FCPA Compliance and Ethics Blog

February 11, 2015

COSO and Internal Controls – Part V

Internal ControlsThis post concludes my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fifth component, Monitoring Activities. In its Executive Summary of the 2013 Framework, COSO said, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and fre­quency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of direc­tors as appropriate.”

However, as with the other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken in singularly. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” I heartily agree with the author when he says that he believes monitoring will take on increased importance. For the Chief Compliance Officer (CCO) or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future. In their Five Principles of an Effective Compliance Program, developed by Paul McNulty and Stephen Martin at the law firm of Baker and McKenzie, they listed oversight as Principle 5, including ongoing monitoring and this is reinforced in the 2013 COSO Framework.

In an article in Corporate Compliance Insights, entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning in order for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles in order to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

The Monitoring Activities objective consists of two principles. They are:

(1) Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”

(2) Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing evaluation

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” This clearly incorporates McNulty and Martin’s dictate that Principle No. 5 consists of not only auditing but ongoing monitoring as well. The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle clearly expects your organization to engage in both types of oversight, monitoring and auditing.

For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated. 

Principle 17 – Communication of internal control deficiencies

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken”. If that does not sound like McNulty Maxim No. 3 What did you do when you found out about it? I do not know what does.

Therefore, under this Principle the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the board or Audit Committee, correct and then monitor the corrective action going forward. Adapting Kral, I would urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”

Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.

This concludes my exploration of COSO and internal compliance controls. While I have cited directly to the language of the COSO 2013 Framework, I hope that you now have a sense of how these concepts directly relate to your company’s compliance program. With the Securities and Exchange Commission’s (SEC) invigorated interest in internal controls, I believe that through adherence to these five objectives and 17 Principles will allow you to not only withstand such government scrutiny but also have a better run organization.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 10, 2015

COSO and Internal Controls – Part IV

Internal ControlsThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fourth component, Information and Communication. In its Executive Summary of the 2013 Framework, COSO said, “Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the orga­nization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant exter­nal information, and it provides information to external parties in response to require­ments and expectations.”

However, as with the other components of the COSO Cube, Information and Communication are not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they have to be communicated downward in the organization and there should be feedback back up the organization regarding this process. Finally, as Rittenberg continues, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

The objective of Information and Communication consists of three principles. They are:

(1) Principle 13 – “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.”

(2) Principle 14 – “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”

(3) Principle 15 – “The organization communicates with external parties regarding matters affecting the functioning of internal control.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives and that the 17 Principles are readily adaptable to compliance. I think they are more than simply adaptable as they provide a clear road map for the Chief Compliance Officer (CCO) or compliance practitioner on how to set up the right compliance controls. Finally, I believe that the Securities and Exchange Commission (SEC) will measure your company’s internal controls against each of these 17 Principles and if you cannot map your internal controls to them and provide audit evidence, you may well in FCPA hot water.

Principle 13 – Use of relevant and quality information

Rittenberg notes this Principle requires that “Relevant, timely and quality information needs to be assessed by management and others to help identify” several areas with in a company. For the CCO or compliance practitioner this means that you need to identify relevant data, which can include both internal and external data. The hard part is to move that data to actionable information. Rittenberg also suggests that you need to consider the characteristics of the information and “whether or not such information is being used correctly and timely.”

 Principle 14 – Communication up and down the organization about internal controls

This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but he adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process”.

Therefore, under this Principle you will need to determine several different things from the compliance perspective. Does the Board communicate in a downward mechanism that gets its relevant instructions to the CCO or compliance function? Does the CCO or compliance function communicate upwards with the Board? Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15 – Communication with external parties regarding internal controls

This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites to the need for companies to communicate with third parties about relevant Codes of Conduct or similar documents, which might apply to them. He also pointed to the example of information about a hotline that could be provided to a third party to report any FCPA related issues. But more than a company sharing its relevant compliance information with contracted third parties, whether they be on the sales side or in the supply chain, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls…and regulatory communication.”

Obviously there must be communications lines up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.

Information and Communication requires a wide range of information to go up and down the corporate chain. The article “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13” relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program.  A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success with the Information and Communication objective. You can bring a wide range of talents, skills and imagination to bear on the objective.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 9, 2015

COSO and Internal Controls – Part III

Dean SmithThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) 2013 Framework. To help introduce today’s topic, I cannot think of a much more appropriate person to honor than Dean Smith, who died yesterday. Smith coached the North Carolina Tar Heels basketball team for 36 years. He retired with 879 victories, a winning percentage of 77.6% and two NCAA championships. He was one of the true giants of college coaching and the game of basketball itself. He will be missed but certainly never forgotten. If there was ever a coach that epitomized internal controls and frameworks, it was Dean Smith.

