FCPA Compliance and Ethics Blog

May 2, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. Many resources already exist inside your organization, and if you are in the position where you must use internal rather than external resources, this post details some of the functions you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or, even worse, your own propaganda. Simply because a Country Manager says something is true does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

  1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
  2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
  3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at, or touches, every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR is often on the front line for hotline intake and responses. These initial responses may include triage of the complaint and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work, and even be legally mandated, in Texas may not work in other areas of the globe; such advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document, Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback on new policies to let you know if they do not make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often overlooked function, but it facilitates local coordination, which is always easier than coordinating from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

November 30, 2011

Controls to Prevent Violations of Anti-Bribery Laws

Ed. Note-I recently asked my colleague Henry Mixon CPA, if he could explain the differences between internal controls required under financial regulations such as Sarbanes-Oxley and internal controls required under anti-corruption laws such as the Foreign Corrupt Practices Act. The following is his explanation.

Relying on Sarbanes-Oxley (SOX) and independent audits presents significant risk of internal controls not being effective to comply with anti-bribery laws. Company management often believes that, because they have independent auditors and because they are SOX compliant, they don’t need any additional focus regarding compliance with anti-bribery laws. While independent audits and procedures required for SOX are useful, there are several reasons why focused attention needs to be paid to certain internal control objectives in order to have an effective anti-bribery compliance program.

1. The overriding concept is that effective internal controls do not automatically follow when Policy Statements are issued. Training employees regarding new policy requirements and obtaining their certification of understanding does not ensure compliance. A specific focus is needed to ensure there are control procedures in place to ensure compliance with the policies.

2. SOX controls are, by definition, focused on financial reporting. They do not address many transaction level controls needed to prevent violations of Anti-Bribery laws. Based on my experience assisting clients to remediate internal controls to satisfy an independent monitor and the Department of Justice (DOJ), I have compiled a list of controls which should be considered on a risk basis to determine effective controls needed to prevent violations. Shown below are only a few of the control objectives which are needed in an effective Compliance Program which, for materiality or other reasons, are typically not in SOX (or independent audit) scope:

a. Controls to prevent payment of bribes using cash (petty cash funds and otherwise) and using manual checks to meet “emergency needs” processed outside the normal invoice approval system. A Corporate review of such transactions after the fact is not a sufficient control. (In each Independent Monitor situation, there was a substantial focus on risks associated with petty cash funds and manual checks.)

b. Because bribes can be given by methods other than cash, controls over contractual relationships with third parties should be scrutinized. This includes contracts with agents, contracts to lease facilities / equipment, etc. For example, unauthorized use of Company assets / facilities, with or without compensation, can be a means to pay a bribe. Therefore, controls are needed over movement of inventory (such as shipments of inventory to non-customer locations and use of mobile fixed assets). For example: (1) controls are needed to ensure shipments of goods after they have been accepted and paid for result in appropriate compensation to the Company; (2) controls are needed to ensure Company vehicles are not “loaned” to unauthorized persons without adequate compensation to the Company.

c. Controls are needed over gifts, entertainment, hospitality, political contributions, and charitable contributions. For materiality reasons (see below), these controls are typically not included in SOX scope.

d. Enforcement of an effective Delegation of Authority (including the accounting controls for processing / approving vendor invoices, signing checks) is typically not addressed in SOX scope but is a critical control from a Compliance perspective. For example, when dual signatures are required, what is the control to ensure they are obtained? (Banks will pay checks with only one signature, even if two are required.) As another example, controls should be in place to ensure document approvers actually review support for transactions they are approving, and these controls must be evidenced for the Compliance Program to be considered effective.

e. Use of offline processing and maintenance of key information related to vendors and disbursements (such as Excel spreadsheets which can impact payments to vendors or which track entertainment provided to third parties) presents risk. Therefore, controls over the creation and maintenance of spreadsheets which “feed” the financial accounting process require evaluation.

f. Employment of “contract” employees, as well as permanent employees in foreign locations requires controls in the payroll processing to ensure the employees’ status as a current / former Government Official, or as a relative of a Government Official, is identified in pre-hire diligence and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.

g. The controls regarding creation / approval / unauthorized modification of Purchase Orders should be carefully evaluated, not just the focus on the three-way match.

h. Controls should be in place regarding maintenance of the vendor master file to ensure no vendors are paid unless there has been appropriate due diligence performed. Controls should be in place to prevent situations where the vendor has invoiced the company and wants to be paid, but the vendor’s name is not in the vendor master file as an approved vendor. Having controls over changes to the vendor master is more effective than only having a policy that all vendors must be subject to diligence and pre-approval.

i. Having controls to ensure compliance with reimbursement to employees for travel and other business expenses is critical. Requiring a manager to initial an expense report does little to prevent unauthorized activities, unless there is evidence the approver actually looked at the substance of the requested reimbursement.

