Internal Controls | FCPA Compliance and Ethics Blog

July 29, 2015

What Would Dr. Seuss Say about an Allowance?

Filed under: Accounting Records violations,Administrative Proceedings,compliance programs,Department of Justice,FCPA,Internal Controls,Mead Johnson,SEC — tfoxlaw @ 12:01 am
Tags: accounting provisions, Books and Records, Department of Justice, FCPABlog, Foreign Corrupt Practices Act, Internal Controls

Earlier this month we had the release of a second book by Harper Lee, “Go Set a Watchman”, which was miraculously discovered having been written some 50+ years ago. This week, there was another release from a (now deceased) author from a newly discovered source. I of course refer to the release yesterday of the new Dr. Seuss book “What Pet Should I Get?”, published Random House, which informs today’s compliance lesson.

The book was discovered by Seuss’ widow, as noted in the Sunday New York Times (NYT) Book Review article, entitled “Dr. Seuss Book: Yes They Found it in a Box”, when she decided to “have the rest of his notes and sketches appraised, that they closely examined the contents of that box. They found a set of brightly colored alphabet flash cards, some rough sketches titled “The Horse Museum,” and a manila folder marked “Noble Failures,” with whimsical drawings that he had been unable to find a place for in his stories. But alongside the orphaned sketches was a more complete project labeled “The Pet Shop,” 16 black-and-white illustrations, with text that he had typed on paper and taped to the drawings. The pages were stained and yellowed, but the story was all there, in Dr. Seuss’ unmistakable rollicking rhymes.” This finding became the book, What Pet Should I Get?

Reading this discovery made me ponder about how a child would pay for the pet they wanted and of course my thoughts turned to that age-old parenting quandary – the allowance. It is always a question of great interest for both parents and children. As with many things involving parent/child relationships, my views have evolved. As a teenager, I certainly had the view that an allowance was a God-given right and the more the better. I would only note that my parents did not share those views. As the father of a teenaged daughter, my views reached the much fuller expression of spoiling my daughter as often as possible. Which one is correct? I still do not have a final answer.

I thought about the ongoing debate and dialogue over the allowance when I read the Foreign Corrupt Practices Act (FCPA) enforcement action brought by the Securities and Exchange Commission (SEC) against Mead Johnson Nutrition Company (Mead Johnson). The matter was resolved via SEC Administrative proceeding that concluded with a Cease and Desist Order being agreed to by the parties. Mead Johnson agreed to pay a fine of $12.3MM which consisted of profit disgorgement of $7.7MM, prejudgment interest of $1.26MM and a civil penalty of $3MM. Kara Brockmeyer, Chief of the SEC Enforcement Division’s FCPA Unit, said in a SEC Press Release, “Mead Johnson Nutrition’s lax internal control environment enabled its subsidiary to use off-the-books slush funds to pay doctors and other health care professionals in China to recommend its baby formula and give the company marketing access to mothers.”

The enforcement action turned on violations of the accounting provisions of the FCPA. This is where the ‘allowance’ issue comes into the discussion. According to the Cease and Desist Order, “certain employees of Mead Johnson China improperly compensated HCPs, who were foreign officials under the FCPA, to recommend Mead Johnson’s infant formula to, and to improperly provide contact information for, expectant and new mothers.” One of Mead Johnson’s sales channels in China was through distributors. To facilitate this illegal conduct, funding to the distributors, called the “Distributor Allowance”, was diverted to make illegal payments. The Cease and Desist Order stated, “Although the Distributor Allowance contractually belonged to the distributors, certain members of Mead Johnson China’s workforce exercised some control over how the money was spent, and certain Mead Johnson China employees provided specific guidance to distributors concerning the use of the funds. Mead Johnson China staff also maintained certain records related to Distributor Allowance expenditure by distributors. In addition, Mead Johnson China used some of the funds to reimburse Mead Johnson China’s sales personnel for a portion of their marketing and other expenditures on behalf of Mead Johnson China.”

This tactic was clearly a violation of the company’s books and records obligations under the FCPA. By doing so, Mead Johnson was able to hide its payments to doctors and health care providers (HCPs) from not only regulators but the company’s shareholders as well. As the Cease and Desist Order noted, the company’s “records were incomplete and did not reflect that a portion of Distributor Allowance was being used contrary to Mead Johnson’s policies.” Finally, the Cease and Desist Order concluded, “Up through 2013, certain Mead Johnson China employees made payments to HCPs using funds maintained by third parties. These funds and payments from the funds were not accurately reflected on Mead Johnson China’s books and records. The books and records of Mead Johnson China were consolidated into Mead Johnson’s books and records. As a result of the misconduct of Mead Johnson China, Mead Johnson failed to make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflected its transactions as required by Section 13(b)(2)(A) of the Exchange Act.”

However Mead Johnson did not stop with books and records violations. The Distributor Allowance manipulation allowed the China business unit to “improperly compensate HCPs was contrary to management’s authorization and Mead Johnson’s internal policies. Mead Johnson failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that Mead Johnson China’s funding of marketing and sales expenditures through third-party distributors was done in accordance with management’s authorization.” Once again the Cease and Desist Order concluded, “Up through 2013, Mead Johnson failed to devise and maintain an adequate system of internal accounting controls to ensure that Mead Johnson China’s method of funding marketing and sales expenditures through third-party distributors was not used for unauthorized purposes, such as improperly compensating Chinese HCPs to recommend Mead Johnson’s products. As a result of such failure, the improper payments to HCPs occurred contrary to management’s authorizations, in violation of Section 13(b)(2)(B) of the Exchange Act.”

In an interesting twist Mead Johnson, based on an allegation of potential FCPA violations in China, performed an internal investigation on its China unit in 2011 and came up with no evidence. Somewhat dryly the SEC noted that the company did not make any self-disclosure around these allegations and “did not thereafter promptly disclose the existence of this allegation in response to the Commission’s inquiry into this matter.”

Yet after a second internal investigation in 2013 they turned up evidence of FCPA violations, the company “undertook significant remedial measures including: termination of senior staff at Mead Johnson China; updating and enhancing financial accounting controls; significantly revising its compliance program; enhancing Mead Johnson’s compliance division, adding positions including a second senior-level position; establishing new business conduct controls and third party due-diligence procedures and contracts; establishing a unit in China that monitors compliance and controls in China on an on-going basis; and providing employees with a method to have immediate access the company’s policies and requirements.”