I restart my discussion of the COSO 2013 Framework with a look at the third component, Control Activities. In its Executive Summary of the 2013 Framework, COSO said these “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and busi­ness performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, manage­ment selects and develops alternative control activities.”

However, as with the other components of the COSO Cube, Control Activities are not to be taken in a vacuum. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said the Control Activities “have traditionally received the most attention of the component” but noted that the real-world experience since the initial implementation of the COSO Framework back in 1992 has demonstrated that “the effectiveness of control activities must be evaluated with the context of the other five components.” Moreover, he believes that these conditions are aided by a company’s policies and procedures, which should help to lessen and manage risk going forward. Finally, Control Activities should be performed at all levels in the business process cycle within an organization.

The objective of Control Activity consists of three principles. They are:

(1) Principle 10 – “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”

(2) Principle 11 – “The organization selects and develops general control activities over technology to support the achievement of the objectives.”

(3) Principle 12 – “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”

Principle 10 – Control Activities to mitigate risk

Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.” 

Principle 11 – Control Activities over general technology

Last week I had a series of guest posts from Joe Oringel of Visual Risk IQ regarding the use of data analytics in your compliance program. The use of technology will be greater and more important going forward. I would certainly expect the Securities and Exchange Commission (SEC) to focus on a company’s use of technology in any evaluation of its overall compliance program.

Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure, around compliance internal controls, security management of the same and then use this information to move forward to obtain and implement the most appropriate technology around your compliance internal controls.

Principle 12 – Control Activities established through policies and procedures

This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”

While the objective of Control Activities should be the most familiar to the Chief Compliance Officer (CCO) or compliance practitioner, you may well think of it in a way that basketball fans thought of Dean Smith’s Four Corners offense; in other words boring. However, just as Smith’s innovation was based on crisp focus and outstanding teamwork, this objective demonstrates the inter-relatedness of all the five COSO objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 30, 2015

COSO and Internal Controls, Part II

Internal ControlsThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adherence to the COSO 2013 Framework. Today I will begin a discussion of the updated COSO Framework. Brian Christensen, in an article in Corporate Compliance Insights, entitled “The Updated COSO Framework: Time for a Fresh Look at Internal Control”, said that the updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, it is the emphasis on the principles, which is new to the 2013 Framework.

Christensen believes that “COSO has chosen to formalize more explicitly the principles embedded in the 1992 version of the framework that facilitate development of effective internal control and assessment of its effectiveness. While the 1992 version implicitly reflected the core principles of internal control, the 2013 version explicitly states them in the form of 17 principles, each of which is mapped to one of the five components. The 17 principles represent fundamental concepts associated with the five components of internal control. There isn’t any new ground broken by these principles as they reflect widely known tenets of sound internal control that have been around for a long time.” The principles remain broadly stated as they are intended to apply to for-profit companies, not-for-profit entities, government bodies and other organizations. Moreover, “supporting each principle are points of focus, representing characteristics associated with the principles and providing guidance for their application. Together, the components and principles constitute the criteria and the points of focus provide the guidance that will assist management in assess­ing whether the components of internal control are present, functioning and operating together within the organization.”

 

The first of the five objectives is ‘control environment’. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said the control environment “sets the tome for the implantation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the control environment object are as follows:

  1. The organization demonstrates a commitment to integrity and ethical values.
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
  3. Management establishes with board oversight, structures, reporting lines and appropriate authorizes and responsibility in pursuit of the objectives.
  4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Commitment to integrity and ethical values

What are the characteristics of this principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, I think that this principle requires an auditor to be able to assess if a company has the met its requirements to ethics and compliance and whether that commitment can be effectively measured and assessed.

 Board independence and oversight

 

This principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, compliance control activities, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

 

Structures, reporting lines, authority and responsibility

 

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this principle, you will need to consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally this principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

 

Attracting, developing and retaining competent individuals

 

This principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This principle next turns the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. An auditor must be able to demonstrate, through its compliance policies and equally importantly its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

 

Individuals held accountable

 

This is the ‘stick’ principle. A company must show that it enforces compliance accountability through its compliance structures, authorizes and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and finally clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

 

I will take a short break from my explorations of COSO and Internal Controls next week, but do not worry the subject will return the week of February 9. Next week I will have a series of guest posts from Joe Oringel, Principle at Visual RiskIQ on data analytics.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 29, 2015

Welcome to COSO and the World of Internal Controls – Part I

Internal ControlsI have intentionally avoided a Top Five or Top Ten prediction list for Foreign Corrupt Practices Act (FCPA) enforcement going forward from 2014 into 2015. However there is one area of FCPA enforcement, which I think underwent a sea change in 2014 and has significant implications for the Chief Compliance Officer (CCO) and compliance practitioner in 2015 and far beyond. That change will be in the enforcement by the Securities and Exchange Commission (SEC) of the internal controls provisions of the FCPA. Last fall we saw three SEC enforcement actions, where there was no corresponding Department of Justice (DOJ) enforcement action yet there was a SEC enforcement action around either the lack or failure of internal controls. Those enforcement actions were Smith & Wesson, Layne Christensen and Bio-Rad.

