FCPA Compliance and Ethics Blog

September 12, 2014

The FCPA Compliance and Ethics Report

If you have not done so, I hope that you might go over to my podcast site, the FCPA Compliance and Ethics Report,  to check out some of my recent podcasts. The episodes are between 20-30 minutes long and they are available for download on iTunes so you can listen to them on your commute to work or when working out at the gym.

Internal Controls

I have begun a series on internal controls in a best practices FCPA compliance program with noted internal controls expert Henry Mixon. In Parts I & II, Mixon and I discuss the basics of what are internal controls. These podcasts supplement some of my recent blogs on internal controls.

Episode 85-What Are Internal Controls, Part I

Episode 87-What Are Internal Controls, Part II

HR and Compliance

One of the best allies for the compliance function in any company is the Human Resources department. I explore how HR can assist compliance in a myriad of components of any best practices compliance program.

Episode 86-Use of HR in a Compliance Program

Continuous Improvement of a Compliance Program

In the FCPA Guidance and in almost every speech I have heard by a Department of Justice official, they talk about how your compliance program should evolve to meet new compliance risks, changes in best practices, geographic markets where your company does business and new product/service offerings. You can do this by continuous improvement of your compliance program.

Episode 84-Continuous Improvement of Your Compliance Program

The Compliance EcoSystem

Jon Rydberg is the Founder and CEO of Orchid Advisors. He is also the former CCO of Smith & Wesson and was at the company when it navigated it way through a FCPA investigation and enforcement proceeding. From these experiences, Rydberg has developed a holistic approach to compliance which he has trademarked as the “Compliance EcoSystem”. I explore his ideas on an fully integrated approach to compliance

Episode 83-Interview with Jon Rydberg

Use of Interviews in Your Compliance Program

Brian Ching is the most famous player in the history of the Houston Dynamos soccer club. Ching recently retired and moved into the front office as the General Manager of the Houston Dash, the Houston professional women’s soccer club. I interviewed Ching on his transition to management and how the Dash use the face-to-face interview process to not only assess the non-soccer skills that the team requires of its players but also to communicate the team’s expectations. There are some very significant insights about how a company can communicate its expectations regarding ethical business practices.

Episode 79-Interview with Brian Ching

The FCPA Professor

Finally and last but certainly not least, I bring back the FCPA Professor for a two-part podcast on his new book The Foreign Corrupt Practices Act In a New Era.

Episode 80, Interview with the FCPA Professor, Part I

Episode 81-Interview with the FCPA Professor, Part II

A good weekend to all.

September 8, 2014

Board of Directors and FCPA Oversight – An Internal Control Under SOX, Part II

Circle DiagramIn Part I of this two-part post regarding a Board of Director’s Role in Foreign Corrupt Practices Act (FCPA) oversight from the internal controls perspective, I reviewed how a Board might have independent liability for its failure to act as an appropriate internal control as required by Sarbanes-Oxley (SOX). Today I will review what internal controls are and what a Board’s role is within the context of internal controls.

Beginning on Tuesday, in conjunction with this two-part blog, my colleague Henry Mixon, Principal of Mixon Consulting, and myself are recording a podcast series on internal controls, which can be found on FCPA Compliance and Ethics Report. We are discussing the following areas: what are internal controls; how a company might use them and how they can be implemented? In the first of the podcast series I asked Mixon what are internal controls? He began with the textbook definition, which he said was “Internal controls are systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to:

  • conduct its business in an orderly and efficient manner,
  • safeguard its assets and resources,
  • deter and detect errors, fraud, and theft,
  • ensure accuracy and completeness of its accounting data,
  • produce reliable and timely financial and management information, and
  • Ensure adherence to its policies and plans.

Mixon noted that internal controls should be instituted entity wide, not simply limited to those functions used or reviewed by accountants and auditors. For an anti-corruption compliance regime such as the FCPA or UK Bribery Act, internal controls are measures to provide reasonable assurances that any assets or resources of a company (not limited to cash) cannot be used to pay a bribe. This definition includes diversion of company assets (such as by unauthorized sales discounts or receivables write-offs) as well as the distribution of assets.

Mixon noted that the basic framework for internal controls is derived from the COSO Model developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. The COSO Model defines internal controls in a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring.