While there was no statement regarding self-disclosure, the company did cooperate extensively with the SEC after the company was called to task. The Cease and Desist Order noted, “Mead Johnson subsequently provided extensive and thorough cooperation. Mead Johnson voluntarily provided reports of its investigative findings; shared its analysis of documents and summaries of witness interviews; and responded to the Commission’s requests for documents and information and provided translations of key documents. These actions assisted the Commission staff in efficiently collecting valuable evidence, including information that may not have been otherwise available to the staff.”

There are several lessons to be learned from the Mead Johnson enforcement action. If it was not clear from the GlaxoSmithKline PLC (GSK) imbroglio in China in 2013-14, your internal investigation must be thorough. Performing an investigation, finding no FCPA violations only to have a regulator sitting on your shoulder and later finding such evidence is never good. The SEC also reaffirmed its clear intention to continue to enforce the accounting provisions of the FCPA, with or without a parallel Department of Justice (DOJ) enforcement action. Companies must also take heed on their internal controls. Clearly certain China business unit employees had developed a work-around of the compliance internal controls by requiring the distributors to use their allowances to pay bribes. Internal controls must not only exist but they must be effective. That means you have to test their effectiveness, not simply tick the box that you have put them in place.

Finally, and I think Dr. Seuss’ compliance lesson is that when you give out an allowance, while you may restrict some of its uses, you certainly should not direct where the money is spent. Every kid knows that if you are told where to spend your allowance, it is really not your allowance. Perhaps Mead Johnson would do well to remember that long lost lesson from childhood.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

May 21, 2015

Compliance Week 2015 Wrap Up

Filed under: Administrative Proceedings,Compliance Week,Department of Justice,FCPA,Leslie Caldwell,SEC,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance programs, Department of Justice, DOJ, ethical leadership, ethics, FCPA, Foreign Corrupt Practices Act, Internal Controls, SEC

Compliance Week 2015 has ended. This year was the tenth anniversary of the annual conference and in many ways I found it to be the best one yet. Matt Kelly and his team put together a conference and experience, which was absolutely first-rate. If you were not able to make this year’s event, I hope you will join us for Compliance Week 2016, which Matt announced the dates for at the conclusion of this year’s event. The dates for 2016 are May 23-26, back of course in Washington DC to be held yet again at the Mayflower Hotel. I wanted to give you some of my thoughts on the highlights of this year’s event and what made it so unique.

At my age, I am somewhat loathe to channel my teenage daughter but the first thing that I noticed was a very different vibe this year over past year’s conferences. From the Cocktail Party reception held on Sunday night, all the way through the conclusion of the event, there seemed to be an air that I have not quite been able to put my finger on. It was more than an acknowledgement and perhaps even an excitement about how far the compliance profession has come in the past ten years. While I have written about the Chief Compliance Officer (CCO) and compliance profession as CCO 2.0, I had the feeling that we may be moving on to CCO 3.0, as that was even the title of a session.

But this vibe was more tangible than simply a feeling. One key ingredient for me was the use of social media into the conference experience. While many events have a conference app, which can provide you information on such things as the agenda, speakers and their presentations, room locations and the like; the Compliance Week 2015 app was fully interactive, allowing you to live tweet, send IM to fellow conference attendees and receive text messages when a room changed or other conference alteration occurred. It also provided a virtual help desk for all attendees.

Many of sessions were led by CCOs from major corporations and they were able to provide a strategic vision of where they were going at their organizations. This was kicked off from the start of the conference, from the first panel on the first day where the CCOs from Boeing, GE and the Director of Compliance for Wal-Mart began the event. Obviously these are three of the largest companies in the US and do business on a worldwide basis. Yet, while sharing their strategic visions, each one was able to provide a solid example from their respective organization that a CCO or compliance practitioner from any sized company could implement. From Wal-Mart with a workforce of 2.2 million employees, it was keep the message simple. From Boeing, it was incorporate any compliance failures as teaching moments or lessons learned into your internal compliance training going forward. From GE, it was how to inculcate and incorporate compliance into your everyday business planning.

The conversations were excellent as usual. I led the FCPA conversation and there were several alumni present, who told me they look forward to attending each year. One of the reasons is that there is no avenue in their hometowns to get together in an environment to discuss issues of mutual concern. It is concept that Mike Snyder and I used in founding the Houston Compliance Roundtable. A place where you can ask any question and have it answered by another compliance professional in an environment where Chatham House rules apply. While I certainly started the discussion, it quickly became fully interactive with all participants sharing their views on a variety of topics. While we have some great compliance talent in Houston at our Roundtable, it cannot top the level of maturity and sophistication present at the Compliance Week annual conference. We all benefited from the experience.

This experience was doubled when I led a breakfast event on Tuesday. While an inducement to attend was a complimentary copy of my book Doing Compliance, there were 25 attendees who joined me for a very engaging and free-flowing conversation about the state of compliance, we practitioners and where enforcement may be heading. Compliance Week treated us all to breakfast and, once again, I probably learned as much as any one. But since Chatham House rules were in effect, I cannot report on any of the substantive things that were discussed. I will share with you that I am excited to lead such a breakfast again next year and I hope you will be one of the 25 to sign up.

As always there were a number of government representatives who spoke at Compliance Week again this year. For me, the parade was led by Department of Justice (DOJ) Assistant Attorney General Leslie Caldwell. While I will be writing further, and in more detail, about Caldwell’s remarks, she said a few things that I think bear emphasis. One was that compliance professionals need to work towards more data analytics in the form of transaction monitoring to assist in moving to a prevent and even predictive and prescriptive mode for your best practice compliance program. Next she emphasized that your compliance program must not be static but must evolve as your business risks evolve. Finally, and much closer to my heart, were her remarks that you need to “sensitize your business partners to compliance.” It was if she was channeling her inner Scott Killingsworth with his groundbreaking work on ‘Private-to-Private’ or P2P compliance solutions. Or, as I might say, she was advocating a business solution to the legal problem of bribery and corruption across the globe.

