authors believe that companies “often pay too little attention to it in their approach to talent management.” I would add that this is also true in the compliance function.

The authors believe that problems revolve around potential “blind spots regarding language.” They write that company leaders pay too little attention to the role of language when “hiring, training, assessing and promoting employees. This can lead to miscommunication and friction, especially among team members who collaborate across borders.” While the authors point out that a company’s competitiveness may suffer, I would suggest that a company’s compliance function could also suffer. The authors believe that a company should align its language strategy with its overarching priorities, and further that it should build “language skills and cultural awareness throughout your organization in order to acquire and develop the kind of talent you need to compete globally and locally.” The authors believe that by paying attention to this issue, your company can potentially turn “vulnerability into a competitive strength.”

The authors identify five key points which a company should evaluate regarding language. I would also add they relate directly to any international company’s anti-corruption compliance function whether under the FCPA; UK Bribery Act or other anti-bribery regime.

Hiring and Training

Here companies need to understand how candidates might come across in the interview or other pre-employment evaluation process. While a candidate’s fluency in multiple languages may overshadow deficits in other critical areas, it may also be a problem because as an evaluator, “you may need to accept some limitations on language capabilities and be prepared to provide training to meet both global and local language needs.” But even if you get past this first hurdle the authors identify a follow-up problem in this area; that is, after hiring and/or promotion. They state, “Another blind spot is a tendency to over rely on external lateral hires with a certain degree of language skill to fill midlevel roles rather than hiring and grooming outstanding junior candidates with the capacity and motivation to learn new languages. While the latter approach may initially take more time, companies often find that entry-level hires ultimately become their best leaders, because they have been trained from an early stage in company culture and practices. Defaulting to lateral hires can make it more difficult to build a cohesive culture—those recruits have been trained elsewhere and may have trouble assimilating.”

Evaluating Talent Accurately

Even if your company does improve its entry level hiring practices and provide training to assist new employees in their language skills, you still need to make accurate performance evaluations. Here companies may get into trouble because “Language agility does not necessarily spell high performance.” The authors point to the need for a robust process to assess skills and attributes which allows a company to “look beyond verbal agility when gauging performance. It’s a reality check, a way to make sure that you and other leaders are not unduly swayed by fluency.”

Rethinking the Role of Expatriates

One of the key areas in the compliance field is to develop local compliance talent and expertise. This is not only because “expatriates may not be familiar with the local language, culture, and business practices, they can bring knowledge of organizational culture along with an understanding of the company’s products, processes, and systems.” One of the roles of any compliance manager, particularly an ex-pat is “to focus on developing local talent and ensuring that indigenous professionals begin to play leadership roles in the local businesses.” Equally important is to “think about the people you’re choosing to send abroad. To build a strong team of local leaders, it’s critical to give expatriate assignments to your best people—not just to solid contributors who happen to have the right language skills and are more easily dispensed with at home. Otherwise, you may find that your firm’s global offices fail to attract, develop, and retain the strong indigenous talent they need for high performance.”

Managing Communications on a Global Team

Most of the companies I have worked at hold all their communications in English on a company-wide basis. Of course I thought this was great. But the authors note that “managers often unwittingly position native speakers of a lingua franca as “winners” within the firm; consequently, nonnative speakers experience a substantial loss of power and status. If companies don’t take such issues into account, they can cause otherwise talented and engaged professionals to underperform and even withdraw.”

The authors believe that managers need to understand which of their employees are comfortable with their second-language proficiency and which may not be so comfortable. They provide specific guidance as follows, “Global managers must deal directly with such issues to promote productive global cooperation. They must be sensitive to how employees of varying language proficiency are interacting. The goal is to make it easier for native and nonnative speakers to establish trust and communicate effectively. Managers’ observations should include the following: Who attends meetings? Who speaks up? Are the best employees contributing, or is language getting in the way? It’s then important to facilitate meetings and calls so that nonnative and native speakers get equal airtime. Often this means coaching primary-language people to speak less and second-language people to speak more. It also involves setting clear agendas up front, considering the mode of communication, and thinking through meeting choreography in advance.”

Building Cultural Awareness

The authors conclude by reminding us that language fluency does not always equate to cultural fluency, as “too often leaders underperform because they fail to adapt their management styles and practices to fit a multicultural environment. For them, understanding the cultural background of each team member, the role of the company, its products and services, and the customers it serves within various cultural and regional contexts is as essential as learning to conjugate new verbs.” They believe that “Managers should be held accountable” for ensuring that language and cultural skills are developed throughout their organization.

The authors’ piece is chock full of ideas, insights and issues for a Chief Compliance Officer (CCO) or compliance practitioner. Any company doing business internationally is going to have the issues that the authors discuss in their article. The compliance function has all of these issues in spades because if you need to consider the FCPA, it is because you are doing business internationally.

