FCPA Compliance and Ethics Blog

February 23, 2015

Assessing Internal Controls, Part III

Assessing Internal Controls IIn this blog post I conclude my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, (herein ‘the Illustrative Guide’) as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Activities and Information and Communication.

One of the things the Illustrated Guide makes clear is the inter-related nature of internal controls. Simply because there may be a deficiency in one specific Principle or even if controls are not present around such a Principle, a company can consider its overall internal controls to effect the principles. For the compliance practitioner I think this is significant because you may have one Principle present and function in the context of another Principle. An example from the Illustrated Guide is the situation where Principle 8, Assessing Fraud Risk is not present yet if other Principles such as Principle 3 Establishing Structure, Authority and Responsibility and Principle 5, Enforcing Accountability adequately address the issue from a control perspective then a deficiency is handled. At the end of the day, unless a major deficiency is noted, it is up to senior management to assess the “severity of an internal control deficiency or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and the components are operating together, and ultimately in determining the effectiveness of the entity’s system of internal control.” So this would also be true from the compliance internal control perspective.

I.     Control Activity

Under the objective of Control Activity there are three principles which you will need to assess. The three principles are:

Principle 10 states that “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” Your entity must demonstrate that it integrates its compliance function around its risk assessment. You must demonstrate more than simply an ‘out of the box’ compliance solution but that your company has considered specific factors to it, including its relevant business processes, an evaluation of a mix of control activity types and consideration of at what level such compliance controls are applied. Finally there must be evidence that your company has addressed segregation of duties from the compliance perspective.

Principle 11 states that “The organization selects and develops general control activities over technology to support the achievement of the objectives.” Here a company must determine the dependency between the use of technology in business process and technology general controls. Then there must be evidence that it has established relevant technology acquisition, development, and maintenance process control activities over this technology. There must be evidence of the establishment of relevant technology infrastructure control activities and relevant security management process control activities.

Principle 12 states that “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.” This Principle management to put sufficient compliance policies and procedures in place to support the company’s anti-corruption compliance mandates and requires training of employees on these compliance policies and procedures with testing to determine the adequacy of such compliance training. It also requires evidence that sufficient incentives have been put in place for employees to follow the compliance regime with timely discipline administered for those employees who failed to do so. Finally it requires evidence of period re-assessments of the policies and procedures.

II.    Information and Communication 

This objective has three Principles that require assessment. They are (numbers follow the COSO Framework):

Principle 13 states that “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.” This means that from the compliance perspective you must identify information requirements for your compliance program and then capture that data via internal and external sources. If you cannot do so you must explain why you cannot do so. You must process the information and use it in your compliance function going forward and document that use.

Principle 14 states that “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” Under this Principle you must be able to demonstrate that your company communicates compliance internal control information with not only senior management but also appropriate employees and your board of directors. It re-emphasizes the need for separate lines of communications and there is documented consideration to show the reason for selection of the relevant method of communication.

Principle 15 states that “The organization communicates with external parties regarding matters affecting the functioning of internal control.” This Principle relates to your communications to third parties so you will need to demonstrate internal controls around your compliance communications with parties external to your company. You will also be required to show compliance internal controls inbound to your organization from third parties.

III.   Monitoring Activities

The Monitoring Activities objective consists of two principles that require assessment. They are (numbers follow the COSO Framework):

Principle 16 states that an “organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” This requires you to have employees knowledgeable in your business processes who can review it on an ongoing basis. You must show that there is a compliance internal controls which, in an objective manner evaluates rates of compliance changes, with an understanding of the baseline and projected business changes. All of this must be integrated with business processes with appropriate adjustments in scope and frequency.

Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” Under this Principle you must be able to demonstrate that from the compliance perspective your results were assessed, any deficiencies were communicated to the appropriate parties and finally there was corrective action which was appropriately monitored.

I regularly say that the three most important about FCPA compliance is Document Document Document. I believe the COSO 2013 Framework puts that point into practice, particularly with the auditing requirement. As Ron Kral noted in his article, “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answeredyou must “Verify the adequacy of your documentation and alignment of controls to the 17 principles with the external auditors at key junctions and decision points. Also, consider involving your internal audit function in answering this question. Not only do you want assurance that your documentation of control design is adequately aligned, but also that the controls are operating effectively.”