But Caldwell was not the only DOJ representative as we had Laurie Perkins, Assistant Chief, Foreign Corrupt Practices Act (FCPA) Unit and Kara Brockmeyer, Chief, FCPA Unit; Division of Enforcement from Securities and Exchange Commission (SEC), on a panel moderated by yours truly. First I would urge that if you are ever asked to moderate a panel with FCPA enforcers and regulators, jump at the chance. The reason is that you get to ask the questions you want answers to; even if you get past your prepared questions, when there is a lull in questions from the audience, you can follow up with something you want to know or in my case always wanted to know. So I asked some basic questions like: What is Criminal Information? (to Perkins) and Could you explain the process for the SEC’s Administrative Procedure? (to Brockmeyer). I was certainly enlightened by their answers to both questions.

The event sponsors were of course there to provide information on their solutions to assist any compliance practitioner. If you have never been to an event at the Mayflower Hotel in Washington, the conference rooms are along a wide hall that allows good people flow and adequate room for the sponsors and others to set up, meet attendees and discuss their products and services. I view the sponsors and vendors as a part of the compliance solution going forward and while they are clearly there to sell; they also engage in a fair amount of education. But the education runs both ways with many compliance practitioners communicating needs they have which can be incorporated into new product developments.

Unfortunately Compliance Week 2015 had to come to an end. But the feeling, information and new friends I met will last with me until Compliance Week 2016 next year. I hope you will plan to join me.

© Thomas R. Fox, 2015

Leave a Comment

April 15, 2015

Five Step Process for Transaction and Continuous Controls Monitoring

Filed under: Best Practices,Big Data,Compliance,Compliance and Ethics,compliance programs,Data Analytics,FCPA,Joe Oringel,Transaction Monitoring,Visual Risk IQ — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, FCPA, Internal Controls

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system.

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

Business courtesies to foreign officials;
Payments to brokers or consultants;
Payments to service intermediaries;
Payments to vendors in high risk markets;
Round dollar disbursements;
Political contributions or charitable donations; and
Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

© Thomas R. Fox, 2015

Leave a Comment

April 7, 2015

Rolling Stone’s Rape Story Retraction: Lessons for the Compliance Practitioner

Filed under: Ethical Leadership,FCPA,Process Validation — tfoxlaw @ 12:01 am
Tags: FCPA, Internal Controls, Rolling Stone

There are only a very few magazine articles that have radically affected me when I read them. Nick Hornby’s account of a group of soccer hooligans, where he chronicled when they traveled to and briefly took over the Italian city of Turin in 1982; Jack McCallum who profiled Jerry Sandusky after he retired from Penn State University and began his fulltime work at the Second Mile organization in 1999; and Sabrina Rubin Erdely’s piece in Rolling Stone last fall about an alleged gang rape and its aftermath on the University of Virginia (UVA) campus. But as much as the first two articles moved me, it was Erdely’s article that sickened me. As a father of a teenaged daughter about to head off to college, I certainly did not want her in any such place.

This weekend, Rolling Stone magazine retracted its story about the rape at UVA and released a full copy of the internal investigation of the story by the Columbia School of Journalism Dean Steve Coll that detailed Rolling Stone magazines reporting missteps and its failures to engage in the most basic of journalistic techniques before it published the story. The New York Times (NYT) had two articles on the story. An article by Jonathan Mahler, entitled “In Report on Rolling Stone, a Case Study in Failed Journalism”, cited that journalism scandals fall into three broad categories. The first is “is pure fabrication, for which high-profile culprits include Jayson Blair (The New York Times), Stephen Glass (The New Republic) and, going back a little further, Janet Cooke (The Washington Post).” Next “is the act of plagiarism (culprits too numerous to list).” But the UVA piece fell into a third category, “lack of skepticism.”

In the second NYT article, entitled “Rolling Stone Article on Rape Failed All Basics, Report says”, reporter Ravi Somaiya wrote, “The Columbia report catalogued a series of errors at Rolling Stone, finding that the magazine could have avoided trouble with the article if certain basic ‘reporting pathways’ had been followed.” What was the central flaw in the way Rolling Stone handled the story? First, and foremost, it did not interview any of the three persons the victim named that she told about the rape. Rolling Stone printed the victim’s tale without bothering to check with them. While it is not clear, apparently Rolling Stone did not even try to substantiate the underlying charge of rape by the victim in any manner other than interviewing her seven times.

Mahler noted, “On the most basic level, the writer of the Rolling Stone article, Sabrina Rubin Erdely, was seduced by an untrustworthy source. More specifically, as the report details, she was swept up by the preconceptions that she brought to the article. As much casting director as journalist, she was looking for a single character with an emblematic story that would speak to — in her words — the “pervasive culture of sexual harassment/rape culture” on college campuses.”

Coll in an interview on NPR said that there was a failure at Rolling Stone magazine up and down the line. There was a failure by the reporter’s editor and the Managing Editor for not insisting on the basic questioning of the holes in Erdley’s stories and failures to follow basic reporting protocols. Also the Fact Checking group at the magazine did not insist strongly enough that its concerns be addressed or those concerns were rejected by the magazine’s management.

What I see is a failure of process. This failure led to repercussions immediately for the fraternity involved, which was falsely accused of having its members gang raping a co-ed and to the tarnishing of UVA. But the long-term repercussions for Rolling Stone magazine and the reporter involved, and even the reporting and conversation around sexual assaults on college campuses. In his article Mahler cited Nicholas Lemann, professor at Columbia and the journalism school’s former dean, who “distributes a document called “The Journalistic Method” in his classes”. This process is similar to “investigating a scientific phenomenon. “It’s all about very rigorous hypothesis testing: What is my hypothesis and how would I disprove it? That’s what the journalist didn’t do in this case.””

For the compliance practitioner there are several clear lessons to be drawn from this horrific scandal. Most people have somewhere heard the journalistic technique of a second source to confirm information. It was enshrined in a scene from the movie version of All The President’s Men. In any process there must be validation of said process. You can easily remember this as ‘a second set of eyes’ on any process, compliance or other. It acts like a second source in that it validates the original information.

