FCPA Compliance and Ethics Blog

June 24, 2015

Pink Flamingos and the Compliance Audit

The creator of one of the most ubiquitous symbols of mid-century Americana died earlier this week. Don Featherstone, who created the pink plastic lawn flamingo, the ultimate symbol of American lawn kitsch, was 79. Featherstone, a trained sculptor with a classical art background, created the flamingo in 1957 for the plastics company Union Products, modeling it after a bird he saw in National Geographic. Millions of the birds have been sold. Whether you think of the Pink Flamingo as a symbol of Miami Vice, John Waters and Divine or of something less salacious, here's to Featherstone, a true original.

While Featherstone created one of the ultimate symbols of the second half of the 20th century for a generation of South Floridians, the Japanese company Takata Corporation (Takata) continues to be in the news for much less prestigious reasons. As reported in the New York Times (NYT), in an article entitled “Senate Panel Says Takata Cut Audits on Safety”, Hiroko Tabuchi and Danielle Ivory wrote: “In the middle of what would become the largest automotive recall in US history, the Japanese airbag manufacturer Takata halted global safety audits to save money”. Interestingly (or perhaps ominously would be a better word), Takata responded by saying it had not halted safety audits for products but rather for worker safety. Doesn’t that give you some comfort?

A US Senate committee report found that “Takata halted global safety audits at its manufacturing plants in 2009, a year after Honda had started recalling a small number of cars to replace the airbags.” These audits were later restarted in 2011 but when they found safety issues related to airbag manufacturing in two key plants, “those findings were not shared with Takata’s headquarters in Tokyo, the report said, citing internal emails from Takata’s safety director at the time.” Moreover, “when the safety director returned to the plant months later to conduct a follow-up audit, employees appeared to scramble to create the appearance of a safety committee within the plant.” Finally, and perhaps most damningly, the report cited an internal Takata email which said, “No safety committee, as such, has been formed” at the plants in question.

Foreign Corrupt Practices Act (FCPA) compliance in many ways follows the path laid out by corporate safety departments some 20-30 years ago, when safety became much more high profile in US corporations. The safety committee and the safety audit became mainstays of any best practices safety program. These techniques inform any anti-corruption best practices compliance program, whether under the FCPA, the UK Bribery Act or any other anti-corruption regime. Indeed, audits are specifically delineated in the FCPA Guidance as a way to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. Three factors are critical, and all three appear to have been lacking in Takata’s safety audit protocol: (1) an effective audit program which specifies all necessary activities for the audit; (2) competent auditors in place; and (3) an organization that is committed to being audited.

Auditing can take several different forms in an anti-corruption compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy the procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine whether employees are following prescribed processes or internal controls, as in an operational Sarbanes-Oxley (SOX) or FCPA compliance audit.

In addition to the collection and analysis of evidence, an auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted.

Now imagine if this scenario had been followed by Takata. The lack of a safety committee is a glaring omission at any manufacturing facility. Simply noting this and reporting it up the chain could have gone some way towards preventing the situation the company now finds itself in, with a worldwide recall of up to 32 million vehicles. The same is true for a compliance audit. Monitoring provides information to you on a more real-time basis; a compliance audit complements this real-time oversight with a much deeper dive into what has happened on a historical basis.

The recent BHP Billiton FCPA enforcement action is certainly one to look at in this context. Although a committee was set up to review gifts and travel requests for the company’s 2008 Olympic hospitality program, the committee did not fulfill this charge. It was alleged in the Securities and Exchange Commission (SEC) settlement documents that this committee was never intended to vet the applications for tickets and travel for government officials but was simply there to provide guidance.

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place BHP Billiton did not do the work of compliance by evaluating the applications for travel and tickets to the Beijing Olympics but left it to the devices of the business unit employees who were making the requests and ultimately most directly benefited from the gifting.

Another area ripe for audit in your compliance program is your third parties. While there is no single list of transactions or other items which should be audited when it comes to your third parties, below are some of the areas you may wish to consider reviewing:

  • Contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review the FCPA compliance training program for any vendor; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Test for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

The compliance function is still behind the safety function in terms of maturity. Because of this there are many lessons which a Chief Compliance Officer (CCO) or compliance practitioner can draw from our colleagues in safety. The safety audit is certainly a technique that can be drafted into your compliance program. But as the ongoing Takata airbag debacle demonstrates, your audit only works if you actually perform it. In other words, the protocol is simple and everyone understands that you need to audit, but try to cut costs or corners and you will pay for it in the long run.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 20, 2015

Levi Strauss and Auditing of Third Parties

Today we celebrate innovation. On this day in 1873, a patent to create work pants reinforced with metal rivets was granted. This marked the birth of one of the world’s most famous garments: blue jeans. Jacob Davis, a tailor in Reno, Nevada, presented the idea to Levi Strauss in 1872 when he wrote Strauss a letter about his method of making work pants with metal rivets on the stress points to make them stronger. Davis didn’t have the money for the necessary paperwork and proposed that Strauss provide the funds and that they get the patent together. Strauss agreed, and the patent for “Improvement in Fastening Pocket-Openings”, the innovation that would produce blue jeans, was granted.

Until Strauss opened a factory in 1880, the “waist overalls”, as the original jeans were known, were manufactured by seamstresses working out of their homes. Levi’s 501s, previously known as “XX”, were soon a bestseller, and by the 1920s they were the top-selling work pant in the US. Over the decades the fad has grown, and today they are a firm staple in closets around the globe.

I thought about this innovation and sustained excellence when I sat through a presentation at Compliance Week 2015 by two ladies from Baker Hughes Inc. (BHI), Jennifer Ellison, Senior Legal Compliance Manager, and Marianne Ibrahim, Senior Counsel, on Audits and Investigations. They focused on three aspects of the company’s audit program in its compliance function: the types and purpose of Foreign Corrupt Practices Act (FCPA) audits, planning for the audit, and interviewing, all in conjunction with your audit program for third parties.

When planning for such an audit they laid out the following steps:

  • Plan four to six weeks in advance.
  • Perform the audit under your legal counsel’s lead to preserve privilege.
  • Work with the business sponsor to establish key business contacts.
  • Discuss audit rights and processes with the third party.
  • Prepare initial document request lists for financial information queries.
  • Take the time to review findings from previous audits and their resolutions, and also review details of opened and closed internal investigations.
  • If any Code of Conduct questionnaires are available, take care to review them.
  • Finally, be cognizant of any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions.

They noted you should try to determine the entry points of foreign government involvement. They broke this down into (1) direct and (2) indirect. In the direct category they listed the following areas: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government-owned entities, procurement of business licenses and permits to perform work and, finally, areas around police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors, and, finally, those who might be consultants or other channel partners.

Document review and selection is important for this process. They said that you should ask for as much electronic information as possible, well in advance of your audit. They did recognize that it is much easier to get database records for internal audits than for audits of third parties. One item they made sure to ask for in advance was records in database or Excel format and not simply in .pdf. They suggested you ask for the following categories of documents: trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries, and revenue by country and customer.

When you are ready to commence your interviews, they emphasized that the lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with auditors, who will be reviewing the documents from the forensic perspective. Regarding potential interviewees, they related you should focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

  • Business Leadership
  • Sales/Marketing/Business Development
  • Operations
  • Logistics
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal.

For the interview topics, they suggested several lines of inquiry. Initially they noted you should conduct the audit interview as precisely that, an audit interview and not an investigative interview. You should not play ‘gotcha’ in this format. They said you should avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on included:

  • General policies and procedures;
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust.

Ellison and Ibrahim went into detail regarding the review you should make of the General Ledger (GL) accounts. They suggested you review commission payments to agents and representatives, any facilitating payments made, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotion expenses. Payments made to customs or freight forwarders and other processing agents, and payments for permits, licenses, taxes and other regulatory expenses, should also be reviewed. Additionally, any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, they suggested that a review of any security payments, extortion payments, payments to legal consultants or tax advisors, and fines and penalties should be considered.

Regarding bank accounts and cash disbursement controls, you should review the following:

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts.

In the area of cash funds review the following:

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses; scrutinize for any suspicious expenses submitted, expenses lacking adequate documentation, or incorrect posting; and identify and review accounts associated with gifts, meals, entertainment, travel, or promotion. In the area of payroll, consider the risks around the use of ghost employees, hiring of relatives of government employees, and the use of bonus payments, and be sure to request a payroll listing and review it for any such persons.

Around training, you should determine whether your company provides industry-specific training to government entities, and review GL accounts and expenses for related items. In looking at payments under local law, you should obtain a list of payments to the government required by local laws and identify and review payments to government authorities or employees, customs authorities or agents, income tax authorities or license requirements. For payments made to third parties, you should review commission and expense payments for compliance with company policy and also trace payments to the third party’s bank account.

Ellison and Ibrahim provided solid, detailed information not only on what your audit protocol should be but also on what you should look for and how you should do it. It was an excellent presentation.


© Thomas R. Fox, 2015

October 2, 2014

The Mitford Sisters and the Compliance Audit

Deborah Cavendish died last week. She was the last surviving member of an extraordinary group of women known as the ‘Mitford Sisters’. They were the six daughters of David Freeman-Mitford, the 2nd Baron Redesdale, and the former Sydney Bowles. The six led about as varied lives as six different yet related siblings could possibly have. Nancy (1904-73) became an author and wrote “The Pursuit of Love” and “Love in a Cold Climate.” Pamela (1907-94), who grew up wanting to be a horse, married a horseman who became a physicist. Diana (1910-2003) married Britain’s fascist leader Oswald Mosley, in the presence of Hitler and Joseph Goebbels. Unity (1914-1948) fell in love with Hitler and was Eva Braun’s rival for his affections; she died a decade after her attempted suicide with the bullet still in her head. Jessica (1917-96) was a communist. This did not prevent her from eloping with Churchill’s nephew and moving to the United States, where she penned “The American Way of Death” and other books. Deborah developed a passion for chickens and later married Andrew Cavendish, who became the Duke of Devonshire, making Deborah the Duchess of Devonshire.

Deborah’s major accomplishment was to adapt the Duke’s ancestral home of Chatsworth into a self-sustaining family business. She kept up a personal and active involvement in this project for nearly 40 years, until her husband died and she became the Dowager Duchess. Today, Chatsworth is one of the most visited sites in England.

I thought about Deborah, her remaking of Chatsworth and how she and her sisters remade themselves from the fairy-tale princess lives they grew up with when I read a recent article in the Red Flag Group’s Compliance Insider, September-October issue, entitled “Rethinking the typical audit”, by Georgia White. The piece recognized that the standard financial audit clause may be of little use to the compliance practitioner but that it can be reworked “to include proactive compliance obligations which can be an effective and valuable way to positively manage relationships with distributors and resellers.” Some of the reasons typical audit clauses with such parties are disfavored were identified: they are “insufficiently tailored and poorly defined”, or they contain some type of “catch-all” provision which allows a company to audit more than simply its relationship with a distributor or reseller. Such audit clauses were noted to “represent little value for both the client and the business partner.”

Compliance Audit Clause

The first focus of the article was that “Compliance audits should be aimed at engaging business partners to participate in compliance initiatives pro-actively, whether by way of interview or discussion, integrity circles or forums, or health checks or periodic review”, all supplemented by occasional transaction sampling. In other words, you must do the work required in managing the relationship after the contract is signed, Step 5 in the Five Step lifecycle management of third parties. The article suggested the following compliance audit clause: “In addition to maintaining proper records and accounts in relation to Distributor/Reseller’s use of product X, Distributor/Reseller will participate in compliance health checks and periodic reviews, and attend integrity circle and forums on a regular basis as required by Supplier Y. In the event of an allegation of misconduct, upon seven (7) days written notice Supplier Y (or its authorized agent) may conduct an inspection and audit all relevant facilities and records of Distributor/Reseller to verify compliance with obligations under this Agreement. Such audit is to be conducted in business hours at Supplier Y’s own expense and in such a manner as not to unreasonably interfere with Distributor/Reseller’s normal business activity.”

Getting buy-in from business partners

The piece suggests that by pro-actively engaging your Distributor/Reseller in this manner you can help maintain “the integrity of the relationship” and keep “open and transparent lines of communication.” While it may be easier to include such a clause with a new Distributor/Reseller, you may face a challenge with a relationship which has been long standing. However, for an effective Distributor/Reseller relationship to be maintained, the author believes that everyone must be treated equally (the Fair Process Doctrine in play), as “compliance audits should apply to new and existing partners alike.” The key is communication: educating your Distributor/Reseller base “on the value of this kind of proactive exchange on compliance issues during business-planning sessions.” In other words, set expectations by talking to your business partners about why the compliance audit is necessary and, more importantly, have them understand the “risks associated with product diversion and unethical behaviour.”

When should the audit clause be added?

The piece takes on another touchy subject in audit clauses, which is timing, by stating, “To maintain positive relationships with existing business partners it is important to consider the timing of any proposed changes to existing contractual provisions.” However, White provided some timing points for initiating this discussion.

  • Contract renewal cycle. If such a discussion is brought up during the regular renewal cycle, you certainly should have a good argument for such programs under a Foreign Corrupt Practices Act (FCPA) best practices compliance program. The debate about whether distributors were covered was ongoing until a couple of years ago, so many companies may not have considered auditing such relationships. Moreover, White notes that if you raise the issue during a renewal cycle, “business partners are less likely to invoke suspicion that is a ‘targeted’ requirement” you are aiming only at them.
  • Annual business planning sessions. Such meetings usually entail an overall strategy component so White believes it is a good time to bring up the issue in the context of your company’s overall anti-corruption compliance efforts. You should have the opportunity to “discuss best-practice strategy and introduce the possibility of proactive compliance auditing for the relationship going forward.” The more you can focus on the ‘partner’ nature of the compliance obligation the more this should resonate with your Distributor/Reseller.
  • Company-wide annual meetings with Distributor/Resellers. Here White suggests that if you bring all of your Distributor/Resellers together and announce the auditing requirement, you may be able to demonstrate that auditing is now a system wide requirement. She believes “The chance of buy-in is increased if it is perceived that other competitors are already actively engaging with you in this manner.”
  • Negotiate over audit rights. White suggests this particularly if you are in a high risk environment or need to institute such an audit right sooner rather than later. She suggests you “consider introducing the proposed change in tandem with a benefit that is being rolled out to the business partner.” I would add that you could also sweeten the pot.

From the overall tone of White’s article, the key seems to be communication. Communication can be used to show that adding and then invoking a compliance audit clause is not necessarily a negative outcome. But more important than communication with your Distributor/Resellers is the concept from the Fair Process Doctrine; that is, if the process is fair, people and business partners may be more willing to accept a perceived negative outcome. This will go a long way toward alleviating fears among Distributor/Resellers that they are being targeted for some nefarious reason or, worse, that your company may be using the information obtained in a compliance audit to drive down the commercial value of the relationship.


© Thomas R. Fox, 2014

July 29, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part II

Note: I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen, learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program, drawn from their 10 Tales of Business Conduct. Today, Part II of a Three Part Series…

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

This one is tough, especially in global organizations. In many countries, you simply cannot run a background check, as criminal records are not public. In others, you can run them, but the criminal offense must be related to the job to exclude the candidate from being hired. In yet others, you can run them, but you can’t use them due to overly strict privacy rules. Then there’s the matter of the cost of doing all this due diligence. The best thing you can do is determine the following:

  • First, is your business subject to a potential FCPA violation? If you are not “at risk” of public corruption because you are not engaging at any level with foreign government officials, then half the battle is won. Of course, you still run the risk of commercial corruption (bribes, kickbacks, etc. with trading partners), but at least the spectre of government sanctions is not looming so large over you.
  • If you are “at risk” of an FCPA violation (you have interaction with government officials, including customs), have you developed a robust due diligence program, based on some corruption index, to determine the level of due diligence required for your staff and your trading partners?
  • Have you identified your red flags thoroughly to spot anomalies in your business that would signal a deeper view is recommended?
  • Do you have staff to conduct the due diligence, or a vendor to do it on your behalf?
  • Are background checks run on everyone, or just certain individuals, or certain risk areas?
  • Have you taken a hard look at your gift policies to determine whether or not there are glaring holes that could give rise to inappropriate influence in business dealings?
  • Have you taken cultural considerations under advisement in your gift policies? Are they more stringent, or lax, compared to the US? Are the gift policies in Russia different than the gift policies in the US, because someone convinced someone else that you just can’t get things done without greasing a palm here or there?
  • Do you have a formal committee reviewing all charitable contributions, or are “charitable contributions” acceptable as “facilitation” to get non-discretionary government functions moving along? Does your organization allow “facilitation payments”? If so, you had better take a second, third, fourth look….

The point I’d like to emphasize here is that even companies that make it on the “World’s Most Ethical Companies” list also make it to the DOJ’s investigation list for foreign corruption, or violation of embargoes, sanctions, and the like. People interpret rules when the rules change, depending on the country. People then make mistakes in favor of what makes business sense to them, in their country, in their environment. You just have to make sure you’ve done what’s reasonable to prevent those mistakes.

4. Communicate and Educate Employees on Compliance and Ethics Programs

Here’s where the tone from the top, middle and bottom is key to your culture. This is probably the most important thing you want to measure. I am fond of saying 90% of a good ethics & compliance program is communication, and 10% is actions/deeds. While deeds do speak louder than words, it’s the communications – what you say, how you say it, what you mean by it, your intent – that frame the actions of others. So you want to measure:

  • Are the messages the same, the deeper you get into the organization? Is the understanding of the messages cascading from above the same the further down you go? This is easy enough to measure with post-learning survey tools. Give all top, middle, and lower management the same “meeting in a box” and see if the understanding after delivery is the same. It reminds me of that campfire game, where the story starts at one end of the circle and is completely different by the time the last person hears the tale. Your objective, of course, is to ensure that every person in the corporate audience hears the same message and has the same takeaways, no matter who is telling the tale.
  • What kind of audience do you have? Does everyone have access to a computer, or do you have the challenge of manufacturing workers, with multiple languages and facilities to manage, and no technical means of reaching them? Have you done what’s necessary to ensure your training and communications mechanisms address every type of audience, or are pockets left out of the mix?
  • What learning aids do you have to help with understanding the code of conduct? Are the examples you use for harassment appropriate for your audience? Do you have a team of global reviewers who will not only preview your training, but offer suggestions on how to localize it to make it appropriate, meaningful and relevant to the teams they serve? If so, do they look at all communications pieces, or only certain ones? If only certain ones, which ones? And why?
  • Are there any leaders who go above and beyond when you launch your annual or quarterly training? I had an Asian business President who made sure he took the course the first day it was launched, and then sent a message to his leadership team about what he learned from the course, and what he wanted them to take away to their teams after they took the course. All of his team had the course done within the first month. I wanted to clone the guy, I swear!

I’m also reminded of mandatory harassment training I gave in Brazil one year. I relied upon the canned on-line training to help with my meeting amongst management, who all spoke English well. I was planning on asking them to cascade the messages to their teams while I was there, but they pointed out that the training was a farce. Women, they told me, wanted wolf calls lobbed in their direction in Brazil – it was not only culturally acceptable, but encouraged. This was substantiated by the several women in the room. Check. Fortunately, I had other examples at the ready to use for a facilitated session, which I vetted with the women on the team prior to delivery. Lesson learned? Make sure your ethics & compliance steering committee has global membership, and are willing to preview your training and communications prior to launch to ensure cultural relevance. If you don’t do this, your ethics & compliance program will be perceived as a joke. Not a desirable outcome, I would say….

  1. Monitor and Audit Compliance and Ethics Programs for Effectiveness

So, how do you measure a non-event? I often ponder…. The challenge in highly ethical organizations is that you have, at first blush, very little to measure. If everyone’s doing a good job, how do you measure effectiveness? Is it because you have a great program that you have absolutely no calls on the hotline? Or is everyone trembling in fear of retaliation, and is that the reason for no calls to the hotline? Hmmm.

Some of the things you can measure include:

  • Indicators and ‘yardsticks’ – do you crawl, walk, or run to goals?
  • Do you seek periodic stakeholder feedback (including E&C council input)?
  • What kind of documentation do you collect – trend analyses of HelpLine metrics, feedback on program enhancements as they are implemented, feedback on training and communications?
  • Do you routinely conduct a “Lessons Learned” exercise after substantiated hotline calls?
  • Does your HR team engage in site assessments when a location, facility, or team seems to have a lot of issues that arise from a single manager or set of team leaders?
  • How often are your Code, policies, and procedures updated and reviewed? Are they tested for readability and understanding? Are they just published, or is training introduced for new policies as they are issued?
  • Do you conduct risk assessments and/or change training or communications based on perceived risk areas?

  1. Ensure Consistent Enforcement and Discipline of Violations

Does your organization allow for mistakes? Many will say they do, but when the rubber meets the road, you will find that they can be unforgiving for some transgressions, and unbelievably forgiving for others…. You will want to measure:

  • Whether or not there appears to be wiggle room when folks stray. Deeds in this aspect do speak louder than words.
  • Are roles and responsibilities clearly defined, with escalation clauses when things go wrong?
  • Does your organization communicate when things go wrong as well as when things go right? I know one organization that struggled mightily when I suggested we let everyone know what actions we took for certain code violations. The attorneys were all worried that someone would sue, of course, but in the end, integrity prevailed. We were able to sanitize the situations in such a way to communicate what had been done, and what discipline was taken, without anyone learning personal details. Importantly, it drew a virtual line in the sand by publicizing transgression and discipline, so that people knew boundaries. Of course, this was after years of me observing that discipline seemed to be discretionary within the organization, and as a result, trust in management “doing right” was eroding significantly. It didn’t hurt that my observations were followed by multiple hotline calls saying the same thing… but it should never get to that point, should it?

Also measure whether or not policies and communications:

  • Encourage reporting
  • Identify resources to raise concerns
  • Prohibit retaliation for good faith concerns
  • Identify management as the primary resource for issues or concerns

And measure:

  • The average timeline to resolve complaints
  • Whether or not you benchmark reports that express fear of retaliation or unwillingness to consult with management first. This is tough to do, unless you build it in to your hotline reporting mechanism as a “customer service” function at the end of every call or report, actively soliciting this very feedback when a report is made.

  1. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

So, you are at the point where you have confidence you have the right policies and procedures in place to keep yourselves honest. But in case someone didn’t get the memo of “expected behavior” you have to make sure you respond appropriately, and take steps to avoid future missteps. One organization I worked at realized the culture of an acquired subsidiary was so awful that it opted to sell it off rather than try to fix it. They had other issues in the larger organization, but they knew a bad deal when they saw it, and took steps to rid themselves of an untenable position. Another organization I worked at kept throwing money at a subsidiary, when it probably would have been better to toss in the towel. Different organization, different results, neither perfect, but it fit them as they saw things.

When gauging the culture of your organization, some things you want to look at are the rewards and sanctions for behavior:

Positive rewards:

  • Retention of employment
  • Recognition
  • Appreciation
  • Commendation
  • Monetary or stock reward

Negative sanctions:

  • Termination or Suspension
  • Demotion
  • Probation
  • Appraisal comments/warnings
  • Reduction in compensation or bonus

You also want to measure your Performance Appraisal Systems, and look to see whether or not they include sections on:

  • Demonstrated Ethics and values in workplace conduct
  • Good communication skills
  • Building trust with stakeholders
  • Being fair or equitable
  • Maintaining a high level of quality or integrity in decision-making
  • Reporting Concerns
  • Empowering subordinates to report concerns
  • Training and development initiatives for the team

Tomorrow the Two Tough Cookies sum it all up…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.


November 21, 2013

Edison, the Phonograph and Supply Chain Audits

Today we celebrate Thomas Edison. It is not his birthday but the 127th anniversary of Edison announcing his first recording invention, the phonograph. According to This Day in History “Edison stumbled on one of his great inventions–the phonograph– while working on a way to record telephone communication at his laboratory in Menlo Park, New Jersey. His work led him to experiment with a stylus on a tinfoil cylinder, which, to his surprise, played back the short song he had recorded, “MARY HAD A LITTLE LAMB”. Public demonstrations of the phonograph made the Yankee inventor world famous, and he was dubbed the “Wizard of Menlo Park.”” For any audiophile, the phonograph was one of the greatest inventions of all-time.

I thought about Edison and the evolution of his invention in the context of how the audit requirement has been viewed under the Foreign Corrupt Practices Act (FCPA). In my last corporate position, my company was at the cutting edge because we required compliance related audits for vendors in the supply chain. This was cutting edge in 2007-08. However, an audit for adherence to FCPA compliance requirements has now become a standard best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA) and, in last year’s FCPA Guidance, the Department of Justice (DOJ) made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of the agents, business partners and suppliers or contractors to ensure compliance with the foregoing. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I thought this might be a good time to review some of the items you should consider in this area.

I. Right to Audit

At the outset it should be noted that a company must obtain the right to audit for FCPA compliance in its contract with any third party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following:

The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

a. the effectiveness of existing compliance programs and codes of conduct;

b. the origin and legitimacy of any funds paid to Company;

c. its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;

d. all disbursements made for or on behalf of Company; and

e. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

II. Structure of the Audit

In the December 2010 issue of the Industrial Engineer Magazine, authors Aldowaisan and Ashkanai discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of an FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. In a webinar hosted by Securities Docket, entitled “Follow the Money: Using Technology to Find Fraud or Defend Financial Investigations”, noted fraud examiner Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data.

There is no one specific list of transactions or other items which should be audited; however, audit best practices would suggest the following:

  • Review of contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer, to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks, and what has been the result of any risks so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

III. Conclusion

As noted, the above list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties (SODs). Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit, and a thorough and complete work plan should be created based upon all these professional inputs. At the conclusion of an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the FCPA compliance program and recommendations for improvements. Any reported incidents of non-compliance should reference the basis of the finding, such as contractual clauses, legal requirements or company policies.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

October 31, 2013

It’s the Great Pumpkin: Lessons in Process Validation and Oversight

Today is Halloween and we celebrate the greatest Halloween cartoon in the history of the world, ever, “It’s the Great Pumpkin, Charlie Brown”, which premiered in 1966. As usual, the story revolves around the Peanuts gang, who are preparing for Halloween. Linus writes his annual letter to the Great Pumpkin, despite Charlie Brown’s disbelief, Snoopy’s laughter, Patty’s assurance that the Great Pumpkin is a fake, and even his own sister Lucy’s violent threat to make her brother stop. On Halloween night, the gang goes trick-or-treating. On the way, they stop at the pumpkin patch to ridicule Linus for missing the festivities, just as he has done every year. Undeterred, Linus is convinced that the Great Pumpkin will come, and even persuades Charlie Brown’s little sister, Sally, to remain with him to wait. At 4:00 AM the next morning, Lucy wakes up and notices that Linus is not in his bed. She finds her brother asleep in the pumpkin patch, shivering. She brings him home and puts him to bed. Later, Charlie Brown and Linus are at a rock wall, commiserating about the previous night’s disappointments. Although Charlie Brown attempts to console his friend, admitting that he himself has done stupid things in his life also, Linus angrily vows to him that the Great Pumpkin will come to the pumpkin patch next year.

The compliance lesson from Linus’ adventure is process validation. Unlike Santa Claus, about whom we have been repeatedly told “Yes, Virginia, there is a Santa Claus”, there has been no process validation for the Great Pumpkin. Linus faints when he thinks he sees the Great Pumpkin rising from his pumpkin patch; unfortunately it is only Snoopy. In the compliance world, process validation comes through oversight. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing your compliance program and detecting problems in real time, and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

Finally, as was emphasized again with last year’s Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols:

(a) On-site visits by an FCPA [Foreign Corrupt Practices Act] review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training;

(b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market;

(c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and

(d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

I hope that you have the chance to watch It’s the Great Pumpkin, Charlie Brown again this year. I did. When you watch, think about the compliance implications. Will anyone ever set a ‘second set of eyes’ on the Great Pumpkin? If not, will it ever be validated? I hope that if you are trick-or-treating tonight, you will be safe and dry.


© Thomas R. Fox, 2013

August 16, 2013

Where’s The Ball? Lesson for the Compliance Practitioner in China

Where’s the ball? That iconic question was asked by Oakland A’s center fielder Chris Young to Houston Astro left fielder Robbie Grossman near second base late Wednesday night, as Grossman was returning to the dugout after robbing Young of a game-winning walk-off home run by literally catching Young’s shot after it was over the left field fence. Grossman obliged Young as he passed second base, opening up his glove with a big grin on his face, to show that he did indeed have the ball. (For a clip of Young’s shot and Grossman’s catch, click here. Young’s question “Where’s the ball?” is at the 23 second mark.)

I thought about that question when I read an article in the Financial Times (FT), entitled “China drug bribe probes broaden”, where reporters Patti Waldmeir, Jamil Anderlini and Andrew Jack wrote that Chinese authorities are widening their probe of western pharmaceutical companies. In one example cited it was stated that the government of Shanghai “told hospitals to look for corruption in the purchasing and prescribing of drugs, as well as in clinical trials conducted with hospital participation.” This broadening also included investigations of doctors. Separately the State Administration for Industry and Commerce announced that it would investigate “bribery, fraud and anti-competitive practices in a range of industries that touch the lives of consumers, from drugs and medical services to school admissions.”

Whether the focus on corruption by western companies is based on politics, nationalism, the rising cost of domestic drugs or any other reason really does not matter. However, it could mean that in addition to investigation and potential enforcement by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC), the Chinese themselves may take up the task. If that is the case, there will most probably be cooperation between the various investigative agencies involved. All of that means more pain for the companies involved.

Over the past couple of days Mike Volkov has provided information to the compliance practitioner to assist in this new world order in China. In a blog post, entitled “China and Compliance Solutions: Choking Off the Money Supply” and a webinar, entitled “How to Avoid Corruption Risks in China”, Volkov gave some specific suggestions for the compliance professional to utilize in the current enforcement environment in China. In his webinar, he said that western companies operating in China need to understand that the cost of compliance will exceed that in other countries. While there is certainly an upside in revenues from China business, it also involves greater compliance costs and risks. Companies need to construct enhanced compliance controls and implement aggressive monitoring programs, demand adherence to strict documentation policies and integrate non-Chinese controls and personnel into China operations to supervise and monitor the local operations.

Volkov identified third party risks as the greatest risk because a company has far less ability to control money flowing out through third parties than it has over its own spending. Some of the key questions that need to be explored in the due diligence process include: what specific services will the third parties be used for, and have you verified that the potential agent can deliver those services? You need to confirm that there is no relationship between your Chinese employees and the third party. You also need to inquire about how the third party came to the company’s attention. So, for instance, does it have an internal sponsor in your company? Volkov notes that not only must audit rights be secured by western companies; they need to exercise those rights. Lastly, he advises that any unjustified expenditures have to be aggressively pursued both through the audit process and into the investigative process, if needed.

Volkov believes that a key control involves focusing on internal expenditure. Unfortunately, he notes that external auditors often rely on Chinese affiliates, who he believes are “notorious for bending to company resistance to auditing standards and inquiries.” Therefore companies need to require their external auditors to install quality controls. Companies should also demand strict adherence to auditing standards. He suggests that there should be both forensic auditing and transaction testing to review individual receipts and transactions. Lastly, he suggests that money should only be doled out through strict supervision by a non-Chinese controller.

In his blog post, Volkov drills down into some specific protections that a company can take to control its cash outlays in China to try and prevent some of the more well-known bribery schemes. He believes that “The strategy for compliance is then to focus on access to the money which the bribe payor needs to complete the bribe. Resources and controls need to be allocated and designed based on this analysis and focus.” He provides two scenarios where bribery and corruption can occur and two possible strategies to combat such actions.

In the first scenario, a company employee obtains company money by fraud and then pays a government official. Under this scenario, a company employee uses a fake invoice, since an invoice is typically required in China to satisfy tax authorities. The fake invoice, which may involve another party as the recipient of the payment, is a means by which to “steal” the money from the company and use it for an improper purpose. This was the bribery scheme used by Eli Lilly’s employees in China, where employees submitted false expense accounts and used the difference to fund their bribery scheme.

Volkov’s prescription for this is that the company’s compliance function must ensure that internal financial controls are scrupulously followed, so that any potential fake invoice is identified in advance. He believes that such rules must be enforced whether the offender is an ex-pat or a local employee, although he acknowledges this can be debated and the outcome will depend on the person and the specific situation facing the company. The reason would seem rather self-evident: if no one is watching the invoicing process, verifying the accuracy of the invoice and ensuring that the payment is justified, money will slip out from the company for bribes. But, then again, maybe not, given the paucity of Foreign Corrupt Practices Act (FCPA) enforcement actions in China. This means the focus of internal controls should include not only fake invoices but systems, procedures and forms to ensure that only approved and appropriate payments are made.

Under his second scenario, Volkov cites the situation where a company employee enlists the assistance of an agent to make direct payments to a foreign official to ensure that the government official purchases the company’s product or service. The company employee knows that the third party is used (or will be used) for legitimate and improper payments. The company employee knows that some of the invoices submitted by the third party are for legitimate services and some are for non-existent services and used to finance bribe payments. Sounds sort of like GlaxoSmithKline PLC’s (GSK) China operation to me.

To help counteract this second bribery and corruption scenario, Volkov recommends that a “China-focused compliance strategy to reduce illegal money flows through third parties requires enhanced resources and controls to conduct due diligence, monitoring of money payments, justification for every payment, and enhanced monitoring elements. Each payment has to be fully justified, documented and corroborated. Monitoring techniques have to include detailed transaction testing and in-depth compliance and financial audits.” He once again cautions that the objective is to concentrate compliance on the movement of each dollar, confirm its legitimacy, and look for any signs of potential funding of bribery through the third party.

We started out with the question of “Where’s the Ball?” Just as Chris Young thought it was prudent to verify that the Astros outfielder had indeed caught his near game-winning, walk-off home run, you need to be prepared to ask some direct questions in your Chinese operations. If you do not see the ball or you do not get direct answers, my suggestion is that you gear up and get some people in place who can do so. Otherwise you might end up like our friends at GSK.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

August 13, 2013

GSK and Missed Red Flags in China

One of the questions that GlaxoSmithKline PLC (GSK) will have to face during the next few years of bribery and corruption investigations is how an allegedly massive bribery and corruption scheme could occur in its Chinese operations. The numbers thrown around have been upwards of $USD500MM. It is not as if the Chinese medical market is not well known for its propensity towards corruption, as prosecutions under the Foreign Corrupt Practices Act (FCPA) are littered with the names of US companies which came to corruption grief in China. GSK itself seemed to be aware of the corruption risks in China. In a Reuters article, entitled “How GlaxoSmithKline missed red flags in China”, Ben Hirschler reported that the company had “more compliance officers in China than in any country bar the United States”. Further, the company conducted “up to 20 internal audits in China a year, including an extensive 4-month probe earlier in 2013.” GSK even had PricewaterhouseCoopers LLP (PwC) as its outside auditor in China. Nevertheless, he noted that “GSK bosses were blindsided by police allegations of massive corruption involving travel agencies used to funnel bribes to doctors and officials.”

Types of Bribery Schemes

The types of bribery schemes in China are also well known. In a Financial Times (FT) article, entitled “Bribery built into the fabric of Chinese healthcare system”, reporters Jamil Anderlini and Tom Mitchell wrote about the ‘nuts and bolts’ of how bribery occurs in the health care industry in China. They open their article by noting that the practice of bribing “doctors, hospital administrators and health officials is rampant.” They quoted an un-named senior health official in Beijing for the following, “All foreign and domestic pharmaceuticals operating in China are equally corrupt”. The authors also quoted Shaun Rein, a Shanghai-based consultant and author of “The End of Cheap China” for the following, “This is a systemic problem and foreign pharmaceutical companies are in a conundrum. If they want to grow in China they have to give bribes. It’s not a choice because officials in health ministry, hospital administrators and doctors demand it.”

Their article included a diagram which visually represented two methods used to pay bribes in China, which were designated the Direct incentives and Indirect incentives methods. Whichever method is used, the goal is the same – to boost sales.

In the Direct incentives method, a third party representative of a company would provide cash to the department head of a clinic or hospital. The department head would in turn pay it to the physicians to encourage them to prescribe the company’s medical products. But a third party representative could also contact a physician directly and reward them with “gifts such as storecards, vouchers and travel” expenses. Other direct methods might include the opening of bank accounts or charge accounts at luxury goods stores, after which the company would hand “the debit card or VIP card directly to the recipient.”

The FT noted that the Indirect incentives method tended to be “used by larger pharmaceutical groups with stricter governance procedures.” Under this bribery scheme there were two recognized manners to get benefits into the hands of prescribing physicians. The first is to have cash incentives paid to a third party representative, such as a travel agency, which would then “pass on some of these rewards to the physician directly.” Another method was for the company itself to make a “lump sum sponsorship paid to hospitals”. The hospitals would then distribute perks “to the doctors as a monthly or annual bonus.” Another indirect method noted was that companies might organize overseas conferences and site visits, which might “include free first class travel and five-star accommodation.”

Anderlini and Mitchell reported that “The 2012 annual reports of half a dozen listed Chinese pharmaceutical companies reveal the companies paid out enormous sums in “sales expenses”, including travel costs and fees for sales meetings, marketing “business development” and “other expenses”. Most of the largest expenses were “travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned last year.” They cited the example of Guizhou Yibai Pharmaceutical Co Ltd which earned a net profit last year of Rmb333.3m. However its “sales expenses came to a total of Rmb1.25bn, including meetings expenses of more than Rmb295m and wages of just Rmb88m.” Indeed the “largest expense for the company’s sales team of 2,318 people was Rmb404m spent on travel, for an average of more than Rmb174,000 per sales representative for the year. That is roughly what it would cost every single sales representative to fly 10 times a month between Beijing and Guiyang, where the company is based.”

Auditing Responses – Missed Red Flags?

But what should GSK have done if such expenses were kept ‘off the books’? Hirschler, in his Reuters article, quoted one un-named source for the following: “You’d look at invoices and expenses, and it would all look legitimate,” said a senior executive at one top accountancy firm. “The problem with fraud – if it is good fraud – is it is well hidden, and when there is collusion high up then it is very difficult to detect.” However, Jeremy Gordon, director of China Business Services, was quoted as saying “There is a disconnect between the global decision makers and the guys running things on the ground. It’s about initially identifying red flags and then searching for specifics.”

There are legitimate reasons to hold Continuing Medical Conferences (CME), such as to make physicians aware of the latest products and advances in medicine. However, this legitimate purpose can easily be corrupted. Hirschler quoted Paul Gillis, author of the China Accounting Blog, for the following: “Travel agencies are used like ATMs in China to distribute out illegal payments. Any company that does not have their internal audit department all over travel agency spending is negligent.” Based on this, GSK should have looked more closely at marketing expenses and, more particularly, the monies spent on travel agencies. Hirschler wrote, “They [un-named auditing experts] say that one red flag was the number of checks being written to travel agencies for sending doctors to medical conferences, although this may have been blurred by the fact that CME accounts for a huge part of drug industry marketing.”

One other issue might be materiality. If GSK’s internal auditors had not been trained that there is no materiality standard under the FCPA, they may simply have skipped past a large number of payments that fell below the threshold at which the company’s governance procedure required elevated review of expenses. Further, if more than one auditor was involved with more than one travel agency, they may not have been able to connect the dots regarding the totality of payments made to any one travel agency.
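The two gaps just described, sub-threshold payments that never reach elevated review and payments to one agency split across several auditors, are both closed by the same control: roll the ledger up per vendor before applying any threshold. The following is an added example, not code from the post or from GSK; the ledger, the vendor names, the auditor labels and the 10,000 review threshold are all constructed for illustration.

```python
"""Connect the dots on sub-threshold payments to one vendor.

Added example (not from the post): a constructed payment ledger, a per-vendor
roll-up that ignores the per-invoice review threshold, and a flag for vendors
whose invoices all stay under the threshold individually while the total does not.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample ledger: each row is one invoice paid to a travel agency,
# recorded by whichever auditor reviewed that business unit. The same agency
# appears under slightly different spellings, as it often does in real ledgers.
PAYMENTS = [
    {"vendor": "Shanghai Sunrise Travel Co.", "amount": 9_800, "auditor": "A", "unit": "Shanghai"},
    {"vendor": "Shanghai Sunrise Travel Co", "amount": 9_500, "auditor": "B", "unit": "Beijing"},
    {"vendor": "SHANGHAI SUNRISE TRAVEL CO.", "amount": 9_900, "auditor": "A", "unit": "Shanghai"},
    {"vendor": "Shanghai Sunrise Travel Co.", "amount": 9_700, "auditor": "C", "unit": "Guangzhou"},
    {"vendor": "Blue Ocean Conferences Ltd", "amount": 42_000, "auditor": "B", "unit": "Beijing"},
    {"vendor": "Blue Ocean Conferences Ltd", "amount": 3_000, "auditor": "B", "unit": "Beijing"},
    {"vendor": "Guangzhou Meeting Services", "amount": 2_000, "auditor": "C", "unit": "Guangzhou"},
]

# Assumed policy value: a single invoice at or above this amount gets elevated review.
REVIEW_THRESHOLD = 10_000


def normalize_vendor(name: str) -> str:
    """Collapse case, punctuation and spacing so one agency rolls up under one key."""
    name = name.lower()
    name = re.sub(r"[^\w\s]", "", name)
    return re.sub(r"\s+", " ", name).strip()


@dataclass
class VendorRollup:
    total: int = 0
    count: int = 0
    below_threshold: int = 0
    auditors: set = field(default_factory=set)
    units: set = field(default_factory=set)


def roll_up(payments, threshold=REVIEW_THRESHOLD):
    """Aggregate every payment per normalized vendor, across auditors and units."""
    rollup = defaultdict(VendorRollup)
    for p in payments:
        r = rollup[normalize_vendor(p["vendor"])]
        r.total += p["amount"]
        r.count += 1
        if p["amount"] < threshold:
            r.below_threshold += 1
        r.auditors.add(p["auditor"])
        r.units.add(p["unit"])
    return dict(rollup)


def flag_vendors(payments, threshold=REVIEW_THRESHOLD):
    """Vendors whose every invoice escaped elevated review on its own but whose
    aggregate would not have. Returns (vendor, total, invoice count, auditor count)."""
    flagged = []
    for vendor, r in roll_up(payments, threshold).items():
        if r.below_threshold == r.count and r.total >= threshold:
            flagged.append((vendor, r.total, r.count, len(r.auditors)))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for vendor, total, count, auditors in flag_vendors(PAYMENTS):
        print(f"{vendor}: {count} invoices, {auditors} auditors, total {total}")
```

Only the Shanghai agency is flagged: four invoices, each under the threshold, seen by three different auditors, totalling 38,900. The conference vendor is not flagged because its large invoice already went through elevated review on its own. The normalization step matters as much as the arithmetic; without it the three spellings of the same agency would be three small vendors.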

What about the external auditors, PwC? Francine McKenna, who writes and speaks extensively on all things related to Big 4 auditing, wrote last year, in a blog post entitled “What The SEC And PCAOB Fail To Acknowledge About Chinese Fraud”, that Pam Chepiga, of Allen & Overy LLP, in 2012, “told the audience that FCPA investigations in China are difficult because, “you can’t take the documents out of the country.”” After her panel, Chepiga told McKenna “that not only does China restrict the dissemination of documents outside of China, but internal investigations by multinationals must be done by Chinese lawyers with support from the Chinese accounting firms. Given the experience that the SEC is having with Deloitte, it seems, “previous cooperation agreements are not in force”. The SEC would have a hard time going over and investigating a fraud or FCPA violation by the Chinese arm of a US based company”. So things may not have been any easier for PwC. However, the recent agreement between the Securities and Exchange Commission (SEC) and the Chinese Securities Regulatory Commission, which will allow the SEC some access to the audit work papers of Chinese companies listed in the US, may influence this issue.

Ongoing Monitoring

Another response that GSK could have implemented was to engage in greater ongoing monitoring. In the Texas Law, Out of Order column, entitled “5 Tips for Avoiding Email Compliance Traps”, Alexandra Wrage, President of TRACE International, reported that “Internal Glaxo documents and emails reviewed by The Wall Street Journal show Glaxo’s China sales staff was apparently instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. In the personal emails, sales staff discuss rewarding doctors for prescribing Botox with cash payments, credits that could be used to meet medical education requirements and other rewards.”

Wrage uses the GSK matter as a jumping off point “For companies wanting to get a handle on the compliance risks they face through email (mis)uses and other forms of technology”. She gives five tips to avoid email compliance traps: (1) Encourage communication between compliance and IT departments. (2) Map out your universe of data. (3) Know your obligations, then develop an established set of policies and procedures around them. (4) Train employees to speak up about the new uses in technology. (5) Stress-test your program.

Remember, with the technology available to companies today, it is possible for companies to determine whether employees are accessing personal email accounts from business computers. To Wrage’s list I would add one other point, and that is to call Eddie Cogan at Catelas Software. Relationship monitoring is what they do and they can help you out immediately.

June 14, 2013

Lunch with the FCPA Compliance & Ethics Blog – Phil Wedemeyer and the Audit Perspective in Compliance

One of my weekend reading pleasures is the Saturday section in the Financial Times (FT) entitled “Lunch with the FT”. Each week, this column features an interview with a leading cultural or business figure. In addition to an excellent interview with a fascinating person, the column discusses the food served and lists the prices of all items purchased. The column is so smartly done that even the Men In Blazers talk about it in their weekly podcasts on all things soccer.

Since imitation is the most sincere form of flattery, today I will inaugurate a “Lunch with the FCPA Compliance and Ethics Blog” series of posts. While it will not be a weekly feature, nor will I detail the costs of lunch, I will commit to you that the cost will be in line with that of a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program business entertainment lunch. My inaugural guest is Phil Wedemeyer, who is a retired partner of a Big Five accounting firm (when there was a Big 5) and the former Director of the Office of Research and Analysis at the Public Company Accounting Oversight Board, and who currently sits on the Board of Directors of two corporations: one public, where Phil is the Chairman of the Audit Committee, and one private. As you might guess from someone with such a professional background, Phil tends to view things through the prism of an audit perspective.

This week Phil and I sat down for a couple of Houston’s finest cheeseburgers to catch up. Phil asked me what might be happening on the FCPA front and I told him that I thought the news about the National Security Agency (NSA) information collection programs was going to make the job of the compliance practitioner more difficult. Many of America’s allies are up in arms over not only the collection of information but the revelation that such collected information can be used in monitoring FCPA compliance across the globe. I think this will mean that companies will face stricter data privacy laws and have more difficulty not only getting information out of foreign countries and into the US for evaluation but even in collecting certain types of data and information.

Great Board Oversight Required?

Phil had another take on it, which I found equally interesting. He questioned whether this information about the US government could put an additional burden not only on the compliance practitioner but on a board of directors. When I asked him what he meant by this, he questioned whether, if a company had reliable information that the US government was employing oversight techniques to search for evidence of bribery and corruption (or non-compliance with other laws or regulations) beyond the more traditional law enforcement techniques (e.g., whistleblowers, self-disclosure and competitor reporting), this should cause that company to increase its oversight of compliance with the FCPA. In particular, more comprehensive government monitoring activity could increase the chances of discovery of illegal activities at lower levels of the company, activity that whistleblower procedures are primarily designed to surface and that may not always be known to upper level management. Further, if so, would this change in risk put a director on notice that they need to perform additional oversight of the compliance function?

Transaction Analysis

Phil also inquired about any trends that I might have seen over the past six to 12 months on FCPA enforcement. I told him that one of the things I have seen is the introduction of transaction monitoring, beginning with the Morgan Stanley declination. I then discussed the Eli Lilly enforcement action and particularly the bribery scheme used in Poland where charitable contributions were made to a charity run by the head of a provincial health service. This led to sales spiking in that province rather dramatically. These cases, and some others, have led me to advocate that companies engage in transaction monitoring from the compliance perspective to identify any anomalies.

Phil’s observation here was once again based on his auditing background. He said that, in considering variations in operating results as a director, he asks two questions of management: What happened and how do you know? In answering these questions, it is clearly important that management understands the business cause of significant sales increases and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. Phil thought analysis of variations needs to occur at the level at which the sales increase was material. As an example, he conjectured that, in the Lilly scenario, such a sales spike would likely not be material to the company’s consolidated financial statements or, for that matter, to the European business unit. However, such a sales increase would most probably be material for the country of Poland and certainly for the province in which the sales increase occurred.

Once the material level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on business entertainment or other specific categories; were charitable donations made to any non-core business charities; and other questions might help to get at the true underlying reason for a sales spike. Further, a company should review its findings in subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods? The answer to such a question might identify red flags indicating the need for further review.
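Phil’s two points in the preceding paragraphs, that a spike has to be examined at the level at which it is material and that the explanation has to be re-checked in later periods, translate directly into a monitoring routine. The following is an added example, not code from the post or from Phil Wedemeyer; the sales figures, the consolidated/region/country/province hierarchy, the 5% materiality bar and the three quarters are all constructed to reproduce the Poland scenario he described.

```python
"""Find the level at which a sales spike is material, then check that it persists.

Added example (not from the post): constructed sales figures for a hierarchy of
consolidated -> region -> country -> province, a period-over-period variance
computed at every level, and a sustainment check against a later period.
"""
from collections import defaultdict

# Constructed sample: (period, region, country, province, sales).
SALES = [
    ("Q1", "Europe", "Germany", "Bavaria", 1000),
    ("Q1", "Europe", "Germany", "Hesse", 1000),
    ("Q1", "Europe", "Poland", "Mazovia", 100),
    ("Q1", "Europe", "Poland", "Silesia", 100),
    ("Q1", "Americas", "US", "Texas", 3000),
    ("Q2", "Europe", "Germany", "Bavaria", 1000),
    ("Q2", "Europe", "Germany", "Hesse", 1000),
    ("Q2", "Europe", "Poland", "Mazovia", 180),   # the spike: +80% in one province
    ("Q2", "Europe", "Poland", "Silesia", 100),
    ("Q2", "Americas", "US", "Texas", 3000),
    ("Q3", "Europe", "Germany", "Bavaria", 1000),
    ("Q3", "Europe", "Germany", "Hesse", 1000),
    ("Q3", "Europe", "Poland", "Mazovia", 110),   # spike not sustained
    ("Q3", "Europe", "Poland", "Silesia", 100),
    ("Q3", "Americas", "US", "Texas", 3000),
]


def totals_by_level(records):
    """Sum sales per period at every level of the hierarchy.

    The empty path () is the consolidated total, ("Europe",) a region,
    ("Europe", "Poland") a country and ("Europe", "Poland", "Mazovia") a province.
    """
    totals = defaultdict(float)
    for period, region, country, province, amount in records:
        path = (region, country, province)
        for depth in range(len(path) + 1):
            totals[(period, path[:depth])] += amount
    return totals


def variance(totals, path, prev, cur):
    """Fractional change between two periods at one level; None if no baseline."""
    before = totals.get((prev, path), 0.0)
    after = totals.get((cur, path), 0.0)
    if before == 0:
        return None
    return (after - before) / before


def material_levels(records, prev, cur, materiality=0.05):
    """Every level, broadest first, whose change meets the materiality bar.

    Returns [(path, fractional_change)], so the first entry is the highest
    level at which the variance is material and questions should be asked.
    """
    totals = totals_by_level(records)
    paths = {path for (period, path) in totals if period == cur}
    hits = []
    for path in sorted(paths, key=len):
        pct = variance(totals, path, prev, cur)
        if pct is not None and abs(pct) >= materiality:
            hits.append((path, round(pct, 3)))
    return hits


def sustained(records, path, baseline, spike, later, tolerance=0.5):
    """True if at least `tolerance` of the gain over the baseline is still there in `later`."""
    totals = totals_by_level(records)
    base = totals[(baseline, path)]
    gain = totals[(spike, path)] - base
    if gain <= 0:
        return False
    return (totals[(later, path)] - base) >= tolerance * gain


if __name__ == "__main__":
    for path, pct in material_levels(SALES, "Q1", "Q2"):
        print(f"{' / '.join(path) or 'consolidated'}: {pct:+.1%}")
    print("sustained in Q3:", sustained(SALES, ("Europe", "Poland", "Mazovia"), "Q1", "Q2", "Q3"))
```

On the constructed figures the spike is invisible at the consolidated level (+1.5%) and at the European level (+3.6%), material for Poland (+40%) and very material for Mazovia (+80%), which is exactly where the “what happened and how do you know” questions belong. The Q3 check then shows the gain evaporating, which is the follow-up red flag the paragraph describes.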

One of the key things that I learned from my lunch is the need for the compliance practitioner to talk to other, non-compliance professionals to get their perspectives on how they view issues. So, just as I had lunch with Phil Wedemeyer, you could take out the head of your internal audit group for a lunch and chat; or HR; or IT. The list of possibilities is lengthy. I hope that you have enjoyed my inaugural Lunch with the FCPA Compliance and Ethics Blog as much as I have enjoyed bringing it to you.

———————————————————————————————————————————————————————-

I will be discussing transaction monitoring on a free Webinar entitled, “A Winning Strategy for Automating FCPA Compliance” hosted by SAP, next Wednesday, June 19 at 2 PM EDT. For registration and information, click here.

———————————————————————————————————————————————————————-

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in the June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google had a system designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see if other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and ‘Buy Now’ button were added back into the site, all with the assistance of the Google sale representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net, the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.” Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site, in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was that, in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote him directly, Peter Neronha, the US Assistant District Attorney who headed the investigation and enforcement action, was quoted as telling the Wall Street Journal (WSJ) that the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to be a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.
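The three monitoring mechanisms in this lesson (a rejected name that reappears, an owner who shows up behind another company, and reps whose approvals keep following rejections) can be built on one idea: link every application by several identity keys, not just the exact business name. The following is an added example, not code from the post, from Wired or from Google; the onboarding log, the business and owner names, the domains and the rep labels are all constructed.

```python
"""Catch a rejected applicant that comes back under a tweaked name or via another rep.

Added example (not from the post): a constructed onboarding log and a cross-check
that links applications by normalized business name, registered owner and site
domain, so an approval that matches an earlier rejection is flagged and the reps
who pushed such approvals through are counted.
"""
from collections import defaultdict
import re

# Constructed onboarding log, in time order. Every value here is made up.
APPLICATIONS = [
    {"id": 1, "name": "Apex Peptide Direct", "owner": "J. Doe", "domain": "apexpeptide.example", "rep": "rep_1", "status": "rejected"},
    {"id": 2, "name": "A.P. Direct", "owner": "J. Doe", "domain": "apexpeptide.example", "rep": "rep_1", "status": "approved"},
    {"id": 3, "name": "Northwind Wellness", "owner": "J. Doe", "domain": "northwindwellness.example", "rep": "rep_2", "status": "approved"},
    {"id": 4, "name": "Fresh Bakery LLC", "owner": "A. Baker", "domain": "freshbakery.example", "rep": "rep_2", "status": "approved"},
    {"id": 5, "name": "Fresh Bakery", "owner": "A. Baker", "domain": "freshbakery.example", "rep": "rep_3", "status": "approved"},
]


def normalize(text):
    """Lower-case and strip everything but letters and digits so 'A.P. Direct' and
    'AP Direct' compare equal; a renamed site still has to change owner and domain."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def link_keys(app):
    """Identity keys that tie applications together across a name tweak."""
    return {
        ("name", normalize(app["name"])),
        ("owner", normalize(app["owner"])),
        ("domain", app["domain"].lower()),
    }


def reapproval_alerts(apps):
    """Walk the log in order and flag every approval that shares at least one
    identity key with an earlier rejection. Each alert records which keys matched
    and which rejected application they point back to."""
    rejected_by_key = defaultdict(list)  # identity key -> ids of rejected applications
    alerts = []
    for app in apps:
        keys = link_keys(app)
        if app["status"] == "rejected":
            for k in keys:
                rejected_by_key[k].append(app["id"])
            continue
        matches = sorted({(k[0], rid) for k in keys for rid in rejected_by_key.get(k, [])})
        if matches:
            alerts.append({"id": app["id"], "rep": app["rep"], "matched": matches})
    return alerts


def approvals_after_rejection_per_rep(apps):
    """How many flagged approvals each rep put through; a high count is the
    'rep manipulating the system' signal, not proof of it."""
    counts = defaultdict(int)
    for alert in reapproval_alerts(apps):
        counts[alert["rep"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in reapproval_alerts(APPLICATIONS):
        print(f"application {alert['id']} approved by {alert['rep']} matches rejection on {alert['matched']}")
    print(approvals_after_rejection_per_rep(APPLICATIONS))
```

Application 2 is flagged because, although the name changed, the domain and owner still point at rejected application 1; application 3 is flagged on the owner alone. The bakery pair is not flagged because nothing in its history was ever rejected, so a simple "same name appeared twice" rule would have produced noise there and missed the real case. In practice the rejected-key index would be persisted and the name normalization would be stronger, but the shape of the check is the same.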

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.
