Categories
Everything Compliance

Everything Compliance-Episode 14

Show Notes for Everything Compliance-Episode 14 

Topics from Matt:

  1. Trump Administration & FCPA enforcement— we have two declinations now; maybe a compare-and-contrast and speculation on what a tough Trump Admin enforcement WOULD look like;
  2. EU’s GDPR— Do EU regulators know what they want to do with the enforcement of this law; if they follow the lead of the anti-competition people whacking Google, it could be a big deal;
  3. Hui Chen’s departure from the Justice Department, both her public rebuke of Trump and the substance of how she believes her guidance has been misinterpreted; and
  4. Ethical leadership and the lack thereof; the menace of abusing perks and privilege, connecting my posts about Uber’s leaders and Chris Christie vacationing on a closed beach.

Topics from Jay:

  1. How do the Campaign Finance Laws mirror/or differ from the FCPA?
  2. Will the Russian Collusion Investigation reveal the ultimate FCPA violation?
  3. Regarding Walter Shaub’s departure from the Office of Governmental Ethics (OGE), does it matter? What is OGE supposed to do, and why did it work for the past 40+ years but fall on deaf ears with the Trump administration?
  4. Dovetailing with Matt’s question about a slow H1 for FCPA enforcement and in light of the just-released Gibson Dunn FCPA Mid-Year Report, does the current climate (and lack of vigorous enforcement) provide a perfect storm for companies to look the other way if they fall off the E&C wagon, or do we think that companies are still being vigilant despite a perception of decreased enforcement?

Rants follow this week’s episode. What do the two declinations in 2017 mean? The Everything Compliance panel of experts weighs in.

Categories
Blog

Day 19 of One Month to More Effective Internal Controls – COSO Objective V: Monitoring Activities

Monitoring Activities. The Framework Volume says, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different entity levels, provide timely information. Separate evaluations, conducted periodically, will vary in scope and frequency depending on the assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management, and the board of directors. Deficiencies are communicated to management and the board of directors as appropriate.” However, as with all other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken singularly. Rittenberg states this objective “applies to all five components of internal control. The nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” For the CCO or compliance practitioner, Monitoring Activities have been growing in importance over the past few years and will continue to do so in the future. The Five Principles of an Effective Compliance Program, Principle 5, includes ongoing monitoring, reinforced in the 2013 COSO Framework.
In an article in Corporate Compliance Insights (CCI), entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is essential to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are ‘functioning.’ Remember that all relevant principles must be present and functioning for a company to safely conclude that its ICFR is effective. Aligning the design of controls to the 17 principles to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

I. Objective-Monitoring Activities

The Monitoring Activities objective consists of two principles. They are:

Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”

Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing Evaluation

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle expects your organization to oversee, monitor, and audit. For the CCO or compliance practitioner, you will need to consider several different areas and concepts going forward. A current risk assessment or other evaluation of business changes should be based on some baseline understanding of your underlying compliance risk. Whatever you select will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments, and objectively evaluated.

Principle 17 – Evaluation And Communication Of Deficiencies

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken.” If that does not sound like McNulty Maxim No. 3, “What did you do when you found out about it?”, I do not know what does. Therefore, under this Principle, the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the weaknesses up the chain to the board or Compliance Committee, correct and then monitor the corrective action going forward. Adapting Kral, I urge that every key internal compliance control in support of the 17 Principles should be “concluded upon by management in terms of their adequacy of design and operating efficiency.”

II. Discussion

Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use to support this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it also allows you to evaluate the effectiveness of that corrective action. The most important thing is that all the controls need to be sustainable. You cannot just build one-off controls that get you through one period without having a process in place that will carry you through all the periods you need to cover. The controls cannot just be a one-and-done. Many companies will find that their initial approach is one-and-done. There must also be a mechanism for communicating controls that do not work or can be overridden. From there, you must be able to remediate your controls going forward. This will align with the compliance professional’s requirement to prevent, detect, and remediate.

Three Key Takeaways:

  1. Monitoring activities are interrelated with all other Principles and cannot be taken singularly.
  2. Monitoring activities help to ensure that all controls are present and functioning.
  3. Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running correctly.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Ongoing monitoring of your internal controls helps to ensure they are sustainable and not overridden.

Categories
Blog

Day 12 of One Month to More Effective Internal Controls-Board Oversight as an Internal Control

Best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources,” which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided sufficient information to enable independent judgment?

The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must have a corporate compliance program in place and actively oversee that function.

Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and the compliance function. The Board must ask hard questions and be fully informed of the company’s overall compliance strategy. Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes-Oxley (SOX), that includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation. A company must have a corporate compliance program in place and actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls work together with compliance policies and procedures and are interrelated control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:

  1. Risk Assessment – A Board should assess the compliance risks associated with its business.
  2. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document informing the company, its employees, stakeholders, and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures that instructs employees on how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is, and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, in contrast, their failure even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.