3. SOX and Generally Accepted Auditing Standards allow a scope definition which eliminates business locations / business units which are considered to be immaterial, as well as eliminating types of transactions / accounts not considered material for financial reporting purposes. Therefore, relying on a SOX-acceptable universe of control assessment based on materiality increases the risk of violations occurring. Many of the instances of prosecution by the DOJ and by the SEC involved business locations considered immaterial for financial reporting (SOX) purposes. The DOJ and the SEC have been very specific that individually immaterial violations over time constitute a violation and that even improper recording of immaterial transactions determined to be bribes violates, respectively, the anti-bribery and Books and Records provisions of the FCPA.

Using a standard other than the traditional financial statement concept of materiality does not necessarily mean controls need to be more extensive. Rather, the controls which are needed for an effective Compliance Program take into account the risk of violation (such as inherent corruption index and the inherent risk of certain types of transactions and business relationships) rather than the number of transactions or cumulative financial totals of transactions. For example, controls in countries with a Corruption Perception Index (CPI) of 3 or less should be robust, regardless of volume of transactions. Doing business with agents and foreign business partners generally presents higher risk than with other third parties. Transactions which may be immaterial for financial reporting purposes (petty cash disbursements, gifts, charitable contributions, etc.) may present significantly higher Compliance risk than their individual financial amounts might indicate.

4. SOX allows a significant portion of controls to be “detect” controls. Anti-bribery laws require a specific focus on “preventive” controls. If improper payments are identified by “detect” controls which review disbursements and asset disposals after the fact, the identification of suspicious transactions only leads to a decision whether to self-report and how extensive (expensive) an internal investigation is needed to determine the company-wide magnitude of the issue. Little has been done to prevent the improper activity. (Accordingly, relying on a SOX approach will not meet the burden of proof necessary to satisfy the “prevent” requirements of the UK Bribery Act.)

5. The SOX approach does not take into account the high evidence standard which comes into play when there is a suspected Compliance violation. Certain types of controls should have more robust documentation from a Compliance perspective than from a “traditional” perspective. The “evidence standard” issue is very significant when third party investigations are at hand. For example, an initial on a document means someone initialed the document. It does not define what the person did before initialing the document or the representations which are being made when the person initials a document. Often such evidence is simply a matter of defining control procedures and of modifying approval blocks on forms.


If you are going to be in Houston on December 7, Mike Volkov, the Bribery Act guys Richard Kovalevsky QC and Barry Vitou, and I will be making their only US appearance this year. Mike and I will review some of the more significant enforcement matters of 2011 and discuss lessons which may be drawn from them. Richard and Barry will discuss the Bribery Act. Best of all, the event is free and CLE will be provided. Event details and registration are found at http://events.r20.constantcontact.com/register/event?llr=myqi4pcab&oeidk=a07e55t5re06e78f1e3. I hope you can make it!


November 28, 2011

The Fight against Shell Corporations in the US

One of the critical areas in due diligence for foreign business partners is determining who are the true owners of an entity. Unfortunately this is not always possible to determine as many countries do not require the names, addresses and other identifying information of shell company owners or limited liability partners. Many people think of the Cayman Islands or other traditional tax havens when such issues arise.

However, a surprising number of allegedly low risk countries also have this problem. New Zealand is generally recognized as one of the lowest risk countries in the annual Transparency International Corruption Perceptions Index; nevertheless, this rating may not be all it seems. In an article by Michael Field on the Stuff.co.nz website, entitled “NZ firms linked to money laundering”, Field reported that one individual was listed as a Director of over 300 New Zealand formed companies. Another person, listed as the Director of the New Zealand Company alleged to have been involved with the shipment of arms to North Korea, was “convicted of 75 breaches of the Companies Act for giving false addresses on registration forms”.