The auditing process should also work to determine not only if your compliance internal controls are are properly designed, operating effectively but also that the five components are operating together. Kral believes that “This is the essence of any sound internal control evaluation. It’s not merely a matter of satisfying documentation and compliance requirements, but rather a matter of protecting the interests of shareholders.” To which I agree. By going through the auditing exercise, you will have created a framework to operate, assess and update your compliance internal controls to meet the ever-evolving nature of FCPA and other anti-corruption compliance programs.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 20, 2015

Assessing Internal Compliance Controls – Part II

Assessing Internal Controls IIn this blog post I continue my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Environment and Risk Assessments.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

I. Control Environment

Under the objective of Control Environment there are five principles which you will need to assess. The five principles are:

  1. The organization demonstrates a commitment to integrity and ethical values. Here you can look to see if there is a training program to help make employees cognizant of the importance of doing business ethically and in compliance with the standard’s of your company’s Code of Conduct. Also is there specific training on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other relevant anti-corruption/anti-bribery legislation which may govern your organization? Next does your company have in place any process to evaluate “individuals against published integrity and ethics policy”? Finally, do you have in place any process to “identify and address deviations in the organization”?
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Under this Principle you must DOCUMENT the active involvement of your company’s Board of Directors. So not only must risk assessments be performed and evaluated by senior management, they must also be evaluated by the Board, separate and apart from senior management. A Board must also document its review of any remediation plans and monitoring activities.
  3. Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibility in pursuit of the objectives. This Principle deals primarily with reporting lines and structures so you will need to consider not only the structure of your business but also whether or not both clear and sufficient reporting lines have been established throughout the company. The next analysis is to move down the chain to see if there definitions and assignments for your compliance function. Lastly you need to assess whether there are sufficient parameters around the responsibilities of the compliance function and if there are limitations which should be addressed.
  4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives. Under this Principle you will need to review the policies and procedures to make sure you have the minimum required under a best practices compliance program and then evaluate and address any shortcomings. This Principle also has a more personnel focus by requiring you to consider whether your organization attracts, develops and retains sufficient compliance personnel and is there an appropriate succession plan in place if someone ‘wins the lottery’ on the way to work.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective. Under this Principle review is required to determine whether the Board established and communicated the mechanisms to hold employees accountable for your compliance internal controls. As suggested in the FCPA Guidance, there should be both a carrot and stick approach, so for the carrot is there some type of Board, senior management or employee compensation based on whether they did their assignments in compliance with your Code of Conduct or are bonuses based strictly on a sales formulation? For the stick, have any employees ever been disciplined under your compliance regimes?

II. Risk Assessment

This objective has four Principles that require assessment. They are (numbers follow the COSO Framework):

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives which include Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives and Compliance Objectives. Here I think the key is the documentation of several different topics and issues relating to your company and how it operations. This means you will need to assess such diverse concepts as what are your senior management’s choices for business and compliance? You will need to consider and assess tolerances for risk as demonstrated by such issues as operations and financial performance goals. Finally, it can be used as a basis for committing of compliance resources going forward.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. This Principle requires you to take a look at not only your compliance organization but also your business structure including entity, subsidiary, division, operating unit, and functional levels. You should assess the involvement of your compliance function at each point identified and the appropriate levels of management therein. Finally, from the compliance perspective, you should attempt to estimate not only the significance of compliance risks identified in the risk assessment but also determine how to respond to such identified compliance risks.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. Bribery and corruption can be categorized as forms of fraud. Rather than being fraud against the company to obtain personal benefits it can be fraud in the form of bribery and corruption of foreign government officials. For the compliance internal control assessment around this Principle I would urge you to ‘follow the money’ in your organization and consider the mechanisms by which employees can generate the funds sufficient to pay bribes. Many of these are simply fraud schemes so you should consider this within the compliance context and assess incentive and pressures on employees to make their numbers or be fired. You should also assess your employees’ attitudes and rationalizations regarding same.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control. This Principle speaks to the need of your organization to maintain personnel competent to use the risk assessment going forward. But it also requires you to assesses changes in the external environment, assess changes in the business model or other significant business changes and, finally, to consider any changes in compliance leadership and how that would impact this Principle.