In the more formal world of internal controls, it is called ‘segregation of duties’. This technique acts to require a double check of any action by requiring a second set of eyes to take a look at an issue. In business the separation by sharing of information with more than one individual in one single task is an internal control intended to prevent fraud and errors. In the IT world this is called redundancy. It is generally recognized there are several techniques that can help to enforce the segregation of duties. They include:

Audit trails recreate the actual transaction flow from the point of origination to its existence on an updated file.
Reconciliation of accounts and an independent verification process is ultimately the responsibility of users, which can be used to increase the level of confidence that an application ran successfully.
Exceptions are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in timely fashion.
Continuous controls monitoring should be maintained, which record all processed system commands or application transactions.
Supervisory review should be performed through observation and inquiry.
Independent reviews, which follow a prescribed procedure to detect errors and irregularities.

In addition to these segregation of duty lessons for the compliance practitioner, the Rolling Stone scandal provides one additional clear, concrete lesson. As Paul McNulty would say in No. 3 of his McNulty’s Maxims What did you do about it? Unfortunately for Rolling Stone the answer to that query appears to be not much. Not only were none of those directly involved in the article even so much as disciplined, Rolling Stone sees no need to change anything in its reporting or editorial process based on the lessons laid out in the Coll Report.

In an article in the online publication Slate, entitled “Despite Damning Report, Rolling Stone Will Continue “To Do What We’ve Always Done.” Are They Serious?”, reporter Hanna Rosin wrote, “Rolling Stone’s editors are “unanimous in the belief that the story’s failure does not require them to change their editorial systems.” Are they serious? Did they read the report?” She also reported that Rolling Stone, “ended by saying they don’t need new ways of doing things; they “just have to do what we’ve always done and just make sure we don’t make this mistake again.” And Coco McPherson, head of fact-checking, said, “I one hundred percent do not think that the policies that we have in place failed. I think decisions were made around those because of the subject matter.””

All I can hope is that companies subject to the Foreign Corrupt Practices Act (FCPA) do a better job of learning from the Rolling Stone fiasco than Rolling Stone appears to have done.

© Thomas R. Fox, 2015

Leave a Comment

March 16, 2015

Miss Marple Short Stories and SEC Enforcement of the FCPA, Part I

Filed under: Accounting Records violations,Books and Records,FCPA,FCPA Guidance,Internal Controls,SEC — tfoxlaw @ 12:01 am
Tags: Accounting provisions to FCPA, Books and Records, FCPA, Internal Controls, SEC

I am a huge Agatha Christie fan. I have read most of the Poriot novels and many of the Jane Marple novels as well. However, I was not aware of Christie’s work in the short story format until I recently read a volume entitled Miss Marple Short Stories. This volume included 13 short stories first published in 1932. In many ways reading them was like revisiting an old friend, who had new stories to tell me that I had not previously heard. So in honor of my love of Agatha Christie and her short stories, I will theme my blog posts this week around one of her original short stories, published as The Thirteen Problems.

The first story was called The Tuesday Night Club and introduced Miss Marple and her cast of characters around these stories. Each was asked to relate some mystery and the others would try and solve the mystery. As with most of Christie’s writing, there were the stories and the characters who were, in many ways, stories themselves so there was a double layer of intersection. In this story a wife died of poisoning and her husband was the prime suspect. However Miss Marple deduced that the couple’s longtime housekeeper who has gotten “into trouble” through a liaison with the husband had poisoned the wife in hope’s of marrying the now widow. The group around Miss Marple was astounded when her deduction was confirmed by the storyteller when he related the housekeeper’s own deathbed confession.

Just as many readers may not have focused on Agatha Christie’s work in the short story format, many Foreign Corrupt Practices Act (FCPA) practitioners tend to focus on Department of Justice (DOJ) FCPA enforcement actions. However, just as Christie aficionados who did not focus on her short stories, many FPCA compliance practitioners do not tend to focus on FCPA enforcement by the Securities and Exchange Commission (SEC). To help address this, over the next week I will discuss issues relating to SEC enforcements.

Today, I begin with reviewing some jurisdictional issues unique to the SEC; commonly referred to as the FCPA accounting provisions, they consist of the books and records provisions which, as set out in the FCPA Guidance, requires that “issuers must make and keep books, records, and accounts that, in reasonable detail, accurately and fairly reflect an issuer’s transactions and dispositions of an issuer’s assets and internal controls requirements.” Under the internal controls provisions, “issuers must devise and maintain a system of internal accounting controls sufficient to assure management’s control, authority, and responsibility over the firm’s assets.”

Perhaps the most interesting thing about the ‘accounting provisions’ under the FCPA as stated in the FCPA Guidance, is as follows: , “Although the accounting provisions were originally enacted as part of the FCPA, they do not apply only to bribery-related violations. Rather, the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. [emphasis supplied] This means there can be strict liability for stand alone violations of these provisions, with no ties back to the corrupt intent or elements of a FCPA violation are present.

Who is covered under SEC enforcement of the FCPA?

The SEC prosecutes ‘issuers’ who are defined as a company “that has a class of securities registered pursuant to Section 12 of the Exchange Act or that is required to file annual or other period reports pursuant to Section 15(d) of the Exchange Act.” The SEC also enforces the FCPA against companies “whose securities trade on a national securities exchange in the United States, including foreign issuers with exchange traded American Depository Receipts” and trade in over-the counter markets. While the SEC does not bring enforcement actions against private companies, private companies are also subject to the FCPA, just as public companies for bribing a foreign government official, in violation of the FCPA.

Accounting Provisions

Consistent with the concern that bribe payments are often disguised as other types of payments in a company’s books and records, “requires issuers to “make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer.”” The “in reasonable detail” qualification was adopted by Congress “in light of the concern that such a standard, if unqualified, might connote a degree of exactitude and precision which is unrealistic.” The addition of this phrase was intended to make clear “that the issuer’s records should reflect transactions in conformity with accepted methods of recording economic events and effectively prevent off-the-books slush funds and payments of bribes.”

The Guidance goes on to give several examples of SEC enforcement actions of the books and record provisions where bribes were mischaracterized in a company’s books and records. Such examples include bribes paid out in the guise of commissions, royalties or consulting fees. Another prominent example includes reimbursement for sales and marketing or miscellaneous expenses where no such activity occurred. A favorite has been mischaracterized travel and entertainment expenses. Finally, a large group of often over-looked expenses include free goods for demonstration products, intercompany accounts, vendor payments and customer write-offs.