New Zealand is not the only country whose low corruption perception may not be completely accurate. In a Reuters article, entitled “Special Report: A little house of secrets on the Great Plains”, authors Kelly Carr and Brian Grow reported on one house in Cheyenne, Wyoming which the authors claim “serves as a little Cayman Island on the Great Plains” as it is home to the registration of over 2,000 entities. The article claims that Wyoming allows “the real owners of corporations to hide behind “nominee” officers and directors with no direct role in the business, often executives of the mass incorporator.” Carr and Grow also quote Jason Sharman, a professor at Griffith University in Nathan, Australia, who states that “Somalia has slightly higher standards [for business incorporation] than Wyoming and Nevada.”

One of the anomalies in the ongoing HP investigation, for alleged bribery and corruption violations in its German subsidiary, was the German authorities’ investigation of activities in and through the state of Wyoming. The article by Carr and Grow may help explain why the German authorities needed to investigate matters relating to Wyoming where the allegations were that bribes were paid by a HP German subsidiary for a sale into Russia.

However, perhaps there is legislation on the way to close this loophole in the US. In another Reuters article, entitled “House bill targets anonymous shell corporations”, Patrick Temple-West reports on US legislation, introduced in the House of Representatives, which would require stricter disclosure laws. The author notes that “This is at least the third time lawmakers have considered proposals to crack down on shell company incorporation.” The legislation has bipartisan support; the bill was introduced by a Democrat in the House and jointly introduced by a Democrat and a Republican in the Senate. It is reported to have “wide support by law enforcement” and support from the US Departments of Treasury and Justice.

So you ask who would be opposed to bringing the US standards for business incorporation up to those of at least Somalia. Temple-West reports that “Some state government group[s] remain opposed. In the past, resistance has also come from business groups and lawyers.” I am also somewhat chagrined to report that an organization that I belong to, the American Bar Association, has opposed prior legislation to provide greater disclosure for shell companies. However, it is now reported to be “reviewing the latest bills.”

How does all of this relate to due diligence, as the US problem would not seem to impact a company covered by the Foreign Corrupt Practices Act (FCPA)? First of all, a company should know with whom it is doing business, and, more pointedly, a US company which is subject to the UK Bribery Act needs to recognize that any agent, distributor or other type of representative here in the US is a foreign entity under the Bribery Act and needs full due diligence. While the jurisdictional scope of the Bribery Act has yet to be fully fleshed out, such a US company needs to consider its due diligence here in the US and may need to strengthen its investigations and background checks on such parties to comply with the Bribery Act.

© Thomas R. Fox, 2011

August 3, 2011

Identification of Legal and Regulatory Risks: Gap Analysis with the Supply Chain Management Department

Ed. Note-today we are pleased to host our colleague, Mary Shaddock Jones in her continuing series on identification of risk. Today she writes on the Supply Chain.

On July 21st I wrote a blog titled “Identification of Legal and Regulatory Risks: Gap Analysis with the Human Resources Department”. Today I turn my attention to the Supply Chain Management Department. There is no question but that international trade is more prevalent now than ever before. In many industries, international trade is more of a necessity than a luxury. The ability of a company to compete and financially grow in a particular industry may depend upon tailoring a program to buy and sell goods and services from and to companies and consumers in other countries.

There are numerous laws (international, federal, state and local) that employees within the Supply Chain Management (“SCM”) Department are required to comply with in order to perform the responsibilities inherent in their jobs. How does the Compliance Department make certain that the Supply Chain Management Department as a “risk center” and the employees as “risk owners” have a system in place to know, abide by and monitor compliance with the laws under their domain? Here are a few questions that the Compliance Officer may pose to the SCM department in order to perform a gap analysis regarding policies and procedures. (Note: many of the questions listed below are similar, if not identical, to the ones I posed for dealing with the HR department. Obviously, there are overlapping questions, but it is important to document that the question has been asked and answered with all “risk centers”.)

1. Does the SCM department have an inventory of policies, procedures, laws and regulations covering supply chain related matters applicable to the company’s business?

2. If yes, do you have a specified person who is in charge of updating the inventory?

3. If no, what system does the SCM department utilize to ensure that it is aware of the various laws and regulations and has a process to comply with them?

4. What evidence would the SCM department be able to produce to the government to support a finding that the company has a solid compliance program for applicable supply chain laws and regulations?

5. What types of enforcement actions are predominant in the supply chain arena? How does the SCM department track such actions? (e.g. import and export requirements; customs; freight forwarding; port clearances; “deemed exports”; blocked persons; etc.)