I often say that good compliance is simply good business. These COSO objectives are not only important from the compliance perspective but they also speak to the issue of overall process in your organization. The more you can burn these activities into the DNA of your company, the better run your organization will be going forward. Auditing against the COSO standards will provide your management with greater information on the health of your organization and satisfy your legal requirements under the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 19, 2015

Assessing Compliance Internal Controls – Part I

Assessing Internal Controls II have recently detailed the COSO 2013 Framework in the context of a best practices compliance regime. However there is one additional step you will need to take after you design and implement your internal controls. That step is that you will need to assess against your internal controls to determine if they are working.

In its Illustrative Guide, the Committee of Sponsoring Organization of the Treadway Organization (COSO), entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements which can only be met through such a structured post. First, each of the five components are present and function. Second, are the five components “operating together in an integrated approach”? Over the next couple of posts I will lay out what COSO itself says about assessing the effectiveness of your internal controls and tie it to your compliance related internal controls.

As the COSO Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies which you may turn up and whether or not there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO Framework does not prescribe “specific controls that must be selected, developed and deployed” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach could be along the following lines. A Principle Evaluation should consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment which would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA Guidance Ten Hallmarks of an Effective Compliance Program, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”

However, if there are no objective criteria, as laid out in the FCPA Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other regulation. With the Illustrative Guide of these Illustrative Tools, COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the Securities and Exchange Commission (SEC) comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. In subsequent blog posts I will take a look at how you might audit your compliance internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 11, 2015

COSO and Internal Controls – Part V

Internal ControlsThis post concludes my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fifth component, Monitoring Activities. In its Executive Summary of the 2013 Framework, COSO said, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and fre­quency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of direc­tors as appropriate.”

However, as with the other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken in singularly. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” I heartily agree with the author when he says that he believes monitoring will take on increased importance. For the Chief Compliance Officer (CCO) or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future. In their Five Principles of an Effective Compliance Program, developed by Paul McNulty and Stephen Martin at the law firm of Baker and McKenzie, they listed oversight as Principle 5, including ongoing monitoring and this is reinforced in the 2013 COSO Framework.

In an article in Corporate Compliance Insights, entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning in order for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles in order to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

The Monitoring Activities objective consists of two principles. They are:

(1) Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”

(2) Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing evaluation

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” This clearly incorporates McNulty and Martin’s dictate that Principle No. 5 consists of not only auditing but ongoing monitoring as well. The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle clearly expects your organization to engage in both types of oversight, monitoring and auditing.

For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated. 

Principle 17 – Communication of internal control deficiencies

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken”. If that does not sound like McNulty Maxim No. 3 What did you do when you found out about it? I do not know what does.

Therefore, under this Principle the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the board or Audit Committee, correct and then monitor the corrective action going forward. Adapting Kral, I would urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”

Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.

This concludes my exploration of COSO and internal compliance controls. While I have cited directly to the language of the COSO 2013 Framework, I hope that you now have a sense of how these concepts directly relate to your company’s compliance program. With the Securities and Exchange Commission’s (SEC) invigorated interest in internal controls, I believe that through adherence to these five objectives and 17 Principles will allow you to not only withstand such government scrutiny but also have a better run organization.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 10, 2015

COSO and Internal Controls – Part IV

Internal ControlsThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fourth component, Information and Communication. In its Executive Summary of the 2013 Framework, COSO said, “Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the orga­nization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant exter­nal information, and it provides information to external parties in response to require­ments and expectations.”

However, as with the other components of the COSO Cube, Information and Communication are not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they have to be communicated downward in the organization and there should be feedback back up the organization regarding this process. Finally, as Rittenberg continues, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

The objective of Information and Communication consists of three principles. They are:

(1) Principle 13 – “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.”

(2) Principle 14 – “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”

(3) Principle 15 – “The organization communicates with external parties regarding matters affecting the functioning of internal control.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives and that the 17 Principles are readily adaptable to compliance. I think they are more than simply adaptable as they provide a clear road map for the Chief Compliance Officer (CCO) or compliance practitioner on how to set up the right compliance controls. Finally, I believe that the Securities and Exchange Commission (SEC) will measure your company’s internal controls against each of these 17 Principles and if you cannot map your internal controls to them and provide audit evidence, you may well in FCPA hot water.

