FCPA Compliance and Ethics Blog

September 5, 2014

Board of Directors and FCPA Oversight – An Internal Control Under SOX, Part I

Today we begin by honoring the political process and a politician extraordinaire, for on this day in 1836, Sam Houston was elected as the first President of the Republic of Texas. One of the most interesting characters from the early-to-mid-19th century, Houston was born in Virginia in 1793, moved with his family to rural Tennessee as a teenager and later ran away and lived for several years with the Cherokee tribe. Houston served in the War of 1812. He practiced law in Nashville and from 1823 to 1827 served as a US congressman before being elected governor of Tennessee in 1827. He was extensively interviewed for Alex De Tocqueville’s seminal work Democracy in America.

A failed marriage led Houston to resign from office and live again with the Cherokee who officially adopted him. In 1832, President Andrew Jackson sent him to Texas to negotiate treaties with local Native Americans for protection of border traders. Houston arrived in Texas during a time of rising tensions between US settlers and Mexican authorities and soon emerged as a leader among the settlers. In 1835, Texans formed a provisional government, which issued a declaration of independence from Mexico the following year. Houston was appointed military commander of the Texas army.

Houston served as the Republic of Texas President until 1838, then again from 1841 to 1844. Houston helped Texas win admission to the United States in 1845 and was elected as one of the state’s first two senators. He served three terms in the Senate and ran successfully for Texas’ governorship in 1859. As the Civil War loomed, Houston argued unsuccessfully against secession, and was deposed from office in March 1861 after refusing to swear allegiance to the Confederacy. He died of pneumonia in 1863.

This political process angle informs your anti-corruption compliance program through the passage of Sarbanes-Oxley (SOX). Yesterday, I was at a presentation where James Doty, Commissioner of the Public Company Accounting Oversight Board (PCAOB), spoke. One of the questions put to him was regarding the function of a Board of Directors under SOX, which I thought had some significant implications for Foreign Corrupt Practices Act (FCPA) compliance. He was asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer (CCO) or compliance practitioner.

In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.

Board liability for its failure to perform its assigned function in any compliance program is well known. David Stuart, an attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. It would not be too far a next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.

Further, the SEC has made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.

Lawyers often speak to and advise Boards on their legal obligations and duties. However, the insight I received from the Q&A with James Doty drove home a different, yet very valuable point to me. If a Board’s oversight is part of effective financial controls, then the failure to do so may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 22, 2012

Bradley Wiggins, the Tour de France and Internal Audit under the FCPA

Filed under: Audit,compliance programs,FCPA,Internal Audit — tfoxlaw @ 4:10 pm

Today is a great day for Brits everywhere. Not only did Bradley Wiggins become the first Brit to win the Tour de France, but fellow Team Sky rider Christopher Froome came in second, making it the first British 1-2 finish in the 99-year history of the Tour as well. Wiggins ended his masterful three weeks of cycling by leading in yet another Team Sky member, Mark Cavendish, the “Mann Manx”, to his fourth consecutive win on the final day of the Tour, down the Champs-Elysees. It was a fabulous finish to an incredible 20 stages of riding. So a tip of my cycling helmet to Mr. Wiggins and to all of Team Sky.

One question which I sometimes ask in conjunction with the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act is what are some of the specific questions that should be reviewed by auditors in an internal audit which focuses on bribery, corruption and fraud? Last October the US Public Company Accounting Oversight Board (PCAOB) issued “Staff Audit Practice Alert No. 8 Audit Risks in Certain Emerging Markets” (Staff Alert No. 8). While Staff Alert No. 8 “focuses on risks of misstatement due to fraud that auditors might encounter in audits of companies with operations in emerging markets” I found it to be a useful guide for auditors who are also tasked with anti-bribery and anti-corruption focused audits, particularly internal auditors who may be asked to review such practices in the ongoing internal audits. Staff Alert No. 8 begins with a list of “conditions and situations indicating a heightened fraud risk”, which I cite in full because it is an excellent list of Red Flags.

  • Existence of two separate and different sets of financial books and records;
  • Discrepancies between the company’s financial books and records and audit evidence obtained with respect to the existence and accuracy of cash balances, accounts receivable, and revenues;
  • Auditor difficulties in confirming cash balances, including when requesting to visit the offices of the company’s bank, or questions about the authenticity of bank statements provided to the auditor;
  • Auditors’ follow-up visits to bank offices indicating serious discrepancies between bank confirmations provided to the auditor and the bank’s actual records, such as previously undisclosed material borrowings and no record of or significant differences regarding certain transactions;
  • Attempts by management to intercept or alter confirmation requests or responses;
  • Irregularities in sales contracts, such as a company-specific seal affixed on the sales contract that does not belong to the purported customer named in the contract;
  • Recognizing revenue from contracts or customers whose existence could not be corroborated;
  • Recording sales of products shipped to warehouses or freight forwarders where no customer is identified;
  • Undisclosed material facts surrounding acquisition transactions, sales transactions, and off-balance-sheet transactions with related parties;
  • Recording of assets for which evidence of control, ownership, or title is either unclear or difficult to corroborate;
  • Potential double counting of fixed assets;
  • Recording of uncorroborated operating expenses for which the business purpose is unclear;
  • Manipulation of the accounting records to mischaracterize or conceal payment of bribes or other improper payments;
  • Significant unexplained discrepancies between amounts included in the financial statements in SEC filings and amounts included in financial reports to other regulators, such as local authorities;
  • Use of personal-type bank accounts held in the name of corporate officers or employees instead of corporate-type bank accounts for company business; and
  • Unusual delays by management in the production of routine documents requested by the auditor.

Staff Alert No. 8 makes clear that an auditor cannot accomplish a task unless he or she understands both the company and its environment. An auditor should have an understanding of the following:

  • The relevant industry and regulatory factors, including the legal, and political environment, which may include matters such as:
    • The company’s significance in the regional or local economy and its level of influence over its industry, and regional or local government, and
    • Cultural norms in the business and regulatory environments;
  • The company’s objectives, strategies, and related business risks; its organizational structure; and sources of funding of the company’s operations;
  • The company’s significant investments, including equity method investments, joint ventures, and variable interest entities;
  • The sources of the company’s earnings, including the relative profitability of key products and services; and
  • The company’s key supplier and customer relationships.

From these factors, Staff Alert No. 8 advises that “incentives, pressures and opportunities” may lead to a heightened risk of corruption. Regarding incentives and pressures, the Staff Alert warns that companies which are looking to raise money for international markets may have an incentive to “manipulate financial statements rather than report poor results”. Providing a more detailed example the Staff Alert says that one technique used to accomplish such fraud would be consolidating the financial reports of a joint venture with a foreign state-owned enterprise, even if the company does not have a controlling interest in the partnership. Another example the Staff Report provides is the situation where a company repatriates large amounts of cash back to the US. Such foreign legal requirements can create a situation which could lead to bribery or corruption.

In the area of opportunities, Staff Alert No. 8 focuses on weak internal controls, as such deficiencies can provide opportunities for management or employees in such foreign jurisdictions to engage in bribery and corruption. In circumstances where a company is a dominant player in a geographic region, management might be able to dictate terms or conditions to local suppliers or customers, which might result in non-arm’s length transactions. Another example may well be where management could “pressure personnel of a local bank or other third parties to provide fraudulent information to the auditor.” Lastly, the PCAOB noted that there may be situations where employees may “not be willing to report instances of fraud for cultural reasons or fear of retribution from management” even where the company has a whistleblower program. The Staff Alert cautions that auditors should look for evidence of “undisclosed side agreements” and other evidence of collusion with third parties to “create false documentation to support fictitious transactions.”

Staff Alert No. 8 specifies that an auditor must exercise professional skepticism, which requires an auditor to obtain and critically evaluate independent evidence from outside sources, rather than simply relying on “management representations about the company’s performance.” To accomplish this, the Staff Alert speaks to the receipt and review of independent confirmations and to testing and reviewing revenue to ascertain that it is recognized correctly. Particular attention should be paid to transactions with related parties, including identifying their materiality to the financial statements.

I found Staff Alert No. 8 a very useful piece of guidance. Not only does it speak to the auditor looking at FCPA or Bribery Act issues but it is important for the compliance practitioner to understand what a regulator might expect to see. As most people who have heard me speak know, my FCPA and Bribery Act mantra is “Document Document Document”. This Staff Alert No. 8 lists what documentation a company should keep in order to help prove that it is doing business in compliance with these anti-bribery and anti-corruption laws.

So, congratulations, once more, to Bradley Wiggins. And for those of you cycling fans out there, seven of this year’s Tour de France stage winners will be riding in the London Olympics beginning this weekend. It should be great.



© Thomas R. Fox, 2012
