Internal Controls Outside the US – Part IV

This post will conclude a short series I have presented on the issue of internal controls outside the US. I want to conclude by raising some ways in which a compliance professional can work to implement internal controls in a multi-national organization. As with my entire series on internal controls, I rely on internal controls expert Henry Mixon for guidance on this topic. 

Mixon advises that the first step is to convert your company’s Foreign Corrupt Practices Act (FCPA) risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls, which meet the objectives. This process should allow more of a fine tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt and will give the business unit a sense of buy-in and participation in the process.

Mixon provided an example of how the process might work in the situation where the FCPA risk is that a third party representative may be paid for an invoiced amount before that third party representative has gone through your company’s full third party approval process. Mixon began by noting that your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file in which inserts the date the vendor is approved and by programming such a requirement the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’ requiring sign off by a second person, such as the controller. Through this mechanism you have created a primary control through your third party approval process and validated that process if a change is made.

What if your location or business unit involved does not have a sophisticated ERP system such as SAP, for instance at another location QuickBooks is used? Mixon suggests that the control objective could be satisfied by using a similar form for changes to the vendor master file combined with the requirement that a report of all changes are printed and submitted to both check signers, along with the applicable approved vendor change request.

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls. What happens when the compliance function receives push back and will be told the controls are too burdensome and also make operations less efficient? I inquired from Mixon how he might suggest this situation be dealt with going forward. Fortunately for us, this is something that Mixon has observed many times and is very familiar with the issue as many employees see internal controls only as an added burden. Moreover, many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money.

One of the areas available to a compliance professional is benchmarking from other company’s compliance experiences. However this can be expanded into solid presentations about why it is important to assess and mitigate FCPA risks using your corporate peers that have been the subject of an FCPA enforcement action. This is some of the best sources of information a compliance practitioner can avail his or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

Mixon also advises that the premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost benefit analysis. If the selling is done after at least a basic risk analysis, Mixon believes that it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs.

Another key factor, as with all FCPA compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for FCPA-focused internal controls to your company’s Executive Leadership Team (ELT), Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating the FCPA and fraud risks. Some of these might include the following:

• Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
• Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
• With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
• As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
• It may be possible to build in more electronic controls, which can replace existing manual controls.

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes Oxley (SOX) compliance and that the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies the internal controls are effective? How should such a situation be dealt with or conversely how might a compliance professional respond? 

Mixon believes that there are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. This means that the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to FCPA. Mixon cited to the example of internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice, and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. It also does not address whether the agent’s invoice was reviewed for proper description of business purpose and for being consistent with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls itself is not enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement.

I hope that you have benefited from these posts on internal controls outside the US. I clearly believe that the price for noncompliance can easily be substantially greater than the cost to assess and implement good internal controls. But good FCPA internal controls are not some standalone protective measure. They can help to make a company run more efficiently as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the keys ways such companies do seem to have better than average profitability is that they have better internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

TNG Premiers and Internal Controls for Gifts in a Best Practices Compliance Program

This week, 27 years ago, Star Trek – The Next Generation (TNG) made its television debut. Rarely has there a follow up to a beloved original series (Star Trek – The Original Series (TOS)) that is equally treasured by fans. They say that your favorite Star Trek is the one you grew up with, so for me that is TOS and that will always be my most beloved Star Trek series, but for the younger generations TNG fills that bill. The series occurred some 70 years in the time after TOS so things were a bit different. One of the differences was on following the Prime Directive more rigorously. While Captain Kirk, who actually had a hand in drafting the Prime Directive, seemed to view it with situational ethics, Captain Picard was much more concerned about not violating it.

I thought about this evolution of the Prime Directive from TOS to TNG when considering what types of internal controls a compliance practitioner might consider in the area of gifts in a Foreign Corrupt Practices Act (FCPA) best practices compliance program. I have been continuing my exploration of internal controls with well-known expert Henry Mixon, Principal of Mixon-Consulting. Mixon believes that it would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the criteria as defined and interpreted in Company policies. Generally speaking, these are fairly narrow, including a definition of the dollar limit, which must not be exceeded in order for gifts to be permissible, coupled with some subjective criteria such as the legality of the gifts for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will?