Coupled with this new found robust enforcement strategy by the SEC, is the implementation of the COSO 2013 Framework, which became effective in December 2014. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, which originally adopted, in 1992, a framework for basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year old COSO Framework, as modified in 2013, so that it provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s internal controls around compliance. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

Because I believe this single area of FCPA enforcement is so important and will increase so much, I am going to dedicate several posts to an exploration of internal controls, focusing on the COSO 2013 Framework. In Part I, I begin with a review of internal controls under the FCPA.

What are internal controls?

What are internal controls in a FCPA compliance program? The starting point is the law itself. The FCPA itself requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any

differences ….

The DOJ and SEC, in their jointly released FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, a partner at Foley and Lardner in San Francisco and the author the most excellent resource entitled “Foreign Corrupt Practices Act”, has said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Well-know internal controls expert Henry Mixon has said that internal controls are systematic measures such as reviews, checks and balances, methods and procedures instituted by an organization that performs several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources, to detect and deter errors, fraud, and theft; to assist an organization ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Mixon adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Mixon also notes that for compliance purposes, controls are those measures specifically to provide reasonable assurance any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs as well as the distribution of assets.

The FCPA Guidance goes further to specify that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.” After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.

COSO and Internal Controls

Larry Rittenberg, in his book COSO Internal Control-Integrated Framework said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which including the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

So why will all of the above be a sea change for FCPA enforcement since after all, the requirement for internal controls has been around since 1977. The Smith & Wesson case shows the reason. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.” All of this was laid out in the face of no evidence of the payment of bribes by Smith & Wesson to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

In Part II we will begin our exploration of the COSO 2013 Framework and what it requires in the way of internal controls for your FCPA compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

January 6, 2015

Byzantium and the Alstom FCPA Settlement – Part III

ByzantiumPorphyry is a type of stone that was much favored in the Roman world. In a review of several books in the New York Review of Books, entitled “The Purple Stone of Emperors”, Peter Brown looked into the history of the lithic in the context of Byzantium as the true heir of the Roman Empire. He theorized that if “porphyry was the blood of ancient empire, then it must be to Constantinople that we should look (and not to Western Europe) if we wish to understand the heritage of Rome in the Middle Ages.” I found that an appropriate way to think about an apparent anomaly in the recent Alstom Foreign Corrupt Practices Act (FCPA) enforcement action. In Part III of my series on the Alstom natter I consider the accounting records violations that the French parent, Alstom SA, agreed to in this enforcement action.

The FCPA Professor noted in his second blog post on this matter, entitled “Issues to Consider from the Alstom Action”, “The charges against Alstom S.A. are a real head-scratcher. The conventional wisdom for why the Alstom action involved only a DOJ (and not SEC) component is that Alstom ceased being an issuer in 2004 (in other words 10 years prior to the enforcement action). Yet, the actual criminal charges Alstom pleaded guilty to – violations of the FCPA’s books and records and internal controls provisions – were based on Alstom’s status as an issuer (as only issuers are subject to these substantive provisions). In other words, Alstom pleaded guilty to substantive legal provisions in 2014 that last applied to the company in 2004.”

The Professor had also raised this issue in his first blog post on the resolution, entitled “All About the Alstom Enforcement Action”. After considering his thoughts on this issue, I decided to look into it a bit more deeply. Alstom SA was charged with several different FCPA violations including the following, 15 U.S.C. 78m(b)(2)(A), 15 USC §78m(b)(2)(B) and 78m(b)(5) which read in whole,

15 U.S.C. § 78m [Section 13 of the Securities Exchange Act of 1934] 

(b) Form of report; books, records, and internal accounting; directives

(2) Every issuer which has a class of securities registered pursuant to section 78l of this title and every issuer which is required to file reports pursuant to section 78o(d) of this title shall—

(A) make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of the assets of the issuer;

(B) devise and maintain a system of internal accounting controls sufficient

to provide reasonable assurances that—

(5) No person shall knowingly circumvent or knowingly fail to imple­ment a system of internal accounting controls or knowingly falsify any book, record, or account described in paragraph (2).