Principle 13 – Use of relevant and quality information

Rittenberg notes this Principle requires that “Relevant, timely and quality information needs to be assessed by management and others to help identify” several areas with in a company. For the CCO or compliance practitioner this means that you need to identify relevant data, which can include both internal and external data. The hard part is to move that data to actionable information. Rittenberg also suggests that you need to consider the characteristics of the information and “whether or not such information is being used correctly and timely.”

 Principle 14 – Communication up and down the organization about internal controls

This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but he adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process”.

Therefore, under this Principle you will need to determine several different things from the compliance perspective. Does the Board communicate in a downward mechanism that gets its relevant instructions to the CCO or compliance function? Does the CCO or compliance function communicate upwards with the Board? Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15 – Communication with external parties regarding internal controls

This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites to the need for companies to communicate with third parties about relevant Codes of Conduct or similar documents, which might apply to them. He also pointed to the example of information about a hotline that could be provided to a third party to report any FCPA related issues. But more than a company sharing its relevant compliance information with contracted third parties, whether they be on the sales side or in the supply chain, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls…and regulatory communication.”

Obviously there must be communications lines up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.

Information and Communication requires a wide range of information to go up and down the corporate chain. The article “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13” relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program.  A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success with the Information and Communication objective. You can bring a wide range of talents, skills and imagination to bear on the objective.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 9, 2015

COSO and Internal Controls – Part III

Dean SmithThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) 2013 Framework. To help introduce today’s topic, I cannot think of a much more appropriate person to honor than Dean Smith, who died yesterday. Smith coached the North Carolina Tar Heels basketball team for 36 years. He retired with 879 victories, a winning percentage of 77.6% and two NCAA championships. He was one of the true giants of college coaching and the game of basketball itself. He will be missed but certainly never forgotten. If there was ever a coach that epitomized internal controls and frameworks, it was Dean Smith.

I restart my discussion of the COSO 2013 Framework with a look at the third component, Control Activities. In its Executive Summary of the 2013 Framework, COSO said these “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and busi­ness performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, manage­ment selects and develops alternative control activities.”

However, as with the other components of the COSO Cube, Control Activities are not to be taken in a vacuum. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said the Control Activities “have traditionally received the most attention of the component” but noted that the real-world experience since the initial implementation of the COSO Framework back in 1992 has demonstrated that “the effectiveness of control activities must be evaluated with the context of the other five components.” Moreover, he believes that these conditions are aided by a company’s policies and procedures, which should help to lessen and manage risk going forward. Finally, Control Activities should be performed at all levels in the business process cycle within an organization.

The objective of Control Activity consists of three principles. They are:

(1) Principle 10 – “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”

(2) Principle 11 – “The organization selects and develops general control activities over technology to support the achievement of the objectives.”

(3) Principle 12 – “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”

Principle 10 – Control Activities to mitigate risk

Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.” 

Principle 11 – Control Activities over general technology

Last week I had a series of guest posts from Joe Oringel of Visual Risk IQ regarding the use of data analytics in your compliance program. The use of technology will be greater and more important going forward. I would certainly expect the Securities and Exchange Commission (SEC) to focus on a company’s use of technology in any evaluation of its overall compliance program.

Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure, around compliance internal controls, security management of the same and then use this information to move forward to obtain and implement the most appropriate technology around your compliance internal controls.

Principle 12 – Control Activities established through policies and procedures

This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”

While the objective of Control Activities should be the most familiar to the Chief Compliance Officer (CCO) or compliance practitioner, you may well think of it in a way that basketball fans thought of Dean Smith’s Four Corners offense; in other words boring. However, just as Smith’s innovation was based on crisp focus and outstanding teamwork, this objective demonstrates the inter-relatedness of all the five COSO objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 30, 2015

COSO and Internal Controls, Part II

Internal ControlsThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adherence to the COSO 2013 Framework. Today I will begin a discussion of the updated COSO Framework. Brian Christensen, in an article in Corporate Compliance Insights, entitled “The Updated COSO Framework: Time for a Fresh Look at Internal Control”, said that the updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, it is the emphasis on the principles, which is new to the 2013 Framework.