The Department of Justice (DOJ), in several enforcement actions and the FCPA Guidance has emphasized the importance of risk assessment and effective controls and building a program tailored to those risks. Many companies effectively minimize the risk of inappropriate gifts through stringent pre-approval requirements because a sufficiently robust and enforced pre-approval policy can reduce the number of gifts simply because of the headache of getting the pre-approval. This has the added benefit of ensuring enforcement of internal controls, largely because of the reduced volume of gifts being included in expense reports. Mixon cautions that in considering the effectiveness of controls, you must always keep in mind the most frequently used method for defeating an internal control, which is driven by a dollar amount criteria, is splitting the item into multiple parts in order to appear to stay under the limit and to avoid the defined approval authority based on the amount of the gift.

Mixon believes that the key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. To help to answer this query, he posited that there are four issues to evaluate.

• Is the correct level of person approving the payment / reimbursement for the gift?
• Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
• Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
• If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

While many compliance practitioners believe that employee expense reports are a sufficient internal control regarding gifts, because there are other ways in which a gift can be presented, there need to be other controls. Mixon believes that once your company policy on gifts has been finalized, the internal controls over expense reports fall into three basic areas: (1) The expense report format, including what information it requires; (2) Controls over the submitting employee and the preparation of the expense report; and (3) Controls to ensure the approvers do their review process properly.

Mixon believes the format itself of an expense report can go a long way toward prevention of violations of company policy. First it is important to have preprinted representations and certifications within the form because these can lead to “stop and think” type of controls, meaning the person submitting the expense report has to at least consider the information being submitted. The form can be signed without reading the preprinted representations, but if the employee and reviewers have been trained on how to review the expense report, it can be difficult to say later that the submitting employee did not understand what they were signing.

Mixon suggested two forms of representation, the Preparer’s representations and the Approver’s representations. The Preparer’s representations include ensuring that all items representing a proper business purpose comply with the company’s code of conduct, comply with local law and custom, and comply with all applicable company policies regarding FCPA compliance. The Approver’s representations ensure that all supporting documentation has been examined and that all documentation complies with applicable company policies, including the submission of original receipts. Further, the approver should certify that they have complied with all company policies regarding the review and approval of the expense report.

Mixon noted that some companies have two basic forms of expense reports. One is for situations in which all items pertain to US locations and do not involve any expenses incurred outside the US or for benefit of persons outside the US. The second is for items involving locations or persons outside the US. The international reporting form might have more stringent requirements and should provide for more detailed disclosures. It could require reporting, in a separate section of the expense report, all items that involve government officials, so that these items are not “buried” elsewhere in the expense report. Just as an added measure, the expense report includes a column where other expenses are reported which requires the submitter to check “Government Official YN?” this type of format should require sufficient disclosure of information regarding each item involving government officials. The next step in such an enhanced protocol would require a senior officer from the business unit to approve any reimbursements that meet certain criteria, for example, certain geographical areas or countries. Finally, such an enhanced representation could also include separate sections for each item requiring a description of the business purpose of meals, entertainment, names and business affiliation of all attendees, description of gifts and their business purpose, etc. A typical expense report requires this information to be on the receipt. Mixon believes that moving beyond simply requiring receipts and requiring such detail to be incorporated directly onto the expense reimbursement forms highlights the presence or absence of proper documentation much more readily. Mixon ended by noting it was incumbent to ensure reviewers sign off that each such item has documentation that required pre-approvals were obtained, if necessary.

While following the Prime Directive does not always lead to the result that the crew of TNG Enterprise desired; it did have the greater effect of allowing cultures and peoples to develop without interference. Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation, however, by using some of the techniques that Mixon has suggested you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. Just as Star Trek’s Prime Directive had an ultimate purpose, if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23^rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, one of the major failings of the company, which led to the violations of the Foreign Corrupt Practices Act were those of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the recent Biomet matter.  The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important a lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further.  Without more facts, what Internal Audit did, and the possible alternative scenarios, is speculative.

However, the problem I see is this.  Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have had the desired result of an effective Compliance Program — the prevention of bribes, not the detection of bribes.

The SEC focuses on correct accounting and disclosure.  Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue and a management decision what to do after the magnitude has been determined, i.e. e., whether to self report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue – the bribes had not been prevented.

In the author’s, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com  

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.