These provisions are generally referred to as the ‘accounting provisions’ of the FCPA. As stated in the FCPA Guidance, “In addition to the anti-bribery provisions, the FCPA contains accounting provisions applicable to public companies. The FCPA’s accounting provisions operate in tandem with the anti-bribery provisions and prohibit off-the-books accounting. Company management and investors rely on a company’s financial statements and internal accounting controls to ensure transparency in the financial health of the business, the risks undertaken, and the transactions between the company and its customers and business partners. The accounting provisions are designed to “strengthen the accuracy of the corporate books and records and the reliability of the audit process which constitute the foundations of our system of corporate disclosure.””

Moreover, these accounting provisions, including both the books and records and internal control provisions, are defined to apply to “issuers”. As set out in the FCPA Guidance, “The FCPA’s accounting provisions apply to every issuer that has a class of securities registered pursuant to Section 12 of the Exchange Act or that is required to file annual or other periodic reports pursuant to Section 15(d) of the Exchange Act.244 These provisions apply to any issuer whose securities trade on a national securities exchange in the United States, including foreign issuers with exchange traded American Depository Receipts. They also apply to companies whose stock trades in the over-the-counter market in the United States and which file periodic reports with the Commission, such as annual and quarterly reports. Unlike the FCPA’s anti-bribery provisions, the accounting provisions do not apply to private companies.”

Charging Box Score

Alstom Entity Charges Time of Criminal Conduct Issuer Status
Alstom SA 15 USC §78m(b)(2)(A)15 USC §78m(b)(2)(B)15 USC §78m(b)(5)

15 USC §78ff(a)

18 USC §2

1998-2004 Issuer until 2004
Alstom Power Inc. 18 USC §371-conspiracy to violate the FCPA 2002-2009 Subsidiary of Issuer until 2004
Alstom Grid Inc. 18 USC §371-conspiracy to violate the FCPA 2000-2010 Subsidiary of Issuer until 2004
Alstom Network Schweiz AG 18 USC §371-conspiracy to violate the FCPA 2000-2011 Subsidiary of Issuer until 2004

While I agree with the above, I do disagree with the Professor’s final statement that “This free-for-all, anything goes, as long as the enforcement agencies collect the money nature of FCPA enforcement undermines the legitimacy and credibility of FCPA enforcement.” The reason I disagree is that this was a negotiated settlement, not a dictat or court proceeding. With no doubt excellent FCPA defense counsel involved, Alstom must have had its own reasons for agreeing to such a settlement. Without any further comment by the company, we will have to speculate as to some of the reasons for this component of the resolution.

First and foremost is that clearly Alstom did engage in conduct which substantially violated the FCPA. It would further appear that the conduct reached right up into the corporate home offices in France. By agreeing to the books and records and internal control violations, Alstom may have avoided any direct admission of guilt under French law, which we now know from the Total FCPA enforcement action is significant for a French company, because what is illegal bribery and corruption under US law is not necessarily illegal under French law.

Other than the anomalous French law issue, there may be another important consideration going on here. Alstom is under acquisition by General Electric (GE). Not only does GE pride itself and very publicly inform about its anti-corruption compliance program, GE has a large number of contracts with the US and other governments which might looks askance at doing business with a business unit that admitted to substantive FCPA violations of bribery and corruption. While I do not think that GE would be in danger of being debarred, it might well be that certain governments might not want to do business with a new subsidiary which made such a court admission. I find this to be more than simply a distinction without a difference. Consider the trouble that Hewlett-Packard (HP) is in north of the border in Canada regarding potential debarment by the Canadian government for its FCPA violations as set forth in its FCPA resolution of last April. So perhaps from Alstom’s perspective, the company believed it received benefits from settling based upon accounting violations.

But whatever the reason, it is clear that Alstom did engage in substantive FCPA violations. It’s settlement is that, a settlement of outstanding issues, which the company was a willing participant. It may not have been what the company wanted but I do not find that by charging Alstom for books and records and internal controls violations for the time frame it was clearly liable in any way demeans, degrades or lessens FCPA enforcement going forward. But just as we need to look to Byzantium to determine the heritage of Rome through the Middle Ages, by looking at the facts and circumstances around Alstom’s FCPA from the Alstom perspective and what it hoped to obtain in the settlement, we might be able to glean some insights.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

October 20, 2014

Internal Controls Outside the US – Part IV

NavigatingThis post will conclude a short series I have presented on the issue of internal controls outside the US. I want to conclude by raising some ways in which a compliance professional can work to implement internal controls in a multi-national organization. As with my entire series on internal controls, I rely on internal controls expert Henry Mixon for guidance on this topic. 

