Day: October 10, 2022

Categories
Blog

Internal Controls Week: Part 5 – Assessing Internal Controls in International Operations

How should you assess your internal controls regime for international operations? It is incumbent that you need to review as much information as you can to understand the financial and operational structure of an entity and how it is integrated with the corporate headquarters, or the U.S. business unit’s financial and operation structure, if the foreign operation is part of a U.S. business unit.

You could begin with the TI-CPI to garner a sense of the reputation of the country in which your business unit is located, as well as the CPI for all other countries in which the location either markets business or has current customers. Another area for inquiry or review is the scope of your foreign operations. This means you will need to consider your sales model, whether employee based or primarily using third party representatives. You will also need to consider if such third-party representatives are coming into a commercial relationship with your company through your supply chain.

Other areas of inquiry should include whether your company’s finance and accounting staff produce financial statements that are integrated into the parent’s financial statements; whether your international business locations utilize a local bank account for local sales receipts as well as funds transfers from the U.S. and whether the account has local check signers and whether dual signatures are required on the checks. You may also want to consider the extent to which disbursements are made in the local currency and, of course, is there a local petty cash fund.

As with many other areas around internal controls,it is important to consider the local DOA and whether it is consistent with your corporate DOA. Some of the considerations regarding the local DOA should extend to which corporate or U.S. business unit approvals are required for transactions initiated locally, such as: 1) approval of vendor invoices, 2) disbursements of funds, including wire transfers; 3) execution of facilities leases; 4) execution of contracts with agents; and 5) approval of pricing and credit terms to customers and distributors. You should also review whether the local DOA provides appropriate SODs at the local business unit level.

You should consider how sales of product are conducted. For example, is an inventory maintained at the local operation for shipment to customers; are products drop shipped from U.S. directly to the customers of the local operation or are they drop shipped to distributors for delivery to the ultimate customer?

Hopefully you are already doing the above, but you should review what is being done to determine if employees or local contractors who are local nationals have gone through your due diligence process so that they have been properly vetted to determine whether they are government officials in any capacity or are relatives of government officials. Along the lines of a more formal FCPA analysis you should review to see if there has been any investigation of alleged fraud, including FCPA violations, at the location and, if so, what were the results of the investigation? Around customers, you should review with whom each international location does business to determine the extent to which its current customers are local government entities as well as the extent to which the location is pursuing sales activities for other local government entities.

If there has not been a sufficient assessment of controls, the compliance professional must then decide how to best determine whether the local controls are sufficient to satisfy the requirement of the FCPA and accurately reflect all transactions and prevent concealment of improper transactions. Some of these considerations would be an inadequate SODs because the separation of responsibility for physical custody of an asset from the related record keeping is a critical control. In practice, this means that persons who can authorize purchase orders should not be capable of processing accounts payable transactions. Further, the employee who prepares the deposit should not post the receipts to the customer accounts.

You should look to see if there is inappropriate access to assets. If there are, internal controls should be created to provide safeguards for physical objects such as inventory and cash, restricted information, critical forms and update applications. This means that an employee who only needs to view computer information should be restricted to “read and file scan” access and should not be granted “write and create” access. Moreover, controls should prevent the unauthorized removal of resale inventory and movable fixed assets from the premises.

It is not necessary to prove a that a bribe has been paid to have an enforcement action against a company for violation of the internal controls provisions of the FCPA. That was the situation in the SEC 2018 FCPA enforcement action involving Kinross Gold Corporation. It was this lack of effective internal controls, not the payment of a bribe, which was the basis for the civil enforcement action. This means that you should look to make certain the situation is not one of form over substance, where controls can appear to be well designed but still lack substance, as is often the case with required approvals.

Such a situation could arise in several different scenarios. The first is where an account manager’s signature attests to the accuracy of the payroll voucher information, but if the account manager does not have assurance that the supporting time records are accurate, the approval process lacks substance. Other examples are where a supervisor who approves expense reports but routinely does not look at the supporting documentation; a country manager provides a true control as an approver; or where the country manager or the local finance manager has ability to conceal the true nature of transactions without detection by anyone else.

Another important area involves sales and compensation for a foreign business unit. On the sales side of the equation, you review the three-year historical sales for the location and the budgeted sales for the upcoming year. This can give insight into the relative pressure on employees to grow the business and, accordingly, the possibility of an employee seeing a bribe as a good way to grow the business. The inquiries can lead to questions about compensation such as: What is the sales incentive compensation plan for local sales personnel? For the country manager? Such an inquiry gives insight into the possibility of personal benefit which might result from someone paying a bribe to win a contract which results in a large sales incentive compensation to the employee.