Christensen believes that “COSO has chosen to formalize more explicitly the principles embedded in the 1992 version of the framework that facilitate development of effective internal control and assessment of its effectiveness. While the 1992 version implicitly reflected the core principles of internal control, the 2013 version explicitly states them in the form of 17 principles, each of which is mapped to one of the five components. The 17 principles represent fundamental concepts associated with the five components of internal control. There isn’t any new ground broken by these principles as they reflect widely known tenets of sound internal control that have been around for a long time.” The principles remain broadly stated as they are intended to apply to for-profit companies, not-for-profit entities, government bodies and other organizations. Moreover, “supporting each principle are points of focus, representing characteristics associated with the principles and providing guidance for their application. Together, the components and principles constitute the criteria and the points of focus provide the guidance that will assist management in assess­ing whether the components of internal control are present, functioning and operating together within the organization.”

 

The first of the five objectives is ‘control environment’. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said the control environment “sets the tome for the implantation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the control environment object are as follows:

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes with board oversight, structures, reporting lines and appropriate authorizes and responsibility in pursuit of the objectives.
  4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Commitment to integrity and ethical values

What are the characteristics of this principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, I think that this principle requires an auditor to be able to assess if a company has the met its requirements to ethics and compliance and whether that commitment can be effectively measured and assessed.

 Board independence and oversight

 

This principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, compliance control activities, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

 

Structures, reporting lines, authority and responsibility

 

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this principle, you will need to consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally this principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

 

Attracting, developing and retaining competent individuals

 

This principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This principle next turns the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. An auditor must be able to demonstrate, through its compliance policies and equally importantly its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

 

Individuals held accountable

 

This is the ‘stick’ principle. A company must show that it enforces compliance accountability through its compliance structures, authorizes and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and finally clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

 

I will take a short break from my explorations of COSO and Internal Controls next week, but do not worry the subject will return the week of February 9. Next week I will have a series of guest posts from Joe Oringel, Principle at Visual RiskIQ on data analytics.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 29, 2015

Welcome to COSO and the World of Internal Controls – Part I

Internal ControlsI have intentionally avoided a Top Five or Top Ten prediction list for Foreign Corrupt Practices Act (FCPA) enforcement going forward from 2014 into 2015. However there is one area of FCPA enforcement, which I think underwent a sea change in 2014 and has significant implications for the Chief Compliance Officer (CCO) and compliance practitioner in 2015 and far beyond. That change will be in the enforcement by the Securities and Exchange Commission (SEC) of the internal controls provisions of the FCPA. Last fall we saw three SEC enforcement actions, where there was no corresponding Department of Justice (DOJ) enforcement action yet there was a SEC enforcement action around either the lack or failure of internal controls. Those enforcement actions were Smith & Wesson, Layne Christensen and Bio-Rad.

Coupled with this new found robust enforcement strategy by the SEC, is the implementation of the COSO 2013 Framework, which became effective in December 2014. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, which originally adopted, in 1992, a framework for basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year old COSO Framework, as modified in 2013, so that it provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s internal controls around compliance. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

Because I believe this single area of FCPA enforcement is so important and will increase so much, I am going to dedicate several posts to an exploration of internal controls, focusing on the COSO 2013 Framework. In Part I, I begin with a review of internal controls under the FCPA.

What are internal controls?

What are internal controls in a FCPA compliance program? The starting point is the law itself. The FCPA itself requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any

differences ….

The DOJ and SEC, in their jointly released FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, a partner at Foley and Lardner in San Francisco and the author the most excellent resource entitled “Foreign Corrupt Practices Act”, has said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Well-know internal controls expert Henry Mixon has said that internal controls are systematic measures such as reviews, checks and balances, methods and procedures instituted by an organization that performs several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources, to detect and deter errors, fraud, and theft; to assist an organization ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Mixon adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Mixon also notes that for compliance purposes, controls are those measures specifically to provide reasonable assurance any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs as well as the distribution of assets.

The FCPA Guidance goes further to specify that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.” After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.