Mixon advises that the first step is to convert your company’s Foreign Corrupt Practices Act (FCPA) risks into internal control objectives. The internal control objectives are then given to each business unit with instructions to develop controls, which meet the objectives. This process should allow more of a fine tuning approach within existing systems than the development of specific controls by corporate which all business units must adopt and will give the business unit a sense of buy-in and participation in the process.

Mixon provided an example of how the process might work in the situation where the FCPA risk is that a third party representative may be paid for an invoiced amount before that third party representative has gone through your company’s full third party approval process. Mixon began by noting that your control objective is that internal controls should be in place to ensure that no vendors are added to the vendor master file until the vendor has been approved. If your company has a sophisticated ERP system such as SAP where checks are generated using the vendor master file and signed by the computer, this control objective may be met by adding a field to the vendor master file in which inserts the date the vendor is approved and by programming such a requirement the vendor information cannot be inserted into the check to pay the vendor unless the designated fields are populated. There would also be manual controls over the input of the date to ensure the data is not entered inappropriately. These internal controls would translate into form for changes to the vendor master file which is initiated by the person in charge of vendor due diligence and requires a ‘second set of eyes’ requiring sign off by a second person, such as the controller. Through this mechanism you have created a primary control through your third party approval process and validated that process if a change is made.

What if your location or business unit involved does not have a sophisticated ERP system such as SAP, for instance at another location QuickBooks is used? Mixon suggests that the control objective could be satisfied by using a similar form for changes to the vendor master file combined with the requirement that a report of all changes are printed and submitted to both check signers, along with the applicable approved vendor change request.

One of the banes of any compliance practitioner is the push back they inevitably receive when they attempt to institute something new or different. The same can be true of internal controls. What happens when the compliance function receives push back and will be told the controls are too burdensome and also make operations less efficient? I inquired from Mixon how he might suggest this situation be dealt with going forward. Fortunately for us, this is something that Mixon has observed many times and is very familiar with the issue as many employees see internal controls only as an added burden. Moreover, many business development types will raise the hue and cry that internal controls prevent them from effectively running the business. Finally, there are many groups in any company that may well say that a re-work of internal controls will cost too much money.

One of the areas available to a compliance professional is benchmarking from other company’s compliance experiences. However this can be expanded into solid presentations about why it is important to assess and mitigate FCPA risks using your corporate peers that have been the subject of an FCPA enforcement action. This is some of the best sources of information a compliance practitioner can avail his or herself of to provide good insight into why it was never expected that the company would be subject to FCPA enforcement and insight into the extreme disruption, cost, and anxiety which accompanied the enforcement actions.

Mixon also advises that the premise is that the cost of controls should not exceed the benefits to be obtained, so it really comes down to internally selling a cost benefit analysis. If the selling is done after at least a basic risk analysis, Mixon believes that it should be relatively easy to obtain concurrence that certain risks must be mitigated and that the benefits exceed the expected costs. Furthermore, there are occasions where there are no costs associated with improving controls. A good example is when re-alignment of duties using existing staff achieves an improved set of internal controls. Another example is when manual controls can be converted to electronic controls such that the only cost is the programming and re-training costs.

Another key factor, as with all FCPA compliance initiatives, is ‘Tone at the Top’. This means that you should meet with and present the case for FCPA-focused internal controls to your company’s Executive Leadership Team (ELT), Audit Committee of the Board or other appropriate group of senior executives. The presentation should include, with examples, the importance of identifying and mitigating the FCPA and fraud risks. Some of these might include the following:

  • Illustrating the examples of how the controls can prevent bribery as well as many other types of occupational fraud;
  • Illustrating that the controls needed are all sound business controls, nothing exotic or out of the ordinary;
  • With proper control design, it may be possible to eliminate some existing detect controls in favor of more useful preventive controls or even prescriptive controls;
  • As a result of your business changes and resulting changes in assessed risks, it may be that some procedures now being performed are no longer needed and the resources can be shifted to more necessary controls; and
  • It may be possible to build in more electronic controls, which can replace existing manual controls.

What if your company does an assessment of the internal controls over financial reporting as part of Sarbanes Oxley (SOX) compliance and that the Chief Financial Officer (CFO), or other appropriate corporate officer, annually certifies the internal controls are effective? How should such a situation be dealt with or conversely how might a compliance professional respond? 