6. Are employees within the SCM department specifically trained to understand compliance requirements applicable to the supply chain arena?

7. Does the SCM department provide senior management with periodic updates on the monitoring of results, key risks, and compliance violations within SCM?

8. Has the SCM department established some type of escalation criteria to ensure that high-risk issues are reviewed at the corporate level?

9. Does the SCM department have compliance monitoring standards in place? Does the SCM department perform periodic audits to ensure that the policies and procedures are being complied with?

10. Do any of the following laws impact the SCM department? Foreign Corrupt Practices Act; Embargo; Anti-Boycott; Anti-Money Laundering; Export Administration (such as ITAR, EAR and OFAC, or “deemed exports”); Customs and Import laws?

These are only a few of the questions that you may want to ask to begin the process of assessing what laws and regulations applicable to the Supply Chain Management Department apply to your company. In addition, I am always looking for good resources so that I don’t have to recreate the wheel. Here are a few that I found searching the Internet that may be of assistance in identifying legal and regulatory requirements applicable to the SCM department.

• “Getting the Deal Through Online” http://www.gettingthedealthrough.com/ This website (free for in-house counsel according to the website) provides international guides to law and regulation in 45 practice areas and more than 100 jurisdictions. There are books addressing Public Procurement; Anti-Corruption; Mining; and Oil and Gas Regulation, to name a few. Each book is written in a question and answer format addressing many common issues that arise with the particular topic of the book. Each chapter focuses on one of the various international jurisdictions highlighted.
• Gregory Husisian, Foley & Lardner, LLP, wrote a great article in January 2009, “Coping with U.S. Regulation of International Conduct: Compliance Strategies for the Foreign Corrupt Practices Act, Export Controls, Sanctions, and Anti-Money Laundering Laws and Regulations”.

My final suggestion is to work with the Supply Chain Management Department (and possibly the Audit Department) to have a consolidated “Supply Chain Management Compliance Audit Checklist” that can be used to audit (and document) the company’s SCM Compliance Program.

When in doubt, contact a good attorney both in the U.S. and locally in whatever foreign country you are operating in, and have them review the SCM Compliance Audit Checklist. Enlist their help in keeping you advised of changes in the applicable laws and regulations which apply to the SCM department of your company.

The key to compliance, in my opinion, is having the proper structure to identify the issues, implement policies and procedures to address the issues, audit for compliance and document, document, document.

Mary Shaddock Jones, Attorney at Law can be reached at 1202 Kirkman St. Suite C, Lake Charles, LA 70601 or via email at msjones@msjllc.com or via phone at 337-515-8527.

June 30, 2011

Creating a “Gap” Analysis and Sharing Issues with Management

Our colleague, Michael Potorti, continues his series on risk assessments from a CPA perspective. He has previously provided guest posts on The Auditor’s Role in FCPA and UK Bribery Act Compliance and Performing a Risk Assessment for FCPA and UK Bribery Act Compliance.

A formalized risk assessment should be completed to identify the areas where the Company is exposed under the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act (UKBA). Subsequent to this identification, specific and detailed questions should be asked of relevant risk area management/employees to determine if “Best Practice” controls are in place.

Interviews should be scheduled between responsible parties and an objective interviewer. A tool that can be used by the interviewer to track responses would be a document containing the following:

• Area Being Investigated
• Model Control Description
• Control Risk
• Actual Control
• Individual Responsible
• Deficiencies Identified

The deficiencies identified should be accumulated in a “Gap Analysis” document. This document should contain the following:

• Area Being Investigated
• Description of Deficiency
• Action Plan to Remediate Deficiency
• Individual Responsible
• Action Plan Due Date

The Gap Analysis document can then be used to track the status of deficiencies and as a source to update Executive Management as necessary. It can also expose bottlenecks and identify potential revisions for controls that need additional tailoring to fit in with the Company’s operational environment.

Accumulating deficiencies in this manner keeps all parties up-to-date on remediation progress so overall compliance efforts can move along at an acceptable rate.

Michael Potorti can be reached at mpotorti@mp-audit.com.


Episode 9 of This Week in the FCPA is now up and available for viewing. Check out Howard Sklar and me with our weekly commentary on all things FCPA.

This Week’s Show Notes include the following topics:

1.  Three Articles on FCPA and International Rule of Law issues
2.  Tyson Foods case (one of the three articles)
3.  Private Equity and the UK Bribery Act
4.  Niko Resources