A key distinction of FCPA enforcement by the SEC from other types of accounting fraud is that there is no materiality requirement under the FCPA. Typically, internal audit, external audit or even forensic accounting, only review material transactions. Obviously for a large multi-national company subject to the FCPA, materiality could be millions of dollars or multiplies thereof. However we have seen FCPA enforcement actions with corrupt payments made in the low thousands of dollars.

Internal Controls Provisions

The FCPA says that internal controls requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

As further explained in the FCPA Guidance, “the Act defines “reasonable assurances” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” Neither the FCPA nor the FCPA Guidance specifies a particular set of controls that companies are required to implement. However the FCPA Guidance does note, “the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.”

Moreover, the FCPA Guidance recognizes that “An effective compliance program is a critical component of an issuer’s internal controls.” To do so, a company needs to access its risk and then design and implement a system of internal controls to “account the operational realities and risks attendant to the company’s business.” The FCPA Guidance suggests some of these areas should include “the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption”. But the over-riding key is to assess your company’s FCPA compliance risks and set up a set of internal controls to help manage those risks effectively.

Other SEC Enforcement Areas Relating to FCPA Compliance

In addition to the accounting provisions there are other laws and regulations that the SEC enforces and ties into FCPA enforcement. As noted in the FCPA Guidance, “Issuers have reporting obligations under Section 13(a) of the Exchange Act, which requires issuers to file an annual report that contains comprehensive information about the issuer. Failure to properly disclose material information about the issuer’s business, including material revenue, expenses, profits, assets, or liabilities related to bribery of foreign government officials, may give rise to anti-fraud and reporting violations under Sections 10(b) and 13(a) of the Exchange Act.”

There are also several sections under the Sarbanes-Oxley Act (SOX) that have FCPA implications. These include SOX §302 that requires the principle officers of a company “take responsibility for and certify the integrity of these company’s financial reports on a quarterly basis.” Under SOX §404 companies must present annually their conclusion “regarding the effectiveness of the company’s internal controls over accounting.” Finally, SOX §802 prohibits “altering, destroying, mutilating, concealing or falsifying records, documents or tangible objects” with the intent to obstruct or influence a federal investigation, such as the FCPA.

The remainder of this week I will tie another Miss Marple short story to another SEC FCPA enforcement issue. I hope that you will tune in for the next installment.

© Thomas R. Fox, 2015

Leave a Comment

March 5, 2015

Is Strict Liability Coming to FCPA Enforcement?

Filed under: 2013 Framework,COSO,FCPA,Internal Controls,Sarbanes-Oxley,SEC — tfoxlaw @ 12:01 am
Tags: COSO, Internal Controls, SEC, SOX, strict liability

I think that a strict liability standard is coming to Foreign Corrupt Practices Act (FCPA) enforcement. A number of factors have caused me to come to this conclusion. While there may well be wide disagreement as to whether such a standard is warranted under the FCPA, I think it is coming and it is something every Chief Compliance Officer (CCO) and compliance practitioner needs to be ready to address if and when the day comes that your company is under the shadow of a FCPA investigation.

I do not think this strict liability standard is coming for criminal enforcement of the FCPA by the Department of Justice (DOJ) because there is still a requirement of intent under the Act. Intent can be inferred by conscious indifference but I still do not think that day of reckoning is near for DOJ enforcement. However I do think that a confluence of events, FCPA enforcement actions by the Securities and Exchange Commission (SEC) and statements by the SEC representatives, all point towards a new enforcement angle to the FCPA. I think that the SEC is moving towards a strict liability standard for internal controls under the FCPA. That means if your compliance internal control regime is investigated, you will have to demonstrate that it meets some minimum standard that satisfies the SEC. If not, there will be a SEC administrative complaint filed against your company, alleging failure to maintain appropriate internal controls as required by the FCPA and your company will bear the burden of proof to demonstrate that you have designed and implemented an effective system of compliance internal controls.

The FCPA says that internal controls requires issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.

As further explained in the FCPA Guidance, “the Act defines “reasonable assurances” as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs.” The Act does not specify a particular set of controls that companies are required to implement. Rather, the internal controls provision gives companies the flexibility to develop and maintain a system of controls that is appropriate to their particular needs and circumstances.””

My evolution of thinking on this issue began last fall with the Smith & Wesson (S&W) FCPA enforcement action. There was nothing in the reported settlement documents that tied the failure of S&W internal controls to the payment (or offer to pay) of a bribe or the obtaining of any benefit. The claims made against S&W were basically along the lines of this language laid out in the Order Instituting Cease-and-Desist Proceedings, “Despite making it a high priority to grow sales in new and high risk markets overseas, the company failed to design and implement a system of internal controls or an appropriate FCPA compliance program reasonably designed to address the increased risks of its new business model.” It should be noted that S&W did not ‘admit or deny’ any of the allegations made against it, the company simply consented to the entry of the Order.

In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.”

All of this was laid out in the face of no evidence of the payment of bribes by S&W to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that ““This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.””

The second factor that informs my thinking on this issue is the updated COSO 2013 Framework that became effective in December 2014. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which include the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, compliance is the responsibility for the implementation of effective internal controls resides with everyone in the organization.”

For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

The updated Framework also gives a precise model for the SEC to use to inquire from companies about their compliance internal controls. How many companies could not only present evidence of implementation of compliance internal controls along the lines of the updated Framework but also evidence of their effectiveness? Unfortunately the answer is not many.

There is one other factor that informs my evolution of thinking regarding a strict liability standard under the FCPA. Under Sarbanes-Oxley (SOX), Section 404, public companies are required to report on the adequacy of the company’s internal control on financial reporting. The report must affirm the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. The report must also contain an assessment, as of the end of the most recent fiscal year of the Company, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. External auditors must also assess and make such a report. To do so, most companies, and their external auditors were using the prior COSO Framework.