Mixon believes that there are two primary reasons why the assessment under SOX is not sufficient for a Compliance Officer’s purposes. One is the scope of the SOX assessment and the second is the design of the SOX assessment. This means that the SOX process addresses only the internal controls over financial reporting, that is, the controls in place to prepare the financial statements for presentation to third parties. That process does not address the risks or the control needs with respect to FCPA. Mixon cited to the example of internal controls over disbursements, which may be evaluated as being effective if there is a three-way match of the approved purchase order, the vendor invoice, and the receiving report. Those controls do not address the risk that an agent may submit an invoice before the agent has been vetted and the invoice will be paid. It also does not address whether the agent’s invoice was reviewed for proper description of business purpose and for being consistent with the approved contract with the agent.

The second primary reason SOX certification of financial internal controls itself is not enough is the design criteria. SOX allows a materiality threshold. This means that operations outside the US may be excluded from scope due to materiality. It may also mean that some functions are operating below the financial internal controls level. Compliance professionals need to continually remind others that there is no materiality requirement in FCPA enforcement.

I hope that you have benefited from these posts on internal controls outside the US. I clearly believe that the price for noncompliance can easily be substantially greater than the cost to assess and implement good internal controls. But good FCPA internal controls are not some standalone protective measure. They can help to make a company run more efficiently as the internal controls that prevent FCPA violations are the same ones that prevent fraud in the workplace. So the presence of good internal controls saves money by preventing fraud. It is a business best practice to prevent fraud, which includes preventing corruption. I have long wondered about Ethisphere and its annual survey of the world’s most ethical companies because they seem to exceed the Standard & Poor’s (S&P) index of average profits and growth. What I have come to believe is that one of the keys ways such companies do seem to have better than average profitability is that they have better internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 14, 2014

Steve Bartman and Internal Controls Outside the US, Part II

BartmanToday, we note that 11 years ago, Steve Bartman entered the Chicago Cubs Hall of Infamy. For every baseball fan, if there was ever a but for the grace of God, go thee moment the sad saga of Bartman is it. The Chicago Cubs, who at that point had not played in World Series appearance in 58 years were five outs away from going to the 2003 Fall Classic. Bartman interfered with a ball he thought was in foul territory on the left field line but was in fact playable and about to be caught by Left Fielder Moisés Alou. His interference allowed the at-bat to continue and the batter got a hit. The Cubs fell apart and lost the game. Bartman was escorted from Wrigley Field by security guards as bloodthirsty fans hurled beer cans and other debris at his head. The next day, he went into hiding—but not before he told the press that “I’ve been a Cub fan all my life and fully understand the relationship between my actions and the outcome of the game – I am so truly sorry from the bottom of this Cubs fan’s broken heart.” Bartman lives in hiding to this day. Why is it a but for the grace of God moment? Because probably every baseball fan in the universe would have done what Bartman did and interfere by catching the ball, or at least trying to catch it.

Bartman’s story provides the starting point for today’s post. Last week, in Part I of this three-part series on internal controls for US company-business units which are located outside the US, I discussed some of the reasons why there might be such differences and provided a framework for thinking through how to assess the risk they might pose a company subject to the Foreign Corrupt Practices Act (FCPA). The framework I introduced in Part I was a Location Risk Assessment; today, I will discuss how to perform this assessment. Once again, I will rely on internal controls expert Henry Mixon for guidance in this area.

It is incumbent that you need to review as much information as you can to understand the financial and operational structure of an entity and how the financial and operation structure outside the US is integrated with the corporate headquarters, or the US business unit’s financial and operation structure, if the foreign operation is part of a US business unit. Mixon suggested that you could begin with the Transparency International (TI) Corruption Perceptions Index (CPI) to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your operations at a location outside the US. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third party representatives are coming into a commercial relationship with your company through your supply chain.

Other areas of inquiry, which could be considered, include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the US and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which local disbursements are made in local currency and, of course, is there a local petty cash fund?

As with many other areas around internal controls, it is important to consider the local Delegation of Authority (DOA) and whether it is consistent with your corporate DOA. Mixon suggested that some of the considerations regarding the local DOA should extend to which corporate or US business unit approvals are required for transactions initiated locally, such as: (1) Approval of vendor invoices, (2) Disbursements of funds, including wire transfers; (3). Execution of facilities leases; (4) Execution of contracts with agents; and (5) Approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate segregation of duties at the local business unit level.

You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment of customers? Are products drop shipped from US directly to the customers of the local operation? Are products drop shipped to distributors for delivery to the ultimate customer?

Hopefully you are already doing the above but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and if so, what were the results of the investigation? In the area of customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities.

If there has not been a sufficient assessment of controls, the compliance professional must then decide how to best determine whether the local controls are sufficient to satisfy the requirement of the FCPA and accurately reflect all transactions and prevent concealment of improper transactions. Mixon believes that some of these considerations would be an inadequate segregation of duties because the separation of responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders (Purchasing) should not be capable of processing payments (Accounts Payable). Further, the employee who prepares the deposit should not post the receipts to the customer accounts.

