Lunch with the FCPA Compliance & Ethics Blog – Phil Wedemeyer and the Audit Perspective in Compliance

One of my weekend reading pleasures is the Saturday section in the Financial Times (FT) entitled “Lunch with the FT”. Each week, this column highlights a weekly interview with leading cultural and business figures. In addition to an excellent interview with fascinating people, the column discusses the food served and lists the prices of all items purchased. The column is so smartly done that even the Men In Blazers talk about it in their weekly podcasts on all things soccer.

Since imitation is the most sincere form of flattery, today I will inaugurate a “Lunch with FCPA Compliance and Ethics Blog” series of posts. While it will not be a weekly feature, nor will I detail the costs for lunch, I will commit to you the cost will be in line with that of a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program business entertainment lunch. My inaugural guest is Phil Wedemeyer, who is a retired former partner of a Big Five accounting firm (when there was a Big 5); the former Director of the Office of Research and Analysis at the Public Company Oversight Accounting Board and currently sits on the Board of Directors of two corporations; one public, where Phil is the Chairman of the Audit Committee, and one private. As you might guess from someone with such a professional background, Phil tends to view things through the prism of an audit perspective.

This week Phil and I sat down for a couple of Houston’s finest cheeseburgers to catch up. Phil asked me what might be happening on the FCPA front and I told him that I thought the news about the National Security Agency (NSA) information collection programs was going to make the job of the compliance practitioner more difficult. Many of America’s allies are up in arms over not only the collection of information but the revelation that such collection of information can be used in monitoring FCPA compliance across the globe. I think this will mean that companies will face greater data privacy laws and have more difficulty not only getting information out of foreign countries and into the US for evaluation but even in collecting types of data and information.

Great Board Oversight Required?

Phil had another take on it, which I found equally interesting. He questioned whether this information about the US government could put an additional burden on not only the compliance practitioner but on a board of directors? When I asked him what he meant by this, he questioned if a company had reliable information that the US government was employing oversight techniques to search for evidence of bribery and corruption (or non-compliance with other laws or regulations) beyond more traditional law enforcement techniques (e.g., whistleblowers, self-disclosure and competitor reporting); should this cause that company to increase its oversight of compliance with the FCPA? In particular, more comprehensive government monitoring activity could increase the chances of discovery of the types of illegal activities at lower levels of the company that is one of the primary objectives of whistleblower procedures and that may not always be known to upper level management. Further, if so, would this change in risk put a director on notice that they need to perform additional oversight of the compliance function?

Transaction Analysis

Phil also inquired about any trends that I might have seen over the past six to 12 months on FCPA enforcement. I told him that one of the things I have seen is the introduction of transaction monitoring, beginning with the Morgan Stanley declination. I then discussed the Eli Lilly enforcement action and particularly the bribery scheme used in Poland where charitable contributions were made to a charity run by the head of a provincial health service. This led to sales spiking in that province rather dramatically. These cases, and some others, have led me to advocate that companies engage in transaction monitoring from the compliance perspective to identify any anomalies.

Phil’s observation here was once again based on his auditing background. He said that, in considering variations in operating results as a director, he asks two questions of management: What happened and how do you know? In answering these questions, it is clearly important that management understands the business cause of significant sales increases and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. Phil thought analysis of variations needs to occur at the level at which the sales increase was material. As an example, he conjectured that, in the Lilly scenario, such a sales spike would likely not be material to the company’s consolidated financial statements or, for that matter, to the European business unit. However, such a sales increase would most probably be material for the country of Poland and certainly for the province in which the sales increase occurred.

Once the material level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on business entertainment or other specific categories; were charitable donations made to any non-core business charities and other questions might help to get at the true underlying reason for a sales spike. Further, a company should review its findings in subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods. The answer to such a question might identify red flags indicating the need for further review.

One of the key things that I learned from my lunch is the need for the compliance practitioner to talk to other non-compliance professionals to get their perspectives on how they view issues. So, just as I had lunch with Phil Wedemeyer, you could take out the head of your internal audit group for a lunch and chat; or HR; or IT. The list of possibilities is lengthy. I hope that you have enjoyed my inaugural, Lunch with the FCPA Compliance and Ethics Blog as much as I have bringing it to you.

———————————————————————————————————————————————————————-

I will be discussing transaction monitoring on a free Webinar entitled, “A Winning Strategy for Automating FCPA Compliance” hosted by SAP, next Wednesday, June 19 at 2 PM EDT. For registration and information, click here.

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23^rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, one of the major failings of the company, which led to the violations of the Foreign Corrupt Practices Act were those of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the recent Biomet matter.  The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important a lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further.  Without more facts, what Internal Audit did, and the possible alternative scenarios, is speculative.

However, the problem I see is this.  Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have had the desired result of an effective Compliance Program — the prevention of bribes, not the detection of bribes.

The SEC focuses on correct accounting and disclosure.  Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue and a management decision what to do after the magnitude has been determined, i.e. e., whether to self report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue – the bribes had not been prevented.

In the author’s, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com  

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author.