Now imagine a situation where your external auditors have made their report and your company has made such report public, under its SOX 404 reporting obligation. What if the SEC took that report, reviewed it and made an initial assessment that your compliance internal controls around bribery and corruption were not sufficient, as required under the FCPA? What if the SEC sent you a letter asking for evidence of development and implementation of compliance internal controls, also asking for your audited evidence of effectiveness? What if you respond in due course and you receive another letter from SEC, which opines that your compliance internal controls are insufficient under the FCPA giving your proposed fine. You protest that there is no evidence of bribery or corruption regarding this insufficiency of your compliance internal controls. What if your company is then invited to contest this issue through the SEC Administrative process?

Does that sound far-fetched? Maybe it is but, from where I sit, that is the direction I see the issue of internal controls going in FCPA enforcement. I think a strict liability regime is coming under SEC enforcement of the FCPA. As a CCO or compliance practitioner in a public company, you need to be ready to defend your compliance internal controls.

© Thomas R. Fox, 2015

Leave a Comment

March 4, 2015

Minnie Minoso Broke Barriers; Goodyear Pushes Compliance Forward

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,Internal Controls,SEC — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, Internal Controls, SEC

Yesterday we celebrated the hard-nosed playing style of Anthony Mason, who recently passed away. Today we honor a true pioneer in professional baseball, Minnie Minoso, or Mr. White Sox. Minoso was the first black Cuban to play in Major League Baseball (MLB) when he debuted for the Cleveland Indians in 1949. In 1951, he was traded to the Chicago White Sox and he became a southside fixture for the rest of the decade. While his numbers were less than 2000 hits and 200 home runs, he was a fearless and speedy base runner and a nine-time All Star. Similarly to Mr. Cub, Ernie Banks, the Chicago White Sox erected a statue in tribute to Mr. White Sox outside their ballpark. Even President Obama was moved to release a statement about Minoso saying in part, “Minnie may have been passed over by the Baseball Hall of Fame during his lifetime, but for me and for generations of black and Latino young people, Minnie’s quintessentially American story embodies far more than a plaque ever could.”

The contribution of Minoso in the exorable march of MLB towards integration informed part of my reading of the recent Goodyear Tire & Rubber Company (Goodyear) Foreign Corrupt Practices Act (FCPA) enforcement strategy of the Securities and Exchange Commission (SEC). This enforcement action was a solo effort by the SEC; there was no corresponding Department of Justice (DOJ) criminal enforcement action. So following this past fall’s triumvirate of SEC enforcement actions involving Smith & Wesson, Layne Christenen and Bio-Rad, the SEC continues to bring enforcement actions based upon the books and records and internal controls civil requirements of the FCPA. Therefore the Goodyear enforcement action is one which provides many lessons to be learned by the Chief Compliance Officer (CCO) or compliance practitioner going forward and should be studied quite carefully by anyone in the compliance field.

The Bribery Schemes

As set out in the SEC Cease and Desist Order (the Order), Goodyear used several different bribery schemes in different countries, all violating the FCPA. In Kenya, Goodyear became a minority owner in a locally owned business which apparently paid bribes the old-fashioned way, in cash to the tune of over $1.5MM, yet falsely recorded the cash bribe payments as “promotional expenses.” In Angola, a wholly-owned subsidiary of the company paid approximately $1.6MM in bribes by falsely marking up invoices with “phony freight and customs clearing costs.” The subsidiary made the payments in cash and through wire transfers to various government officials. Finally, the subsidiary apparently cross-referenced the bribes it paid as follows, “As bribes were paid, the amounts were debited from the balance sheet account, and falsely recorded as payments to vendors for freight and clearing costs.” In other words a complete, total and utter failure of internal controls to forestall any of the foregoing.

Internal Controls Violations

The Order set out the section of the FCPA that the company violated. Regarding the internal controls, the Order stated, “Under Section 13(b)(2)(B) of the Exchange Act issuers are required to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

The Comeback

Equally important for the CCO or compliance practitioner are the specific steps that Goodyear took to remediate the situation it found itself in through these illegal payments. When the company received the initial reports about “the bribes, Goodyear promptly halted the improper payments and reported the matter to Commission staff.” Moreover, the company also cooperated extensively with the SEC. As noted in the Order, “Goodyear also provided significant cooperation with the Commission’s investigation. This included voluntarily producing documents and reports and other information from the company’s internal investigation, and promptly responding to Commission staff’s requests for information and documents. These efforts assisted the Commission in efficiently collecting evidence including information that may not have been otherwise available to the staff.”

In the area of internal remediation, regarding the entity in Kenya, where Goodyear was a minority owner in a local business, the company got rid of its from its corrupt partners by divesting its interest and ceasing all business dealings with the company. Goodyear is also divesting itself of its Angolan subsidiary. The Order also noted that Goodyear had lost its largest customer in Angola when it halted its illegal payment scheme. The company also took decisive disciplinary action against company employees “including executives of its Europe, Middle East and Africa region who had oversight responsibility, for failing to ensure adequate FCPA compliance training and controls were in place at the company’s subsidiaries in sub-Saharan Africa.”

Finally, in a long paragraph, the SEC detailed some of the more specific steps Goodyear took in the area of remediation. These steps included:

Improvements to the company’s compliance function not only in sub-Saharan Africa but also world-wide;
In Africa, both online and in person training was beefed up for “subsidiary management, sales and finance personnel”;
Regular audits were instituted by the company’s internal audit function, which “specifically focused on corruption risks”;
Quarterly self-assessment questionnaires were required of each subsidiary regarding business with government-affiliated customers;
For each subsidiary, there were management certifications required on a quarterly basis that required, “among other things controls over financial reporting; and annual testing of internal controls”;
Goodyear put in a “new regional management structure, and added new compliance, accounting, and audit positions”;
The company made technological improvements to allow the company to “electronically link subsidiaries in sub-Saharan Africa to its global network”;

However these changes were not limited to improvement of Goodyear’s compliance function in Africa only. At the corporate headquarters, Goodyear created the new position of “Vice President of Compliance and Ethics, which further elevated the compliance function within the company”. There was expanded online and in-person training at the corporate headquarters and other company subsidiaries. Finally, the company instituted a new “Integrity Hotline Web Portal, which enhanced users’ ability to file anonymous online reports to its hotline system. With that system, Goodyear is also implementing a new case management system for legal, compliance and internal audit to document and track complaints, investigations and remediation.”