Three Key Takeaways:

  1. GTE compliance internal controls are low-hanging fruit. Pick them.
  2. Compliance internal controls can be both detective and preventive controls.
  3. Good compliance with internal controls is good for business.

Board oversight of your compliance program can act as an internal control if properly documented. For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Categories
FCPA Compliance Report

FCPA Compliance Report – Episode 337 – James Gellert on Assessing 3rd Party Financial Health for Compliance

In this episode, I visit with James Gellert, CEO of RapidRatings, a company that uses a financial dialogue to determine third-party supplier health and viability. Gellert explains what supply chain resilience is and how examining your suppliers’ financial health can lead to a more financially efficient supply chain. We then discuss the company’s third-party risk management tools. We consider how a company might evaluate a potential purchaser, partner, or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function uses the health of a third party as a tool to determine third-party compliance risk. 

For more information on RapidRatings, check out their website by clicking here.

Categories
Compliance Into the Weeds

Compliance into the Weeds – Episode 43 – The Linde Declination

On June 16, 2017, the Department of Justice (DOJ) issued a Declination to Linde North American Inc. and Linde Gas North America LLC (collectively “Linde”). This is the first Declination issued by the DOJ in the era of the Trump Administration. For that reason alone, it was instructive and should be studied by the compliance profession. However, the case presented several interesting factors which merit consideration, so we discuss it in depth to present lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner.

Lessons Learned

This was yet another Foreign Corrupt Practices Act (FCPA) action where a company performed insufficient due diligence in the acquisition phase. The Linde purchase of Spectra Gases and Spectra Gases’ purchase of the income-producing assets are too close in time to be a coincidence. It would certainly appear that Linde purchased Spectra Gases to facilitate its acquisition of the boron column and other assets. If your company is going to make such a multi-step acquisition, you must perform due diligence on all the actors and the assets involved.

The Byzantine corporate structure created for the ownership of the boron column, its operation, and its management contract are clear red flags that any CCO should sniff out immediately. While I am sure the internal corporate excuse for this clear ruse was the ubiquitous ‘tax considerations,’ every such transaction should also be reviewed by compliance. Anytime there is more than one entity to accomplish one task, there is the possibility of fraud. Further, it is unclear how Linde could not have been aware of the company’s ownership interests that it ultimately controlled. It would seem that the company did not even make any inquiries.

Even in 2006, the Republic of Georgia’s reputation for bribery and corruption was quite high. The 2006 Transparency International-Corrupt Perceptions Index (TI-CPI) listed Georgia at 99 out of 176 countries, which warranted red flag scrutiny. Extra care is warranted if you are purchasing an entity in a country with such a well-known affinity for corruption. Perhaps in 2006, Linde did not view the FCPA as something it would deal with in such a situation.

Yet even with all the apparent missteps and non-steps of compliance, the company was able to secure a declination from the DOJ. While there may be some additional penalties or sanctions by the Securities and Exchange Commission (SEC) for the failures of internal controls, the result obtained by Linde was certainly superior. The company has met the four pillars under the FCPA Pilot Program through (a) self-disclosure, (b) extraordinary cooperation, (c) full remediation, and (d) profit disgorgement. Interestingly, in this case, the profit disgorgement would have been beyond the five-year limitations for profit disgorgement under the recent Supreme Court decision in Kokesh. If the SEC brings an FCPA enforcement action, additional facts may be recited in any resolution documents.

Nevertheless, kudos are due to Linde and its counsel for obtaining this declination. Every CCO should study it for both the superior result received and underlying facts to see if you face anything similar in the Republic of Georgia or elsewhere.

For a full copy of the Linde Declination, click here

Categories
This Week in FCPA

This Week in FCPA-Episode 56

  • The Kokesh case at the US Supreme Court is significant for SEC enforcement of the FCPA around profit disgorgement. For what it means to the compliance practitioner, see Tom’s piece in the FCPA Compliance & Ethics Blog. For a legal review of the decision, see Miller & Chevalier client alert authored by Saskia Zandieh. Marc Bohn considered the case in the FCPA Blog. Marc and I discuss the case on the FCPA Compliance Report, Episode 332.
  • Trevor McFadden to leave the DOJ for the federal bench. See article by Matt Kelly in Radical Compliance. Hui Chen’s contract is not to be renewed; her position is posted for job applicants. Apply for the position here. Andrew Weissman leaves as head of the Fraud Section to join the Special Prosecutor’s staff.
  • Former PetroTiger General Counsel Gregory Weismann is banned from SEC practice. See article in the FCPA Blog.
  • Matthew Stephenson considers what a Wal-Mart settlement might look like. See his article in the Global Anti-Corruption Blog.
  • The federal judge who sentenced Samuel Mebiame, the bag man for Och-Ziff, criticized the DOJ for its lack of prosecution of any individuals from the company. See article by Sam Rubenfeld in WSJ Risk and Compliance Report.
  • Jay previews his weekend report.
  • Tom continues to talk about the release of his new book 2016 – The Year in Corporate FCPA Enforcement. For more information and to purchase, click here.
    Jay Rosen can be reached:
    Mobile (310) 729-6746
    Toll Free (866)-201-0903
    JRosen@affiliatedmonitors.com
    Tom Fox can be reached:
    Phone: 832-744-0264
    Email: tfox@tfoxlaw.com