In the 2013 update the basic framework was retained with substantial support from user companies, and 3 specific objectives were added: (I) Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; (II) Reporting objectives – internal and external financial reporting; and (III) Compliance objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations.

We then turned to the question of which internal controls does a company need to institute? Mixon said that each company defines its internal controls to fit its business by determining what the Company wishes to protect and what type of control environment does it want to have in place. This means that they can be less formal in smaller companies but still effective if the focus is on the right risks. Based upon FCPA guidance, the most common control needs have been identified as follows: (i) Dealings with third parties; (ii) Gifts and entertainment, and (iii) Charitable donations. Yet even within those categories, a wide range of risks exists, depending on a company’s business practices. Mixon emphasized that a Top Down ‘Check-the-box’ generic set of policies will not likely result in effective controls.

The process to determine which internal controls are needed will be of some familiarity to the compliance professional. It all starts with a risk assessment to establish the corporate policies which are applicable, tailored to the company, and sufficiently specific. The risk assessment will also help to identify the types of transactions across the company which should be addressed (gifts and entertainment, maintenance of bank accounts and movement of cash, dealings with third parties, etc.). The next step is to prepare a set of documents which define the control objectives to be in place for each type of transaction – example: “Controls will be in place to ensure no vendor has been added to the vendor master file until complete due diligence has been completed and the vendor has been approved in accordance with Corporate policies. Thereafter, you will need to document how the controls will be performed and how they will be evidenced and then incorporate the control procedures into applicable work instructions and job descriptions.” Mixon cautioned that for each business location, determine the specific controls needed to accomplish each control objective. In many companies, a disparity of operating practices and accounting systems will result in different controls being needed. He ended by emphasizing that while this assignment may seem overwhelming it can be done in reasonable stages, pursuant to a specific implementation plan – it does not have to be done all at once for the entire company.

As you will recall from Part I, I believe, as gleaned from Jim Doty’s remarks, that a Board must not only have a corporate compliance program in place it must also actively oversee that function. This led me to conclude that failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Doty’s remarks drove home one of the roles that a Board performs, which fulfills those tasks. Internal controls work together with compliance policies and procedures as stated by Aaron Murphy, a partner at Akin Gump, in his book “Foreign Corrupt Practices Act”, as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Murphy breaks down internal controls into five concepts, which I have adapted for a Board or Board subcommittee role for compliance:

  1. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  2. Risk Assessment – A Board should assess the compliance risks associated with its business.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

There have been several FCPA enforcement actions where the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) discuss the failure of internal controls as a basis for FCPA liability. The Smith & Wesson enforcement action is but the latest. With the questions about the Walmart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or contrasting failing to even be aware of the allegations; there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 1, 2012

Welcome to Howard’s Nightmare and How to Deal with It-(spoiler alert-Internal Controls)

Ed. Note-as most of you will recognize, Henry Mixon is a frequent guest commentator, focusing on internal controls as a part of a best practices compliance program. He recently called me and said that he thought he could provide some information which might help my This Week in FCPA co-host Howard Sklar get some sleep by suggesting a way to deal with his “Nightmare Scenario”. I asked Henry to write up a blog post and this is what he delivered.

In his Nightmare Scenario posted on his OpenAir Blog, Howard Sklar wrote about a very bad dream in which a $5 payment to a customs official in a foreign country by a business development employee might result in the employer filing an 8-K to report a violation of the FCPA.  The employee who paid the USD 5 to the customs agent included the payment in his expense report as “tips.”

Howard references the examples in SEC Staff Accounting Bulletin 99 in which a transaction can become material for SEC reporting purposes, even though it falls well below the typically-used percentage thresholds used by auditors and preparers of financial statements. Two of the considerations from the Staff Accounting Bulletin which can transform a small misstatement into a material one are:

  • whether the misstatement affects the registrant’s compliance with regulatory requirements, and
  • whether the misstatement involves concealment of an unlawful transaction.

I agree with Howard’s concerns about the potential impact of transactions typically considered immaterial. The risk of the 8-K being required may not result from a single USD 5 payment, but can certainly result from a pattern of individually immaterial illegal payments made over time.