COSO and Internal Controls

Larry Rittenberg, in his book COSO Internal Control-Integrated Framework said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which including the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

So why will all of the above be a sea change for FCPA enforcement since after all, the requirement for internal controls has been around since 1977. The Smith & Wesson case shows the reason. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.” All of this was laid out in the face of no evidence of the payment of bribes by Smith & Wesson to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

In Part II we will begin our exploration of the COSO 2013 Framework and what it requires in the way of internal controls for your FCPA compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 6, 2015

Byzantium and the Alstom FCPA Settlement – Part III

ByzantiumPorphyry is a type of stone that was much favored in the Roman world. In a review of several books in the New York Review of Books, entitled “The Purple Stone of Emperors”, Peter Brown looked into the history of the lithic in the context of Byzantium as the true heir of the Roman Empire. He theorized that if “porphyry was the blood of ancient empire, then it must be to Constantinople that we should look (and not to Western Europe) if we wish to understand the heritage of Rome in the Middle Ages.” I found that an appropriate way to think about an apparent anomaly in the recent Alstom Foreign Corrupt Practices Act (FCPA) enforcement action. In Part III of my series on the Alstom natter I consider the accounting records violations that the French parent, Alstom SA, agreed to in this enforcement action.

The FCPA Professor noted in his second blog post on this matter, entitled “Issues to Consider from the Alstom Action”, “The charges against Alstom S.A. are a real head-scratcher. The conventional wisdom for why the Alstom action involved only a DOJ (and not SEC) component is that Alstom ceased being an issuer in 2004 (in other words 10 years prior to the enforcement action). Yet, the actual criminal charges Alstom pleaded guilty to – violations of the FCPA’s books and records and internal controls provisions – were based on Alstom’s status as an issuer (as only issuers are subject to these substantive provisions). In other words, Alstom pleaded guilty to substantive legal provisions in 2014 that last applied to the company in 2004.”

The Professor had also raised this issue in his first blog post on the resolution, entitled “All About the Alstom Enforcement Action”. After considering his thoughts on this issue, I decided to look into it a bit more deeply. Alstom SA was charged with several different FCPA violations including the following, 15 U.S.C. 78m(b)(2)(A), 15 USC §78m(b)(2)(B) and 78m(b)(5) which read in whole,

15 U.S.C. § 78m [Section 13 of the Securities Exchange Act of 1934] 

(b) Form of report; books, records, and internal accounting; directives

(2) Every issuer which has a class of securities registered pursuant to section 78l of this title and every issuer which is required to file reports pursuant to section 78o(d) of this title shall—

(A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

(B) devise and maintain a system of internal accounting controls sufficient

to provide reasonable assurances that—

(5) No person shall knowingly circumvent or knowingly fail to imple­ment a system of internal accounting controls or knowingly falsify any book, record, or account described in paragraph (2).

These provisions are generally referred to as the ‘accounting provisions’ of the FCPA. As stated in the FCPA Guidance, “In addition to the anti-bribery provisions, the FCPA contains accounting provisions applicable to public companies. The FCPA’s accounting provisions operate in tandem with the anti-bribery provisions and prohibit off-the-books accounting. Company management and investors rely on a company’s financial statements and internal accounting controls to ensure transparency in the financial health of the business, the risks undertaken, and the transactions between the company and its customers and business partners. The accounting provisions are designed to “strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure.””

Moreover, these accounting provisions, including both the books and records and internal control provisions, are defined to apply to “issuers”. As set out in the FCPA Guidance, “The FCPA’s accounting provisions apply to every issuer that has a class of securities registered pursuant to Section 12 of the Exchange Act or that is required to file annual or other periodic reports pursuant to Section 15(d) of the Exchange Act.244 These provisions apply to any issuer whose securities trade on a national securities exchange in the United States, including foreign issuers with exchange traded American Depository Receipts. They also apply to companies whose stock trades in the over-the-counter market in the United States and which file periodic reports with the Commission, such as annual and quarterly reports. Unlike the FCPA’s anti-bribery provisions, the accounting provisions do not apply to private companies.”