    Categories
    Everything Compliance

    Everything Compliance-Episode 10, first 100 days of the Trump Administration

    This episode is dedicated to the chaotic (at best) first 100 days of the Trump administration related to compliance.

    1. Jonathan Armstrong leads a discussion of the Trump administration’s devolution of Privacy Shield, GDPR, and what they mean for American companies doing business in the UK and EU. He discusses the key differences in the DOJ’s Evaluation of Corporate Compliance Programs in an FCPA analysis and under the Bribery Act, differences in the EU approach to conflict minerals, and under the Trump Administration, and concludes by giving us his thoughts on what Brexit means for compliance.

    For the Cordery Compliance client alerts, see the following:
    EU conflicts minerals compliance legislation 
    DOJ Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?
    BREXIT Glossary

    2. Jay Rosen considers what companies the intersection of business and politics under the Trump administration, the business response he has observed to the Trump administration’s steps and missteps, the comments made by DOJ representatives at Q1 conferences, and the vibe of compliance conference attendees.

    For Jay’s posts, see:
    Still in the Enforcement Business and Evaluation of Corporate Compliance Programs
    “It Was the Best of Times, It was the Worst of Times,” or “Ignorance is Strength”

    3. Matt Kelly opens with a discussion of regulatory enforcement under the Trump administration, how the ‘Trump Effect’ is negatively impacting corporations, and industry responses to deregulation issues, and lays down some markers around compliance issues under the new administration.

    For Matt Kelly’s posts, see:
    Compliance in the Trump Era: More Markers Placed
    Trump Administration Whacks Telco Firm for $892 Million
    Drone Industry Pan Trump’s Regulatory
    Trump Risk Disclosures Start Rolling In
    First SEC Whistleblower Award of the Trump Era
    Sessions Dodges, Weaves, Promises on FCPA

    4. Mike Volkov rounds out the discussion with a review of where the DOJ is currently under AG Sessions, remarks by DOJ officials on FCPA enforcement, the future of the Pilot Program, and DOJ Compliance Counsel Hui Chen.

    For Mike Volkov’s posts, see the following:
    Yates, AG Sessions and Individual Criminal Prosecutions
    New E-Book — Moving the Goalposts: The Justice Department Redefines Effective Compliance
    FCPA Remediation Focus on Supervisory Personnel
    FCPA Pilot Program Motors On
    For Tom Fox’s posts on the Trump administration’s first 100 days, see the following:
    The Trump Administration-Kaos is Bad for Business
    The Trump Administration-Failures in Leadership and Management
    The Trump Administration-Preparing for a Catastrophe
    The Trump Administration-the Business Response
    DOJ Enforcement of the FCPA and the International Fight against Corruption in the Trump Administration
    The members of the Everything Compliance panel include:

    • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
    • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
    • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
    • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com


    Categories
    This Week in FCPA

    This Week in FCPA-Episode 46, the On the Road to Prague Edition

  • Why powerful people fail to stop bad behavior by their underlings. Click here for the article.
  • Some policy management lessons, courtesy of United Airlines. Click here for Matt Kelly’s article on Radical Compliance.
  • Why you shouldn’t linger too long in the wrong compliance position. See Julie DiMauro’s blog post on the FCPA Blog.
  • Bribe recipient in the Gerald and Patricia Green FCPA case gets 50 years in prison. See article in the FCPA Blog.
  • Using data to operationalize your compliance program. Read Tom’s blog post by clicking here.
  • What the New York State Department of Financial Services’ new regulation on cybersecurity for financial services companies means for compliance officers. See Tom’s blog post by clicking here.
  • Jay previews his weekend report.
  • Jay Rosen’s new contact information:
    Jay Rosen, CCEP
    Vice President, Business Development
    Monitoring Specialist
    Affiliated Monitors, Inc.
    Mobile (310) 729-6746
    Toll Free (866)-201-0903
    JRosen@affiliatedmonitors.com

    Categories
    Compliance Into the Weeds

    Compliance into the Weeds-Episode 33, enhancing culture

    Great Speech About Improving Corporate Culture