The specific listing of the compliance initiatives or enhancements that Goodyear pushed after its illegal conduct came to light is certainly a welcomed addition to SEC advice about what it might consider some of the best practices a company may engage in around its compliance function. Moreover, this specific information can provide audit and information to the compliance practitioner of strategies that he or she might use to measure a company’s compliance program going forward. The continued message of cooperation and remediation as a way to lessen your overall fine and penalty continues to resonate from the SEC. Finally, just as Minoso helped move forward the integration of baseball and civil rights in general, the Goodyear FCPA enforcement action demonstrates that the SEC will continue to prosecute cases around the failure of or lack of internal controls. The clear import is that a company must have an appropriate compliance internal control regime in place. We are moving towards a strict liability standard under the FCPA around internal controls, which I will have much more to say about later but for now – you have been warned.

Leave a Comment

February 23, 2015

Assessing Internal Controls, Part III

Filed under: 2013 Framework,Best Practices,Compliance,Compliance and Ethics,compliance programs,COSO,FCPA,Internal Controls — tfoxlaw @ 12:01 am
Tags: Assessing Internal controls, COSO, Internal Controls

In this blog post I conclude my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls”, (herein ‘the Illustrative Guide’) as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Activities and Information and Communication.

One of the things the Illustrated Guide makes clear is the inter-related nature of internal controls. Simply because there may be a deficiency in one specific Principle or even if controls are not present around such a Principle, a company can consider its overall internal controls to effect the principles. For the compliance practitioner I think this is significant because you may have one Principle present and function in the context of another Principle. An example from the Illustrated Guide is the situation where Principle 8, Assessing Fraud Risk is not present yet if other Principles such as Principle 3 Establishing Structure, Authority and Responsibility and Principle 5, Enforcing Accountability adequately address the issue from a control perspective then a deficiency is handled. At the end of the day, unless a major deficiency is noted, it is up to senior management to assess the “severity of an internal control deficiency or combination of deficiencies, in determining whether components and relevant principles are present and functioning, and the components are operating together, and ultimately in determining the effectiveness of the entity’s system of internal control.” So this would also be true from the compliance internal control perspective.

I. Control Activity

Under the objective of Control Activity there are three principles which you will need to assess. The three principles are:

Principle 10 states that “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.” Your entity must demonstrate that it integrates its compliance function around its risk assessment. You must demonstrate more than simply an ‘out of the box’ compliance solution but that your company has considered specific factors to it, including its relevant business processes, an evaluation of a mix of control activity types and consideration of at what level such compliance controls are applied. Finally there must be evidence that your company has addressed segregation of duties from the compliance perspective.

Principle 11 states that “The organization selects and develops general control activities over technology to support the achievement of the objectives.” Here a company must determine the dependency between the use of technology in business process and technology general controls. Then there must be evidence that it has established relevant technology acquisition, development, and maintenance process control activities over this technology. There must be evidence of the establishment of relevant technology infrastructure control activities and relevant security management process control activities.

Principle 12 states that “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.” This Principle management to put sufficient compliance policies and procedures in place to support the company’s anti-corruption compliance mandates and requires training of employees on these compliance policies and procedures with testing to determine the adequacy of such compliance training. It also requires evidence that sufficient incentives have been put in place for employees to follow the compliance regime with timely discipline administered for those employees who failed to do so. Finally it requires evidence of period re-assessments of the policies and procedures.

II. Information and Communication

This objective has three Principles that require assessment. They are (numbers follow the COSO Framework):

Principle 13 states that “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.” This means that from the compliance perspective you must identify information requirements for your compliance program and then capture that data via internal and external sources. If you cannot do so you must explain why you cannot do so. You must process the information and use it in your compliance function going forward and document that use.

Principle 14 states that “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.” Under this Principle you must be able to demonstrate that your company communicates compliance internal control information with not only senior management but also appropriate employees and your board of directors. It re-emphasizes the need for separate lines of communications and there is documented consideration to show the reason for selection of the relevant method of communication.

Principle 15 states that “The organization communicates with external parties regarding matters affecting the functioning of internal control.” This Principle relates to your communications to third parties so you will need to demonstrate internal controls around your compliance communications with parties external to your company. You will also be required to show compliance internal controls inbound to your organization from third parties.

III. Monitoring Activities

The Monitoring Activities objective consists of two principles that require assessment. They are (numbers follow the COSO Framework):

Principle 16 states that an “organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.” This requires you to have employees knowledgeable in your business processes who can review it on an ongoing basis. You must show that there is a compliance internal controls which, in an objective manner evaluates rates of compliance changes, with an understanding of the baseline and projected business changes. All of this must be integrated with business processes with appropriate adjustments in scope and frequency.

Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” Under this Principle you must be able to demonstrate that from the compliance perspective your results were assessed, any deficiencies were communicated to the appropriate parties and finally there was corrective action which was appropriately monitored.

I regularly say that the three most important about FCPA compliance is Document Document Document. I believe the COSO 2013 Framework puts that point into practice, particularly with the auditing requirement. As Ron Kral noted in his article, “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered” you must “Verify the adequacy of your documentation and alignment of controls to the 17 principles with the external auditors at key junctions and decision points. Also, consider involving your internal audit function in answering this question. Not only do you want assurance that your documentation of control design is adequately aligned, but also that the controls are operating effectively.”

The auditing process should also work to determine not only if your compliance internal controls are are properly designed, operating effectively but also that the five components are operating together. Kral believes that “This is the essence of any sound internal control evaluation. It’s not merely a matter of satisfying documentation and compliance requirements, but rather a matter of protecting the interests of shareholders.” To which I agree. By going through the auditing exercise, you will have created a framework to operate, assess and update your compliance internal controls to meet the ever-evolving nature of FCPA and other anti-corruption compliance programs.