When processing reimbursement for transactions occurring outside the US, I believe a different mindset for internal controls is needed.  First, the amount of a transaction is not as important as the nature and whether the transaction has proper business purpose. Many approvers in US companies do not focus on that important difference.

Second, internal controls in many US companies do not focus on the prevention of illegal payments, but instead focus on detection.

Expense report reviewers should be trained to look for Red Flags and to question suspicious items, or items for which proper business purpose is not clearly documented, regardless of perceived materiality.  For example, standard procedure for expense reports is to describe who, what, where, when, and why.  Failure to provide such transparent description should be a Red Flag, whether the requested reimbursement is for meals, hotel, taxi, car rental or any other “common” expense report items.

I would certainly never advise a client to develop internal controls specifically designed to deal with very small dollar items.  However, in the FCPA world, controls should be designed on the basis of the risk profile of the transaction, not the dollar amount. Expense reports of employees traveling to high corruption risk locations outside the US should be high on any risk profile.

Relatively small amounts paid frequently can result in violations of meaningful proportions, especially if all adopt the belief that small illegal payments are permitted and concealment can be rationalized.

In particular, creating the wrong mindset in the business development function can lead to Nightmare Scenario II:  illegal payments made when they result directly in obtaining or retaining business, rather than a payment made to a customs official to be allowed to cross a border.

If nobody questions the concealed illegal payment to a customs official, might an employee see opportunity, and rationalize misbehavior, when a potential customer asks for a bribe in exchange for business advantage?

So, while Nightmare Scenario might not occur for one payment made to be allowed to cross a border, how many payments to government officials concealed in expense reports are required before Nightmare Scenario II becomes reality?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. 

April 16, 2012

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, one of the major failings of the company, which led to the violations of the Foreign Corrupt Practices Act were those of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the recent Biomet matter.  The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important a lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further.  Without more facts, what Internal Audit did, and the possible alternative scenarios, is speculative.

However, the problem I see is this.  Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have had the desired result of an effective Compliance Program — the prevention of bribes, not the detection of bribes.

The SEC focuses on correct accounting and disclosure.  Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue and a management decision what to do after the magnitude has been determined, i.e. e., whether to self report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue – the bribes had not been prevented.

In the author’s, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com  

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. 

December 19, 2011

McNulty’s Maxims, the Deepwater Horizon and FCPA Internal Controls

I often write about what I call Paul McNulty’s three maxims of a Foreign Corrupt Practices Act (FCPA) compliance program: 1) What did you do to prevent it?; 2) What did you do to detect it?; and 3) What did you do to remedy it? I had generally thought that the internal controls component of a minimum best practices FCPA compliance program applied to maxim number 2, detection. However, in a recent guest post regarding internal controls entitled “Controls to Prevent Violations of Anti-Bribery Laws, my colleague Henry Mixon explained that “A specific focus is needed to ensure there are control procedures in place to ensure compliance with” maxim number 1, prevention.

This concept was driven home in a December 15, 2011 article in the Houston Chronicle by reporter Jennifer Dlouhy, entitled “Blowout preventers fall short, report says”. This article discusses a 136 page report by the National Academy of Engineering and National Research Council (“the Report”) on the Deepwater Horizon disaster. One of the findings of the report was that the industry’s trust in blowout preventers, as they are currently designed and utilized, is misplaced. The Report noted that there were several studies which had questioned the reliability of blowout preventers to do what it was designed to and provided several technical reasons for this finding.

For those of you not in the oil and gas industry a blowout preventer is a piece of equipment which is designed to be the last line of defense if the well blows by cutting through the pipe and blocking the oil or gas from escaping upwards and being ignited by the drilling rig. Generally, it has to be activated by someone or some automatic control system to take its preventative action. In other words, it is not viewed as a detection device but as a prevention device.

This article specifies that the design of blow out preventers is as the name implies to prevent an accident. I was reminded that the FCPA and UK Bribery Act require a specific focus on preventive controls. While there should be detect controls as well if your company only has detect controls, your compliance program does not meet the minimum best practices. In his recent post Henry Mixon focused on the use of internal controls to prevent bribery and corruption.