These reviews, questions, inquiries and analyses are designed to locate the pressure points involved in any company’s sales processes. This is because pressure is a key element of occupational fraud and the risk of fraud, including corruption, increases as the pressure increases. Since corruption is viewed as a subset of fraud, it might be a good time to review the “fraud triangle,” which lays out breeding ground for fraud in the corruption context:

  • Pressure which has financial implications, whether it be personal financial needs that are unmet or pressure to reach sales goals;
  • Rationalization. A fraud perpetrator always rationalizes that he/she is not a criminal and when committing fraud for personal benefit, the perpetrator intends to repay the money; when committing fraud for company benefit, the perpetrator rationalizes that the company really wants to meet its goals and that the perpetrator’s actions are in furtherance of the company’s goals; and
  • Opportunity. The perpetrator must be in a situation where the internal controls do not prevent the fraud and its necessary concealment
Categories
All Things Investigations

All Things Investigations: Episode 13 – Tyler Grove on New CFIUS Executive Order

Welcome to the Hughes Hubbard Anti-Corruption and Internal Investigations Practice Group’s Podcast, All Things Investigations. In this podcast, host Tom Fox and returning guest Tyler Grove of the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group, highlight some of the key legal issues in white-collar investigations, locally and internationally.

 

 

Tyler Grove has worked at Hughes Hubbard for over 10 years, starting as a paralegal and then working his way up to full-time associate before taking the position of counsel. Tyler’s specialties include sanctions and export controls in addition to anti-money laundering and foreign investment issues. His practice has three main areas: compliance counseling, enforcement and investigations, and corporate diligence and filings.

Key areas we explore on this podcast are:

  • The genesis of Executive Order 14083 relating to CFIUS, and what it entails.
  • It’s become a standard follow-up question when making CFIUS filings to ask about a US business’ cybersecurity policies.
  • What is excepted foreign state? 
  • The Biden administration has conducted a holistic approach to business issues that may not have been considered national security issues in the past. 
  • CFIUS has been a flexible tool for the Biden administration to apply foreign policy.
  • How companies should be prepared to respond when asked to provide information or assistance in a CFIUS review.

Resources

Hughes Hubbard & Reed website 

Tyler Grove on LinkedIn

 

Categories
The ESG Report

UFLPA, Supply Chain & ESG with Travis Miller and Jamie Wallisch

 

Tom Fox welcomes Travis Miller and Jamie Wallisch to the ESG Report. In this episode, they talk about the Uyghur Forced Labor Prevention Act (UFLPA), and how it impacts the way companies do business across the supply chain.

 

 

The UFLPA is a United States federal law that stops companies from importing products made with forced labor in the Xinjiang region of China or any other part of China with forced labor by workers or other minorities. This law is important because it makes sure that companies are aware of what is happening and take steps to stop it. The UFLPA makes companies use processes that already exist in their business. To follow the UFLPA, your company would need to have a compliance program in place. Jamie also explains how regulators could assess companies’ compliance programs using the UFLPA. 

 

Organizations need to recognize their organizational footprint because each company out there affects more than just the people who work there. It’s not just about who you choose to do business with but also who you choose to profit from. You can’t just condemn bad business practices verbally. You have to be actively engaged in ethical behavior. “It’s this assessment, it’s this realization that you are the sum of your components. You are the sum of your relationships,” Travis adds. 

 

Resources

Travis Miller | LinkedIn 

Jamie Wallash  

Assent

 

Categories
FCPA Compliance Report

Oracle FCPA Enforcement Action

In this episode, I take on a solo pod to discuss and consider the Oracle FCPA enforcement action brought by the Securities and Exchange Commission.

Key areas we discuss on this podcast are:

  • Background facts.
  • Same facts in same country?
  • Failure of a paper program.
  • The need for data analytics.
  • Where is the DOJ?
  • What are the lesson learned going forward?

 Resources

For a White Paper on the Oracle FCPE enforcement action, email tfox@tfoxlaw.com

Categories
Daily Compliance News

October 10, 2022 the Data Privacy Edition

In today’s edition of Daily Compliance News:

  • Weinstein LA trial takes on new urgency. (NYT)
  • Twitter/Musk case study. (Reuters)
  • US tries to fulfill data privacy agreement with EU. (WSJ)
  • Met creates an anti-corruption unit. (BBC)
Categories
Blog

Fighting Transparency and Whistleblowers

We sadly had two more examples of how companies are fighting transparency and the light of day through actions taken against whistleblowers. With these two examples we see once again how businesses which say they have a speak up culture and an open-door policy in writing do not seem to follow these prescriptions in practice. One comes from the world of sports (NBA basketball) and the second involves Exxon Mobil Corporation (Exxon).