You should look to see if there is inappropriate access to assets. If there is internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms, and update applications. This means that an employee who only needs to view computer information should be restricted to Read and File Scan access and should not be granted Write and Create access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises.

It is not necessary to prove a bribe to have been paid in order to have an enforcement action against a company for violation of the internal controls provisions of the FCPA. In the recent Securities and Exchange Commission (SEC) enforcement action against Smith & Wesson, that was the situation. The lack of effective internal controls, not the payment of a bribe, was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals.

Mixon said that such a situation could arise in several different scenarios. The first is where an account manager’s signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance. Other examples are where a supervisor who approves expense reports but routinely does not look at the supporting documentation; a Country Manager provides a true control as an approver; or where the Country Manager or the local Finance Manager has ability to conceal the true nature of transactions without detection by anyone else.

Another important area involves sales and compensation for the international business unit in question. On the sales side of the equation, Mixon suggested you review the three-year historical sales for the location and what are the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation such as what is the sales incentive compensation plan for local sales personnel and for the Country Manager; as this inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe in order to win a contract which results in a large sales incentive compensation to the employee.

All of these reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the Fraud Triangle, which lays out breeding ground for fraud in the corruption context:

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization – a fraud perpetrator always rationalizes that he / she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity – the perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment.

Steve Bartman has never spoken publicly about the event to this day. There has been no catharsis for him like the Red Sox fans gave Bill Buckner. But in the FCPA universe for your operations outside the US, you do not have to be a Bartman. In Parts I & II of this series, I have reviewed what some of the risks might be in your international locations that you do not have in your US domestic operations. In Part III, I will discuss how to use the Location Risk Assessment as a tool to provide a structured approach to establishing effective internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 10, 2014

The Horror of Dracula and Internal Controls in International Locations, Part I

Christopher Lee as DraculaThis Friday we celebrate the second in the Hammer Films horror series, which was actually its first offering, based on Count Dracula, entitled “Horror of Dracula”. It starred the famous Hammer Films horror movie two-some of Peter Cushing as Professor Van Helsing and Christopher Lee as Count Dracula. If you have grown up on the classic Universal monster films, the first thing that strikes you about the Hammer Films is the glorious technical color production. The second thing is the focus on gore. Horror of Dracula, with its emphasis on blood is particularly focused. Nevertheless, the productions are first rate and with Cushing and Lee bringing some gravitas to the cast, the movie certainly holds up. One of the biggest changes from Bram Stoker’s novel and the Universal movie version starring Bela Lugosi, is the location change from England to Transylvania for the confrontation between Professor Van Helsing and Dracula. In other words, they were on Dracula’s home turf; not in England on Professor Van Helsing’s home ground.

As the Foreign Corrupt Practices Act (FCPA) deals largely with conduct outside the US, today, I will begin a multi-part series on internal controls at locations outside the US. Part I will focus on how to think through the issues of internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. In Part II, I will review how to determine the risk in a geographic region outside the US, through a Location Risk Assessment and for Part III, I will close with how a compliance practitioner should use a Location Risk Assessment.

Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance. Once again I visited with internal controls expert Henry Mixon to discuss these issues.

While a CCO should expect (or at least hope) that internal controls at locations outside the US are of the same effectiveness as internal controls within US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. Mixon indicated that there may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for FCPA compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, it is not often the situation in which there was a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel that in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for FCPA risk.

The next area for inquiry is where should a CCO begin in any of the above scenarios? Mixon believes that the initial first step is to determine the extent of centralization or decentralization of relevant processes or put another way, to what extent are relevant processes performed at the corporate offices? In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator.

The first step for the CCO is to determine the possible universe of risks and to assess the risks to result in a priority of how attention will be focused. One useful approach advocated by Mixon is the Location Risk Assessment (LRA), whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks.

For your weekend viewing, I would suggest you kick your feet up and look forward to some good, old-fashioned 1950s flavored gore found in the Horror of Dracula. If your temporal compliance matters need your attention, you can look forward to Part II next week, in which I will discuss how a compliance practitioner should perform a Local Risk Assessment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 29, 2014

TNG Premiers and Internal Controls for Gifts in a Best Practices Compliance Program

Star Trek TNGThis week, 27 years ago, Star Trek – The Next Generation (TNG) made its television debut. Rarely has there a follow up to a beloved original series (Star Trek – The Original Series (TOS)) that is equally treasured by fans. They say that your favorite Star Trek is the one you grew up with, so for me that is TOS and that will always be my most beloved Star Trek series, but for the younger generations TNG fills that bill. The series occurred some 70 years in the time after TOS so things were a bit different. One of the differences was on following the Prime Directive more rigorously. While Captain Kirk, who actually had a hand in drafting the Prime Directive, seemed to view it with situational ethics, Captain Picard was much more concerned about not violating it.