Some examples of this use of internal controls which can be preventative controls are the following:

  1. Petty Cash disbursements should be reviewed by more senior management before rather than reconciled after the fact of disbursement.
  2. Controls are needed over
    1. movement of inventory because bribes can be made through mechanisms other than cash.
    2. gifts, entertainment, hospitality, political contributions, and charitable contributions.
    3. An effective Delegation of Authority such as the requirement of dual signatures for hand- written checks.
    4. Offline processing and maintenance of key information related to vendors and disbursements.
    5. Employees, both contract and permanent, require controls in payroll processing to ensure employees’ statuses as current/former, or a relative of a, Government Official, is identified in pre-hire diligence and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.
    6. Vendor master file controls to ensure no vendors are paid unless there has been appropriate due diligence performed.

The Report on the Deepwater Horizon disaster makes clear that the energy industry must find a way to prevent a similar event in the future. The lessons from McNulty’s maxims also make it clear that for a best practices compliance program, you must have sufficient preventative controls in place to prevent bribery and corruption. Henry Mixon details some of the specific reasons that internal controls can be used as prevention control and the specifics on how to do it.

If your compliance program only uses internal controls to detect after-the-fact violations, you may need to call Paul McNulty and have him represent you. Then you may well be in the position of having McNulty call the Department of Justice and self-report a FCPA violation. I am relatively sure that such a call is not one that you would like to make, or have counsel make on your behalf.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

November 30, 2011

Controls to Prevent Violations of Anti-Bribery Laws

Ed. Note-I recently asked my colleague Henry Mixon CPA, if he could explain the differences regarding internal controls required under financial regulations such are Sarbanes-Oxley with internal controls required under anti-corruption laws such as the Foreign Corrupt Practices Act. The following is his explanation. 

Relying on Sarbanes-Oxley (SOX) and independent audits presents significant risk of internal controls not being effective to comply with anti-bribery laws. Company management often believes that, because they have independent auditors and because they are SOX compliant, they don’t need any additional focus regarding compliance with anti-bribery laws.  While independent audits and procedures required for SOX are useful, there are several reasons why focused attention needs to be paid to certain internal control objectives in order to have an effective anti-bribery compliance program.

1. The overriding concept is that effective internal controls do not automatically follow when Policy Statements are issued. Training employees regarding new policy requirements and obtaining their certification of understanding does not ensure compliance.  A specific focus is needed to ensure there are control procedures in place to ensure compliance with the policies.

2. SOX controls are, by definition, focused on financial reporting. They do not address many transaction level controls needed to prevent violations of Anti-Bribery laws.  Based on my experience assisting clients remediate internal controls to satisfy an independent monitor and the Department of Justice (DOJ), I have compiled a list of controls which should be considered on a risk basis to determine effective controls needed to prevent violations. Shown below are only a few of the control objectives which are needed in an effective Compliance Program which, for materiality or other reasons, are typically not in SOX (or independent audit) scope:

a. Controls to prevent payment of bribes using cash (petty cash funds and otherwise) and using manual checks to meet “emergency needs” processed outside the normal invoice approval system. A Corporate review of such transactions after the fact is not a sufficient control.  (In each Independent Monitor situation, there was a substantial focus on risks associated with petty cash funds and manual checks.)

b. Because bribes can be given by methods other than cash, controls over contractual relationships with third parties should be scrutinized. This includes contracts with agents, contracts to lease facilities / equipment, etc. For example, unauthorized use of Company assets / facilities, with or without compensation, can be a means to pay a bribe. Therefore, controls are needed over movement of inventory (such as shipments of inventory to non-customer locations and use of mobile fixed assets). For example: (1) controls are needed to ensure shipments of goods after they have been accepted and paid for result in appropriate compensation to the Company; (2) controls are needed to ensure Company vehicles are not “loaned” to unauthorized persons without adequate compensation to the Company.

c. Controls are needed over gifts, entertainment, hospitality, political contributions, and charitable contributions. For materiality reasons (see below), these controls are typically not included in SOX scope.

d. Enforcement of an effective Delegation of Authority (including the accounting controls for processing / approving vendor invoices, signing checks,) is typically not addressed in SOX scope but is a critical control from a Compliance perspective.  For example, when dual signatures are required, what is the control to ensure they are obtained? (Banks will pay checks with only one signature, even if two are required.) Another example, control should be in place to ensure document approvers actually review support for transactions they are approving, and these controls must be evidenced for the Compliance Program to be considered effective.