If you are any kind of pro basketball fan, you have heard about the ‘altercation’ between Golden State Warriors Draymond Green and Justin Poole. Following an initial report of an ‘altercation’ occurring during a practice this week, TMZ released a video of the incident. After some unknown verbal sparring, Poole pushes Green away from him. Green then winds up and coldcocks Poole, knocking him down. Green’s initial response was essentially, I am sorry you are sorry. After the video was released, Green fully apologized and announced he was taking some time off.

What was the Warriors response to all this? According to ESPN, the public airing of the video and ensuing transparency, “has impacted the way the team has been able to move forward from the altercation. “In 32 years, I’ve probably seen 20-plus fights. It should not make it out of our walls,” Kerr said. “When things are kept internally, it’s almost easy to handle,” he continued. “As soon as things are leaked, all hell breaks loose. That affects every single player, coach. … It’s like if you had a camera in your family and there was a family dispute. Would you really want to discuss it with the world? No.”” According to Fox Sports, “the Warriors are taking “every legal course of action” to discover how the video was released to the public.”

For those NBA fans who do not remember, Laker Kermit Washington severely injured Rocket Rudy in 1978 with a similar punch to the face. So, this is not a ‘boys will be boys’ or a hyper competitive player dancing on the edge issue, but a full personal safety at work issue. What do the Warriors want too about it? Apparently not much as Outkick.com wrote, “Warriors general manager Bob Myers discussed the situation on Thursday. He stated that Green’s punishment would be “dealt with internally,” with little expectation for the 10-year veteran to miss any games in the upcoming season as a result. “There’s nothing that warranted the situation yesterday. I want to make that clear. It’s also something we feel like won’t derail our season and that’s with Draymond a part of that,” Myers told reporters.”

In a case from the more traditional corporate world, involving Exxon. The Wall Street Journal (WSJ) reported, “The Labor Department said it found Exxon Mobil Corp. illegally fired two company scientists over suspicions they shared information with The Wall Street Journal about concerns the pair had earlier raised with the company. The department’s Occupational Safety and Health Administration on Friday said Exxon must reinstate the two employees and pay them more than $800,000 in back wages, interest and damages.” In other words, Exxon has been found to have fired two whistleblowers.

The WSJ further noted, “Citing current and former employees, the Journal reported in September 2020 that some staff assigned to the Permian, the most active U.S. oil field, thought Exxon had been overly optimistic about an earlier projection it could increase oil and gas production in the New Mexico and West Texas region to 1 million barrels of oil equivalent per day as early as 2024. The people told the Journal that Exxon had overestimated how quickly it could drill wells there, which they said led the company to overvalue the asset by billions of dollars. Exxon later fired two scientists. The Labor Department determined the firings were prompted by Exxon’s suspicions the pair had brought information to the Journal.”

“Exxon denied the allegations at the time and has repeatedly said it has met and exceeded its drilling targets.” The WSJ went on to note, “Exxon claimed it had fired one of the scientists for mishandling proprietary information and another for “a negative attitude,” job hunting and losing management’s confidence.” Exxon spokesman Casey Norton, as quoted in the WSJ, said, “The terminations in late 2020 were unrelated to the ill-founded concerns raised by the employees in 2019.” Exxon has said that it will appeal.

Interestingly, in 2021, the WSJ “reported the Securities and Exchange Commission launched an investigation following an employee’s whistleblower complaint alleging the company’s overvaluation of the Permian had misled investors. The agency earlier this year closed the investigation and said it would not recommend an enforcement action against Exxon.” Additionally, “A federal judge in Texas dismissed a lawsuit last week brought by Exxon shareholders alleging the company misled investors about the value of its Permian assets. The judge determined the plaintiffs had not shown enough evidence that Exxon executives deliberately defrauded investors. The judge said they can refile the complaint with additional evidence.”

It is not clear if there was new evidence brought forward in this OSHA case that was not available to the SEC or federal district court. Perhaps OSHA found Exxon’s version of events not plausible. Nevertheless, coupled with the Warriors response to the leaking of Green punching a teammate, it seems that corporate America will try to prevent transparency at all costs. Compliance professionals would do well to make sure their organizations not simply welcome whistleblowers but embrace them to prevent fraud, waste and abuse and illegal conduct from moving forward in their organization.