… Subdue the enemy without fighting.” —Sun Tzu
Enforcement of the U.S. Foreign Corrupt Practices Act (FCPA) has been setting an ever-lower threshold for violations of the FCPA’s books and records and internal controls provisions. As the clock turned to 2017, the U.S. Securities and Exchange Commission (SEC) charged Mondelez International, Inc. (formerly Kraft Foods) because one of its subsidiaries, Cadbury, a U.K.-based confectionery and snack beverage company that had securities registered with the SEC and manufacturing facilities in India, failed to conduct appropriate due diligence on, and monitor the activities of, an agent. That failure “created the risk” that funds paid to the agent, who had no written contract, could have been used for improper or unauthorized purposes, and Cadbury’s books and records did not accurately and fairly reflect the nature of the services rendered by the agent.
It’s unclear why Cadbury didn’t undertake any due diligence or monitor its agent’s activities, and the SEC didn’t outline what created the risk of bribery. Maybe the root cause here is a failure to understand risk or, even more alarming, the risk that legal, compliance, and internal audit are not effectively communicating and collaborating, which I call the “Bermuda Triangle.”
What is clear is that over the past few years, starting in 2012 when the SEC charged Oracle with violations of the FCPA for failing to prevent an overseas subsidiary from setting aside off-the-books money and using the funds to make unauthorized payments to certain vendors in India, the SEC has been setting an ever-lower threshold for violations of the FCPA’s books and records and internal controls provisions and exercising greater authority in enforcement.
In what seems on the surface extreme, in the United Continental Holdings case, which involved domestic rather than foreign corruption and therefore wasn’t subject to the FCPA, the SEC enforced, in an administrative proceeding, a “Code of Business Conduct” violation and tied it to due diligence and monitoring omissions that created a risk of bribery but did not result in actual bribery.
When it comes to internal controls, many don’t understand how to design them! I define a control as –
This generally results from proper planning, organizing, and directing by management. What is sometimes more important in the design is understanding its enemies (see below), which are generally culture, people, time, judgment, and work-arounds or overrides.
In addition to ensuring controls are properly designed to deter or detect fraud, below are some procedures that could help reduce the risk of bribery:
• Conduct an enterprise-wide fraud risk assessment that includes corruption.
• Make sure to harmonize all risk assessment processes.
• Formally review your third-party risk management program.
• Ensure the internal audit activity is part of the compliance program.
• Verify FCPA testing is incorporated into an internal audit program and risk assessment.
• Establish and maintain a mechanism to monitor compliance with the anti-corruption program.
• Due diligence, due diligence and more due diligence – establish a uniform review process to ensure consistency.
• Document your good faith actions to protect the company from post-violation scrutiny.
• Re-examine and fine-tune your travel, entertainment, gifts, and meal controls and approval process.
• Find ways to use continuous monitoring and auditing to reduce risk.
Based on the current trend in enforcement, the internal controls and books and records requirements appear to be fully applicable in a variety of contexts. Thus, the governance of the risk management process must include coordination and collaboration among legal, compliance, and internal audit. Otherwise, we might be reading about the “mysterious appearance” of your company on a variety of regulatory enforcement lists.
Jonathan T. Marks, CPA, CFE