I thought about this evolution of the Prime Directive from TOS to TNG when considering what types of internal controls a compliance practitioner might consider in the area of gifts in a Foreign Corrupt Practices Act (FCPA) best practices compliance program. I have been continuing my exploration of internal controls with well-known expert Henry Mixon, Principal of Mixon-Consulting. Mixon believes that it would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the criteria as defined and interpreted in Company policies. Generally speaking, these are fairly narrow, including a definition of the dollar limit, which must not be exceeded in order for gifts to be permissible, coupled with some subjective criteria such as the legality of the gifts for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will?

The Department of Justice (DOJ), in several enforcement actions and the FCPA Guidance has emphasized the importance of risk assessment and effective controls and building a program tailored to those risks. Many companies effectively minimize the risk of inappropriate gifts through stringent pre-approval requirements because a sufficiently robust and enforced pre-approval policy can reduce the number of gifts simply because of the headache of getting the pre-approval. This has the added benefit of ensuring enforcement of internal controls, largely because of the reduced volume of gifts being included in expense reports. Mixon cautions that in considering the effectiveness of controls, you must always keep in mind the most frequently used method for defeating an internal control, which is driven by a dollar amount criteria, is splitting the item into multiple parts in order to appear to stay under the limit and to avoid the defined approval authority based on the amount of the gift.

Mixon believes that the key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. To help to answer this query, he posited that there are four issues to evaluate.

  • Is the correct level of person approving the payment / reimbursement for the gift?
  • Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  • Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  • If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

While many compliance practitioners believe that employee expense reports are a sufficient internal control regarding gifts, because there are other ways in which a gift can be presented, there need to be other controls. Mixon believes that once your company policy on gifts has been finalized, the internal controls over expense reports fall into three basic areas: (1) The expense report format, including what information it requires; (2) Controls over the submitting employee and the preparation of the expense report; and (3) Controls to ensure the approvers do their review process properly.

Mixon believes the format itself of an expense report can go a long way toward prevention of violations of company policy. First it is important to have preprinted representations and certifications within the form because these can lead to “stop and think” type of controls, meaning the person submitting the expense report has to at least consider the information being submitted. The form can be signed without reading the preprinted representations, but if the employee and reviewers have been trained on how to review the expense report, it can be difficult to say later that the submitting employee did not understand what they were signing.

Mixon suggested two forms of representation, the Preparer’s representations and the Approver’s representations. The Preparer’s representations include ensuring that all items representing a proper business purpose comply with the company’s code of conduct, comply with local law and custom, and comply with all applicable company policies regarding FCPA compliance. The Approver’s representations ensure that all supporting documentation has been examined and that all documentation complies with applicable company policies, including the submission of original receipts. Further, the approver should certify that they have complied with all company policies regarding the review and approval of the expense report.

Mixon noted that some companies have two basic forms of expense reports. One is for situations in which all items pertain to US locations and do not involve any expenses incurred outside the US or for benefit of persons outside the US. The second is for items involving locations or persons outside the US. The international reporting form might have more stringent requirements and should provide for more detailed disclosures. It could require reporting, in a separate section of the expense report, all items that involve government officials, so that these items are not “buried” elsewhere in the expense report. Just as an added measure, the expense report includes a column where other expenses are reported which requires the submitter to check “Government Official YN?” this type of format should require sufficient disclosure of information regarding each item involving government officials. The next step in such an enhanced protocol would require a senior officer from the business unit to approve any reimbursements that meet certain criteria, for example, certain geographical areas or countries. Finally, such an enhanced representation could also include separate sections for each item requiring a description of the business purpose of meals, entertainment, names and business affiliation of all attendees, description of gifts and their business purpose, etc. A typical expense report requires this information to be on the receipt. Mixon believes that moving beyond simply requiring receipts and requiring such detail to be incorporated directly onto the expense reimbursement forms highlights the presence or absence of proper documentation much more readily. Mixon ended by noting it was incumbent to ensure reviewers sign off that each such item has documentation that required pre-approvals were obtained, if necessary.

While following the Prime Directive does not always lead to the result that the crew of TNG Enterprise desired; it did have the greater effect of allowing cultures and peoples to develop without interference. Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation, however, by using some of the techniques that Mixon has suggested you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. Just as Star Trek’s Prime Directive had an ultimate purpose, if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

Blog at WordPress.com.