e. Use of offline processing and maintenance of key information related to vendors and disbursements (such as Excel spreadsheets which can impact payments to vendors or which track entertainment provided to third parties) presents risk.  Therefore, controls over the creation and maintenance of spreadsheets which “feed” the financial accounting process require evaluation.

f. Employment of “contract” employees, as well as permanent employees in foreign locations requires controls in the payroll processing to ensure the employees’ status as a current / former Government Official, or as a relative of a Government Official, is identified in pre-hire diligence and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.

g. The controls regarding creation / approval / unauthorized modification of Purchase Orders should be carefully evaluated, not just the focus on the three-way match.

h. Controls should be in place regarding maintenance of the vendor master file to ensure no vendors are paid unless there has been appropriate due diligence performed. Controls should be in place to prevent situations where the vendor has invoiced the company and wants to be paid, but the vendor’s name is not in the vendor master file as an approved vendor.  Having controls over changes to the vendor master is more effective than only having a policy that all vendors must be subject to diligence and pre-approval.

i. Having controls to ensure compliance with reimbursement to employees for travel and other business expenses is critical. Requiring a manager to initial an expense report does little to prevent unauthorized activities, unless there is evidence the approver actually looked at the substance of the requested reimbursement.

3. SOX and Generally Accepted Auditing Standards allow a scope definition which eliminates business locations / business units which are considered to be immaterial, as well as eliminating types of transactions / accounts not considered material for financial reporting purposes. Therefore relying on a SOX-acceptable universe of control assessment based on materiality increases the risk of violations occurring. Many of the instances of prosecution by the DOJ and by the SEC involved business locations considered immaterial for financial reporting (SOX) purposes. The DOJ and the SEC have been very specific that individually immaterial violations over time constitute a violation and that even improper recording of immaterial transactions determined to be bribes violates, respectively, the anti-bribery and Books and Records provisions of the FCPA.

Using a standard other than the traditional financial statement concept of materiality does not necessarily mean controls need to be more extensive.  Rather, the controls which are needed for an effective Compliance Program take into account the risk of violation (such as inherent corruption index and the inherent risk of certain types of transactions and business relationships) rather than the number of transactions or cumulative financial totals of transactions.  For example, controls in countries with a Corruption Perception Index (CPI) of 3 or less should be robust, regardless of volume of transactions. Doing business with agents and foreign business partners generally presents higher risk than with other third parties.  Transactions which may be immaterial for financial reporting purposes (petty cash disbursements, gifts, charitable contributions, etc.) may present significantly higher Compliance risk than their individual financial amounts might indicate.

4. SOX allows a significant portion of controls to be “detect” controls.  Anti-bribery laws require a specific focus on “preventive” controls. If improper payments are identified by “detect” controls which review disbursements and asset disposals after the fact, the identification of suspicious transactions only leads to a decision whether to self-report and how extensive (expensive) an internal investigation is needed to determine the company-wide magnitude of the issue.  Little has been done to prevent the improper activity.  (Accordingly, relying on a SOX approach will not meet the burden of proof necessary to satisfy the “prevent” requirements of the UK Bribery Act.)

5. The SOX approach does not take into account the high evidence standard which comes into play when there is a suspected Compliance violation. Certain types of controls should have more robust documentation from a Compliance perspective than from a “traditional” perspective.  The “evidence standard” issue is very significant when third party investigations are at hand. For example, an initial on a document means someone initialed the document. It does not define what the person did before initialing the document or the representations which are being made when the person initials a document.  Often such evidence is simply a matter of defining control procedures and of modifying approval blocks on forms.

============================================================================================

If you are going to be in Houston on December 7, myself, Mike Volkov and the Bribery Act guys, Richard Kovalevsky QC and Barry Vitou will be making their only US appearance this year. Mike and I will review some of the more significant enforcement matters of 2011 and discussion lessons which may be drawn from them. Richard and Barry will discuss the Bribery Act. Best of all the event is free and CLE will be provided. Event details and registration are found at http://events.r20.constantcontact.com/register/event?llr=myqi4pcab&oeidk=a07e55t5re06e78f1e3. I hope you can make it!

============================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 


« Previous Page

Blog at WordPress.com.