FCPA Compliance and Ethics Blog

September 15, 2014

Internal Controls for Third Party Representatives in a FCPA Compliance Program

This week, I am continuing my podcast series on the FCPA Compliance and Ethics Report on internal controls in a best practices anti-corruption compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery legislation. In this series, I am visiting with Henry Mixon, a top-notch internal controls expert, to help explain what internal controls might be needed, how to assess the need and then how to implement the needed internal controls. This week I am running a two-part episode on the internal controls related to the management of third party representatives.

Mixon suggested that a compliance practitioner should perform an analysis of any third party representative to provide insight into the pattern of dealings with such third parties and, therefore, the areas where additional controls should be considered. He listed some basic internal controls that should be a part of any financial controls system. The general internal controls, which might be appropriate, could be some or all of the following:

  • A control to correlate the approval of payments made to contracts with third party representatives and your company’s internal system for processing invoices.
  • A control to monitor all situations in which funds can be sent outside the US, in whatever form your company might use, which could include accounts payable computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances or other forms.
  • A control for the approval of sales discounts to distributors.
  • A control for the approval of accounts receivable write-offs.
  • A control for the granting of credit terms to third parties or customers outside the US.
  • A control for agreements for re-purchase of inventory sold to third parties or customers.
  • A control for opening of bank accounts specifically including accounts opened at request of an agent or a customer.
  • A control for the movement / disposal of inventory.
  • A control for the movement / disposal of movable fixed assets.
  • A control for the execution and modification of contracts and agreements outside the US.

Mixon also noted that, in addition to the above, there are internal control needs based on specific activities with third party representatives. These could include some or all of the following internal controls:

  • A control for the structure and enforcement of the Delegation of Authority.
  • A control for the maintenance of the vendor master file.
  • A control around expense reports received from third parties.
  • A control for gifts, entertainment and business courtesy expenditures by third party representatives.
  • A control for charitable donations.
  • A control for all cash / currency, inventory, fixed asset transactions, and contract execution in countries outside the US where the country manager has final authority.
  • Any other activity for which there is a defined corporate policy relating to FCPA.

While that may appear to be an overly exhaustive list, Mixon indicated that he believed there were four significant controls that he would suggest the compliance practitioner implement initially. He listed: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.

Mixon noted that a DOA should reflect the impact of FCPA risk, including both the type of transaction and the geographic location, so that a higher level of approval would be required inside an organization for matters involving third parties and for fund transfers and invoice payments to countries outside the US. He did concede that quite often the DOA is prepared without much thought given to FCPA risks. Unfortunately, once a DOA is prepared it is not used again until it is time to update it for personnel changes. Moreover, it is often not available, not kept current, and/or does not define authority in a way even the approvers can understand. Therefore it is incumbent that the DOA be integrated into a company’s accounts payable (AP) processing system in a manner that ensures all high-risk vendor invoices receive the proper visibility. To achieve this you should identify the vendors within the vendor master file so payments are flagged for the appropriate approval BEFORE they are paid.

Furthermore, if a DOA is properly prepared and enforced, it can be a powerful preventive tool for FCPA compliance. To support this Mixon used the following example: a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. In this situation, the DOA should specify who must give the final approval for engaging third parties. Moreover, the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US (including those who travel from the US to work outside the US).

I then asked Mixon about the vendor master file, which he believes can be one of the most powerful PREVENTIVE control tools, largely because payments to fictitious vendors are one of the most common occupational frauds. The vendor master file should be structured so that each vendor can be identified not only by risk level but also by the date on which the vetting was completed and the vendor received final approval. There should be electronic controls in place to block payments to any vendor for which vetting has not been approved. Next, manual controls are needed over the submission, approval, and input of changes to the vendor master file. These controls include verification that all vendors have been approved before their information (and the vendor approval date) is input into the vendor master. Finally, manual controls are also needed when “one time” vendors are requested and when changes to a vendor name and/or vendor payment information are submitted.

Near and dear to my heart as a lawyer, Mixon also indicated that contracts with third parties can be a very effective internal control, one which works to prevent nefarious conduct rather than simply to detect it. He cautioned that for contracts to provide effective internal controls, the relevant terms of those contracts (commission rate, whether business expenses can be reimbursed, use of subagents, etc.) should be extracted and made available to those who process and approve vendor invoices. If nonconforming service descriptions, commission rates, etc., are present in a contract, such terms must be approved not only by the original approver but also by the person so delegated in the DOA. Unfortunately, contracts are not typically integrated into the internal control system. They are left off to the side on their own, usually gathering dust in the legal department file room.

Mixon said that the Hewlett-Packard (HP) FCPA enforcement action was an excellent example of the lack of internal control over the disbursement of funds and movement of currency, because there you had the country manager delivering bags of cash to a Polish government official to obtain or retain business. Mixon believes that all situations where funds can be sent outside the US (AP computer checks, manual checks, wire transfers, replenishment of petty cash, loans, advances, etc.) should be reviewed from a FCPA risk standpoint. He went on to say that within a given company structure you need to identify the ways in which a country manager (or a sales manager, etc.) could cause funds to be transferred to their control and conceal the true nature of the use of the funds within the accounting system.

To prevent these types of activities, internal controls need to be in place. Mixon presented the following example of how this could be managed: all wire transfers outside the US should have defined approvals in the DOA, and the persons who execute the wire transfers should be required to evidence that the approvals obtained agree with the DOA. Wire transfer requests going out of the US should always require dual approval. Lastly, wire transfer requests going outside the US should be required to include a description of the proper business purpose.
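The DOA, vendor master file and wire-transfer controls described above, combined into a single payment-release check that AP could run before any disbursement. This is an added example written for this post, not code from Mixon or from any ERP/AP product; the vendor master rows, role names, country codes and the extra rules for high-risk and one-time vendors are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Vendor:
    """One row of the vendor master file (constructed shape)."""
    vendor_id: str
    risk_level: str                       # assumed tiers: "low", "medium", "high"
    vetting_approved_on: Optional[date]   # None means vetting was never approved
    one_time: bool = False                # a "one time" vendor request


@dataclass(frozen=True)
class PaymentRequest:
    """A disbursement as it reaches accounts payable (constructed shape)."""
    vendor_id: str
    amount: float
    method: str                           # "wire", "check", "petty_cash", ...
    destination_country: str              # "US" for a domestic transfer
    business_purpose: str
    approvals: FrozenSet[str]             # roles that have already signed off


# Constructed vendor master file, keyed by vendor id.
VENDOR_MASTER: Dict[str, Vendor] = {
    "V100": Vendor("V100", "low", date(2014, 3, 1)),
    "V200": Vendor("V200", "high", date(2014, 6, 15)),
    "V300": Vendor("V300", "high", None),                        # vetting not approved
    "V400": Vendor("V400", "medium", date(2014, 8, 2), one_time=True),
}


def doa_required_approvals(vendor: Vendor, payment: PaymentRequest) -> Set[str]:
    """Delegation of Authority rule, following Mixon's example: a domestic
    transfer needs the Finance Manager and one officer; a transfer leaving the
    US also needs a knowledgeable person in Compliance. Extending the Compliance
    sign-off to high-risk vendors and requiring a manual review for one-time
    vendors are assumptions added in this example."""
    required = {"finance_manager", "officer"}
    if payment.destination_country != "US" or vendor.risk_level == "high":
        required.add("compliance")
    if vendor.one_time:
        required.add("manual_review")
    return required


def release_decision(payment: PaymentRequest,
                     master: Dict[str, Vendor] = VENDOR_MASTER) -> Tuple[bool, List[str]]:
    """Decide whether AP may release the payment. Returns (ok, reasons); every
    blocking condition is reported so the approver sees the whole picture."""
    vendor = master.get(payment.vendor_id)
    if vendor is None:
        return False, ["vendor not in vendor master file"]
    reasons: List[str] = []
    # Electronic block: no payment to a vendor whose vetting was never approved.
    if vendor.vetting_approved_on is None:
        reasons.append("vendor vetting not approved; electronic block")
    # Evidence that the approvals obtained agree with the DOA.
    missing = doa_required_approvals(vendor, payment) - set(payment.approvals)
    if missing:
        reasons.append("missing DOA approvals: " + ", ".join(sorted(missing)))
    # Funds leaving the US: dual approval and a stated business purpose.
    if payment.destination_country != "US":
        if len(payment.approvals) < 2:
            reasons.append("funds leaving the US require dual approval")
        if not payment.business_purpose.strip():
            reasons.append("funds leaving the US require a stated business purpose")
    return (not reasons), reasons


if __name__ == "__main__":
    domestic = PaymentRequest("V100", 50_000, "wire", "US", "Q3 consulting fee",
                              frozenset({"finance_manager", "officer"}))
    nigeria = PaymentRequest("V100", 50_000, "wire", "NG", "Q3 consulting fee",
                             frozenset({"finance_manager", "officer"}))
    print(release_decision(domestic))   # (True, [])
    print(release_decision(nigeria))    # (False, ['missing DOA approvals: compliance'])
```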

Mixon continues to emphasize that internal controls are really just good financial controls. The internal controls that he detailed for third party representatives in the FCPA context will help to detect fraud, which could well lead to bribery and corruption.

You can listen to my podcast with Henry Mixon on internal controls for third parties in a FCPA compliance program, part I by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 12, 2014

The FCPA Compliance and Ethics Report

If you have not done so, I hope that you might go over to my podcast site, the FCPA Compliance and Ethics Report, to check out some of my recent podcasts. The episodes are between 20 and 30 minutes long and they are available for download on iTunes, so you can listen to them on your commute to work or when working out at the gym.

Internal Controls

I have begun a series on internal controls in a best practices FCPA compliance program with noted internal controls expert Henry Mixon. In Parts I & II, Mixon and I discuss the basics of what internal controls are. These podcasts supplement some of my recent blogs on internal controls.

Episode 85-What Are Internal Controls, Part I

Episode 87-What Are Internal Controls, Part II

HR and Compliance

One of the best allies for the compliance function in any company is the Human Resources department. I explore how HR can assist compliance in a myriad of components of any best practices compliance program.

Episode 86-Use of HR in a Compliance Program

Continuous Improvement of a Compliance Program

In the FCPA Guidance and in almost every speech I have heard by a Department of Justice official, they talk about how your compliance program should evolve to meet new compliance risks, changes in best practices, geographic markets where your company does business and new product/service offerings. You can do this by continuous improvement of your compliance program.

Episode 84-Continuous Improvement of Your Compliance Program

The Compliance EcoSystem

Jon Rydberg is the Founder and CEO of Orchid Advisors. He is also the former CCO of Smith & Wesson and was at the company when it navigated its way through a FCPA investigation and enforcement proceeding. From these experiences, Rydberg has developed a holistic approach to compliance which he has trademarked as the “Compliance EcoSystem”. I explore his ideas on a fully integrated approach to compliance.

Episode 83-Interview with Jon Rydberg

Use of Interviews in Your Compliance Program

Brian Ching is the most famous player in the history of the Houston Dynamos soccer club. Ching recently retired and moved into the front office as the General Manager of the Houston Dash, the Houston professional women’s soccer club. I interviewed Ching on his transition to management and how the Dash use the face-to-face interview process to not only assess the non-soccer skills that the team requires of its players but also to communicate the team’s expectations. There are some very significant insights about how a company can communicate its expectations regarding ethical business practices.

Episode 79-Interview with Brian Ching

The FCPA Professor

Last but certainly not least, I bring back the FCPA Professor for a two-part podcast on his new book, The Foreign Corrupt Practices Act In a New Era.

Episode 80, Interview with the FCPA Professor, Part I

Episode 81-Interview with the FCPA Professor, Part II

A good weekend to all.

January 2, 2014

The 2013 FCPA Year in Review-Corporate Enforcement Actions

In my final post of 2013, I reviewed all of the individual Foreign Corrupt Practices Act enforcement actions which occurred in the past year. In this first post of 2014, I review all the corporate enforcement actions in 2013. If you would like to have a handy reference on all of the 2013 FCPA enforcement actions, I am pleased to announce the publication of my latest book, entitled, “2013-the FCPA Year in Review”. It is available in an eBook format on Amazon.com.

A. Total

Total SA engaged in a nearly decade-long, breathtaking bribery scheme. In this scheme, Total paid approximately $60MM to an unnamed Iranian official of the National Iranian Oil Company (NIOC), who steered two major projects Total’s way. The projects for which Total paid the bribes were the Sirri A and E oil and gas fields and the South Pars gas field. Total paid a criminal penalty of $245.2 million to the DOJ and a civil penalty of $153 million to the SEC. Total’s agreed monetary penalty of $398MM was the fourth biggest FCPA resolution.

B. Parker Drilling

The company was involved in a bribery scheme to pay off judges in a Nigerian Tax Court to allow Parker Drilling to pay lower than warranted tax assessments for its drilling rigs in the country. Due to its efforts to create a gold standard compliance program, all the while undergoing its own internal investigation, Parker Drilling’s conduct earned it an “approximately 20 percent reduction off the bottom of the fine range”, which suggested a fine of between $14.7MM and $29.4MM. The final DOJ fine was $11,760,000. The company also agreed to pay disgorgement of $3,050MM plus pre-judgment interest of $1,040,818 to the SEC.

C. Ralph Lauren

The Ralph Lauren Company received Non-Prosecution Agreements (NPA) granted by the SEC and DOJ. The illegal conduct at issue related to its Argentinian subsidiary and efforts by the General Manager of that operation, who conspired with a customs clearance agency to make payments “to assist in improperly obtaining paperwork necessary for goods to clear customs, to permit clearance of items without the necessary paperwork, to permit the clearance of prohibited items, and to avoid inspection.” For its conduct, Ralph Lauren agreed to pay $882K to the DOJ and $593K in disgorgement and $141K in pre-judgment interest to the SEC.

D. Weatherford

In late November, Weatherford International Limited (Weatherford) concluded one of the longest running open FCPA investigations when it agreed to the ninth largest FCPA fine of all time and one of its subsidiaries, Weatherford Services Limited (WSL), agreed to plead guilty to violating the anti-bribery provisions of the FCPA. The total amount of fines and penalties for the FCPA violations was $152.6 million. The company was also hit with another $100 million in fines and penalties for trade sanctions, bringing its total amount paid to $252.6 million. The bribery schemes that Weatherford used were varied but stunning in their brazen nature. But in spite of how things began, Weatherford was able to make a turnaround and substantially improve its position by reversing this initial nose-thumbing at US regulators.

E. Stryker

In an interesting FCPA enforcement action resolved in October, the Stryker Corporation agreed to settle with the SEC via an Administrative Order, not a criminal action filed by the DOJ. According to the FCPA Blog, “The SEC said Stryker Corporation will pay $13.2 million to resolve FCPA violations. The bribes totaled about $2 million and were ‘incorrectly described as legitimate expenses in the company’s books and records,’ according to the SEC. Stryker will disgorge to the SEC $7.5 million and prejudgment interest of $2.28 million. It is also paying a penalty of $3.5 million.” SEC Complaint. There was not even a civil Complaint filed by the SEC and Stryker is not required to have a Corporate Monitor to assess its ongoing compliance efforts or its commitment to having a compliance program.

F. Diebold

In late October, Diebold, an Ohio company which makes ATM machines, agreed to pay a criminal fine of $25.2 million to the DOJ and $23 million in disgorgement and prejudgment interest to the SEC to resolve allegations that it violated the FCPA by covering up bribes to bank officials in China, Indonesia and Russia. The total was just over $48MM. The DOJ charged it in a two-count information with conspiring to violate the FCPA’s anti-bribery and books and records provisions and with a substantive books and records offense. There were no charges under the anti-bribery provisions, which apply only to corrupt payments to foreign officials. The Diebold resolution took the form of a DPA with the DOJ, along with a fine and a Corporate Monitor. In its resolution with the SEC, in addition to the profit disgorgement and prejudgment interest paid, the company consented to an injunction to stop, once again, violating the FCPA.

G. Bilfinger SE

In early December, the DOJ announced it had resolved an ongoing FCPA enforcement action with the German entity Bilfinger SE (Bilfinger). This case involved the same background facts and events as the Willbros corporate FCPA enforcement action and the related individual enforcement actions against some of its former employees. The facts in this case were bad, bad, bad. The Bilfinger enforcement action moves towards the ending of one of the sorriest examples of corporate malfeasance in the FCPA world, and justice has certainly been a long time coming. With the continued flight from justice of former Willbros employee James Tillery, who renounced his US citizenship to try and escape prosecution by taking refuge in Nigeria, perhaps things are coming to an end. But with the conclusion of this corporate enforcement action against Bilfinger, perhaps there may be additional individual enforcement actions.

H. Archer-Daniels-Midland

In late December, the DOJ and SEC announced that they had settled both a criminal and a civil enforcement action with Archer-Daniels-Midland Company (ADM). The DOJ resolved the criminal action when a subsidiary of ADM pled guilty and agreed to pay more than $17 million in criminal fines to resolve charges that it paid bribes through vendors to Ukrainian government officials to obtain value-added tax (VAT) refunds, in violation of the FCPA. In the parallel civil FCPA action settled with the SEC, the SEC Press Release noted that “The payments were then concealed by improperly recording the transactions in accounting records as insurance premiums and other purported business expenses. ADM had insufficient anti-bribery compliance controls and made approximately $33 million in illegal profits as a result of the bribery by its subsidiaries.” In addition to the DOJ fine of $17.8MM, ADM agreed to pay “disgorgement of $33,342,012 plus prejudgment interest of $3,125,354.”

What Did It All Mean?

The clear message from these corporate enforcement actions is that early detection and remediation can lead to a significant reduction in fines and penalties. I believe that these corporate enforcement actions make clear that a company’s actions during the pendency of the investigation, in addition to the underlying FCPA violations, will be evaluated and assessed to determine the final penalty. Through their enforcement actions, DPAs, NPAs and Declinations, the DOJ and SEC continue to communicate to the compliance practitioner not only what they believe constitutes a best practices compliance program, but equally importantly what actions a company can take that will significantly reduce its overall fine and penalty, and what a company should do if it discovers a potential FCPA violation. These communications are consistent with the information provided by the DOJ/SEC in the FCPA Guidance. These enforcement actions demonstrate that if a company gets ahead of the curve, it can significantly lessen its overall penalty and pain.


© Thomas R. Fox, 2014

December 6, 2013

The Rogue Employee Myth: Prevention and Detection in a FCPA Compliance Program

I cannot think of any criminal enforcement actions against a corporation involving the Foreign Corrupt Practices Act (FCPA) where there was a lone wolf employee engaging in bribery and corruption on his or her own. There might well be some internal investigations and even self-disclosures to the Department of Justice (DOJ) of such conduct but the public usually does not know about them since the DOJ would issue a Declination under such circumstances. The only publicly announced Declination where the company was identified was the Morgan Stanley Declination. In that matter, a Managing Director, Garth Peterson was prosecuted for his individual action in violating the FCPA. But from the information made available, it appears that the company uncovered Peterson’s conduct, investigated and self-reported it to the DOJ.

One of the things that Donna Boehme and Jim McGrath regularly rail against is the claim that violations of the FCPA, UK Bribery Act and other anti-corruption laws are the result of some ‘rogue employee’ out there, dreaming up ways to engage in bribery and corruption to obtain or retain business. Organizations such as the US Chamber of Commerce want to limit corporate liability for the criminal actions of their employees, saying it is not fair for a company to pay for the sins of these alleged rogue employees.

While I recognize the US Supreme Court may soon make all of the above moot by deciding that corporations have the same rights, obligations and duties as real persons, those individuals making the claim of rogue-ness do not seem to contemplate how much work and effort must go into any ongoing bribery scandal which would result in a FCPA violation, and how much of that is attributable to the company. First, if the company, explicitly or implicitly, communicates that the bottom line, quarterly numbers or anything like that is the most important thing an employee will be evaluated on, guess what: employees will always find a way to make their numbers. Further, if employees can either manipulate or override a company’s internal controls to help fund or hide the payment of bribes, it is the fault of the company for not having robust controls in the first place.

Remember Paul McNulty’s Three Maxims? (1) What did you do to prevent it? (2) What did you do to detect it? (3) What did you do when you found out about it? If a company’s internal controls are so porous that employees can slide the payment of bribes through the system, I would say that you have failed to answer Maxim 1 in the affirmative. If your auditing or monitoring is so poor that you cannot find any evidence of bribery and corruption, because you didn’t want to (see Wal-Mart’s initial investigation into its Mexican subsidiary) or because the auditing and monitoring is so poor (see GSK in China, where they somehow missed $500MM in payments to ‘travel agents’), you have also failed to answer McNulty Maxim 2 in the affirmative.

Yesterday I wrote about psychopaths in the guise of Chief Executive Officers (CEOs). I do not think there could be a better example of this than Bernie Madoff. His grandiosity extended to attempting to claim to federal investigators that his multi-decade, multi-billion dollar fraud and Ponzi scheme was all his work alone, that no one else in his company was involved or even knew about it. That outsized claim is being put to the test over the next couple of months in a courtroom in New York where five former employees are currently on trial for participating in this massive fraud.

In fascinating testimony Frank DiPascali, a former top lieutenant to Madoff, as reported in a Wall Street Journal (WSJ) article entitled “Madoff’s Cold Play Outwitted Auditor” by James Sterngold, described the schemes used to defraud customers and fool auditors and regulators. Initially, he noted that NONE of the trades recorded in the company’s books and records ever took place and that “a number of staff members spent most of their time producing large volumes of fake documents to convince customers they were earning attractive returns.” To put an exclamation point on his testimony, when asked if Madoff’s staff created trades out of thin air, he responded, “Literally, yes.” To confuse and misdirect an auditor from KPMG, when the accounting firm demanded to see “detailed daily trading logs to confirm that the firm was actually engaged in trading”, Madoff’s staff not only created the fake logs but put them in the refrigerator to “cool them down”. Another time, the staff tossed them around “like a medicine ball to make them look used and crinkled.” All of this was presented as evidence in the trial, which indicates that more people had to be involved in the fraud.

The clear lesson for the compliance practitioner from the Madoff employees’ trial testimony to date is that there cannot be one person or the ubiquitous ‘rogue employee’ who decides to engage in bribery and corruption. There has to be more than one person. To circumvent a company’s internal controls takes work. For in any criminal FCPA enforcement matter, it is because the company involved had such weak internal controls that such circumvention could occur in the first place. But more than this circumvention, it means that the company did not employ sufficient systems to detect such bribery and corruption. And if the documentation you are reviewing is cold to the touch, that may now constitute a red flag.


© Thomas R. Fox, 2013

May 19, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in the June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google had a system designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see if other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

  1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
  2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
  3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
  4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and the ‘Buy Now’ button, were added back into the site, all with the assistance of the Google sales representative.
  5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net, the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.” Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site, in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was its report that, in each one of the false scenarios, Whitaker explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In a span of just over three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote him directly, Peter Neronha, the US Assistant District Attorney who headed the investigation and enforcement action, was quoted as telling the Wall Street Journal (WSJ) that the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention, stopping the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to be a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.
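The three monitoring checks just described, as an added example that is not code from the original post or from Google: it runs over a constructed review log in which a rejected applicant comes back under a tweaked name, one owner sits behind several applicants, and one sales representative's approvals keep following rejections. The log, the names, the rep identifiers and the name normalization rule are all assumptions.

```python
"""Monitoring checks for a customer/advertiser approval pipeline.

Added example, not the original post's or Google's code. Three checks over a
constructed review log:
  1. an approval whose (normalized) name matches an earlier rejection,
  2. one beneficial owner behind several distinct applicants,
  3. per sales rep, the share of approvals that reversed a rejection.
"""
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class ReviewEvent:
    seq: int          # order in which the review decision was made
    applicant: str    # business name submitted for approval
    owner: str        # person behind the account, from onboarding records
    rep: str          # sales representative who submitted the account
    decision: str     # "rejected" or "approved"


# Constructed sample log (names and ids are made up for the example).
SAMPLE_LOG = [
    ReviewEvent(1, "SportsDrugs.net",      "D. Whitaker", "rep-07", "rejected"),
    ReviewEvent(2, "Sports-Drugs Online",  "D. Whitaker", "rep-07", "approved"),
    ReviewEvent(3, "Acme Running Shoes",   "J. Doe",      "rep-03", "approved"),
    ReviewEvent(4, "RxDirect Pharmacy",    "D. Whitaker", "rep-07", "approved"),
    ReviewEvent(5, "Calm Nights Supply",   "D. Whitaker", "rep-07", "rejected"),
    ReviewEvent(6, "CalmNights Supply Co", "D. Whitaker", "rep-07", "approved"),
]


def normalize(name):
    """Collapse case, punctuation, spacing, TLDs and common suffixes so that a
    renamed resubmission compares equal to the name that was rejected.
    (Assumed rule; a real program would tune this to its own data.)"""
    n = name.lower()
    n = re.sub(r"\.(com|net|org)\b", "", n)
    n = re.sub(r"\b(inc|co|llc|online)\b", "", n)
    return re.sub(r"[^a-z0-9]", "", n)


def rejected_then_approved(log):
    """Check 1: approvals whose normalized name matches an earlier rejection.
    Returns (rejected name, approved name, rep) tuples."""
    rejected = {}   # normalized name -> first event that rejected it
    alerts = []
    for ev in sorted(log, key=lambda e: e.seq):
        key = normalize(ev.applicant)
        if ev.decision == "rejected":
            rejected.setdefault(key, ev)
        elif key in rejected:
            alerts.append((rejected[key].applicant, ev.applicant, ev.rep))
    return alerts


def owners_with_many_applicants(log, threshold=2):
    """Check 2: cross-check owners that appear behind several applicants."""
    by_owner = defaultdict(set)
    for ev in log:
        by_owner[ev.owner].add(normalize(ev.applicant))
    return {o: len(s) for o, s in by_owner.items() if len(s) >= threshold}


def rep_reversal_rate(log):
    """Check 3: for each rep, the fraction of their approvals that reversed
    an earlier rejection. A high rate is a signal to look at the rep."""
    reversed_names = {approved for _, approved, _ in rejected_then_approved(log)}
    approvals = defaultdict(int)
    reversals = defaultdict(int)
    for ev in log:
        if ev.decision == "approved":
            approvals[ev.rep] += 1
            if ev.applicant in reversed_names:
                reversals[ev.rep] += 1
    return {rep: reversals[rep] / approvals[rep] for rep in approvals}


if __name__ == "__main__":
    for old, new, rep in rejected_then_approved(SAMPLE_LOG):
        print(f"ALERT resubmission: '{old}' rejected, '{new}' approved via {rep}")
    for owner, n in owners_with_many_applicants(SAMPLE_LOG).items():
        print(f"ALERT owner cross-check: {owner} behind {n} applicants")
    for rep, rate in rep_reversal_rate(SAMPLE_LOG).items():
        print(f"rep {rep}: {rate:.0%} of approvals reversed a rejection")
```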

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 28, 2013

Use of Forensic Accounting to Avoid a Compliance Meltdown

On this date in 1979, the worst accident in the history of the US nuclear power industry began when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. Cooling water, contaminated with radiation, drained from the open valve into adjoining buildings, and the core began to dangerously overheat. While plant workers were exposed to unhealthy levels of radiation, no one outside Three Mile Island had their health adversely affected by the accident. Nonetheless, the incident greatly eroded the public’s faith in nuclear power. In the more than two decades since the accident at Three Mile Island, not a single new nuclear power plant has been ordered in the United States.

One of the recognized aspects of a best practices compliance program is auditing. In many ways, auditing is thought of as one of the ways to avoid a compliance meltdown. However, in a recent article in the Texas Lawyer, entitled “How Forensic Accountants Differ from Auditors”, author Elizabeth M. Junell discussed how a forensic accountant can assist an in-house lawyer in a number of ways that differ from those of auditors from a company’s internal audit function. I found that her article had some interesting points for the compliance practitioner.

Junell says that forensic accountants collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic accountant’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. Junell contrasts these areas with that of internal audit, which she believes more often looks at whether a prescribed process has been adhered to. This leads to internal auditors examining evidence to determine whether people followed prescribed processes or internal controls; this occurs, for example, in an operational Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA) compliance audit.

Junell writes that forensic accounting differs from auditing in both its objective and skill sets. The objective of a forensic accounting assignment is to collect, analyze and report on the evidence or facts surrounding a particular act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, she argues that a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered.

From there Junell believes that management should determine if further investigation is warranted. If further investigation is decided upon by management, then Junell considers that “this is where objective shifts and one of the forensic accountant’s strongest skills comes in: an investigative mind that drives him or her to answer questions about what occurred, when and how it happened, and who was involved.” She expects that, at times, a forensic accountant will be required to gather facts about why an event may have occurred so that they look for answers to such questions or for other red flags in the evidence.

One of the discussions that I found interesting in her article was how a compliance practitioner might use a forensic accountant. On the initial level, a decision should be made about whether a forensic accountant should be retained as an outside consultant or hired as an employee. Junell articulates that if such a professional is brought in as an employee, the position should sit in the legal department rather than the company’s internal audit department. She recognizes that in the past, many companies have used existing internal auditors to do forensic accounting work as a way to reduce costs and because of the perceived similarities in the skill set and work product. She believes that this view is becoming outdated and that more companies are placing the forensic accountant position into the legal and compliance department because of the legal implications surrounding the work. Further, placing the forensic accountant in the compliance department allows an objective approach to any assignment to be maintained, since, as Junell believes, “he or she will not be governed by management or influenced by potential biases within” a company.

Lastly is the issue of privilege. If a forensic accountant is assigned to the internal audit group, you can kiss away even the chance of claiming privilege. Junell argues that by assigning the forensic accountant to the legal and compliance department one might have “more privilege protection than assigning him or her to internal audit or another department.”

I found Junell’s article to have some interesting points about how a compliance practitioner and compliance department can use a forensic accountant to help create a best practices program. It might be something that you would like to consider for your compliance regime. The lesson from Three Mile Island is not only that this just might keep you from having a compliance meltdown; consider also how many nuclear plants have been built since that time.


© Thomas R. Fox, 2013

May 1, 2012

Welcome to Howard’s Nightmare and How to Deal with It-(spoiler alert-Internal Controls)

Ed. Note-as most of you will recognize, Henry Mixon is a frequent guest commentator, focusing on internal controls as a part of a best practices compliance program. He recently called me and said that he thought he could provide some information which might help my This Week in FCPA co-host Howard Sklar get some sleep by suggesting a way to deal with his “Nightmare Scenario”. I asked Henry to write up a blog post and this is what he delivered.

In his Nightmare Scenario posted on his OpenAir Blog, Howard Sklar wrote about a very bad dream in which a $5 payment to a customs official in a foreign country by a business development employee might result in the employer filing an 8-K to report a violation of the FCPA. The employee who paid the USD 5 to the customs agent included the payment in his expense report as “tips.”

Howard references the examples in SEC Staff Accounting Bulletin 99 in which a transaction can become material for SEC reporting purposes, even though it falls well below the typically-used percentage thresholds used by auditors and preparers of financial statements. Two of the considerations from the Staff Accounting Bulletin which can transform a small misstatement into a material one are:

  • whether the misstatement affects the registrant’s compliance with regulatory requirements, and
  • whether the misstatement involves concealment of an unlawful transaction.

I agree with Howard’s concerns about the potential impact of transactions typically considered immaterial. The risk of the 8-K being required may not result from a single USD 5 payment, but can certainly result from a pattern of individually immaterial illegal payments made over time.

When processing reimbursement for transactions occurring outside the US, I believe a different mindset for internal controls is needed. First, the amount of a transaction is not as important as the nature and whether the transaction has proper business purpose. Many approvers in US companies do not focus on that important difference.

Second, internal controls in many US companies do not focus on the prevention of illegal payments, but instead focus on detection.

Expense report reviewers should be trained to look for Red Flags and to question suspicious items, or items for which proper business purpose is not clearly documented, regardless of perceived materiality. For example, standard procedure for expense reports is to describe who, what, where, when, and why. Failure to provide such transparent description should be a Red Flag, whether the requested reimbursement is for meals, hotel, taxi, car rental or any other “common” expense report items.

I would certainly never advise a client to develop internal controls specifically designed to deal with very small dollar items. However, in the FCPA world, controls should be designed on the basis of the risk profile of the transaction, not the dollar amount. Expense reports of employees traveling to high corruption risk locations outside the US should be high on any risk profile.

Relatively small amounts paid frequently can result in violations of meaningful proportions, especially if all adopt the belief that small illegal payments are permitted and concealment can be rationalized.

In particular, creating the wrong mindset in the business development function can lead to Nightmare Scenario II: illegal payments made when they result directly in obtaining or retaining business, rather than a payment made to a customs official to be allowed to cross a border.

If nobody questions the concealed illegal payment to a customs official, might an employee see opportunity, and rationalize misbehavior, when a potential customer asks for a bribe in exchange for business advantage?

So, while Nightmare Scenario might not occur for one payment made to be allowed to cross a border, how many payments to government officials concealed in expense reports are required before Nightmare Scenario II becomes reality?
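A risk-based expense report screen along the lines Mixon describes, as an added example that is not code from the original post or from Mixon: each item is flagged on the nature of the payment and the completeness of its who/what/where/when/why description rather than on its amount, and the repeated small flagged payments of one employee are then surfaced as a pattern. The risk-country list, the keyword lists and the sample expense items are constructed assumptions.

```python
"""Risk-based expense report screening.

Added example, not the original post's or Henry Mixon's code. Red flags are
driven by the nature and documentation of an item, not its dollar amount, and
a second pass looks for the pattern of repeated small flagged items that an
amount-based materiality review would wave through.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed: stand-ins for the high corruption risk locations identified in
# a company's own risk assessment.
HIGH_RISK_COUNTRIES = {"Country X", "Country Y"}

# Constructed: words that point at a government touchpoint, and categories
# that explain nothing at all (such as "tips").
GOVERNMENT_TERMS = {"customs", "official", "permit", "inspector", "license"}
VAGUE_CATEGORIES = {"tips", "misc", "miscellaneous", "other", "expenses"}


@dataclass
class ExpenseItem:
    employee: str
    date: str            # "when"
    country: str         # "where"
    amount_usd: float
    category: str        # e.g. "meal", "taxi", "tips"
    who: str = ""        # who was paid or present
    what: str = ""       # what was purchased
    why: str = ""        # business purpose


# Constructed sample: three USD 5-6 "tips" at a border, one documented
# dinner, and one ordinary hotel stay elsewhere.
SAMPLE_REPORTS = [
    ExpenseItem("bd-employee-1", "2012-04-02", "Country X", 5.0, "tips",
                who="customs agent"),
    ExpenseItem("bd-employee-1", "2012-04-09", "Country X", 5.0, "tips",
                who="customs agent"),
    ExpenseItem("bd-employee-1", "2012-04-16", "Country X", 6.0, "tips"),
    ExpenseItem("bd-employee-1", "2012-04-18", "Country X", 48.0, "meal",
                who="distributor sales lead, 2 of ours", what="dinner",
                why="quarterly forecast review"),
    ExpenseItem("bd-employee-2", "2012-04-05", "Country Z", 950.0, "hotel",
                who="self", what="3 nights", why="customer site visit"),
]


def red_flags(item):
    """Return the list of red flags for one item; amount is never a factor."""
    flags = []
    # 1. Transparency: who, what, where, when and why must all be documented.
    fields = (("who", item.who), ("what", item.what), ("where", item.country),
              ("when", item.date), ("why", item.why))
    missing = [name for name, value in fields if not value.strip()]
    if missing:
        flags.append("incomplete description: " + ", ".join(missing))
    # 2. Nature of the payment: government touchpoint or an empty category.
    text = " ".join([item.category, item.who, item.what, item.why]).lower()
    if any(term in text for term in GOVERNMENT_TERMS):
        flags.append("possible payment to or for a government official")
    if item.category.lower() in VAGUE_CATEGORIES:
        flags.append("vague category: " + item.category)
    # 3. Location risk profile.
    if item.country in HIGH_RISK_COUNTRIES:
        flags.append("high corruption risk location: " + item.country)
    return flags


def repeat_pattern(items, materiality_usd=25.0, min_count=3):
    """Employees with at least min_count flagged items that each fall below
    the materiality threshold: individually immaterial, material as a pattern."""
    counts = Counter(i.employee for i in items
                     if i.amount_usd < materiality_usd and red_flags(i))
    return {emp: n for emp, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for item in SAMPLE_REPORTS:
        for flag in red_flags(item):
            print(f"{item.employee} {item.date} USD {item.amount_usd:>6.2f}: {flag}")
    for emp, n in repeat_pattern(SAMPLE_REPORTS).items():
        print(f"PATTERN: {emp} has {n} small flagged items")
```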


April 16, 2012

The Biomet SEC Complaint: Lessons for Management on the Prevention of Corruption

I am in the UK this week. Today I have a presentation with thebriberyact.com guys, Barry Vitou and Richard Kovalevsky, QC. So this week, my blog posts will have an English theme.

Today, we begin with a melancholy tribute to the Liverpool Football Club, which advanced into the FA Cup final by beating Everton on Saturday. The tribute is melancholy as Sunday, April 15 was the 23rd anniversary of the worst sporting disaster in UK history, the Hillsborough disaster which occurred during the semi-final FA Cup tie between Liverpool and Nottingham Forest football clubs on April 15, 1989 at the Hillsborough Stadium in Sheffield, England. The crush resulted in the deaths of 96 people, with a total of 766 other persons being injured. All of them were fans of Liverpool Football Club. The official inquiry into the disaster, the Taylor Report, concluded that “the main reason for the disaster was the failure of police control.” May you never walk alone.

In today’s post we revisit the Biomet Deferred Prosecution Agreement. As you may recall, one of the major failings of the company which led to its violations of the Foreign Corrupt Practices Act was that of the company’s Internal Audit Department. I asked my colleague Henry Mixon, CPA and FCPA internal controls specialist, for his reaction to the recent posting regarding lessons for Internal Audit in the recent Biomet matter. The following is his response.

While I agree there is a lesson for Internal Audit in the SEC Complaint in the Biomet matter, I also believe there is an even more important lesson for management.

In the Biomet matter, the SEC was critical of the manner in which Internal Audit dealt with certain transactions which involved payments to customers and potential customers of Biomet.

For sure, Internal Audit should have investigated the payments further. Without more facts, what Internal Audit did, and the possible alternative scenarios, is speculative.

However, the problem I see is this. Even if Internal Audit had pursued the Red Flags to a different resolution, their findings would not have had the desired result of an effective Compliance Program — the prevention of bribes, not the detection of bribes.

The SEC focuses on correct accounting and disclosure. Controls to detect and correct errors and irregularities before they impact published financial statements have been the mainstay of controls over financial reporting for many years. Had Internal Audit thoroughly pursued the transactions at issue, the correct accounting would likely have been determined and the impropriety of the true nature of the payments would have been confirmed and possibly corrected before the financial statements were published.

What would have remained was the need for an expensive independent investigation to quantify the magnitude of the issue and a management decision about what to do after the magnitude had been determined, i.e., whether to self report to the DOJ.

However, no amount of investigation and documentation by Internal Audit would have changed the primary issue – the bribes had not been prevented.

In the author’s opinion, management of all companies should be more proactive in developing measures to prevent bribes, rather than relying on measures to detect them.

Well-designed prevention controls do not need to be more expensive or time consuming than detective controls. In any event, the cost of such prevention will most surely be less than the total cost of failure to prevent bribes.

In the author’s opinion, when it comes to compliance with anti-bribery laws, the conventional model of detection and correction will not get the job done.

Henry Mixon can be contacted at hmixon@mixon-consulting.com


December 19, 2011

McNulty’s Maxims, the Deepwater Horizon and FCPA Internal Controls

I often write about what I call Paul McNulty’s three maxims of a Foreign Corrupt Practices Act (FCPA) compliance program: 1) What did you do to prevent it?; 2) What did you do to detect it?; and 3) What did you do to remedy it? I had generally thought that the internal controls component of a minimum best practices FCPA compliance program applied to maxim number 2, detection. However, in a recent guest post regarding internal controls entitled “Controls to Prevent Violations of Anti-Bribery Laws”, my colleague Henry Mixon explained that “A specific focus is needed to ensure there are control procedures in place to ensure compliance with” maxim number 1, prevention.

This concept was driven home in a December 15, 2011 article in the Houston Chronicle by reporter Jennifer Dlouhy, entitled “Blowout preventers fall short, report says”. This article discusses a 136 page report by the National Academy of Engineering and National Research Council (“the Report”) on the Deepwater Horizon disaster. One of the findings of the Report was that the industry’s trust in blowout preventers, as they are currently designed and utilized, is misplaced. The Report noted that there were several studies which had questioned the reliability of blowout preventers to do what they were designed to do, and provided several technical reasons for this finding.

For those of you not in the oil and gas industry, a blowout preventer is a piece of equipment which is designed to be the last line of defense if the well blows, by cutting through the pipe and blocking the oil or gas from escaping upwards and being ignited by the drilling rig. Generally, it has to be activated by someone or by some automatic control system to take its preventative action. In other words, it is not viewed as a detection device but as a prevention device.

This article notes that, as the name implies, blowout preventers are designed to prevent an accident. I was reminded that the FCPA and UK Bribery Act require a specific focus on preventive controls. While there should be detective controls as well, if your company has only detective controls, your compliance program does not meet the minimum best practices. In his recent post Henry Mixon focused on the use of internal controls to prevent bribery and corruption.

Some examples of internal controls which can serve as preventative controls are the following:

  1. Petty cash disbursements should be reviewed by more senior management before disbursement, rather than reconciled after the fact.
  2. Controls are also needed in the following areas:
    1. the movement of inventory, because bribes can be made through mechanisms other than cash;
    2. gifts, entertainment, hospitality, political contributions and charitable contributions;
    3. an effective Delegation of Authority, such as a requirement of dual signatures for hand-written checks;
    4. offline processing and maintenance of key information related to vendors and disbursements;
    5. payroll processing for employees, both contract and permanent, to ensure that an employee’s status as a current or former Government Official, or a relative of one, is identified in pre-hire due diligence and that effective oversight is established over the hours actually worked, the type of work performed and the compensation paid;
    6. the vendor master file, to ensure that no vendor is paid unless appropriate due diligence has been performed.

The Report on the Deepwater Horizon disaster makes clear that the energy industry must find a way to prevent a similar event in the future. The lessons from McNulty’s maxims also make it clear that for a best practices compliance program, you must have sufficient preventative controls in place to prevent bribery and corruption. Henry Mixon details some of the specific reasons that internal controls can be used as prevention controls and the specifics on how to do it.

If your compliance program only uses internal controls to detect after-the-fact violations, you may need to call Paul McNulty and have him represent you. Then you may well be in the position of having McNulty call the Department of Justice and self-report a FCPA violation. I am relatively sure that such a call is not one that you would like to make, or have counsel make on your behalf.


© Thomas R. Fox, 2011

August 15, 2011

Henry II Revisited: The Fair Process Doctrine as a Key Component of a Compliance Program

In a recent post entitled “Will No One Rid Me of this Meddlesome Priest?” I highlighted ‘Tone at the Top’ by discussing the words of Henry II leading to the subsequent murder of Thomas Becket. One of the things I learned on my recent vacation to England was that Henry II developed many of the procedural safeguards which became the basis of Anglo-American jurisprudence. While English Kings, at least after William the Conqueror, had always been able to issue Writs to direct the King’s subjects to perform tasks, Henry II developed certain standardized Writs which could be utilized to determine disputes between the King’s subjects in a more fair and judicial manner. So today we will honor Henry II by discussing how he helped to bring procedural fairness to English law and how that relates to a modern day compliance program.

Two of the most famous were the Writ of Novel Disseisin, which would allow a person to contest property ownership through a trial on the merits, decided by a jury, and the Writ of Mort D’Ancestor, which allowed heirs to contest property distribution after a person’s death. As with the Writ of Novel Disseisin, the Writ of Mort D’Ancestor would be issued in the King’s name to the County Sheriff, who would seize the property in question. The matter would then go through a legal process culminating in a trial by jury to determine rightful ownership. Both of these Writs allowed a manner of procedural fairness to come into disputes which heretofore had not been present in English law.

Procedural fairness is one of the things that will bring credibility to your Compliance Program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce.

A. Internal Investigations

The first area is that of internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. I have recently written about several aspects of internal investigations, in order to emphasize how to handle internal whistleblower complaints in light of the Dodd-Frank implications. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel, to handle the investigation. Moreover, if a company uses a regular outside firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

B. Administration of Discipline and Employee Promotions

However, as important as the Fair Process Doctrine is with internal investigations, I have come to believe it is more important in another area. That area is the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put, if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or, worse yet, a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and reward only employees who achieve their numbers by whatever means necessary, other employees will certainly take note, and it will be understood what management evaluates and rewards employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines: “If I violate the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

So we should thank Henry II for showing us that he was more than simply about ‘Tone at the Top’. His changes in English jurisprudence helped lead us down the road to procedural fairness in the law and today in the workplace. You should thank him and remember that people will be more loyal if they think they have been treated fairly, even if the results are not exactly what they wanted.

© Thomas R. Fox, 2011