Leave a Comment

February 20, 2015

Assessing Internal Compliance Controls – Part II

Filed under: 2013 Framework,Best Practices,Compliance and Ethics,COSO,Department of Justice,FCPA,FCPA Guidance,Internal Controls,SEC,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: compliance, compliance programs, COSO, DOJ, FCPA, Internal Controls, SEC

In this blog post I continue my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Environment and Risk Assessments.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

I. Control Environment

Under the objective of Control Environment there are five principles which you will need to assess. The five principles are:

The organization demonstrates a commitment to integrity and ethical values. Here you can look to see if there is a training program to help make employees cognizant of the importance of doing business ethically and in compliance with the standard’s of your company’s Code of Conduct. Also is there specific training on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other relevant anti-corruption/anti-bribery legislation which may govern your organization? Next does your company have in place any process to evaluate “individuals against published integrity and ethics policy”? Finally, do you have in place any process to “identify and address deviations in the organization”?
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Under this Principle you must DOCUMENT the active involvement of your company’s Board of Directors. So not only must risk assessments be performed and evaluated by senior management, they must also be evaluated by the Board, separate and apart from senior management. A Board must also document its review of any remediation plans and monitoring activities.
Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibility in pursuit of the objectives. This Principle deals primarily with reporting lines and structures so you will need to consider not only the structure of your business but also whether or not both clear and sufficient reporting lines have been established throughout the company. The next analysis is to move down the chain to see if there definitions and assignments for your compliance function. Lastly you need to assess whether there are sufficient parameters around the responsibilities of the compliance function and if there are limitations which should be addressed.
The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives. Under this Principle you will need to review the policies and procedures to make sure you have the minimum required under a best practices compliance program and then evaluate and address any shortcomings. This Principle also has a more personnel focus by requiring you to consider whether your organization attracts, develops and retains sufficient compliance personnel and is there an appropriate succession plan in place if someone ‘wins the lottery’ on the way to work.
The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective. Under this Principle review is required to determine whether the Board established and communicated the mechanisms to hold employees accountable for your compliance internal controls. As suggested in the FCPA Guidance, there should be both a carrot and stick approach, so for the carrot is there some type of Board, senior management or employee compensation based on whether they did their assignments in compliance with your Code of Conduct or are bonuses based strictly on a sales formulation? For the stick, have any employees ever been disciplined under your compliance regimes?

II. Risk Assessment

This objective has four Principles that require assessment. They are (numbers follow the COSO Framework):

The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives which include Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives and Compliance Objectives. Here I think the key is the documentation of several different topics and issues relating to your company and how it operations. This means you will need to assess such diverse concepts as what are your senior management’s choices for business and compliance? You will need to consider and assess tolerances for risk as demonstrated by such issues as operations and financial performance goals. Finally, it can be used as a basis for committing of compliance resources going forward.
The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. This Principle requires you to take a look at not only your compliance organization but also your business structure including entity, subsidiary, division, operating unit, and functional levels. You should assess the involvement of your compliance function at each point identified and the appropriate levels of management therein. Finally, from the compliance perspective, you should attempt to estimate not only the significance of compliance risks identified in the risk assessment but also determine how to respond to such identified compliance risks.
The organization considers the potential for fraud in assessing risks to the achievement of objectives. Bribery and corruption can be categorized as forms of fraud. Rather than being fraud against the company to obtain personal benefits it can be fraud in the form of bribery and corruption of foreign government officials. For the compliance internal control assessment around this Principle I would urge you to ‘follow the money’ in your organization and consider the mechanisms by which employees can generate the funds sufficient to pay bribes. Many of these are simply fraud schemes so you should consider this within the compliance context and assess incentive and pressures on employees to make their numbers or be fired. You should also assess your employees’ attitudes and rationalizations regarding same.
The organization identifies and assesses changes that could significantly impact the system of internal control. This Principle speaks to the need of your organization to maintain personnel competent to use the risk assessment going forward. But it also requires you to assesses changes in the external environment, assess changes in the business model or other significant business changes and, finally, to consider any changes in compliance leadership and how that would impact this Principle.

I often say that good compliance is simply good business. These COSO objectives are not only important from the compliance perspective but they also speak to the issue of overall process in your organization. The more you can burn these activities into the DNA of your company, the better run your organization will be going forward. Auditing against the COSO standards will provide your management with greater information on the health of your organization and satisfy your legal requirements under the FCPA.

Leave a Comment

February 19, 2015

Assessing Compliance Internal Controls – Part I

Filed under: 2013 Framework,Best Practices,COSO,Department of Justice,FCPA,Internal Controls,SEC — tfoxlaw @ 7:16 am
Tags: best practices, compliance, compliance programs, Foreign Corrupt Practices Act, Internal Controls, SEC

I have recently detailed the COSO 2013 Framework in the context of a best practices compliance regime. However there is one additional step you will need to take after you design and implement your internal controls. That step is that you will need to assess against your internal controls to determine if they are working.

In its Illustrative Guide, the Committee of Sponsoring Organization of the Treadway Organization (COSO), entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements which can only be met through such a structured post. First, each of the five components are present and function. Second, are the five components “operating together in an integrated approach”? Over the next couple of posts I will lay out what COSO itself says about assessing the effectiveness of your internal controls and tie it to your compliance related internal controls.

As the COSO Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies which you may turn up and whether or not there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO Framework does not prescribe “specific controls that must be selected, developed and deployed” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach could be along the following lines. A Principle Evaluation should consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment which would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA Guidance Ten Hallmarks of an Effective Compliance Program, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”

However, if there are no objective criteria, as laid out in the FCPA Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other regulation. With the Illustrative Guide of these Illustrative Tools, COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the Securities and Exchange Commission (SEC) comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. In subsequent blog posts I will take a look at how you might audit your compliance internal controls.

Comments (1)

FCPA Compliance and Ethics Blog

July 29, 2015

What Would Dr. Seuss Say about an Allowance?

May 21, 2015

Compliance Week 2015 Wrap Up

April 15, 2015

Five Step Process for Transaction and Continuous Controls Monitoring

April 7, 2015

Rolling Stone’s Rape Story Retraction: Lessons for the Compliance Practitioner

March 16, 2015

Miss Marple Short Stories and SEC Enforcement of the FCPA, Part I

March 5, 2015

Is Strict Liability Coming to FCPA Enforcement?

March 4, 2015

Minnie Minoso Broke Barriers; Goodyear Pushes Compliance Forward

February 23, 2015

Assessing Internal Controls, Part III

February 20, 2015

Assessing Internal Compliance Controls – Part II

February 19, 2015

Assessing Compliance Internal Controls – Part I

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey