On January 25, 2018, the Associate Attorney General directed the Department of Justice (DOJ) not to rely on agency guidance documents to establish a violation in affirmative civil enforcement (“ACE”) cases. Agency guidance documents include letters to industry, policy manuals, handbooks and FAQs.
Affirmative Civil Enforcement (“ACE”) refers to filing civil lawsuits on behalf of the United States. The purpose of these civil actions is to recover government money lost to fraud or other misconduct or to impose penalties for violations of Federal health, safety, or environmental laws.
Under the January 25 directive, DOJ “may not use its enforcement authority to effectively convert agency guidance documents into binding rules,” and “may not use noncompliance with guidance documents as a basis for proving violations of applicable law in ACE cases.”
Clients should be aware of situations where DOJ or agencies cite guidance documents in the context of compliance actions and consider whether the January 25 directive may be applicable. Although the directive applies to DOJ, it may have broad impact across the federal government, as DOJ litigates enforcement actions for most federal agencies, including U.S. Department of Health and Human Services (HHS) agencies like the Food and Drug Administration (FDA) and the Centers for Medicare and Medicaid Services (CMS). The directive applies to both future ACE actions and ACE actions pending as of January 25, 2018.
Sources: Akin Gump and DOJ
The Justice Department urged its lawyers to weed out meritless cases from the hundreds of suits brought on its behalf under an anti-fraud law called the False Claims Act.
Justice Department attorneys should consider using a provision in the False Claims Act that lets the department ask a judge to dismiss claims, even if the whistleblower who brought the case wants to go ahead, according to an internal memo dated Jan. 10 from Michael D. Granston, director of the commercial litigation branch of the Civil Division.
“This is good both for the government and it’s good for private industry,” said Mitch Ettinger, a white-collar defense lawyer at Skadden, Arps, Slate, Meagher & Flom LLP.
Under the law, private individuals who think they found fraud against the government can sue on the U.S.’ behalf, sharing in whatever money is collected. The Justice Department investigates and decides whether to intervene in the case, taking over from the whistleblower, known as a relator. Even if the department decides not to intervene, the relator generally can pursue the case.
Knowing whether to deploy the chief executive as its public face during a crisis is a tricky question for a company to answer, but two recent research papers say there are times when it is more advantageous to do so.
The first paper, published in December in the Journal of International Management, found the use of the CEO is more effective in societies where people expect and accept differences in status, also known as “power-distance orientation.”
The second paper can be found here.
I will be expanding on this topic in my next blog post.
Recent aggressive, anti-bribery actions by various governments are indicative of new challenges that businesses with global operations or supply chains are encountering. Although the U.S. Foreign Corrupt Practices Act (FCPA) has been the preeminent anti-corruption law for most companies with international operations or financial ties, in recent years other countries have become assertive in enforcing their own regulations, further complicating an organization’s governance, risk management, and compliance efforts (see “Sharper Focus on Foreign Bribery” below).
This growing complexity reinforces the importance of a system of strong internal controls backed by an effective, independent internal audit function. An internal auditor provides an organization’s governing body and senior management with comprehensive assurance that anti-bribery controls are in place, designed appropriately, and operating as prescribed. Moreover, a leading practice is to map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. After you have mapped the controls (the COSO 2013 Framework is suggested for this), you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program.
For example, you can recommend that procedures be written for all key compliance areas in which there are currently no procedures, and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced. Through this you can move from having detective controls in place to having preventive controls, wherever possible.
Remember that internal control is a process, effected by those charged with governance or an entity’s board of directors, as well as management and other personnel, designed to provide reasonable, not absolute (emphasis added), assurance that policies, procedures, monitoring, and training are in place to help mitigate risk by ensuring that company assets are used properly, with proper review and approval, so that transactions are properly recorded in the books and records. “Reasonable assurances” is further defined as “such level of detail and degree of assurance as would satisfy prudent officials in the conduct of their own affairs and recognizes that the costs of internal controls should not exceed the benefits expected to be derived.”
The International Standards for the Professional Practice of Internal Auditing (Standards) points out that although internal auditors are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud, they must possess the requisite knowledge to evaluate the potential for fraud — including corruption — to occur, along with the methods the organization uses to manage fraud risk. Enforcement actions by authorities in several nations provide valuable insight into the tools, processes, and procedures regulators expect organizations to follow to manage fraud risk. By reviewing such actions in the context of recent global anti-corruption trends, internal auditors can build the knowledge needed to meet their professional responsibilities.
Growing Roster of Enforcers
The U.S. has pursued foreign bribery cases more actively than other countries in recent years. U.S. authorities imposed sanctions against individuals and companies in 128 foreign bribery cases during the 15-year period covered by the Organisation for Economic Co-operation and Development’s (OECD’s) 2014 Foreign Bribery Report. Germany sanctioned individuals and companies in 26 cases, South Korea imposed sanctions in 11 cases, and Italy, Switzerland, and the U.K. each imposed sanctions in six cases. Four anti-bribery laws are notable.
U.S. The authority for most U.S. anti-corruption cases is the FCPA, which applies to all U.S.-based businesses, citizens, and residents. Moreover, the FCPA also governs any “U.S. issuer,” a broad term that encompasses all foreign companies trading on U.S. exchanges as well as any other company that is required to file periodic reports with the U.S. Securities and Exchange Commission (SEC). It also applies to foreign subsidiaries of U.S. companies and U.S. subsidiaries of foreign companies.
In addition to the anti-bribery requirement, publicly traded companies are subject to FCPA accounting provisions that mandate that the books and records accurately reflect all transactions and internal control provisions that require companies to have appropriate internal controls to prevent, detect, and remedy FCPA violations. Internal audit has a separate role in testing the books and records, as well as in assisting with designing and implementing internal controls and then testing them.
German-based Siemens AG and Daimler AG, U.K.-based BAE Systems, France’s Total S.A., and Japan’s JGC Corp. are among the prominent companies that have been required to pay steep FCPA-related fines in recent years. As of the end of 2014, eight of the 10 largest penalties imposed by the U.S. government in FCPA cases were assessed on companies headquartered outside the U.S. Moreover, the Latin American Law & Business Report newsletter notes that, “foreign individuals and foreign companies that do not trade on U.S. exchanges can also violate the FCPA if they cause an act in furtherance of a corrupt payment within the U.S.”
U.K. Several other countries’ laws are even broader in scope. For example, the U.K.’s Bribery Act of 2010 applies to a wider range of companies and makes a greater array of conduct illegal than the FCPA does. It has authority over any company that engages in any business or part of a business in the U.K. In addition to prohibiting the bribery of both government officials and non-government individuals, the Bribery Act penalizes the bribe receiver as well as the bribe payer, whereas the FCPA penalizes only the payer.
The U.K. act also prohibits de minimis “facilitation payments” for certain routine government actions that do not provide the payer with an unfair competitive advantage. A common example is the payment of a fee to speed up installation of telephone service by a state-owned telephone company. Practices such as this, regarded as a routine cost of doing business in some countries, are afforded an exemption under the FCPA but not under the Bribery Act.
Canada In 2013, changes Canada made to its Corruption of Foreign Public Officials Act aligned it more closely with the FCPA. However, in some respects, such as the prohibition of facilitation payments, the Canadian law is more similar to the U.K. Bribery Act.
Brazil Also in 2013, Brazil’s congress passed the Clean Company Act, which went into effect in January 2014. It is similar to the FCPA in that it targets only public corruption and not commercial bribery. But other aspects, such as those covering defendants’ state of mind and knowledge, are more similar to the U.K. Bribery Act.
The Brazilian law is particularly significant in that companies — not just individuals — are now subject to prosecution for bribery. Companies found guilty could face fines of up to 20 percent of their gross annual revenue, along with possible suspension of operations, confiscation of assets, and even dissolution. The law covers both bribery of foreign officials by Brazilian companies and bribery of local officials by any company.
The Clean Company Act also spells out a particularly strong oversight role by a company’s internal audit function. Under the law, having strong compliance programs in effect is not an affirmative defense against corruption charges, but authorities can consider compliance efforts to reduce penalties. These compliance efforts can be evaluated on three factors: 1) the structure of the program, including reporting mechanisms, training, policies and procedures, and periodic risk assessments; 2) specifics about the legal entity, including specific compliance risks; and 3) an evaluation of the program’s efficiency, including a case-by-case verification of the program’s effectiveness by internal audit.
High-profile Enforcement Actions
In addition to expanding their statutory authority, governments are undertaking more vigorous anti-corruption enforcement actions. Several recent cases provide useful insights into the internal controls that must be in place and internal auditors’ responsibilities for helping their organizations maintain compliance.
GlaxoSmithKline PLC (GSK) One of the highest-profile actions in recent years has been an ongoing corruption investigation in China. The case culminated in September 2014 in the conviction of U.K.-based GSK for paying bribes to boost its business. China fined GSK a record US$491 million — the amount of the alleged bribery — and the former top GSK executive in China, four other company managers, and two ancillary GSK-hired investigators received criminal convictions.
The Chinese government’s entry into the international fight against corruption and bribery is a game changer. Foreign companies are now on notice: Doing business the old way will no longer be tolerated, and companies operating in China have a new risk to consider — possible prosecution under domestic Chinese law.
The Chinese example also could encourage additional anti-corruption enforcement around the globe. When other countries with endemic corruption issues see that they can attack their domestic corruption issues by prosecuting international businesses operating within their borders, there may be an appetite for additional prosecutions.
The GSK case also offers lessons about the potential cost of internal audit failures. Ironically, as various news sources have noted, GSK had more compliance officers in China than in any country except the U.S. and had conducted up to 20 internal audits a year in China. Nevertheless, the company was unprepared when Chinese officials accused it of using travel agencies to funnel bribes to doctors and officials under the guise of medical conferences and other events.
Although the cost of monitoring such payments would be high and would involve the tedious work of verifying numerous receipts and scrutinizing countless transactions for signs of fraud, the use of practices such as GSK’s to hide payments to doctors was a well-recognized risk. One lesson internal auditors can draw from the case is clear: If the risks for a certain pattern of corruption are well-known, a company must devote whatever resources are necessary to verify its compliance with relevant laws.
Avon Another case of bribery allegations involved cosmetics maker Avon Products Inc. According to settlement agreements with the SEC and the U.S. Department of Justice, the company’s Chinese subsidiary paid US$8 million in bribes to Chinese officials in 2004 in the form of cash, gifts, travel, and entertainment. The purpose was to gain access to officials who were drafting and implementing new direct-selling regulations in China.
The Avon case demonstrates the high cost of a failure by the internal audit function — in this case fines and investigative costs of more than US$500 million. The bribes reportedly were detected by Avon’s internal audit function in 2005 and 2006, but the company’s CAE at the time was persuaded to withdraw the internal audit report and destroy all evidence. This information was never presented to Avon’s board, which learned of the corruption only because of an internal whistleblower.
Petrobras The GSK case in China might be a harbinger of international anti-corruption enforcement actions based on domestic anti-bribery laws, but a case now underway in Brazil could turn out to be even larger. In fact, the investigation into Brazil’s state-owned energy company Petrobras eventually could become the world’s largest corruption investigation.
Petrobras CEO Maria das Gracas Foster and five board members have been forced to resign, and Brazilian President Dilma Rousseff has come under pressure because of her former role as minister of energy and president of the Petrobras board. The company’s former head of refining operations has told prosecutors that construction budgets for new projects were routinely inflated by 3 percent of their value to cover bribes and kickbacks, some of which were then routed to major Brazilian political parties. Another defendant has testified that more than a dozen of Brazil’s largest construction companies paid bribes to obtain contracts.
The case also has significant global implications. In addition to banks in Switzerland and the Cayman Islands, where funds allegedly were deposited, companies ranging from shipyards in Singapore to U.K.-based Rolls-Royce plc also have been accused of paying bribes.
Although the allegations in the Petrobras case occurred before the passage of Brazil’s Clean Company Act, the prosecution of the case is being watched closely for any precedents that could affect the new law’s implementation.
Internal Audit’s Approach
Examples such as Avon, GSK, and Petrobras can provide useful lessons for internal audit functions to help their organizations fight bribery and corruption. The IIA practice guide, Auditing Anti-bribery and Anti-corruption Programs, recommends internal audit assess the effectiveness of anti-bribery and corruption programs to help anticipate the risk and identify the existence of potential and actual incidents.
Two different, but complementary, approaches may be used, either separately or together: 1) auditing each component of the anti-bribery and corruption program, and 2) incorporating an assessment of anti-bribery and corruption measures in all audits, as appropriate. With the latter approach, bribery and corruption risks are incorporated into the risk assessment and scoping process of each audit. This process may:
▪ Include procedures to assess bribery and corruption risks.
▪ Evaluate potential bribery and corruption scenarios.
▪ Evaluate the control environment and anti-bribery and corruption programs in that audit area.
▪ Link the scope of an audit area’s procedures to its assessed risks.
In some situations, management may not want internal audit’s findings about potential corruption brought to the board’s attention. This is why any compliance program must include structural protection that allows internal audit to share its concerns with the board or, at a minimum, the audit committee.
Moreover, it is a best practice in compliance programs for the board or audit committee to seek out and ask the tough questions about whether internal audit has uncovered any evidence of FCPA violations. There must be internal audit independence, an independent reporting channel to the board, and board fulfillment of its role in a compliance regime.
Internal audit’s role in anti-bribery and corruption programs depends on an organization’s governance structure. In addition, internal audit’s level of involvement should be recommended by the CAE and approved by the board. In all cases, however, it is critical that the function has the independence from senior management necessary to report directly to the board when violations of law are uncovered. By adhering to the Standards — and by understanding and applying the lessons from recent enforcement actions — internal auditors can be better prepared to provide the crucial third line of defense against fraud and corruption.
Jonathan T. Marks, CPA, CFE
Thomas R. Fox, JD
Article originally appeared in Internal Auditor Magazine and modified.
Fewer than one in five companies give compliance staff substantive roles in handling major mergers, and more than half have unresolved compliance problems that regulators have yet to discover, according to a survey of 537 companies with annual U.K. revenue of at least £1 billion ($1.4 billion). Compliance experts say those findings from law firm Baker McKenzie both point to high levels of concern among executives and suggest ways companies can do better.
Several years ago, Tom Fox was kind enough to post the “FCPA Compliance Overview and Action Plan” that I cobbled together based on my experiences. Since that time I have received many calls and e-mails for more information, so I decided to post it for others to consider using in practice. My goal is to continuously tweak the plan. Your suggestions and comments are always welcome.
Note: The draft guidance is not prescriptive and does not detail specific anti-bribery measures, but instead adopts a principles-based approach, which is intended to be used as a guide by the board in its oversight role and by management when implementing the anti-bribery compliance program.
For any company with foreign operations, “FCPA” is a dirty acronym. It should not come as a surprise that compliance with the Foreign Corrupt Practices Act has become a key area of focus for boards and senior management. Enforcement of the FCPA continues apace, and the SEC and DOJ continue to prosecute companies and individuals for fraud and other corporate misconduct. Overseeing FCPA compliance should not be taken lightly. One element of good governance dictates that boards must create and follow procedures designed to ensure compliance with applicable laws and regulations.
Directors succeed in this task by fostering a culture of high ethical standards, by prioritizing compliance oversight, and often by personally investing time and effort in the company outside the boardroom. Ethics and compliance should be near the top of the agenda at every board meeting, just as safety, environmental, and cyber hygiene often are. It is all too common for compliance review to be considered a “routine” item on the board agenda, associated with annual reviews of codes of conduct and other corporate governance staples.
The entire board of directors is responsible for compliance oversight and responsibility, whether or not a compliance or risk committee exists. It is essential for directors to stay current on developments that affect compliance. Shifts in the regulatory environment, updated best practices, issues that recently have arisen in the company or the industry, changes in laws, the hiring or firing of key personnel abroad, the company’s merger and acquisition activity—all of these elements are potentially significant to compliance oversight.
While the entire board of directors is responsible for compliance oversight, the audit committee is often tasked to assess whether management has developed and is maintaining an effective compliance program to address corruption risk. Specifically, the audit committee is often asked to assess the overall compliance structure, including the roles, resources, and responsibilities of the compliance, legal, and internal audit functions, which if not harmonized could be problematic (what I refer to as the “Bermuda Triangle”); the quality, thoroughness, and age of the risk assessment; and other elements of the compliance program.
The audit committee is also responsible for overseeing the financial reporting process and controls, the internal audit function, and the external auditors, including the appointment of the company’s external auditor. It oversees management’s implementation of policies that are intended to foster an ethical environment and mitigate financial reporting risks. In this process, the audit committee has the responsibility to see that management designs, documents, and operates effective controls to reduce the risk of financial reporting fraud to an acceptable level. The Sarbanes-Oxley Act also makes the audit committee responsible for establishing mechanisms for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or audit matters, and confidential, anonymous submissions by employees of concerns regarding questionable accounting and auditing matters (generally referred to as the ethics or whistleblower program).
In addition, it is increasingly common for the audit committee to have a link with the compensation committee through overlapping members, joint meetings, or attendance of the audit committee chair at certain compensation committee meetings. The objective of this process is to satisfy both committees that the executive compensation structure provides sound incentives for achieving corporate strategies without unintentionally providing motivations for fraud or other unethical behavior. The focus on compensation structures will likely increase as a result of legislation and regulatory rules regarding corporate compensation policies and practices.
Sources: Harvard Law Forum and the Center for Audit Quality Anti-Fraud Report: Deterring and Detecting Financial Reporting Fraud: A Platform for Action
FCPA Compliance Action Plan
Top level commitment – “Tone and Conduct from The Top”
▪ Top-level management (usually the board of directors and senior executives) must establish a culture within their company in which bribery is unacceptable. They also should ensure that the company’s policy to operate without bribery is effectively communicated throughout the company. The draft guidance provides examples of what top-level commitment should include:
▪ A “zero tolerance policy” toward bribery in all parts of the company’s operation;
▪ Clear explanation of the consequences that employees and business partners will suffer if they violate the corporate policy;
▪ Personal involvement in the development of a code of conduct, or ensuring the publication and communication of anti-bribery measures to all employees, subsidiaries and business partners; and,
▪ Appointing a senior manager to oversee the development of an effective anti-bribery program.
“Top level commitment” is another commonly identified element of an effective compliance program. This principle, as articulated in the draft guidance, appears to combine the requirement of a strong “tone at the top,” noted by almost every respected guide on compliance programs from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to the US Department of Justice, and the need for a clear, firm anti-bribery policy—a principle also widely endorsed in the compliance literature and by governmental organizations.
Corruption and Bribery Risk Assessment
The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment, as does A Resource Guide to the U.S. Foreign Corrupt Practices Act, issued by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission, which says the assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.
▪ Conduct a comprehensive review of the company and assess the potential bribery and corruption risks associated with its products and services, customers, third-party business partners and geographic locations where it operates.
▪ The risk assessment can serve as the documented rationale for the compliance program.
▪ Businesses must be aware of the current bribery risks they face in the sectors and markets in which they operate. The proper nature of any risk assessment procedures will depend on the size of the company, as well as its activities, customers and markets. But companies are generally advised to consider the following:
▪ Whether those performing the risk assessment are “adequately skilled“; and,
▪ What data sources should inform the risk assessment. The draft guidance suggests the use of internal data (annual audit reports, internal investigation reports, focus groups and staff, client or customer complaints) and external data (analyzing publicly available information on bribery issues in particular sectors or jurisdictions).
For multinational corporations already subject to the US Foreign Corrupt Practices Act (“FCPA”) and other anti-bribery enforcement regimes, this requirement should be no surprise. Section 8B2.1 of the US Sentencing Guidelines for Organizations already lists periodic risk assessments as a component of an effective compliance program. And the OECD’s Working Group on Bribery in International Business Transactions issued guidance in November 2009 that similarly advised risk assessments as a good practice for companies. Regardless of official guidance, no company can properly design a compliance program without identifying and understanding the risks it wishes to guard against.
▪ Most companies struggle with implementing internal controls to mitigate risk and support their internal anti-bribery and anti-corruption policies.
▪ Develop, document and maintain a system of internal financial controls to ensure that all payments are accurately recorded in the company’s books and records in accordance with applicable regulatory requirements.
▪ Special attention should be paid to those areas that may directly affect the anti-bribery and corruption compliance program such as procurement, on-boarding of vendors, agents, consultants, and other third-party business payees.
▪ Gifts and entertainment controls. Managing the offering and receiving of corporate gifts, entertainment and travel has become increasingly important in today’s environment of increasing regulatory oversight. Gifts given with the best of intention can be incorrectly perceived and lead to millions of dollars in government fines, as well as loss of potential business.
▪ Policy on conducting “root cause analysis” when there is a failure or breakdown, so that any remediation that takes place treats the “actual cause” and not the “proximate cause” or the symptom(s).
Structuring and Defining Roles & Responsibilities
▪ Anti-corruption director (See Daimler)
▪ Chief Compliance Officer or Other Senior Corporate Official
▪ The assignment to one or more senior corporate officials of responsibility for implementation (see discussion within) and for oversight of compliance with the policies, standards and procedures required by the FCPA and other applicable anti-corruption laws, with the authority to report matters directly to the Board.
▪ Understanding the US Sentencing Guidelines changes that became effective on November 1, 2010, and included a change related to the Direct Report. The amendment changed the reporting structure in companies where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than a committee on the Board of Directors. The change reads “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit.
Risk-based Third Party Due Diligence
The fact that a bribe is paid by a third-party does not eliminate the potential for criminal or civil FCPA liability.
▪ Develop and document an investigative due diligence protocol that will assess the potential bribery and corruption risks associated with third parties such as vendors, consultants, suppliers, agents and joint venture partners.
▪ The nature and extent of the investigative due diligence should be based on the third party’s risk profile.
▪ The protocol should set forth the remedial steps that may be taken for those parties that represent an elevated risk of bribery and corruption, including, but not limited to escalated due diligence or the termination of the relationship.
▪ Types or Levels of Due diligence
▪ Basic: simple database checks
▪ Medium: more in-depth review
▪ High: reputation checks, site visits, forensic review of financial statements, and investigative procedures outside the US
Third-Party Due Diligence Committee
- New third party relationships;
- The specific contract with the third-party;
- A program to monitor third-party activities;
- A training program for the specific third-party;
- A determination of the comparability of a third-party ethics and compliance program; and
- A plan to audit the company’s high-risk third parties by sampling transactions on a regular basis and then scheduling of an on-site visit and audit.
Clear, Practical, Current, And Accessible Policies And Procedures
▪ There should be a clearly articulated policy against bribery and corruption that enforces a tone of compliance from the board and management.
▪ Procedures and processes that clearly set forth permitted and prohibited conduct, supervisory and compliance approvals for certain conduct and documentation of such approvals.
Documenting a Detailed Multi-year Compliance Plan
▪ Companies must embed anti-bribery policies and procedures throughout the business. “Paper compliance” is insufficient. Companies should consider establishing an implementation strategy detailing the rollout of these policies and procedures:
▪ Who bears responsibility for program implementation;
▪ How to communicate the policies and procedures internally and externally;
▪ The content and nature of anti-bribery training and how to roll it out effectively;
▪ How senior management will monitor the program’s implementation;
▪ Whether and how the company will use external assurance processes;
▪ The processes for monitoring compliance;
▪ The implementation timetable;
▪ An explicit statement of penalties for violating relevant anti-bribery policies and procedures;
▪ The date of the program’s next review; and
▪ A decision on whether to require or suggest that business partners take part in anti-corruption training courses.
Warning! The statement that “paper compliance” is insufficient echoes warnings issued numerous times by US enforcement officials. Indeed, US Deputy Attorney General Mark Filip’s well-known 2008 memorandum on prosecuting business organizations explicitly cautions that a mere “paper program,” lacking the necessary design, implementation, and review, will not protect a company from prosecution.
Appropriate Disciplinary Procedures To Address Violations
▪ Appropriate disciplinary procedures to address, among other things, violations of the FCPA, the UK Bribery Act, and other applicable anti-corruption laws or of the compliance code by directors, agents and business partners.
Ensuring Robust Monitoring and Review (Utilizing Internal Audit)
▪ Develop and document processes and/or controls to periodically assess the effectiveness of the compliance program and potential vulnerabilities and monitor for employee compliance.
▪ Such processes may include periodic testing and validation, review of available metrics and design of self-assessment forms and exercises.
▪ Develop training materials that clearly and concisely interpret applicable legal, regulatory, policy and procedural requirements as well as the possible ramifications associated with non-compliance. The training materials should be reviewed periodically to ensure their continued adequacy.
▪ Training should be a process and provided regularly to senior management and key compliance and business personnel. Blended training is a leading practice and requires follow-up of key points.
An Effective System for Reporting Suspected Criminal Conduct and/or Violations of the Applicable Anticorruption Laws for Directors, Employees, Agents and Business Partners.
▪ Develop and maintain a system for receiving complaints containing allegations of bribery and corruption as well as a system to investigate such allegations and document the actions taken with respect to such complaints and investigations. Ensure that all allegations are captured in the system.
Other Risk Mitigation Procedures
▪ Standard provisions in contracts and agreements that include at a minimum:
▪ Anti-corruption representations and undertakings relating to compliance with the FCPA, the UK Bribery Act and other applicable anti-corruption laws;
▪ Rights to conduct audits of the books and records; and
▪ Rights to terminate as a result of any violation of anti-corruption laws and regulations, or of the representations and undertakings related to such matters.
Annual Testing of The Compliance Program
▪ The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants.
▪ A compliance program should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company (such as its geographical and industrial sector of operation). Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.
▪ The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, calls for ongoing risk review and monitoring, noting that a compliance program and its procedures should be reviewed regularly, and it encourages senior management of higher-risk and larger companies to consider external verification or assurance of the effectiveness of anti-bribery policies.
In a speech, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such external verification or assurance of the effectiveness of a compliance program is a key component in helping a company maintain a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company can continue to evaluate its own compliance program against compliance standards, which are evolving. Breuer has advocated an annual compliance program assessment by each company, and I do as well.
Higher risk and larger companies should consider external verification or assurance of the effectiveness of anti-bribery policies.
I welcome your comments and suggestions.
Jonathan T. Marks, CPA, CFF, CFE
| Time | Speaker and Proposed Topic* |
| --- | --- |
| 7:45 – 8:15 | Registration and Continental Breakfast |
| 8:15 – 9:30 | Mark J. Nigrini will present on “Digital Footprints”. He is a faculty member at the College of Business and Economics at West Virginia University in Morgantown, in the US state of West Virginia. Nigrini is best known for his work on using Benford’s Law as an auditing and accounting tool to detect anomalies in company data. |
| 9:30 – 10:15 | Mike Doyle will present on “FCPA Trends and White Collar Crime”. Mike is a Supervisory Special Agent with the FBI. |
| 10:15 – 10:30 | Break |
| 10:30 – 11:30 | Tom Fox will present on “Operationalizing Compliance and How Internal Audit Can Help”. He is one of the leading commentators in the FCPA compliance space. He will bring a unique insight into what many companies have done right, and what many have done not so well, over the years. |
| 11:30 – 12:30 | Lunchtime speaker Erin Arvedlund, who writes a weekly column for the Inquirer on investing and personal finance, will discuss her book, “Too Good to Be True: The Rise and Fall of Bernie Madoff” (Penguin). |
| 12:30 – 1:30 | Thomas A. Sporkin will present on “Whistleblowers”. He is a partner at BuckleySandler LLP and a former senior Securities and Exchange Commission (SEC) enforcement official. Mr. Sporkin has particular experience with whistleblower matters, having been one of the leaders in launching the SEC’s Whistleblower Office and writing the whistleblower rules called for by the Dodd-Frank Act. Drawing from his experience and insights, he is often called upon to advise financial institutions and public companies on sensitive whistleblower issues. |
| 1:30 – 2:30 | Dr. Richard “Dick” Riley will present on “Management’s Override of Controls and Collusion and Cash Flows Associated with Fraud”. Dr. Riley is a CPA, CFE, CFF, forensic accountant and fraud examiner who has developed and implemented fraud and forensic accounting education programs for the United States National Institute of Justice and the Internal Revenue Service. Since 2002, Dr. Riley has performed expert financial analysis and litigation support services, offering deposition and trial testimony. He has published two books: Financial Statement Fraud: Prevention and Detection with Zabi Rezaee (John Wiley & Sons, 2010) and Forensic Accounting and Fraud Examination with Joseph Wells and Mary-Jo Kranacher (John Wiley & Sons, 2011). |
| 2:30 – 2:40 | Break |
| 2:45 – 3:45 | The team at Morgan Lewis will present on “Triaging an Allegation and Conducting an Internal Investigation”. In today’s global economy, litigation, government investigations, and multidimensional corporate challenges often play out on the world stage. Clients turn to Morgan Lewis when their vital interests are at stake, looking to our team’s trial capabilities, legal and business sophistication, broad scope of litigation services, and ability to help find solutions to complex challenges. With experience in most jurisdictions worldwide and a rare combination of trial capacity and practical insight, we frequently serve as trial, strategic, permitting, and coordinating counsel in large, complex matters. Our deep skill set and breadth of experience across industries and jurisdictions give us a unique ability to address clients’ legal and business concerns, distinguishing Morgan Lewis from other law firms. |
| 3:45 – 4:30 | Theodore Schaer will present on “Cyber Trends and Tips”. He is a partner and Chairman of the Cyber Liability, Privacy and Data Security Department at Zarwin Baum and is board certified in Privacy and US Data Protection (CIPP/US). Ted advises clients on privacy and cyber-related issues and leads the Firm’s data breach response team. |
| 4:30 | Closing remarks – Jonathan T. Marks, CPA, CFF, CFE |
Location: Exelon Hall. Enter the building lobby at 23rd and Market Street and follow the signs down the stairs to Exelon Hall. No building access is needed to reach the hall.
*Speakers and Topics may change due to a variety of factors. We will do our best to adhere to this agenda.
A recent Wall Street Journal article states that “Corporate boards are seeking greater insight into cyber security risks in the aftermath of the recent breach at Equifax Inc. The hacking attack on the credit-reporting firm last summer was a defining moment for directors, say technology and corporate-governance experts.
As cybercriminals damage company reputations and cause tens of millions in remediation and legal costs, some boards are increasing cyber security oversight and weighing how to delegate responsibilities among directors. Others are pushing for more meetings with corporate security chiefs.”
All of the above seems to be true, but many board members seem to be “silently” struggling with oversight, which is one of the board’s most important responsibilities.
A sound Cyber Strategy or compliance plan should be designed from the risks identified to deter and resolve cyber attacks as well as to address any possible repercussions, such as damage to the reputation of the enterprise.
Here are some key elements and things to consider when developing a Cyber Strategy, which can also be used by board members in their oversight role.
- Board-level engagement.
  - Monitor the news for other cyber incidents or perceived threats.
  - Challenge management assumptions related to cyber security and the strategy.
- Management should engage the board.
  - Provide the board with highlights of noteworthy news around cyber.
  - Let the board know about the challenges; and most importantly,
  - Communicate successes.
- The strategy should be business driven and consider the extended enterprise.
- Ensure there is good tone from the top. Do the messaging and conduct convey the importance of good cyber hygiene?
- Have a sound and defined communication plan.
  - Internal and external communications.
- Don’t boil the ocean! Ensure a risk-based approach is used to identify threats or vulnerabilities. Some key components include:
  - What are the most valuable intellectual property and customer-based informational assets that need to be protected, and on a scale of 1-10, how do we categorize and rate these assets in terms of importance to the business that we are in?
  - Where are these assets housed (in-house, in the US, in another country, or in “the cloud”)?
  - Are all assets (despite differing values or classification) housed on the same network server, thus exposing them to a cyber attacker moving laterally within our network?
  - Are we conducting due diligence on our third-party or outsourced vendors to make sure they cannot become a source of a cyber attack against our firm through excessive access to our network, and that they can respond to and recover from a cyber attack against their own network?
  - Do the vendors with whom you have indemnity agreements have cyber insurance with sufficient limits of liability in place and in effect?
- Keep in mind that as technology advances, and today it advances fast, so do the threats; it is harder than ever to protect business processes and information – so this is not a “set it and forget it” exercise.
- Understand the internal controls in place and ensure they are designed appropriately.
- Consider the human element.
  - Don’t ignore physical security threats – access!
  - Training must be a process.
  - Have targeted follow-up to reinforce the learning objectives.
- Have documented incident response (investigation) and crisis management plans.
  - Walk through these plans frequently and tweak them as necessary.
  - If there is an incident, and there will be one, use root cause analysis to get to the origin of the incident and remediate accordingly.
- Consider compliance and regulatory requirements.
- Have cyber and other insurance coverages reviewed by a competent professional – if you have no coverage, I strongly encourage getting some.
- In the end, your strategy or plan must be consumable and scalable – said differently, it must be operationalized or embedded throughout the entire enterprise.
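The asset and vendor questions under “Don’t boil the ocean” are easy to ask once and hard to keep asking. The following is an added example, not code from the original post or from Mr. Schaer, of turning three of them into a repeatable review over a small asset and third-party register: which network segments mix high-value and low-value assets (the lateral-movement exposure the shared-server question is about), which vendors can reach high-value segments without both an indemnity agreement and cyber insurance behind them, and which assets the board should hear about first. The register contents, the field names, and the thresholds (8 and above as high value, 3 and below as low value) are all constructed assumptions for illustration.

```python
"""Asset and third-party exposure review (added example, not from the post).

Every asset, segment and vendor name below is constructed for illustration;
a real review would load these from the organisation's own inventory.
"""
from collections import defaultdict

# Constructed asset register: business value 1-10 (the post's scale), where the
# asset is housed, and the network segment it sits on.
ASSETS = [
    {"name": "customer-db",       "value": 10, "location": "us-datacenter", "segment": "core"},
    {"name": "payroll",           "value": 9,  "location": "cloud-saas",    "segment": "core"},
    {"name": "marketing-site",    "value": 2,  "location": "cloud-iaas",    "segment": "core"},
    {"name": "source-code",       "value": 9,  "location": "us-datacenter", "segment": "eng"},
    {"name": "build-agents",      "value": 4,  "location": "us-datacenter", "segment": "eng"},
    {"name": "guest-wifi-portal", "value": 1,  "location": "offices",       "segment": "guest"},
]

# Constructed third-party register: segments each vendor can reach, and whether
# the contractual protections the post asks about are actually in place.
VENDORS = [
    {"name": "hvac-maintenance", "segments": ["core"],  "indemnity": True,  "cyber_insurance": False},
    {"name": "ci-saas",          "segments": ["eng"],   "indemnity": True,  "cyber_insurance": True},
    {"name": "print-shop",       "segments": ["guest"], "indemnity": False, "cyber_insurance": False},
]

HIGH_VALUE = 8  # assumed threshold: assets rated here or above are the crown jewels
LOW_VALUE = 3   # assumed threshold: assets rated here or below are the likely first foothold


def mixed_value_segments(assets, high=HIGH_VALUE, low=LOW_VALUE):
    """Return segments hosting both high- and low-value assets.

    A low-value system that shares a segment with the crown jewels gives an
    intruder who lands on it a direct lateral path; that is the exposure the
    post's question about shared servers is getting at.
    """
    by_segment = defaultdict(list)
    for asset in assets:
        by_segment[asset["segment"]].append(asset)
    findings = {}
    for segment, members in by_segment.items():
        highs = sorted(a["name"] for a in members if a["value"] >= high)
        lows = sorted(a["name"] for a in members if a["value"] <= low)
        if highs and lows:
            findings[segment] = {"high_value": highs, "low_value": lows}
    return findings


def vendor_findings(vendors, assets, high=HIGH_VALUE):
    """Flag vendors that can reach a high-value segment but lack indemnity,
    cyber insurance, or both (the two protections the post asks about)."""
    high_segments = {a["segment"] for a in assets if a["value"] >= high}
    findings = []
    for vendor in vendors:
        reach = sorted(set(vendor["segments"]) & high_segments)
        if not reach:
            continue  # vendor never touches a high-value segment
        gaps = [k for k in ("indemnity", "cyber_insurance") if not vendor[k]]
        if gaps:
            findings.append({"vendor": vendor["name"],
                             "high_value_segments": reach,
                             "missing": gaps})
    return findings


def top_assets_by_value(assets, n=3):
    """The n most valuable assets and where they are housed, for the board's
    'what must be protected and where is it' question."""
    ranked = sorted(assets, key=lambda a: a["value"], reverse=True)
    return [(a["name"], a["value"], a["location"]) for a in ranked[:n]]


if __name__ == "__main__":
    for segment, f in mixed_value_segments(ASSETS).items():
        print(f"segment {segment}: {f['high_value']} share a segment with low-value {f['low_value']}")
    for f in vendor_findings(VENDORS, ASSETS):
        print(f"vendor {f['vendor']} reaches {f['high_value_segments']} but lacks {f['missing']}")
    for name, value, location in top_assets_by_value(ASSETS):
        print(f"{name}: value {value}, housed {location}")
```

Run against the constructed register, the review flags the `core` segment (the public marketing site sits beside the customer database and payroll) and the HVAC vendor (reaches `core`, indemnity in place but no cyber insurance); the engineering segment passes because its lowest-value asset is rated 4, above the assumed low-value threshold. Re-running it on each inventory refresh is what turns a one-time board discussion into the ongoing monitoring the post calls for.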
I welcome your thoughts and suggestions.
I also wanted to thank Theodore M. Schaer, who is a partner and the Chairman of the Cyber Liability, Privacy and Data Security Department at Zarwin Baum DeVito Kaplan Schaer Toddy P.C., located in the Philadelphia office, for his contribution to this writing.
Have a great weekend!
Jonathan T. Marks, CPA, CFF, CFE
Tom Fox’s podcast visits with Jonathan T. Marks, CPA, CFE, on how to perform a root cause analysis and its uses in the remediation phase of a best practices compliance program. One new and different item was laid out in the Evaluation of Corporate Compliance Programs, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance: the performance of a root cause analysis for any compliance violation which may lead to a self-disclosure or enforcement action.
One prong of the Evaluation of Corporate Compliance Programs (Evaluation) which was not present in the Ten Hallmarks of an Effective Compliance Program is root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s (DOJ’s) new FCPA Corporate Enforcement Policy (Policy).
Tom Fox discusses using the results of a root cause analysis in remediating a compliance program.
Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated:
Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis? The Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”.
I begin with who should perform the remediation: should it be someone, or a team, who were or were not part of the root cause analysis? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP, who believes the key is both “independence and objectivity”. It may be that an investigator is a subject matter expert (SME) and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.
Marks also noted if “the errors require some type of financial restatement the company may also have deficiencies in internal controls. More importantly the failure to remediate gaps in internal controls provides the opportunity for additional errors or misconduct to occur, and could damage the company’s credibility with regulators” and allow the same or similar conduct to reoccur. Finally, with both the Evaluation and Policy, the DOJ has added its voice to prior Securities and Exchange Commission (SEC) statements that it “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”
Ben Locwin considered it from the ‘blame’ angle when he wrote “Simply “cataloguing” and “assigning cause” to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting “human error” from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root causes(s) are most likely, according to the preponderance of evidence, to have been associated with the defect.” This means not blaming some individuals and terminating them, but actually fixing the broken compliance systems which allowed the violation in the first place.
Locwin concludes by noting, “Stop blaming people for bad systems and processes. The people are the human capital that is actually doing the thinking and processing to generate profits for your company — unless there is data to suggest willful negligence or gross incompetence, then in that case address the talent development gap or termination. A nicely documented retraining of Alice or Bob isn’t going to improve successive outcomes on future iterations of the same work. Guaranteed. And I have plenty of data showing these sorts of human error interventions [retraining] are less than 5 percent effective at preventing recurrence of the problem.”
As required under the Evaluation, from the regulatory perspective the critical element is how you used the information you developed in the root cause analysis. Literally every time you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm done? Why or why not? Why did that system fail? Was it because the person doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions developed through a root cause analysis that you can bring real value and real solutions to your compliance program.
The key is that after you have identified the causes of problems, you consider the solutions that can be implemented by developing a logical approach, using data that already exists. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one step can confirm the results of another. Focusing on corrective measures for root causes is more effective than simply treating the symptoms of a problem or event, and will result in a much more robust solution. This is because solutions are more effective when reached through a systematic process with conclusions backed up by evidence.
When you step back and consider what the DOJ was trying to accomplish with its Evaluation, it becomes clearer what they expect from the compliance professional. Hui Chen, in an interview on the Radical Compliance podcast, made clear she wanted the Evaluation to cause Chief Compliance Officers (CCOs) and compliance practitioners to consider the structure of their compliance program and how it interrelates with the company’s risk profile. When you have a compliance failure, you should use the root cause analysis to think about how each of the structural elements of your compliance program could affect how you manage and deal with that risk. Chen stated, “I would use the approach that I hope is consistently clear through the document is that the quest for thinking through what you want to accomplish, how you are gonna do it, who are you going to work with to accomplish those things, and how you measure the results, what data are you getting need to collect to inform your decisions along the way.”
You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.
Marks also discussed that there may be more than one root cause, and that’s OK – right?
IIA PA 2320-2: Analysis and Evaluation – Root Cause Analysis notes: “The internal auditor may, in some cases, provide multiple conclusions of fact along with multiple scenarios for management to consider as the root cause of an issue. In these circumstances, value provided by internal audit is the independent and objective evaluation and presentation of various data and analyses from which management may draw a conclusion on the most probable root cause.”
Marks uses the three lines of defense (sometimes modified) as a tool for the audit committee and management when explaining the key causal factors, generic causes, and the root cause(s) and how they might be linked to the breakdown or fraud. Marks calls this “visual guilt.”
Marks also provided an example:
Let’s say that you find an error in a policy and procedure. Did that error cause a fraud to occur?
Of course, you would immediately fix the error, right? But would you ask … why was the error not picked up, and allowed to exist, for the two years since the policy was released?
Wasn’t there a quality control process or a policy on policies? Why didn’t the stakeholders who read and used the policy and procedure in the past report the error they spotted (assuming that this is the first time there was a fraud and the policy and procedure had been used before)?
You might find that there is an ineffective quality control process or the quality control process isn’t being performed. You might find that stakeholders had previously reported the problem but it had never been fixed. You might find that culture is so poor the stakeholders simply don’t care.
If you find there is a generic cause, you then have to think about all the other procedures that might have similar problems and how to best remediate.
So when a fraud occurs, there are probably multiple mistakes that were made (multiple causal factors), multiple root causes, some generic causes, and lots of corrective or remedial actions that could improve the control environment that could deter or prevent future frauds.
That all being said, Marks still searches for that one domino that fell and started the chain!