Charging Box Score

Alstom Entity Charges Time of Criminal Conduct Issuer Status
Alstom SA 15 USC §78m(b)(2)(A)15 USC §78m(b)(2)(B)15 USC §78m(b)(5)

15 USC §78ff(a)

18 USC §2

1998-2004 Issuer until 2004
Alstom Power Inc. 18 USC §371-conspiracy to violate the FCPA 2002-2009 Subsidiary of Issuer until 2004
Alstom Grid Inc. 18 USC §371-conspiracy to violate the FCPA 2000-2010 Subsidiary of Issuer until 2004
Alstom Network Schweiz AG 18 USC §371-conspiracy to violate the FCPA 2000-2011 Subsidiary of Issuer until 2004

While I agree with the above, I do disagree with the Professor’s final statement that “This free-for-all, anything goes, as long as the enforcement agencies collect the money nature of FCPA enforcement undermines the legitimacy and credibility of FCPA enforcement.” The reason I disagree is that this was a negotiated settlement, not a dictat or court proceeding. With no doubt excellent FCPA defense counsel involved, Alstom must have had its own reasons for agreeing to such a settlement. Without any further comment by the company, we will have to speculate as to some of the reasons for this component of the resolution.

First and foremost is that clearly Alstom did engage in conduct which substantially violated the FCPA. It would further appear that the conduct reached right up into the corporate home offices in France. By agreeing to the books and records and internal control violations, Alstom may have avoided any direct admission of guilt under French law, which we now know from the Total FCPA enforcement action is significant for a French company, because what is illegal bribery and corruption under US law is not necessarily illegal under French law.

Other than the anomalous French law issue, there may be another important consideration going on here. Alstom is under acquisition by General Electric (GE). Not only does GE pride itself and very publicly inform about its anti-corruption compliance program, GE has a large number of contracts with the US and other governments which might looks askance at doing business with a business unit that admitted to substantive FCPA violations of bribery and corruption. While I do not think that GE would be in danger of being debarred, it might well be that certain governments might not want to do business with a new subsidiary which made such a court admission. I find this to be more than simply a distinction without a difference. Consider the trouble that Hewlett-Packard (HP) is in north of the border in Canada regarding potential debarment by the Canadian government for its FCPA violations as set forth in its FCPA resolution of last April. So perhaps from Alstom’s perspective, the company believed it received benefits from settling based upon accounting violations.

But whatever the reason, it is clear that Alstom did engage in substantive FCPA violations. It’s settlement is that, a settlement of outstanding issues, which the company was a willing participant. It may not have been what the company wanted but I do not find that by charging Alstom for books and records and internal controls violations for the time frame it was clearly liable in any way demeans, degrades or lessens FCPA enforcement going forward. But just as we need to look to Byzantium to determine the heritage of Rome through the Middle Ages, by looking at the facts and circumstances around Alstom’s FCPA from the Alstom perspective and what it hoped to obtain in the settlement, we might be able to glean some insights.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

December 12, 2014

Seamus Heaney and Compliance With a Seat at the Table

Seamus Heaney and beowulfI have long been fascinated with the Irish poet Seamus Heaney. I came to know him thought his 1999 translation of Beowulf. While I was aware that he had been awarded the 1995 Nobel Prize for Literature, I did not know his work as an Irish poet. However, this was rectified in a piece in the Times Literary Supplement (TLS), entitled “A stay against confusion – Seamus Heaney and the Ireland of his time”, by Roy Foster. In this piece he reviewed the evolution of Heaney’s poetry through the 1960s and 1990s. Foster believed that Heaney’s work in many ways mimicked the growth that “Irish intellectual as well as social and economic life”. Heaney began as a ‘nuts and bolts’ type of poet and moved to become a Yeatsian figure as the national poet of Ireland.

I thought about that growth and Foster’s article when I considered the question of what happens if you seek for something and then actually get it? For instance, you may have wanted a seat at the C-Suite table as a Chief Compliance Officer (CCO) and now you have one. What happens now, for instance in the situation where you find out that your company has decided to enter a new overseas market with a new product offering? The Chief Executive Officer (CEO) who championed you coming onboard with the big boys (or perhaps big girls) team looks down and says, “We need an analysis from the compliance perspective by the end of the week?” Where do you begin?

Obviously there are some preconditions for success such as your company should have a product that you can make and sell overseas for a profit. Further, you should have the time, money and sophistication to develop an international distribution network and you have the home office infrastructure to support a truly international business. Finally, you should have a senior management with at least an appreciation of compliance challenges in the target, with the personnel, technological solutions and internal training to address and meet these challenges. As you begin to think through this assignment you fall back on the four basic questions of (1) Who will we sell to? (2) What are we going to sell? (3) Where will we sell? (4) How will we sell?

Who will we sell to?

