On November 20th, 2019, the Department of Justice (“DOJ”) announced updates to its Foreign Corrupt Practices Act (“FCPA”) Corporate Enforcement Policy. While the changes were relatively minor, the modifications underscored important principles surrounding the FCPA Corporate Enforcement Policy.
This latest update follows extensive revisions made in March of this year and the announcement that the FCPA Policy will apply as non-binding guidance for all criminal cases; all reflect DOJ’s continued efforts to promote self-disclosures and provide clarity on DOJ’s approach for companies deciding whether to self-disclose.
There is little doubt the DOJ has landed on a Corporate Enforcement Policy that took years to develop. The FCPA Corporate Enforcement Policy now applies to all corporate criminal prosecutions except Antitrust Division criminal prosecutions that are guided by the Leniency Program. The DOJ is consistently applying the principles and appears to be very comfortable with the results.
At the same time, DOJ has increased transparency in its resolution of corporate enforcement actions. DOJ now publishes declination letters and provides specific descriptions of how factors are applied to a corporate resolution. Note: At the time of this writing there were six (6) corporate resolutions.
The Policy is intended to encourage corporations to self-report, cooperate and remediate – in exchange for a possible declination or significant reductions in penalties. The updated Policy tilts in favor of prosecution of responsible individuals and is part of the DOJ’s commitment to seek out and punish wrongdoers.
The Policy now states that a company must disclose “all relevant facts known to it at the time of the disclosure.” DOJ added a footnote, stating that it “recognizes that a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure.” A company that makes a disclosure while continuing its investigation should make this fact known to DOJ.
Further, to encourage companies to make an early disclosure, the Policy now requires companies to disclose facts “as to any individuals” who played a substantial part in the “misconduct at issue.”
The previous Policy required companies to disclose “all relevant facts” regarding individuals substantially involved in a “violation of law.” A company making a disclosure no longer has to reach a determination (and inform DOJ) that a “violation” occurred at the beginning of an investigation.
Similarly, companies now need only alert DOJ of evidence of the misconduct when they become aware of it. Previously, in order to gain credit, where the company was or should have been aware of relevant evidence outside of its possession, the company had to identify such evidence to DOJ. The Policy has been updated to remove the conditional language, which should ease the burden on companies seeking to comply with the Policy.
According to Mike Volkov, the updates to the Policy highlight DOJ’s desire for self-disclosures that are both substantive and made at an early stage. They are also practical, in particular removing the requirement that a company identify evidence of which it “should be” aware. The changes are in line with other recent DOJ policy changes, seeking to recognize the practical realities of the policies.
With the recent changes to the policy, companies now are obligated only to disclose relevant facts known “at the time of the disclosure” and to provide information regarding any — not all — “individuals substantially involved in or responsible for the misconduct at issue.”
Importantly, companies need not wait to determine that a violation of law has occurred and may report suspected misconduct. As stated in a footnote, this modification reflects the DOJ’s recognition that disclosing companies “may not be in a position to know all relevant facts at the time of a voluntary self-disclosure.” In that case, companies are urged to fully disclose suspected misconduct “based upon a preliminary investigation or assessment of information.”
Volkov further stated that these changes are important because DOJ has clarified the precise information that a self-disclosing company must provide to trigger the potential benefits possible under the policy. From a practical standpoint, companies faced a difficult choice — disclose a potential violation based on a cursory investigation, or risk DOJ’s determination that the company failed to disclose “within a reasonably prompt time.”
The DOJ’s modification directs companies to report what they know upon discovery of a suspected violation, while making clear to the DOJ that the disclosure is based on preliminary findings.
Under the recent revisions, companies are no longer expected to identify every piece of evidence of which they should have been aware or potential collection by the DOJ. Instead, companies now are obligated only to identify relevant evidence not in their possession of which they actually are aware.
The modifications eliminate some of the risk that DOJ could determine that a company was not entitled to cooperation credit when DOJ identifies evidence that a company should have known about.
DOJ’s recent revisions indicate that it is satisfied with its Policy and wants to make it work even better. By addressing some theoretical concerns that may have caused companies not to disclose potential violations, DOJ is taking steps to encourage companies to step forward and disclose potential violations.
Since its introduction as a pilot program and subsequent adoption into the Justice Manual a few years back, the DOJ has continuously honed its FCPA Policy—each time encouraging prompt but thorough self-disclosures.
Boards of Directors and Senior Leadership should take notice of DOJ’s policy changes and DOJ’s attempts to encourage such disclosures and adjust their tactics and strategy accordingly.
Specifically, it becomes even more important to have experienced investigators that can “ring fence” issues early! This will help in deciding whether or not to self-disclose in order to maximize the potential benefits of the FCPA Policy.
Welcome to my site. I have spoken and been the keynote speaker for many conferences, including the ABA, ACC, ACFE, IIA, and IMA to name a few. I have designed customized training for the board, senior leadership, legal, compliance, internal audit, and others for some of the world’s largest organizations.
“I have had the pleasure to hear Jonathan Marks speak on a number of occasions. …most recently at a Fraud conference sponsored by the Long Island Institute of Internal Audit. Jonathan gave a dynamic and engaging half day presentation on fraud in financial reporting. He engages his audience with his expertise and knowledge of risk management, fraud and internal audit. His ability to share his experiences in fraud investigations over the past thirty years coupled with his interactive approach with his audience made for a compelling and memorable presentation.” Chief Audit Executive
If you are interested in booking me for your next event or need customized training, please email me with the date or dates, location and address of presentation, the audience make-up, the subjects you would like covered, and the duration of the talk or training.
I have provided you with some Selected Training Programs (See below) and please peruse my blog posts for some additional topics and ideas. Keep in mind I speak and provide training on most anything related to governance, risk, and compliance, with a focus on fraud and forensics.
I will do my best to get back to you quickly.
Jonathan T. Marks, CPA, CFF, CITP, CGMA, CFE and NACD Board Fellow
Selected Training Programs
Management Override of Internal Controls
The risk of management override of internal controls to commit fraud exists in any organization. When the opportunity to override internal controls is combined with powerful incentives to meet accounting objectives, senior management might engage in fraudulent financial reporting. This session will examine management override, focusing on the differences between the override of existing controls versus other, more prevalent breakdowns. It will also explore actions to help mitigate the threat of management override, approaches to auditing for management override and the psychology behind management’s override of controls. You Will Learn How To:
Identify red flags of management overriding controls
Ascertain an approach to auditing for management override
Assess the latest trends and research regarding management override of controls
Develop a better fraud risk assessment that highlights areas and gatekeepers that might have a greater chance of overriding controls.
Operationalizing Compliance – Master Class with Tom Fox, Esquire
The Master Class developed by Tom Fox provides a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO), Chief Audit Executive (CAE) and Chief Legal Counsel (CLO), to the practitioner who is new to the compliance profession.
If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a best practices compliance program going forward, this is the class for you to attend. Moreover, as I limit the class to 20 attendees, you will have an intensive focus group of like-minded compliance practitioners with which you can share best practices. It allows us to tailor the discussion to your needs. Mary Shirley, an attendee at the recent Boston Master Class said, “This is a great two-day course for getting new folks up to speed on what matters in Compliance programs.”
Tom Fox, one of the leading commentators in the compliance space, partners with Jonathan T. Marks to bring a unique insight into what many companies have done right and many have done not so well over the years. This professional experience has enabled him to put together a unique educational opportunity for any person interested in anti-corruption compliance. Simply stated, there is no other compliance training on the market quite like it. Armed with this information, at the conclusion of the Doing Compliance Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.
The Doing Compliance Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Building from the Ten Hallmarks of an Effective Compliance Program, using the questions posed in the Evaluation of Corporate Compliance Programs and the FCPA Corporate Enforcement Policy as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third-party risk evaluation and management; tone throughout your organization; and training and using other corporate functions to facilitate cost-effective compliance programs.
Highlights of the training include:
Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
What are the best practices of an effective compliance program;
Why internal controls are the compliance practitioner’s best friend;
How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
Your ethical requirements as a compliance practitioner;
How to document what you have accomplished;
Risk assessments – what they are and how you can perform one each year.
You will be able to walk away from the class with a clear understanding of what anti-corruption compliance is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment (GTE) and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.
Ethics and Governance Training
This session will cover how ethics is key to good governance and how governance fits into your anti-fraud program. Moreover, we will explore the components of a Sample Code of Ethics, the cost of ethical lapses, organizational situations that encourage bad behavior, the new ethics paradigm, and how to spot a moral meltdown.
Corporate Governance During a Crisis
We also discuss leading practices in crisis management and present several scenarios that allow the participant(s) to work through mock crisis scenarios. For example, in your first week at your company, you just received information about an alleged massive fraud and you are now in a crisis. In this session, members of the audience will play different roles within the company (members of the board, legal department, managers, etc.) to have a discussion, including:
What type of crisis plan do you have, if any?
What to do and how to formulate a plan of action?
Who to call first, how to prioritize tasks, and where to prioritize resources?
Who (internal and external players) to get involved, and when to get them involved?
What data is needed when a crisis hits?
How to prepare for the media and when to reach out?
How to communicate with customers, vendors and suppliers, regulatory agencies, and other parties?
Fraud Risk Assessment Process and Guidance
Many professionals struggle with developing a fraud risk assessment that is meaningful. We discuss the objectives of a fraud risk assessment, the components of a fraud, and key considerations for developing an effective assessment. Then we explore the sources of risk, the fraud risk universe, and some of the key components of the assessment. Lastly, we walk through the key steps in the assessment process and walk through a sample fraud risk assessment that considers COSO’s Principle 8, which contains considerably more discussion on fraud and considers the potential of fraud as a principle of internal control.
FCPA (Bribery and Corruption): Building a Culture of Compliance
This session covers why compliance is important and the new guidance issued by the DOJ. We also explore current regulatory enforcement trends, whistleblowers under Dodd-Frank, the U.S. Federal Sentencing Guidelines, risk-based third-party due diligence, ways to thwart an investigation, differences and similarities between the FCPA and the U.K. Bribery Act, and successor liability, and we provide the participant with a proven 13-Step Action Plan.
Knowing what to do when an allegation of fraud is presented is critical. Failing to understand the process could jeopardize the ability to prosecute wrongdoers. This session discusses why investigations are important, inherent risk and exposures, the types of investigations: internal and independent, board considerations, triaging an allegation, investigative challenges, and keys to running a successful investigation, and why root cause analysis should be considered after completing the investigation.
Third Party Risk Management and Oversight
Third party risk is the biggest nemesis when it comes to FCPA violations. This session discusses the key components of a compliance program and why it needs to be evolving to meet the business and compliance challenges, which are constantly occurring across the globe. We explore the latest DOJ guidance on the evaluation of corporate compliance programs. We build our discussion on the foundation of the key steps to be included in a third-party risk management program and cover some of the red flags of agents and consultants.
Putting the Freud in Fraud: The Mind Behind the White Collar Criminal
To properly fight corporate fraud we need to understand how a fraudster’s normal differs, so executives, managers and board members can develop more effective anti-fraud programs that take into account the behavioral and environmental factors that are common in cases of white-collar crime. By establishing an environment in which ethical behavior is expected — and by understanding how white-collar criminals look at the world differently — it is possible to begin closing the gaps in internal controls, develop a proactive fraud risk assessment and response program and significantly reduce the financial and reputational risks associated with fraud.
In this session, we take a closer look at the personality traits of individual perpetrators of massive fraud.
Discuss the basics of profiling and identifying elements of behavior common among white-collar criminals.
Discover what role company culture plays in the commission of fraud.
Hear cutting-edge ideas and methods to help detect and deter fraud.
This session is a “nuts and bolts” discussion about fraud and responding to fraud in an effort to reduce the incidence of fraud and white-collar crime. We go into the characteristics of fraud, who commits fraud, the fraud triangle and Pentagon™, the components of fraud, the regulatory environment & the focus on increased personal responsibility, internal controls to deter and detect fraud, and anti-fraud programs.
Triaging a Whistleblower Allegation
As corporations continue to adopt whistleblower programs, many find themselves struggling to manage burgeoning caseloads. As a result, serious internal fraud investigations can be delayed (with mounting losses) while less consequential complaints are being investigated. The lack of a timely, systematic and repeatable process for evaluating and prioritizing whistleblower tips can also expose an organization to increased regulatory risk. While there is no single, “right” method for following up on whistleblower complaints, this session discusses why investigating allegations or tips is important, why timeliness matters, and investigation challenges, and provides the participant with a sample approach.
Skepticism: A Primary Weapon in the Fight Against Fraud
What happens when we don’t ask why? Professional skepticism occurs when those responsible for fighting fraud take nothing for granted, continuously question what they hear and see, and critically assess all evidence and statements. In this session we discuss the role of independent reviewer or inspector, particularly of your own assumptions: whether you are placing undue weight on prior risk assessments or discounting evidence inconsistent with your expectations, and the pressures placed on you to truncate procedures or make unwarranted assumptions to beat time constraints.
Root Cause Analysis
The regulators are expecting more today and want to know that your remediation efforts are not treating the symptoms, but rather the root cause(s).
Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. This analysis is a key element of a fraud risk management program and is now a best practice or hallmark of an organization’s compliance program. When able to determine why an event or failure occurred, it is then possible to recommend workable corrective measures that deter future fraud events of the type observed. It is important that those conducting the root cause analysis are thinking critically by asking the right questions (sometimes probing), applying the proper level of skepticism, and, when appropriate, examining the information (evidence) from multiple perspectives.
This program is designed to introduce the common methods used for conducting root cause analysis and to develop an understanding of how to identify root causes (not just causal factors) using proven techniques. In addition, we will demonstrate how to initiate a root cause analysis incident exercise and work with senior management, legal, compliance, and internal audit on an appropriate resolution. We also introduce the “spheres” acting around the “meta model of fraud” and how to use those “spheres” in the root cause process. Finally, this program will present the “three lines of defense”, which provides the audit committee and senior management with a better understanding of where the breakdowns occurred.
I am constantly reminding boards and Chief Executives or CEOs of the strategic importance of ethics and values and that they should not be underestimated.
The nature of a corporate culture can be the difference between a thriving and a beleaguered organization, and it all starts at the top!
I have witnessed firsthand employees who have interpreted the lax tone set in executive offices as corporate approval to take on more risks, even with a well-defined and communicated risk appetite and risk tolerance, which sometimes crosses the line into fraud.
The control environment – that is, the overall attitude, awareness, and actions of directors and management regarding the internal control system and its importance to the organization – is the key to setting the tone of the organization because it influences the “control consciousness of its people.” Factors that contribute to the control environment include, but are not limited to –
Integrity and ethical values communicated by executive management in speaking and writing and demonstrated by action;
Responses to incentives and temptations – clear policies and actions that prohibit the acceptance of inappropriate gifts, for example;
Moral guidance, as communicated through a code of business conduct and ethics;
A commitment to competence, as demonstrated by robust human resource policies and clear job descriptions for the purpose of hiring and retaining qualified people;
A board of directors and audit committee that are engaged, ask questions, and take appropriate action;
A management philosophy and operating style that place high value on risk assessment and internal control;
A well-defined organizational structure that is appropriate to the company’s size and complexity;
Appropriate assignment of authority and responsibility, with well-defined authority and duties that are appropriately segregated to prevent or detect error and fraud;
Human resource/capital recruiting and retention policies and practices to ensure that human capital is valued; and,
Ways to settle internal differences, such as a forum to discuss and settle differences of opinion between management and employees.
In any organization, the buck stops with the CEO: He or she has ultimate responsibility for the internal control system.
A positive control environment is a big part of maintaining effective internal controls. More than any other individual, group, or function in the organization, the chief executive sets the tone from the top through various messages, conduct, and other activities that affect factors related to the control environment and other components of internal control, but it’s not a one-and-done exercise, or, as I say, one blast from the trumpet!
Mike Volkov once said: In reality, “tone-at-the-top” is not really just “tone-at-the-top”; it is a lot more. I will try to be clear. Most people think that tone at the top is satisfied once the CEO puts out a statement of commitment to compliance.
Volkov is right, and I believe we are closely aligned on the proper definition, which is that “Tone from the Top” implies there is a strong and repeated commitment from the Chairperson of the Board, the CEO, and other senior leaders throughout the organization to emphasize the importance of compliance and ethical conduct, which is embraced, integrated, and operationalized into every level of business operations.
At or From?
You’ll notice that I use tone “from” rather than “at”. Why? For more than fifteen (15) years I have been barking about this subtlety. I’ve even expressed my opinions to Dave Richards and Richard Chambers, the former and current CEOs of the IIA.
I strongly believe the tone needs to move or cut down, across, and even resonate through the organization and the extended enterprise. To me “at” implies the tone rests at the top and doesn’t move like I previously mentioned.
The Tone from the Top will dissipate quickly unless there is a true and on-going commitment from the board and senior leadership, which includes the Chief Compliance Officer and the Chief Audit Executive to send the right message using various mediums as well as building relationships throughout the organization one at a time.
Remember, effective communication includes a sender, a medium, a receiver, and what’s often missing: feedback.
The actual message from the top is not just we will comply with the law. The message must be broader. For example:
Our organization is committed to the highest ethical standards in every facet of our business, like our business practices, sales practices, legal counseling, human resource practices, and treatment of employees and customers.
Lastly, some of the best organizations make ethics part of their corporate branding and values. Why? Because doing the right thing, even when no one is watching, is profitable – this is called the Ethical Premium! Several organizations have examined the correlation between organizational justness and performance, and the results show that organizations with morals and ethics often outperform their competitors!
On May 1st, join Baker Tilly for our next topic: Using Continuous Auditing and Monitoring in the Fight Against Fraud with our discussion leader, Robert Mainardi.
Organizations are under increasing scrutiny regarding ethical lapses and allegations of fraud. Fiscal year 2018 was a record-breaking year for the U.S. Securities and Exchange Commission’s whistleblower program, as more and more individuals have been coming forward with allegations of impropriety.
It is critical for organizations to have processes in place to triage an allegation, investigate, remediate, evaluate and then enhance their governance, risk management, compliance and internal audit programs. Failure to conduct an appropriate investigation may lead to significant exposure and disruption to the organization.
Discussion Leader – Robert Mainardi, CIA, CRMA, CFSA – Author of “Harnessing the Power of Continuous Auditing: Developing and Implementing a Practical Methodology”, will be presenting at Baker Tilly’s Philadelphia Office on May 1, 2019.
With the focus on internal controls and monitoring today many are being scrutinized and judged by regulators and others whenever results are presented. Regulators have used the failure to institute appropriate internal controls alone as the basis of the enforcement actions.
One of the significant challenges facing internal audit, compliance, enterprise risk management teams, and management is being able to understand what continuous auditing and continuous monitoring is and how the approach can be used effectively to mitigate risk, including fraud.
This two-hour session will explore what an internal control is and the best practices for using both continuous auditing and continuous monitoring, which are different, and how to transcend that knowledge in the fight against fraud. Specifically, we will provide an executive overview of the differences, keys to the methodologies, and practical guidance on how to operationalize both.
We will also facilitate a discussion around the obstacles attendees may be facing and provide suggested solutions on how to overcome those challenges. Your investment in this session will help ensure you’re developing proper methodologies that will save numerous hours of potential rework, stand scrutiny, and possibly improve the overall governance, risk management, and compliance processes.
Information about CPE eligibility
There are no prerequisites for this seminar, and advance preparation is not required. There is no cost to attend this seminar.
CPE credit: Two (2) hours total credit
Field of study: Regulatory Ethics
CPE host: Kendra Bergin
A certificate of completion will be emailed to you four to six weeks following the event.
For more information regarding administrative policies such as complaint and refund policies, please contact Heather Eggers at 608 240 2522.
Baker Tilly Virchow Krause, LLP is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: learningmarket.org.
Corruption can take many forms, but its root cause could and often does include a conflict of interest of some sort and possibly collusion.
The OECD states that a conflict of interest occurs when an individual or a corporation (either private or governmental) is in a position to exploit his or its own professional or official capacity in some way for personal or corporate benefit.
The most commonly known fraud involving collusion is bribery – something given to influence a specific act to happen – whether given after an act has been performed or made to obtain a future benefit or information. Where there is collusion there may also be a conflict of interest. While this type of fraud doesn’t necessarily involve a distinct third party, it does involve the employee in a role other than as an employee.
This is where an employee colludes with another party (whether from outside or inside the business) to use his role as an employee to obtain a personal benefit.
Frauds that involve collusion usually occur off the books. That is, usually no activity needs to be concealed or hidden in business records.
Based on the above, it should be obvious that conflicts of interest can present significant fraud and other risks for corporations, government agencies, fiduciaries, customers and suppliers.
The following ICC Guidelines and a consultation with an experienced fraud examiner can help in fighting wrongdoing.
Recently, the ICC released its Guidelines on Conflicts of Interest. As with most guidelines, these should be viewed as a tool and can be applied to all organizations – public, private, and not-for-profit.
The International Chamber of Commerce (ICC) recommends that enterprises closely monitor and regulate actual or potential conflicts of interest, or the appearance thereof, of their directors, officers, employees, agents and representatives and make sure they don’t take advantage of conflicts of interest of others.
Section II of the Guidelines provides, among other things, a definition of a conflict of interest, with explanatory notes and a description of three types of conflicts with examples. I also provide you with a definition from the New York Stock Exchange’s Corporate Governance Rules below. I suggest reading both.
There is also discussion in Section III of the Guidelines on communication and training, evaluation of a policy on conflicts of interest (with a description of the key elements of a policy), and how to prevent, manage and mitigate conflicts.
The publication concludes by describing four “dilemma” scenarios that can be used as a training aide.
Inherently, conflict of interest schemes are one of the most difficult areas of fraud to detect, to investigate, and for which to obtain adequate evidence. Improper investigations can create counterclaims and civil actions against organizations and professionals.
Common conflicts of interest schemes include:
Purchase schemes, which involve the over-billing of a company for goods or services by a vendor in which an employee has an undisclosed ownership or financial interest
Sales schemes, which involve the underselling of company goods by an employee to a company in which the employee maintains a hidden interest
When it comes to detecting conflict of interest schemes, the problem is usually a failure to disclose, because:
Employees, directors, or others don’t understand the potential seriousness of having a conflict of interest or the company’s policy relating to it.
The employee, director, or other party is deliberately trying to conceal or hide the conflict. There shouldn’t be any reason for employees and others not to declare conflicts of interest, assuming they have read the policy and are made aware of their responsibilities.
Other Risks and Activities
Leadership that is controlling or domineering can operate with a long-term view, in alignment with others’ interests.
There can be several risks from controlling or domineering leadership, including the potential for conflicts of interest and abusive related-party transactions that are often difficult to detect, assess, and investigate.
Why? Because many people have a difficult time avoiding conflicts of interest; they are usually secretive; and the financial or other benefits are more often than not hidden, albeit sometimes in plain sight. Nonetheless, they can put the individuals involved and their company at risk of regulatory scrutiny and reputational harm.
The New York Stock Exchange’s Corporate Governance Rules define conflicts of interest as the following:
“A conflict of interest occurs when an individual’s private interest interferes in any way – or even appears to interfere – with the interests of the corporation as a whole. A conflict situation can arise when an employee, officer or director takes actions or has interests that may make it difficult to perform his or her company work objectively and effectively. Conflicts of interest also arise when an employee, officer or director, or a member of his or her family, receives improper personal benefits as a result of his or her position in the company…. The company should have a policy prohibiting such conflicts of interest, and providing a means for employees, officers and directors to communicate potential conflicts to the company.”
I have found the types of activities that can create a possible conflict of interest include:
Nepotism is the practice of giving favors to relatives and close friends, often by hiring them
Cronyism is the appointment of friends and associates to positions of authority, without proper regard to their qualifications
Self-dealing is a situation in which someone in a position of responsibility in an organization has outside conflicting interests and acts in their own interest rather than the interest of the organization
The ICC Guidelines have some examples in Section II that I suggest you review too.
For those subject to SOx, in addition to Sections 302, 906, and 404, several other sections of SOx relate to internal controls and corporate governance.
Section 406: Code of Conduct and Ethics
Section 406(c) requires all US-listed companies to maintain a code of conduct applicable to all directors, executives, and employees, with the definition of “code of ethics” as stated in this section. The NYSE Corporate Governance Rules (Provision 10) also require a company to adopt and disclose its Corporate Governance Guidelines and Code of Business Conduct and Ethics.
The code of conduct must be publicly available and must define conflicts of interest, illegal and improper payments, anti-competitive guidelines, and Foreign Corrupt Practices Act (FCPA) compliance, as well as acceptable dealings with employees, suppliers, customers, investors, creditors, insurers, competitors, auditors, and so forth.
Conflicts of interest can be problematic if not understood and managed appropriately.
Conflicts of interest increase the risk of bias and poor judgment because of the obligation to two or more competing interests, and they rarely end well for those who have consciously disregarded the company’s business practices and ethics.
When it comes to fraud risk management, compliance and internal audit need to understand conflicts of interest and address them accordingly.
All conflicts of interest must be documented in writing! This really helps if there is ever an issue, because you can show the regulators the company is proactively dealing with these issues.
I welcome your thoughts, comments, and suggestions.
Organizations are under increasing scrutiny, and unfortunately some have dealt with or are dealing with ethical lapses or, worse, allegations of fraud. In addition, Fiscal Year 2018 was a record-breaking year for the U.S. Securities and Exchange Commission’s whistle-blower program, as more and more individuals have been coming forward with allegations of impropriety. All this, combined with the regulators re-focusing on individual accountability, independent investigations, and compliance, makes for interesting times.
Given these trends, companies should be reviewing their protocols regarding how to conduct investigations in a manner that is defensible. Thus, it is critical for organizations to have processes in place to triage an allegation, investigate, remediate, evaluate and then enhance their governance, risk management, compliance, and internal audit programs. Failure to conduct an appropriate investigation may lead to significant exposure and disruption to the organization.
In light of the above, on Jan. 23, Baker Tilly along with Morgan Lewis will be hosting a 90-minute panel discussion. The panel is planning to focus this discussion on current issues in compliance, board governance, corporate investigations, risk management, and related subjects. The scheduled panelists, who all have proven track records of leading important investigations and compliance initiatives, are:
Radical Compliance is the personal blog of Matt Kelly, long-time writer and observer of corporate compliance. Prior to launching Radical Compliance, Matt Kelly was a writer, editor, and publisher at Compliance Week from 2003 through 2015.
The Department of Justice (DOJ) said in a release, “Executives at the highest levels of Petrobras — including members of its executive board and board of directors — facilitated the payment of hundreds of millions of dollars in bribes to Brazilian politicians and political parties and then cooked the books to conceal the bribe payments from investors and regulators.”
On September 26, 2018, Petróleo Brasileiro S.A. (“Petrobras” or the “Company”), the Brazilian majority state-owned oil and gas company, settled Foreign Corrupt Practices Act (“FCPA”) charges with the U.S. Department of Justice (the “DOJ”) and the Securities and Exchange Commission (the “SEC”) for a total of $1.78 billion. Petrobras has American Depositary Shares (“ADSs”) registered with the SEC and traded on the New York Stock Exchange and is therefore subject to the FCPA as an “issuer.”
Petrobras entered into a non-prosecution agreement (“NPA”) with the DOJ that included a criminal penalty of $853.2 million for knowingly and willfully failing to keep accurate books and records and implement appropriate internal financial and accounting controls by “facilitating payments to politicians and political parties in Brazil.” Under the NPA, Petrobras will pay 10 percent, or $85.32 million, of the criminal penalty to the DOJ and another 10 percent to the SEC. Petrobras will pay the remaining 80 percent of the criminal penalty, or $682.56 million, to authorities in Brazil.
The Company did not receive voluntary disclosure credit because it did not voluntarily and timely disclose to the Fraud Section and the Office the conduct described in the Statement of Facts.
Petrobras no longer employs or is affiliated with any of the individuals known to the Company to be implicated in the conduct at issue.
Summary of Remedial Measures
Petrobras engaged in extensive remedial measures, including:
Replacing the Board of Directors and the Executive Board (the Company’s high-level managers) and implementing governance reforms, such as expanding the scope of decisions requiring Board of Director approval;
Elevating and revamping the Company’s compliance function, including creating and staffing the Division of Governance and Compliance (“DGC”), and mandating that the Officer of DGC cannot be terminated without the affirmative vote of a Board member representing minority shareholders;
Limiting individual decision-making authority by implementing a “four eyes” approval policy (now I know the DOJ reads my thought leadership) that requires a second review by supervisors from different reporting lines for substantive decisions;
Creating new corporate investment policies and procedures, including a new Approval Authority Matrix, mandatory collective decision-making, and participation of the Division of DGC in investment committees;
Enhancing the Company’s policies and procedures related to confidential reporting and investigations, including restructuring the Office of the Ombudsman, implementing a confidential reporting hotline, and enhancing the procedures related to the Company’s Internal Commissions of Inquiry;
Updating policies and procedures related to compliance;
Implementing measures to ensure the Company’s operations are insulated from improper political interference, including new hiring and promotion procedures, a comprehensive government relations policy, and uniquely protecting the Officer of DGC within the organization;
Enhancing anti-corruption training by requiring all employees to complete compliance training, providing specialized training to employees engaged in the procurement of goods and services, and providing anti-corruption training to the Board of Directors and Executive Board;
Creating an Ethics Committee responsible for guiding, disseminating, and promoting compliance with ethical principles and conduct obligations;
Creating a committee within the Company’s compliance function to discipline employees and ensure that discipline is meted out consistently;
Disciplining employees known to have violated Company policies and procedures, including suspending employees, removing their managerial functions, and terminating their employment; and
Enhancing controls related to procurement and contracting, including centralizing the procurement function, segregating procurement duties, and implementing a risk-based integrity due diligence program for prospective contractors.
From the “Realm of the Obvious”, why was there no monitor installed?
We live in a disruption-intensive world and complacency is no longer an option!
Supporting my statement is the DOJ’s own guidance on the Evaluation of Corporate Compliance Programs (“Evaluation”), which states that “prosecutors should also consider ‘[t]he effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment’ and whether its criteria are ‘periodically updated.’”
(See, e.g., [Justice Manual] 9-47-120(2)(c); [Sentencing Guidelines] § 8B2.1(c) (‘the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify each requirement [of the compliance program] to reduce the risk of criminal conduct’).)
The Evaluation further states, “prosecutors may credit the quality and effectiveness of a risk-based compliance program that devotes appropriate attention and resources to high-risk transactions, even if it fails to prevent an infraction in a low-risk area.”
When the original Federal Sentencing Guidelines for Organizations (“the Sentencing Guidelines”) were issued in 1991, there was no mention of a risk assessment as part of compliance programs. It was not until the Sentencing Guidelines were amended in 2004 that this alarming omission was remedied. But even then, the risk assessment had not fully “arrived,” as some of the early compliance program requirements in FCPA settlements failed to include a risk assessment component.
As risks continue to expand and intensify, many struggle to ring-fence them and manage them appropriately. Relying on manual processes like spreadsheets, email, and other disparate methods is, more likely than not, ineffective.
The recipe below must be adapted accordingly. Also, the risks that are identified need to be monitored appropriately. I suggest you strongly evaluate and consider automating, where possible, the management of risks and controls with the mindset of continuous improvement or tuning of the fraud risk management program.
In addition to establishing an ethical environment, board members and management must also take the lead in implementing and maintaining a formal fraud risk management program. One key element of such a program is a fraud risk assessment, which should be updated annually at a minimum, or more frequently if conditions warrant. Recall that GRC stands for Governance, Risk, and Compliance, in that order, because it’s a waterfall concept – meaning that good governance includes risk management, and risk management should be driving the compliance initiative or program. Why? Because how can you design an effective compliance program to deter and detect ethical breaches, or worse, fraud, including bribery and corruption, unless you understand the risks your organization faces?
The risk assessment (some say it is easy; I disagree) should identify, at a minimum: the fraud schemes and acts that could potentially occur; possible concealment strategies that could be used by the fraudster to avoid detection; possible conversion tactics; the individuals or gatekeepers who pose the highest risk of committing fraud; the controls that are in place to deter or detect fraud; and a list of warning signals or “red flags” that are useful in many ways, including assessing the design of controls.
The success of the fraud risk assessment process hinges on how effectively the results are reported and what the organization then does with those results – in other words, “How is it operationalized”? – See Practice Pointer below.
Here is My Recipe or Methodology*
Having a documented risk-based methodology will help in many ways, including properly tailoring your internal audit and compliance programs.
Inventory the various risk assessments within the organization. Ensure risk ratings are consistent.
Identify, understand, and evaluate the company’s business, their strategy, and operating environment along with the pressures that exist.
Understand the legal and regulatory aspects of your business. For example: If your organization is subject to the Foreign Corrupt Practices Act (“FCPA”) then your risk assessment will in all likelihood need to be expanded to include the appropriate elements to assess FCPA risk, which should focus on foreign government “touch points”.
Many miss the mark here because they focus on sales/revenue. Sales volume and materiality shouldn’t matter – again, focus on foreign government touch points!
Consider the strategy and objectives put forth. This helps with assessing pressure and possible override; then link the objectives to controls.
Evaluate and determine your Fraud Risk Universe (See graphic above).
Identify the business processes and consider differences across the organization.
Review prior allegations of fraud and actual frauds. Understand the root cause(s) of the actual frauds.
Consider at a minimum audit results (internal and external), investigations, results of root cause analysis, recent litigation or settlements, compliance complaints, employee claims, industry enforcement trends, and the existence and sufficiency of policies covering an area.
Identify the Process Owner for each Process and understand their duties and roles. Throughout the risk assessment exercise consider segregation of duty conflicts and document them so they can be remediated.
Identify how Fraud may occur (fraud schemes) in each process and at each location through interviews and meetings.
Understand if the scheme involves financial statement fraud, asset misappropriation, or corruption. Note: It may include all three.
Look at the potential fraud manifestations (scenarios) within each process and location.
Identify the parties and profile (not stereotype) the individuals who have the ability to commit the potential fraud: Process Owners, Gatekeepers, etc., who are competent and arrogant enough to possibly override/circumvent controls, if they exist, and misbehave.
Evaluate the likelihood that each of the identified frauds could occur and be significant/material, as well as the pervasiveness of the potential fraud, without considering controls and the possibility of management override of those controls.
Consider the strategy to commit and conceal the fraud and the conversion to determine the effort / controls required to prevent, detect and deter the fraud.
Document the inherent risk.
Identify red flags by reviewing the fraud schemes, scenarios, concealment strategy, and conversion. This helps in evaluating the controls that are or should be in place and the design. These “red flags” can be organized into four general categories:
Transactions conducted at unusual times of day, on weekends or holidays or during a season when such transactions normally do not occur;
Transactions that occur more frequently than expected — or not frequently enough;
Accounts with many large, round numbers or transactions that are unusually large or small; and
Transactions with questionable parties, including related parties or unrecognized vendors, which may or may not be disclosed.
Missing or altered documents;
Evidence of backdated documents;
Missing or unavailable originals;
Documents that conflict with one another; and
Questionable or missing signatures.
Lack of Controls
Unwillingness to remediate gaps;
Inconsistent or nonexistent monitoring controls;
Lack of clear management position about conflicts of interest;
Inadequate segregation of duties;
Lax rules regarding transaction authorization; and
Failure to reconcile accounts in a timely manner.
Rationalization, changes in behavior, contradictory behavior or recurring negative behavior patterns;
Lack of stability;
Inadequate income for the individual’s lifestyle;
Resentment of superiors and frustration with job;
Emotional trauma in home or work life;
Undue expectations from family, company or community; and
Attendance! Perfect attendance or severe absenteeism.
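The transactional red flags in the first category above (off-hours or weekend postings, unexpected frequency, round amounts, unrecognized parties) lend themselves to automated screening, which is one way to operationalize the assessment. The following is an added example, not code from the original post or from any vendor's tool: it screens a constructed ledger against those four heuristics. The vendor master, expected monthly volumes, business hours, holiday list and sample transactions are all assumptions constructed for illustration.

```python
"""Screen a constructed ledger for the transactional red flags discussed above."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, datetime


@dataclass(frozen=True)
class Txn:
    txn_id: str
    vendor: str
    amount: float
    posted: datetime  # when the entry was booked
    approver: str


# Constructed (hypothetical) approved-vendor master and expected monthly volumes.
APPROVED_VENDORS = {"Acme Supply", "Northwind Logistics", "Contoso Consulting"}
EXPECTED_MONTHLY = {"Acme Supply": 4, "Northwind Logistics": 8, "Contoso Consulting": 1}
HOLIDAYS = {date(2023, 7, 4)}        # constructed holiday calendar
BUSINESS_HOURS = range(8, 18)        # 08:00-17:59, assumed for this example

# Constructed sample ledger; 2023-06-17 is a Saturday.
LEDGER = [
    Txn("T1", "Acme Supply", 1250.40, datetime(2023, 6, 12, 10, 15), "jsmith"),
    Txn("T2", "Acme Supply", 5000.00, datetime(2023, 6, 17, 23, 40), "jsmith"),      # weekend, late, round
    Txn("T3", "Riverside Holdings", 20000.00, datetime(2023, 6, 14, 9, 5), "jsmith"),  # not in vendor master, round
    Txn("T4", "Northwind Logistics", 312.77, datetime(2023, 6, 13, 14, 30), "ajones"),
    Txn("T5", "Contoso Consulting", 9800.00, datetime(2023, 6, 15, 11, 0), "ajones"),
    Txn("T6", "Contoso Consulting", 9700.00, datetime(2023, 6, 20, 11, 0), "ajones"),
    Txn("T7", "Contoso Consulting", 9900.00, datetime(2023, 6, 27, 11, 0), "ajones"),
]


def is_off_hours(ts: datetime) -> bool:
    """Weekend, holiday, or outside business hours."""
    return ts.weekday() >= 5 or ts.date() in HOLIDAYS or ts.hour not in BUSINESS_HOURS


def is_round(amount: float, unit: float = 1000.0) -> bool:
    """Large amounts that are exact multiples of the unit (e.g. 5,000.00)."""
    return amount >= unit and amount % unit == 0


def screen_transactions(ledger, approved, expected_monthly, tolerance=0.5):
    """Return (per-transaction flags, per-vendor-month frequency flags).

    tolerance is the allowed relative deviation from the expected monthly count
    before a vendor is flagged as too frequent or not frequent enough.
    """
    by_txn = defaultdict(list)
    for t in ledger:
        if is_off_hours(t.posted):
            by_txn[t.txn_id].append("off_hours")
        if is_round(t.amount):
            by_txn[t.txn_id].append("round_amount")
        if t.vendor not in approved:
            by_txn[t.txn_id].append("unrecognized_vendor")

    # Frequency check: actual postings per vendor per month vs. the baseline.
    counts = Counter((t.vendor, t.posted.strftime("%Y-%m")) for t in ledger)
    months = {month for _, month in counts}
    by_vendor = {}
    for vendor, expected in expected_monthly.items():
        for month in sorted(months):
            actual = counts.get((vendor, month), 0)
            if actual > expected * (1 + tolerance):
                by_vendor[(vendor, month)] = "too_frequent"
            elif actual < expected * (1 - tolerance):
                by_vendor[(vendor, month)] = "too_infrequent"
    return dict(by_txn), by_vendor


if __name__ == "__main__":
    txn_flags, vendor_flags = screen_transactions(LEDGER, APPROVED_VENDORS, EXPECTED_MONTHLY)
    for txn_id, flags in txn_flags.items():
        print(txn_id, ", ".join(flags))
    for (vendor, month), flag in vendor_flags.items():
        print(vendor, month, flag)
```

Everything this produces is a lead for the process owner, internal audit or compliance to review, not a conclusion; the business-hours window, rounding unit and frequency tolerance are the knobs that need tuning to the organization's own baseline, and the vendor master has to be the controlled one, since an unrecognized party is only a signal if the master itself is maintained.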
Determine the appropriate audit response and investigate the characteristics of potential fraud manifestations within each process identified, where “Residual Fraud Risk” exists.
Determine the fraud risk expectancy (quantify).
Document the residual risk.
Remediate fraud risk by designing control activities or by exiting/ending the activity, relationship, etc. Use the “four eyes principle”. Ensure there is an appropriate segregation of duties. Note: Also use this to ensure you have proper insurance coverage.
Harmonize. Make sure the fraud risks identified are evaluated similarly and are in sync with your Enterprise-wide Risk Assessment and other risk assessments you have done. A savvy regulator will pick up on this and could conclude that from a governance perspective your risk management program is deficient – siloed.
Use the “red flags” identified as part of your training! Teach people what to look for and how to report any suspicious activity.
Review the fraud risk assessment frequently, especially after an event – like a fraud, change in senior leadership, merger, acquisition, reduction in force, system upgrade, etc.
Compliance, internal audit, legal, and the organization’s stakeholders can use the results of, or operationalize, the fraud risk assessment, which includes the identified “red flags” to fine tune or strengthen controls, policies, procedures, training, and testing strategies/programs.
Risk assessments are critical today more than ever.
Having a risk assessment may help in resource allocation and prevent punishment for areas not in scope.
Please reach out to me if you have any comments or questions.
*Note: This is a standard approach. It has been customized and modified accordingly over the years. Also, for a complete assessment there are other procedures that more likely than not need to be performed in order to properly assess the risk of bribery and corruption.