For any anti-corruption analysis you need to begin here as the Foreign Corrupt Practices Act (FCPA) applies to commercial relationships with foreign governments or instrumentalities such as state owned enterprises. Will your end using-direct customers be foreign governments or privately owned companies? What if your customers are distributors or other middlemen who will then sell to foreign governments or state owned enterprises? What about licenses; will you need special permits to sell to a foreign government or state owned enterprise or will you need some type of basic permit simply to transact business? If your company is subject to the UK Bribery Act this public/private distinction does not exist.

What are we going to sell?

What is the product or service you wish to take internationally? I will assume your company has done the market studies to ascertain it is a viable commercial concept. If it a product, is it a complete or partial product? Will you manufacture here in the US and only sell internationally or will you manufacture abroad as well? If it is here in the US, what about spare parts and accessories, will you need to obtain any licenses overseas? What about your technology, will that component require any licenses? If you will manufacture outside the corporate offices in the US, how will you assure quality in your supply chain? Conversely, if you manufacture in the US, do your supplier agreements allow you to resell outside the US?

Where will we sell? 

This question may seem more important for export control issues; however it is also important in the anti-corruption world. Obviously this is because certain geographic areas are more prone to corruption than others. A starting place might be the Transparency International-Corruption Perception Index but you can also use tools such as the recently released TRACE Matrix which provides a much broader assessment of corruption indices and give you additional insight into a fuller panoply of corruption risks in a country. In addition to the basic corruption analysis you need to ascertain whether you can even sell your products in a new country, either because of US export regulations or the end using jurisdictions laws. You should also focus on the business culture of a country and whether it is compatible in doing business in compliance with relevant anti-corruption legislation. This will also help you in your search to find any local business partners. 

How are you going to sell?

This is one of the most important questions you can ask under a FCPA analysis. It is because well over 90% of all FCPA enforcement actions involve third parties. If this is your first international sales effort, your company probably does not have an international based employee sales force. This means you will most probably need in-country partners for your target markets. Some of the most basic sales arrangements for third parties are as follows:

  1. Agent/Sales Representative – This person or entity is an independent third party from the company. Compensation is usually commission based or combined with a periodic fee plus commission. It is generally viewed as the highest risk from the anti-corruption perspective but you will have a direct relationship with the end-using customer.
  2. Distributor/Retailer – This person or entity is an independent third party from the company. Your company will sell to the distributor/retailer who then resells your product. You will have less visibility into the end user and hence a greater export control risk. Consignment is a variation on this model but if you are warehousing you will need to be aware of other US rules such as revenue recognition under US GAAP or local, indigenous rules on storage and warehousing.
  3. Consultant – This is also an independent third party who is paid a periodic fee. The fee can be more easily assessed for an hourly or service based rather than simply a commission based fee structure.

There are some other sales arrangements that you may whish to consider. You can acquire a local business and run it as your own company. Of course if you do so, you may buy all of these liabilities, both known and unknown. You can joint venture with another local company. Here you may have the dual problems of less actual control yet the same amount of potential exposure, particularly under the FCPA if you fail to perform the requisite pre-acquisition due diligence and allow any illegal conduct to continue going forward. You can issue a manufacturing license to an in-country manufacturer and allow them to make and then sell your product using your technology. Finally, you can issue a brand license where you license an existing company to put your brand name on your product manufactured by another entity. Of course if you use any of these types of arrangements you will need to go through a full third party management cycle; consisting of a business justification, questionnaire, due diligence, contract and management thereafter.

From the internal control perspective you will need to make sure you have several key compliance related controls in place. This will include the aforementioned vetting of all customers and third parties; appropriate controls over each transaction, including both quotes and contracts; empowered and non-conflicted employees; and finally training and self-auditing. You will need separate controls over payment terms and payment mechanisms and controls to align shipping and export controls. Finally, do not forget the omnipresent segregation of duties and control over the vendor master file.

Lastly, you should focus on your high-risk points in any of the above. These include your full vetting and management of third parties. You should pay attention as to how you became aware of these third party sales representatives. You will also need to pay attention to your freight forwarders and other export control representatives. You will need to be vigilant going forward for outright bribes paid in either cash or other values such as free products, lavish travel, gifts and entertainment, especially if the travel has no business purpose.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

Blog at WordPress.com.